I have setup my script to disable inactive user in my Win 2003 AD server using Quest's AD tool GET-QADUSER, and now I am going to migrate AD to Win 2008 R2. Since there is Active Directory module and Quest's tool is no longer free to download (is that?), I am going to migrate to GET-ADUSER.
I am converting from:
Foreach ($ou in $searchBase) {
#$inactUsr += #(Get-QADUser -SearchRoot $ou -Enabled -PasswordNeverExpires:$false -NotLoggedOnFor $inactiveDays -CreatedBefore $creationCutoff -SizeLimit $sizeLimit | Select-Object Name,SamAccountName,LastLogonTimeStamp,Description,passwordneverexpires,canonicalName | Sort-Object Name)
}
to:
$inactUsr += #(Get-ADUser -SearchRoot $ou -Filter 'enabled -eq $true -and PasswordNeverExpires -eq $False' -Properties Name,SamAccountName,LastLogonTimeStamp,Description,passwordneverexpires,canonicalName | Select Name,SamAccountName,#{N='LastLogonTimeStamp'; E={[DateTime]::FromFileTime($_.LastLogonTimeStamp)}},Description,passwordneverexpires,canonicalName | Sort Name)
I am almost there and leave only -NotLogonFor (which select user that not logon for certain days) and -CreatedBefore (which give a grace period for newly created ID). I want to select ID NotLogon for 30 days and DO NOT want ID created less than 30 days.
Appreciate if anyone can let me know whether there is a built-in properties or any manual method to achieve that.
Edited:
I have the CreatedBefore solved by:
$inactUsrdraft += #(Get-ADUser -SearchBase $ou -Filter 'enabled -eq $true -and PasswordNeverExpires -eq $False -and whenCreated -le $CreationCutOff' -Properties Name,SamAccountName,LastLogonTimeStamp,Description,passwordneverexpires,canonicalName | Select Name,SamAccountName,#{N='LastLogonTimeStamp'; E={[DateTime]::FromFileTime($_.LastLogonTimeStamp)}},Description,passwordneverexpires,canonicalName | Sort Name)
:)
Now I need only need to filter ID not logon more than 30 days.
Any help is appreciated.
How about:
$LastLogonCutoff = (Get-Date).Date.AddDays(-30)
That's midnight 30 days ago. If you want it to the second, use (Get-Date).AddDays(-30).
Followed by changing the -Filter to include:
`-and (LastLogonTimeStamp -lt $LastLogonCutoff)`
Also beware that the LastLogonTimeStamp property is not very accurate. Laptop logins off-network that use saved credentials won't trigger, I believe. If you don't have "Wait for network" enabled, clients might never actually update this value, IIRC.
Related
I am running the below script with the intention to get all users that are currently enabled, password never expire, password last set and last logon date and it works just fine. I would like to add to the data the group those users/accounts belong to or any other information so i can contact their respective teams/managers to request clean up or decomm.
get-aduser -filter {Enabled -eq $TRUE} -properties passwordlastset, passwordneverexpires, lastlogonDate |
Select-Object Name, passwordlastset, Passwordneverexpires, lastlogonDate, DistinguishedName |
Export-Csv -Path 'C:\Temp\passlastset_enabledusers.csv'
How would i add this to this query. As it is works great but thought to avoid manual labor :)
Any advise? Thank you.
I personally like adding all of my properties to an array beforehand. Helps when you want to expand onto it in the future. As for the members groups, you need to create you own expression or else when you export to a csv it'll just say [Microsoft.ActiveDirectory.Management.ADPropertyValueCollection]. Also added the users manager as one of the properties it selects.
$properties = #(
"passwordlastset",
"passwordneverexpires",
"lastlogonDate",
"memberof"
)
Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $true} -properties $properties |
Select-Object Name, passwordlastset, Passwordneverexpires, lastlogonDate, DistinguishedName, Manager, #{Name='MemberOf';Expression={$_.MemberOf -join ';'}} |
Export-Csv -Path 'C:\Temp\passlastset_enabledusers.csv' -NoTypeInformation
i am currently new to Powershell and i am in the process of writing a short script to output a list of users who accounts have expired longer than 30 days i have attempting to use Get-Date).adddays(-12) but i keep receiving invalid parameters when attempting this.
any pointers would be greatly appreciated and i have included the below sample of code i am attempting to get working.
$result =
foreach($OU in $OUS){
Get-ADUser -SearchBase $OU -Filter 'enabled -eq $false' -Properties AccountExpirationDate | Select sAMAccountName, distinguishedName, AccountExpirationDate
}
$result | Export-Csv -path C:\temp\leavers.csv -NoTypeInformation
I'm trying to retrieve only enabled users in the AD. When I run this code line it returns the error. I tried using a filter as well to filter only enabled users for the requested info but it returns ALL users from every domain instead of just the single id.
Get-ADUser : A positional parameter cannot be found that accepts argument 'enabled -eq 'true''.
This is my code that is throwing the error.
