Loop through multiple Active Directory Ou's in Powershell - powershell

How do you search multiple OUs in Active Directory? Say there are 4 OUs for different users, and you need to search only 3 of the 4.
Currently I am using the below to search one path; how would I expand that to search multiple OUs?
$OU='AD Path'
Get-ADUser -SearchBase $OU -Properties Lastlogondate -filter {lastlogondate -lt $DisableDays}

It looks like -searchbase takes <string>, so you would need to loop through OUs.
The following query would get users in each OU:
$OU=@('cn=users,dc=xyz,dc=com','ou=companyusers,dc=xyz,dc=com')
$ou | foreach { get-aduser -searchbase $_ ...}

Related

Powershell How to Get list of computers from two different OU's in the same script

I know how to get a list of computers in specific OUs using PowerShell, and I can use a like command to; however I am looking . How can I get a list of computers in two different OUs that start like COMP using PowerShell?
You could loop over the list of OUs and repeat the same query multiple times:
# fetch the target OUs
$OUs = Get-ADOrganizationalUnit -Filter "Name -like 'Comp*'"
# call Get-ADComputer once for each OU
$Computers = $OUs |ForEach-Object {
Get-ADComputer -Filter * -SearchBase $_.distinguishedName
}
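The two answers above (looping Get-ADUser over a fixed list of OU distinguished names, and looping Get-ADComputer over OUs returned by Get-ADOrganizationalUnit) are the same pattern, so here is one worked example that serves both. It is added here and is not code from either answer; it assumes the ActiveDirectory RSAT module, and every OU name, the domain dc=xyz,dc=com and the 90-day cutoff are constructed values. The function name Get-ADObjectsInOUs is hypothetical.

```powershell
# Added example, not from the original answers. Assumes the ActiveDirectory
# RSAT module; OU names, domain and cutoff below are constructed.
Import-Module ActiveDirectory

function Get-ADObjectsInOUs {
    [CmdletBinding()]
    param(
        # Distinguished names of the OUs to search (e.g. 3 of the 4 user OUs)
        [Parameter(Mandatory)] [string[]] $SearchBase,
        [ValidateSet('User', 'Computer')] [string] $ObjectType = 'User',
        # Server-side filter, passed through unchanged to the AD cmdlet
        [string] $Filter = '*',
        [string[]] $Properties = @(),
        [ValidateSet('Base', 'OneLevel', 'Subtree')] [string] $SearchScope = 'Subtree'
    )
    foreach ($ou in $SearchBase) {
        $common = @{
            Filter      = $Filter
            SearchBase  = $ou
            SearchScope = $SearchScope
            ErrorAction = 'Stop'
        }
        if ($Properties.Count -gt 0) { $common.Properties = $Properties }
        try {
            if ($ObjectType -eq 'User') { Get-ADUser @common }
            else                         { Get-ADComputer @common }
        }
        catch {
            # A mistyped or deleted OU must not silently shrink the result set:
            # an audit that quietly skips an OU is worse than one that fails loudly.
            Write-Warning "Search base '$ou' failed: $($_.Exception.Message)"
        }
    }
}

# 1) Users whose last logon is older than the cutoff, in three of four user OUs
$DisableDays = (Get-Date).AddDays(-90)          # constructed cutoff
$targetOUs = @(
    'ou=sales,ou=users,dc=xyz,dc=com',
    'ou=finance,ou=users,dc=xyz,dc=com',
    'ou=engineering,ou=users,dc=xyz,dc=com'
    # 'ou=service,ou=users,dc=xyz,dc=com' is the fourth OU, deliberately left out
)
$stale = Get-ADObjectsInOUs -SearchBase $targetOUs -ObjectType User `
    -Filter "LastLogonDate -lt '$DisableDays'" -Properties LastLogonDate
$stale | Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Sort-Object LastLogonDate

# 2) Computers named COMP* in two OUs looked up by name instead of hard-coded
$computerOUs = Get-ADOrganizationalUnit -Filter "Name -eq 'Workstations' -or Name -eq 'Laptops'" |
    Select-Object -ExpandProperty DistinguishedName
Get-ADObjectsInOUs -SearchBase $computerOUs -ObjectType Computer -Filter "Name -like 'COMP*'" |
    Select-Object Name, DistinguishedName
```

Splatting one hashtable keeps the per-OU call identical whichever cmdlet is used, and -ErrorAction Stop turns a bad search base into a caught exception rather than an empty, misleading result. Note that LastLogonDate is a computed, per-domain-controller value, so a stale-account review should be run against the DC that holds the most recent logon data or should be cross-checked before anything is disabled.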

How to check if a user is in a OU in Powershell

I'm trying to know if a specific user is member of a specific OU.
Use the -SearchBase parameter with the Get-ADUser cmdlet from the ActiveDirectory RSAT module to narrow your query to a specific subtree:
$ADUser = Get-ADUser -Filter "SamAccountName -eq 'lmontoya'" -SearchBase "OU=TargetOU,DC=domain,DC=tld"
Beware that it defaults to a recursive subtree search, so if you need to test whether the user is present directly under that OU (as opposed to just somewhere under the OU), you need to specify a -SearchScope as well:
$ADUser = Get-ADUser -Filter "SamAccountName -eq 'lmontoya'" -SearchBase "OU=TargetOU,DC=domain,DC=tld" -SearchScope OneLevel
If the user isn't found with the specified criteria, $ADUser will be empty.
The SearchBase/SearchScope parameters work with all the query cmdlets in the module, so you can use the same approach for computers or OUs or whatever else you need to find in a specific container:
# Query all the computer account objects residing at "OU=TargetOU,DC=domain,DC=tld"
Get-ADComputer -Filter * -SearchBase "OU=TargetOU,DC=domain,DC=tld" -SearchScope OneLevel
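A wrapper around the -SearchBase/-SearchScope query from the answer above, added here as an example (not the answer's own code). It assumes the ActiveDirectory module, the sample account lmontoya and OU=TargetOU,DC=domain,DC=tld from the answer, and a hypothetical function name Test-ADUserInOU. Besides answering "is the user under this OU", it distinguishes an account that exists elsewhere from one that does not exist at all, which is the usual follow-up question.

```powershell
# Added example, not from the original answer. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-ADUserInOU {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Distinguished name of the OU to test against
        [Parameter(Mandatory)] [string] $OU,
        # Only accept objects that sit directly in $OU (OneLevel) rather than anywhere below it
        [switch] $DirectChildOnly
    )
    # The name is interpolated into a filter string, so refuse anything that is not
    # a plain account name instead of trying to quote arbitrary characters.
    if ($SamAccountName -notmatch '^[\w.\-]+$') {
        throw "SamAccountName '$SamAccountName' contains unexpected characters"
    }
    $scope = if ($DirectChildOnly) { 'OneLevel' } else { 'Subtree' }

    $hit = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" `
        -SearchBase $OU -SearchScope $scope -ErrorAction Stop
    if ($hit) {
        return [pscustomobject]@{
            InOU              = $true
            Scope             = $scope
            DistinguishedName = $hit.DistinguishedName
        }
    }

    # Not found under $OU with that scope: report whether the account exists at all,
    # so the caller can tell "wrong OU" from "no such account".
    $elsewhere = Get-ADUser -Identity $SamAccountName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        InOU              = $false
        Scope             = $scope
        DistinguishedName = if ($elsewhere) { $elsewhere.DistinguishedName } else { $null }
    }
}

# Constructed calls using the names from the answer
Test-ADUserInOU -SamAccountName 'lmontoya' -OU 'OU=TargetOU,DC=domain,DC=tld'
Test-ADUserInOU -SamAccountName 'lmontoya' -OU 'OU=TargetOU,DC=domain,DC=tld' -DirectChildOnly
```

The -ErrorAction Stop on the scoped query matters: an invalid or inaccessible search base otherwise produces a non-terminating error and an empty result, which would be reported as "user not in OU" when the real answer is "the query failed".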

Users in ADGroup with direct reports

I want a list of users in ATL Users that have direct reports.
Part 1: Group Membership
I can get the users in a group.
Get-ADGroupMember "ATL Users" | Where objectClass -eq "user"
Part 2: Filter for Direct Reports
I can get a list of users with direct reports, but very slowly (scans entire tree).
Get-ADUser -Filter "DirectReports -like '*'"
Question
How can I get the list of users in ATL Users then -Filter those users by if they have direct reports?
This is readily done with an LDAP filter using memberOf. If this is a one-off query and you know the group's distinguished name (cn=ATL Users,ou=groups,dc=domain,dc=gTLD in this example), you can use:
get-aduser -LDAPFilter "(&(memberOf=cn=ATL Users,ou=groups,dc=domain,dc=gTLD)(directReports=*)(objectClass=user))"
If you will be running this query repeatedly, it would be best to get the group object from a search so directory restructuring won't break your query.
PS> $groupFQDN = (get-adgroup -identity "ATL Users").distinguishedName
PS> $groupFQDN
CN=ATL Users,OU=NewGroupsOU,DC=company,DC=gTLD
PS> get-aduser -LDAPFilter "(&(memberOf=$groupFQDN)(directReports=*)(objectClass=user))"
You can just pipe a foreach into Get-ADUser -filter after Get-ADGroupMember
Example:
Get-ADGroupMember "ATL Users" | Where-Object {$_.ObjectClass -eq "user"} | foreach {Get-ADUser $_.samaccountname -properties Name, DirectReports | Where-Object {$_.DirectReports -like "*"} |Select Name, DirectReports}
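The LDAP-filter answer above builds its filter by interpolating the group's distinguished name into the string. That is safe for a DN that comes straight from AD, but a DN (or any other value) containing parentheses, asterisks or backslashes will break or, worse, silently widen the filter unless it is escaped per RFC 4515. The following is an added example, not code from either answer: it escapes the interpolated value, resolves the group at run time as the first answer recommends, and keeps the memberOf/directReports/objectClass filter from the answer. It assumes the ActiveDirectory module and the group name "ATL Users" from the question; the function names are hypothetical.

```powershell
# Added example, not from the original answers. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value placed inside an LDAP filter assertion.
    param([Parameter(Mandatory)] [string] $Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Get-ADGroupMembersWithDirectReports {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [string[]] $Properties = @('DirectReports')
    )
    # Resolve the DN at run time so a moved or renamed group does not break the query
    $groupDN = (Get-ADGroup -Identity $GroupName -ErrorAction Stop).DistinguishedName
    $escaped = ConvertTo-LdapFilterValue -Value $groupDN
    # Same three clauses as the answer: member of the group, has reports, is a user
    $ldap = "(&(objectClass=user)(memberOf=$escaped)(directReports=*))"
    Get-ADUser -LDAPFilter $ldap -Properties $Properties
}

# A constructed DN with characters that are special in a filter, to show the escaping:
ConvertTo-LdapFilterValue 'CN=ATL Users (Atlanta),OU=Groups,DC=company,DC=gTLD'
# -> CN=ATL Users \28Atlanta\29,OU=Groups,DC=company,DC=gTLD

Get-ADGroupMembersWithDirectReports -GroupName 'ATL Users' |
    Select-Object Name, SamAccountName, @{ n = 'ReportCount'; e = { @($_.DirectReports).Count } }
```

Two caveats carried over from how memberOf works: it is not populated for a user's primary group (by default Domain Users), so members whose only link to the group is the primary group attribute are not returned, and it does not expand nested groups, so users who are members through a child group are not returned either. Get-ADGroupMember -Recursive, as in the second answer, is the route when nested membership is required.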

Powershell AD user search by name and OU

I received a task in my studies to create a command that will find specific users in a specific OU in Active Directory.
More precisely, find all persons whose name is A* and who are located in OU *es.
After hours of researching I created such commands:
For finding all A* users:
Get-ADUser -filter {name -like "A*"}
For finding all *es OU
Get-ADObject -filter {OU -like "*es"}
And I have no idea how to connect those outputs.
I was thinking about such resolutions, but they don't work for me.
$var = Get-ADObject -filter {OU -like "*es"} | Select DistinguishedName
Get-ADUser -filter {name -like "A*"} -SearchBase $var
Or
Get-ADUser -filter {name -like "A*" -and OU -like "*es"}
I'm lost, please advise.
You could first use the server filter to get all A* users and then filter the OU on the client using the Where-Object cmdlet:
Get-ADUser -filter {Name -like 'A*'} | Where-Object DistinguishedName -like '*OU=*es*'
If you know all the OUs you want to filter, consider using the -SearchBase parameter. More information here.
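The client-side wildcard in the answer above matches the substring "es" anywhere after any "OU=" in the whole distinguished name, so it also returns users in, for example, OU=Test Users or under an ancestor OU that happens to end in "es". Where the assignment means "the OU the user sits in is named *es", a stricter check parses the DN into its RDNs and compares the OU name alone. This is an added example, not the answer's own code; it assumes the ActiveDirectory module, constructed DNs under DC=example,DC=com, and hypothetical function names.

```powershell
# Added example, not from the original answer. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DNParentName {
    # Return the name of the OU or container the object sits in directly.
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    # Split on commas that are not escaped (CN=Doe\, Jane,OU=... has an escaped comma)
    $rdns = $DistinguishedName -split '(?<!\\),'
    # Skip the object's own RDN; the next OU= or CN= component is its parent
    foreach ($rdn in ($rdns | Select-Object -Skip 1)) {
        if ($rdn -match '^(OU|CN)=(.+)$') {
            # Remove DN escaping (\, \= \+ ...) from the returned name
            return $Matches[2] -replace '\\(.)', '$1'
        }
    }
    return $null
}

function Get-DNOUNames {
    # All OU names on the path from the object up to the domain, nearest first.
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    ($DistinguishedName -split '(?<!\\),') |
        Where-Object { $_ -match '^OU=' } |
        ForEach-Object { $_.Substring(3) -replace '\\(.)', '$1' }
}

function Find-ADUsersByNameAndOU {
    param(
        [string] $NamePattern = 'A*',
        [string] $OUPattern   = '*es',
        # Match any OU on the path instead of only the immediate parent
        [switch] $AnyAncestor
    )
    # Name filter runs on the server; the OU name check runs on the client
    Get-ADUser -Filter "Name -like '$NamePattern'" | Where-Object {
        if ($AnyAncestor) {
            @(Get-DNOUNames $_.DistinguishedName | Where-Object { $_ -like $OUPattern }).Count -gt 0
        }
        else {
            (Get-DNParentName $_.DistinguishedName) -like $OUPattern
        }
    }
}

# Constructed DNs showing what the parser returns and where the plain wildcard differs
Get-DNParentName 'CN=Adam Smith,OU=Sales,OU=Users,DC=example,DC=com'  # Sales      -> matches *es
Get-DNParentName 'CN=Doe\, Jane,OU=Test Users,DC=example,DC=com'       # Test Users -> does not match *es,
                                                                        # although the DN matches '*OU=*es*'
Find-ADUsersByNameAndOU -NamePattern 'A*' -OUPattern '*es'
```

Because DN parsing happens after the objects have been fetched, this still pulls every A* user from the domain; if the list of candidate *es OUs is known, Get-ADOrganizationalUnit -Filter "Name -like '*es'" and a per-OU -SearchBase query (as the answer's last line suggests) keeps the work on the server.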

Get computers list from certain OU in active directory?

I am using the powershell command below to get a list of computers that haven't been logged into in the past 60 days. This is returning all OU computers. Is it possible to change the line below to return from a certain OU?
Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $then} | FT Name,lastLogonDate
From the online help page, try using the -SearchBase parameter:
C:\PS>Get-ADComputer -LDAPFilter "(name=*laptop*)" -SearchBase "CN=Computers,DC=Fabrikam,DC=com"