Trying to change displayname in AD LDS with Powershell - powershell

I have an online learning management system with most of its data in sql server but its page structure and contents in an AD LDS instance. I have a few classes which have already been set up with 50 pages called "Unused Portfolio 01" through "Unused Portfolio 50". These are their displaynames. Their CNs are "Portfolio 01" through "Portfolio 50".
I need to change the displaynames to each have a different student's name, in the format "Last, First". I am trying to use Active Directory Module for Windows Powershell. Right now I am on a test server trying to make this work for just a few pages. I can't manage to change more than one displayname at a time.
I can get a list of the objects for these pages:
Get-ADObject -Server localhost:389 -filter 'displayname -like "*Portfolio*" -and cn -like "Portfolio*"' -searchbase 'CN=DMIN2013-LMS 101-02,CN=LMS 101,CN=LMS,CN=Academics,CN=Portal,O=Jenzabar,C=US'
I get the distinguishedname, name, objectclass, and objectguid for all three expected objects and no unexpected objects. Great.
I can change any one object's displayname at a time:
set-adobject -Server localhost:389 -identity "CN=Portfolio 01,CN=DMIN2013-LMS 101-02,CN=LMS 101,CN=LMS,CN=Academics,CN=Portal,O=Jenzabar,C=US" -displayname "testing"
The specified object has its displayname changed to "testing". Awesome.
I'm trying to use this to change all of the displaynames for these three objects to "testing" at once, and obviously I have something wrong because it is not working:
Get-ADObject -Server localhost:389 -filter 'displayname -like "*Portfolio*" -and cn -like "Portfolio*"' -searchbase 'CN=DMIN2013-LMS 101-02,CN=LMS 101,CN=LMS,CN=Academics,CN=Portal,O=Jenzabar,C=US' | foreach-object 'set-adobject -Server localhost:389 -identity $_ -displayname "testing"'
The ultimate goal is that I will have a csv file (which I will have gotten from an sql query from the sql server) containing a "number" column 01 to 50, a "lastname" column, and a "firstname" column, and I will change each page's display name to match ", " for each student, but I'm not at that point yet.
Thanks for any help you can offer.

Foreach-Object uses a script block and not a string, so use:
something | Foreach-Object {Do something with $_}

This might be due to the fact that $_ contains an object and not its DN. $_.DistinguishedName. Also what ojk says
Get-ADObject -Server localhost:389 -filter 'displayname -like "*Portfolio*" -and cn -like "Portfolio*"' -searchbase 'CN=DMIN2013-LMS 101-02,CN=LMS 101,CN=LMS,CN=Academics,CN=Portal,O=Jenzabar,C=US' | foreach-object {set-adobject -Server localhost:389 -identity $_.DistinguishedName -displayname "testing"}

Related

Powershell - How to get the GUID from a security group to assign acl

I might be missing something, but I am trying to get the GUID from a security group to assign some delegated permissions.
I have a basic code see below;
$guidmap = get-adgroup -Filter "name -like 'MyOU'" -Properties * | select objectguid
Write-host "Here is what you need: " $guidmap
Not sure why I can't seem to resolve the GUID on this.
The thing to remember is that Powershell is very much an object-based language. One of your best debugging tools will be the Get-Member cmdlet. In this case, it turns out that the output from Select-Object is still an object of type ADGroup (specifically, Selected.Microsoft.ActiveDirectory.Management.ADGroup), when what you want is apparently either a System.GUID or a System.String.
If you want a System.GUID, try
$GUIDMap = (Get-ADGroup -Filter "Name -like 'MyOU'" -Properties ObjectGUID).ObjectGUID
or if you want a System.String, use
$GUIDMap = (Get-ADGroup -Filter "Name -like 'MyOU'" -Properties ObjectGUID).ObjectGUID.GUID
(Incidentally, if you're retrieving the information for a single specific group, you don't need to use the -Filter parameter and expression; you can use -Identity instead - Get-ADGroup -Identity MyOU -Properties ObjectGUID...)

exporting AD users displayName for selected groups only - powershell

I am new to powershell so please excuse me if the answer is quite simple. I am trying to get user list sorted by selected AD groups and export that to table or csv at least. Due to the fact that:
Get-ADGroupMember -Identity "TestGroupName"
... gives me only user IDs for my AD, I used below:
Get-ADGroupMember -Identity "TestGroupName" | Get-ADObject -Properties displayName
This works perfectly but I do not want to type manually each group there so I decided to first export groups that I need which are beginning with "Test":
Get-ADGroup -Filter "name -like 'Test*'" |Select-Object Name | Export-csv -path \Groups.csv
Now I want to use information from Groups.csv to list all user displayName for groups listed in Groups.csv so I tried something like that:
Import-Csv -Path .\Groups.csv | Get-ADGroupMember ForEach($Name in $Groups) | Get-ADObject -Properties displayName | Export-csv -path \UsersByGroups.csv
unfortunately it does not work properly maybe because I still do not get exactly how to use ForEach
Can someone with more experience have a look and help?
Thanks!
Maciej
Just pipe the groups output by Get-ADGroup -Filter ... directly to Get-ADGroupMember:
Get-ADGroup -Filter "name -like 'Test*'" |Get-ADGroupMember |Get-ADObject -Properties displayName