Get-ADGroupMember -Identity 'Animal Shop A' | Get-ADUser -Filter '*' | Get-ADUser Where "enabled -eq 'true'" | Get-ADUser -Properties ('Mail')
This one returns ALL users from every domain
Get-ADGroupMember -Identity 'Animal Shop A' | Get-ADUser -Filter "enabled -eq'true'" | Get-ADUser -Properties ('Mail')
Is my syntax wrong on both of them? If I just want to return values from say "Animal shop A" and then "Animal Shop B"
.. or a little bit shorter this way:
Get-ADUser -Filter 'enabled -eq $true' -Properties mail |
Select-Object -Property Name,samaccountname,mail
Besides this I would recommend to use a -SearchBase. That's less stressful for the AD. ;-)
Get-ADUser -Filter * -Properties mail | Where { $_.Enabled -eq $True} | Select Name,samaccountname,mail
That will get all enabled users in your target domain that are enabled and display the name, username, and mail properties
Important to know for both commands:
You must work with an elevated powershell process.
Otherwise the result may not be complete.
get-aduser -filter 'enabled -eq "true"' -ResultSetSize $Null
simply try below commands in powershell as administrator permission.
As a guide, the first part will filter users, second part filtered enabled users and last part will give you export of results.
Get-ADUser -Filter * -Property Enabled | Where-Object {$_.Enabled -like “false”} | Export-Csv -Path C:\eport.csv -Encoding ascii -NoTypeInformation
hope to be useful for you.
I've been tasked with finding service accounts (in our shop, that's user accounts starting with 'svc-' in the username) that have expiring passwords. Normally service accounts should not have expiring passwords, so I'm trying to find service accounts incorrectly created so they can be fixed.
I've been using Search-ADAccount and I'm having parameter issues. If I use this:
Search-ADAccount -PasswordNeverExpires | Where {$_.SamAccountName -like 'SVC-*'}
then I get long lists of results, none of which have expiring passwords. But if I'm including the -PasswordNeverExpires parameter, then I'm filtering out any accounts which do have expiring passwords, no?
I've also tried this:
Search-ADAccount | Where {$_.SamAccountName -like 'SVC-*' -and $_.PasswordNeverExpires -like 'FALSE' }
but I only get an error: "Parameter set cannot be resolved using the specified named parameters." That sounds like Search-ADAccount requires certain parameters, but I don't see in the help files which parameters are required.
It's counter-intuitive (to me) that Search-ADAccount has a parameter which can search for one Boolean condition (TRUE) but not the other.
Get-ADUser doesn't seem to have any password configuration info.
Yes, Trondh. That's it. I first looked at Get-ADUser, but the help files didn't mention anything about the PasswordNeverExpires parameter, and piping a single result into Get-Member didn't reveal any relevant property to search against.
In sum, this is the one-liner that worked:
Get-ADUser -filter {PasswordNeverExpires -eq $False} | Where {$_.SamAccountName -like 'SVC-*'}
Thanks again.
I would just use get-aduser (need to clean up the filter param, I just banged this together in my head):
$adusers = Get-ADUser -Filter * -Properties * | where {$_.PasswordNeverExpires -eq $false}
did you try $_.PasswordNeverExpires -eq $false?
I have an online learning management system with most of its data in sql server but its page structure and contents in an AD LDS instance. I have a few classes which have already been set up with 50 pages called "Unused Portfolio 01" through "Unused Portfolio 50". These are their displaynames. Their CNs are "Portfolio 01" through "Portfolio 50".
I need to change the displaynames to each have a different student's name, in the format "Last, First". I am trying to use Active Directory Module for Windows Powershell. Right now I am on a test server trying to make this work for just a few pages. I can't manage to change more than one displayname at a time.
I can get a list of the objects for these pages:
Get-ADObject -Server localhost:389 -filter 'displayname -like "*Portfolio*" -and cn -like "Portfolio*"' -searchbase 'CN=DMIN2013-LMS 101-02,CN=LMS 101,CN=LMS,CN=Academics,CN=Portal,O=Jenzabar,C=US'
I get the distinguishedname, name, objectclass, and objectguid for all three expected objects and no unexpected objects. Great.
I can change any one object's displayname at a time:
set-adobject -Server localhost:389 -identity "CN=Portfolio 01,CN=DMIN2013-LMS 101-02,CN=LMS 101,CN=LMS,CN=Academics,CN=Portal,O=Jenzabar,C=US" -displayname "testing"
The specified object has its displayname changed to "testing". Awesome.
I'm trying to use this to change all of the displaynames for these three objects to "testing" at once, and obviously I have something wrong because it is not working:
Get-ADObject -Server localhost:389 -filter 'displayname -like "*Portfolio*" -and cn -like "Portfolio*"' -searchbase 'CN=DMIN2013-LMS 101-02,CN=LMS 101,CN=LMS,CN=Academics,CN=Portal,O=Jenzabar,C=US' | foreach-object 'set-adobject -Server localhost:389 -identity $_ -displayname "testing"'
The ultimate goal is that I will have a csv file (which I will have gotten from an sql query from the sql server) containing a "number" column 01 to 50, a "lastname" column, and a "firstname" column, and I will change each page's display name to match ", " for each student, but I'm not at that point yet.
Thanks for any help you can offer.
Foreach-Object uses a script block and not a string, so use:
something | Foreach-Object {Do something with $_}
This might be due to the fact that $_ contains an object and not its DN. $_.DistinguishedName. Also what ojk says
Get-ADObject -Server localhost:389 -filter 'displayname -like "*Portfolio*" -and cn -like "Portfolio*"' -searchbase 'CN=DMIN2013-LMS 101-02,CN=LMS 101,CN=LMS,CN=Academics,CN=Portal,O=Jenzabar,C=US' | foreach-object {set-adobject -Server localhost:389 -identity $_.DistinguishedName -displayname "testing"}