I'm trying to create a script that queries Active Directory for a group named $server-Administrators, checks whether the group is in local admins, and if not, adds the group to local admins. I know that Get-ADGroup allows you to easily check whether there is an administrator group, however I'm not sure how to add an entire group to AD. I'm aware of Add-ADGroupMember, however I don't think that is the cmdlet that would let me add an entire group to Active Directory.
$serverName = hostname
$query = Get-ADGroup -Filter "Name -eq '$serverName-Administrators'"
if (-not $query) {
    # add group to local admins
}
Does anyone know of a way to add an entire group?
Since it doesn't look like you're trying to work through a problem (you don't really show any attempts to solve the issue yourself, and only have pseudo-code shown), I'll just give reference to what will solve the question without doing much real work myself.
I flexed my Google muscles and searched for 'powershell local administrators group' and the 6th result showed me the answer to your question (second thing I clicked on, because I can't help but read the Hey Scripting Guy! site first).
Use Jaap Brasser's script from the TechNet Script Gallery. The work has already been done, there's no need for you to re-invent the wheel here. Save that script, then run it as described in the in-script help.
.\Get-Set-ADAccountasLocalAdministrator.ps1 -Computer 'Server01,Server02' -Trustee YourDomain\Server-Administrators
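The check-then-add logic the question describes, as an added example (not Jaap Brasser's script and not the original post's code). It assumes the ActiveDirectory RSAT module and PowerShell 5.1 or later (for Get-LocalGroupMember and Add-LocalGroupMember), run elevated on the server itself:

```powershell
# Ensure the per-server AD group "<COMPUTERNAME>-Administrators" exists in AD and is a
# member of the local Administrators group. Added example; assumes RSAT ActiveDirectory
# module and the Microsoft.PowerShell.LocalAccounts cmdlets (PowerShell 5.1+).
Import-Module ActiveDirectory

$groupName = "$env:COMPUTERNAME-Administrators"

# 1. Confirm the group exists in AD. -Filter returns nothing instead of throwing when
#    there is no match, which keeps the script usable unattended.
$adGroup = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $adGroup) {
    Write-Warning "AD group '$groupName' not found; nothing to add."
    return
}

# 2. Check local Administrators membership by SID rather than by display name, so a
#    renamed group or a stale 'DOMAIN\name' entry cannot fool the check.
$isMember = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.SID.Value -eq $adGroup.SID.Value }

# 3. Add the group only when it is missing. The NetBIOS domain name is read from AD so
#    nothing has to be hard-coded per domain.
if ($isMember) {
    Write-Output "'$groupName' is already a member of local Administrators."
} else {
    $netbios = (Get-ADDomain).NetBIOSName
    Add-LocalGroupMember -Group 'Administrators' -Member "$netbios\$groupName"
    Write-Output "Added '$netbios\$groupName' ($($adGroup.SID.Value)) to local Administrators."
}
```

Run it once per server (for example as a startup script); the SID comparison makes it safe to re-run, since it never adds a duplicate entry.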
Related
I have synced an extension "departmentnumber" to Azure AD.
I can see the output in ms graph, when i do the following: https://graph.microsoft.com/v1.0/users/*************************?$select=extension_450c0e26a8a440748e1e4f*******_departmentNumber
The problem is, that I can not see it in powershell. There is only a blank field as you can see here:
As I understood it, there should be another row with this output: extension_450c0e26a8a440748e1e4f*******_departmentNumber
Where is my mistake?
Purpose: I want to get an export where every user is listed with the assigned licences and the departmentnumber, which will get added in on-prem AD. If anyone has a better solution - please tell me.
Thx for your help guys!! :)
In my environment, someone renamed the "Group name" of an active directory global security group. (I refer here to the attribute sAMAccountName, not the display name)
I'd like to know who did so and I can't manage to get it done by PowerShell using Get-WinEvent. I don't know if some of you already managed to get it done, but on my side I struggle to identify the condition required to do so.
Any idea is welcome!
Thanks in advance :)
I tried many options, like checking add/remove permissions of users to other users' mailboxes, but it's not working.
I executed below command in my Exchange Management Shell :
Set-Mailbox 'mailboxname' -GrantSendOnBehalfTo @{ Remove="john@ncbb.com","kim@fghgh.com" }
error: the command completed successfully but no settings of 'mailboxname' have been modified.
The error that you have listed isn't really an error, it's more of a warning. It's not telling you that it can't do something, it's just saying the parameters you provided don't exist.
I recently wrote a script that had the same issue, and I just had to mess around with it. Mine ended up needing the sAMAccountName instead of email or surname/givenname. In other words, instead of using 'test.account@abc.com', it wanted TAccount, which was the username.
It may help to dig into your AD, or install an LDAP browser or AD Explorer to see what your organization names things. When I did this, I found out that half of the things I was calling in my scripts by name were completely incorrect just because of the naming convention.
Right now I have a pushbutton tool, which is basically a fancy GUI that calls the DSMOVE command.
Is it possible to change a workstation account to another OU (in powershell natively) without actually having the AD tools for powershell installed? I do have the syntax to be able to see what OU I am in, but I can't find a way to change it. I'd like to cut out the DSMOVE executable.
The next question would be, how do I?
Without any tools (or error checking, or anything similar):
$User = [adsi]'LDAP://CN=BielawB,CN=Users,DC=monad,DC=ps1'
$User.MoveTo('LDAP://OU=Destination,DC=monad,DC=ps1')
Obviously, it would be wise to wrap it in some function and add some checking/ error handling.
I've used a user object, but it's no different for any other AD object...
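The "wrap it in a function with some checking" step, as an added example that is not part of the original answer. It uses only System.DirectoryServices (no AD module, no DSMOVE), finds the workstation by sAMAccountName, verifies the destination OU exists, and skips the move when the object is already there. The function name and the sample OU are assumptions:

```powershell
function Move-ADComputerByAdsi {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$TargetOU     # e.g. 'OU=Destination,DC=monad,DC=ps1'
    )
    # Locate the computer object by sAMAccountName (computer accounts end with '$').
    # Assumes $ComputerName contains no LDAP filter metacharacters.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer account '$ComputerName' was not found in AD." }
    $computer  = $result.GetDirectoryEntry()
    $currentDN = [string]$computer.distinguishedName

    # Refuse to move into an OU that does not exist; MoveTo would otherwise fail with a
    # far less helpful COM error.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$TargetOU")) {
        throw "Target OU '$TargetOU' does not exist."
    }

    # Skip the move when the object already lives there. The parent DN is everything after
    # the first comma, which is safe because computer CNs cannot contain commas.
    $parentDN = $currentDN.Substring($currentDN.IndexOf(',') + 1)
    if ($parentDN -ieq $TargetOU) {
        Write-Verbose "$ComputerName is already in $TargetOU; nothing to do."
        return $currentDN
    }

    # Same call as the answer above, just bound to a DirectoryEntry for the new parent.
    $target = [adsi]"LDAP://$TargetOU"
    $computer.PSBase.MoveTo($target)

    # Re-read the entry and return its new distinguishedName so the caller can verify.
    $computer.PSBase.RefreshCache()
    return [string]$computer.distinguishedName
}

# Usage (sample names, not real objects):
# Move-ADComputerByAdsi -ComputerName 'WS001' -TargetOU 'OU=Destination,DC=monad,DC=ps1' -Verbose
```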
I'm writing a GUI tool using PowerShell that is able to do most AD related tasks with just a user name and button click. I've done all the usual ones (Create / Remove Users, Create / Remove Security & Distribution Groups, Resetting Passwords, etc) but can't find a way of unlocking a "Locked Out" account.
I'm trying to do this without using Quest AD cmdlets as I want a more stand alone solution. So I'm wondering whether it is possible with plain PowerShell (1.0 or 2.0) in a Windows 2003 Domain.
Many thanks.
Set the lockoutTime property of the DirectoryEntry to 0.
Sample:
$x = [ADSI]'LDAP://SomeDN'   # bind to the account's distinguished name
$x.lockoutTime = 0            # a zero lockoutTime unlocks the account
$x.CommitChanges()            # write the change back to AD
$x.Close()
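Building on the lockoutTime write above, an added example (not from the original answer) that first lists locked accounts with a plain DirectorySearcher, then unlocks one by DN and re-queries to confirm the write took effect. Only System.DirectoryServices is used, so it works without Quest or the ActiveDirectory module; the function names and the sample DN are assumptions:

```powershell
function Get-LockedOutAccount {
    # lockoutTime is a 64-bit FILETIME; non-zero means a DC recorded a lockout.
    # Caveat: AD does not reset it when the lockout window expires, so compare LockedAt
    # against the domain's lockout duration if you need "currently locked".
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))'
    $searcher.PageSize = 1000   # paged search so more than 1000 hits are returned
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName', 'lockoutTime'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName    = [string]$r.Properties['samaccountname'][0]
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            LockedAt          = [datetime]::FromFileTimeUtc([int64]$r.Properties['lockouttime'][0])
        }
    }
}

function Unlock-AccountByDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $entry = [adsi]"LDAP://$DistinguishedName"
    $entry.lockoutTime = 0      # same write as in the answer above
    $entry.CommitChanges()

    # Verify: a base-scope search on the object must no longer match lockoutTime>=1.
    $check = New-Object System.DirectoryServices.DirectorySearcher($entry, '(lockoutTime>=1)')
    $check.SearchScope = 'Base'
    return ($null -eq $check.FindOne())   # $true when the unlock took effect
}

# Usage: review first, then unlock a specific account (sample DN, not a real object).
Get-LockedOutAccount | Format-Table SamAccountName, LockedAt, DistinguishedName
# Unlock-AccountByDN -DistinguishedName 'CN=SomeUser,OU=Users,DC=example,DC=com'
```

Listing before unlocking matters from an operations standpoint: a burst of lockouts across many accounts usually points to a misconfigured service or a password-guessing attempt, which is worth investigating before clearing the flags.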
Been out of the AD world for a few years. I haven't worked with PowerShell at all but does the link below offer what you're looking for?
http://dmitrysotnikov.wordpress.com/2007/08/14/enable-disable-unlock-user-accounts/