Get-ADUser using old pre-Windows 2000 Logon name instead of CN

I'm trying to use Add-ADGroupMember cmdlet in PowerShell, but I've realized PS doesn't recognize the object if I use the CN, and it only seems to recognize the pre-Windows 2000 logon name.
That attribute had a character limitation of 20 characters, so some of our accounts have different CNs and Pre-Windows 2000 logon names.
My whole process is:
Step 1: Get a list of my users (this gives me the legacy pre-Windows 2000 logon names):
Get-ADUser -Filter {department –notlike “Field”} –SearchBase “OU=Accounts,OU=HQ,OU=Production,DC=MYDC,DC=MYDC1,DC=MYDC2” -Properties department | select name | Out-file C:\Users\Public\Users.txt
Step 2: Add those users to my security group:
$UserList = Get-Content "C:\Users\Public\Users.txt"
$GroupName = "MY-SEC-Group"
$Members = Get-ADGroupMember -Identity $GroupName -Recursive | Select -ExpandProperty SAMAccountName
ForEach ($user in $UserList)
{
If ($Members -contains $user)
{
Write-Host "$user is member of $GroupName"
}
Else
{
Write-Host "$user is not a member. Attempting to add now, run script again for verification"
Add-ADGroupMember -Identity $GroupName -Members $User
}
}
For all accounts where the legacy logon name and the CN are the exact same, there are no issues. But in situations where they are different, I get the error "Object not found"
Is there a better/more up-to-date cmdlet to use? Maybe one that relies on the CN instead of the legacy logon name? Or do I need to add in CN to all my scripts now?
Get-ADGroupMember returns objects that point to the concrete user in ActiveDirectory and contain different fields including distinguishedName, SamAccountName , SID, Name and so on. In your code you create a txt file with Names (not SamAccountName) but use SamAccountName in Get-ADGroupMember. So, you just compare names with SamAccountName values (that's incorrect).
Just replace
select name | Out-file C:\Users\Public\Users.txt
with
select SamAccountName | Out-file C:\Users\Public\Users.txt
SamAccountName (just as SID) is the unique attribute in AD -
https://blogs.technet.microsoft.com/389thoughts/2017/02/03/uniqueness-requirements-for-attributes-and-objects-in-active-directory/ so, you should use it in your code.

cmdlet to variable not being accepted

Should be a very simple script but having issues getting the output from the get-aduser to be recognized as a variable, among other things. I've tried every format of quotes and brackets I can think of but can't get a proper output. The script is just querying a specific user and exporting the AD groups to a folder named for their department, then into a text file using the name and title.
$usertocheck = Read-Host -Prompt 'Input user to check'
$depttoadd = Get-AdUser -Filter {samAccountName -eq "$usertocheck"} -Properties Department |
Select-Object -expand Department
New-Item -ItemType Directory -Force -Path "C:\Users\Public\Desktop\UserRecords\$depttoadd\"
Get-ADPrincipalGroupMembership $usertocheck | select name |
Out-File -FilePath "C:\Users\Public\Desktop\UserRecords\$($usertocheck)_$($titlelookup).txt"
Any hints would be appreciated.
It works for me, when I remove the quotes around $usertocheck in the below line ($usertocheck is a string already, so no need for quotes)
$depttoadd = Get-AdUser -Filter {samAccountName -eq $usertocheck} -Properties Department |
As a side note, you could also access the department property of the object returned by Get-AdUser like so
$depttoadd = $(Get-AdUser -Filter {samAccountName -eq $usertocheck} -Properties Department).Department
Acessing the properties of an object is from my experience the more reliable and cleaner way of getting the output you want, rather than using 'Select-Object'.
Hope this helps.

How to retrieve only enabled users from the Active Directory

I'm trying to retrieve only enabled users in the AD. When I run this code line it returns the error. I tried using a filter as well to filter only enabled users for the requested info but it returns ALL users from every domain instead of just the single id.
Get-ADUser : A positional parameter cannot be found that accepts argument 'enabled -eq 'true''.
This is my code that is throwing the error.
Get-ADGroupMember -Identity 'Animal Shop A' | Get-ADUser -Filter '*' | Get-ADUser Where "enabled -eq 'true'" | Get-ADUser -Properties ('Mail')
This one returns ALL users from every domain
Get-ADGroupMember -Identity 'Animal Shop A' | Get-ADUser -Filter "enabled -eq'true'" | Get-ADUser -Properties ('Mail')
Is my syntax wrong on both of them? If I just want to return values from say "Animal shop A" and then "Animal Shop B"
.. or a little bit shorter this way:
Get-ADUser -Filter 'enabled -eq $true' -Properties mail |
Select-Object -Property Name,samaccountname,mail
Besides this I would recommend to use a -SearchBase. That's less stressful for the AD. ;-)
Get-ADUser -Filter * -Properties mail | Where { $_.Enabled -eq $True} | Select Name,samaccountname,mail
That will get all enabled users in your target domain that are enabled and display the name, username, and mail properties
Important to know for both commands:
You must work with an elevated powershell process.
Otherwise the result may not be complete.
get-aduser -filter 'enabled -eq "true"' -ResultSetSize $Null
simply try below commands in powershell as administrator permission.
As a guide, the first part will filter users, second part filtered enabled users and last part will give you export of results.
Get-ADUser -Filter * -Property Enabled | Where-Object {$_.Enabled -like “false”} | Export-Csv -Path C:\eport.csv -Encoding ascii -NoTypeInformation
hope to be useful for you.