I am trying to find out if there is a cmd that will create a new user in AD but able to pull in the AD services folder from another person that already exists i.e. managers groups or member of.
Look into the Get-ADUser and Set-ADUser cmdlets, provided by the MS ActiveDirectory module.
(If installed, you can add it to the powershell session with: import-module activedirectory)
Once you have it loaded, you can get the AD User you wish to 'copy', look for their "MemberOf" attribute and note them, then you can user Add-ADGroupMember for each of those groups.
Microsoft has good references here: http://technet.microsoft.com/en-us/library/ee617195.aspx
Related
I want to be able to set an email forward in Exchange Powershell O365
I'm trying
Set-Mailbox -Identity emailaddress -DeliverToMailboxAndForward $true -ForwardingSMTPAddress forwardingaddress
but getting
A parameter cannot be found that matches parameter name
'DeliverToMailboxAndForward'.
Do I need to load a snap-in? I can't find any help about this.
You forgot your $'s my friend
Set-Mailbox -Identity $emailaddress -DeliverToMailboxAndForward $true -ForwardingSMTPAddress $forwardingaddress
Also something to look out for when using Exchange Online PSSession (and maybe regular Exchange PSSession) is that it uses the JEA functionality of PowerShell. JEA is Just Enough Administration it actually looks at what roles the account used to connect to the PowerShell Session has and it ONLY gives you the commands that account has the roles to do. I'm not sure if it goes to the level of removing parameters from functions you only have partial access to do. For the missing Cmdlet part though I ran into this while beating my head against the wall writing a batch migration utility come to find out SysAdmin never gave me the permission to do batch migration. As soon as They gave me the permission and I imported the PSSession again BAM Cmdlet was there.
Hope that helps.
folks,
my Active Directory accounts with admin privileges all start with the same characters: "ad" followed by a dot and the name of the admin. Example: "ad.tim".
I would like to have admin accounts (every account beginning with "ad.") automatically deleted (profiles and user data) by the Windows clients and would like to distribute a Powershell script to my clients (better ideas are welcome).
I'm not very familiar with Powershell nor Scripting, but I allready figured out (thanks, Google) how to list all Accounts:
Get-WMIObject -Class Win32_UserProfile | select LocalPath
Now I'd have to filter (-like ad.*) and delete, but I'm not sure how or where to install it. It would be great if someone could give me some information so that I can better understand it and reach my goal!
I want to check whether a given Active Directory user (specified by username and domain) has read/(write) permissions on a given folder. And this unrelated to having them granted directly by user name or indirectly by some group membership. However I've been googling like 5 hours by now to no avail.
I understand, that Get-Acl Cmdlet is used to read folder permissions. Most likely the user is member of some group, that indirectly grants it permissions.
So my idea was to just match the output of
(Get-Acl <Folder>).Access | ft
against the group membership of the user.
I collect the group Information using the command
Get-ADPrincipalGroupMembership "<Username>" | select name
but found out, that this features an entirely different set of group names. I assumed, that the groups outputted by Get-Acl are local ones, while the other ones were AD-sided groups.
I found the command whoami /groups, that prints all groups, but only for the currently logged in user.
After quite some additional time I figured out the command (based on .NET):
(New-Object Security.Principal.WindowsIdentity -ArgumentList #(,"<User#fullDomain.com>")).Claims | select Value
This however just prints SIDs, while
(Get-Acl <Folder>).Access | ft
displays some human friendly output like "NT SERVICE\TrustedInstaller" and such.
I believe I'm pretty close, but I just can't get it to work.
On another note: Does this really have to be that complicated?
Other solutions I found only work based on direct user permissions but do not check group permissions.
Oh and one thing: Everything has to run on PowerShell 4.0 on Windows Server 2012 R2 and the PowerShell script will be running locally. No NuGet packages or anything requiring an Internet connection are allowed.
I am trying to write a powershell script to add and remove members from a distribution list which is present in the active directory.I tried a command for adding members to the distribution list which is like:
ADD-DistributionGroupmember -identity "staff" -member "johnevans#contoso.com"
but when i try to execute this command i get an error saying that add-distributiongroupmember is an invalid command.
so,can anyone provide me a powershell script to add and remove members from the distribution list which is present in the active directory.
Add-DistributionGroupMember is an Exchange cmdlet, and requires the Exchange management snapin, or a remote Exchange management session.
You can accomplish the same thing using the ActiveDirectory module and Add-ADGroupMember, but you won't be able to use the user's email address as the member identity to add. Exchange will work with that as an identity reference, but the native AD cmdlets won't.
You need Exchange Powershell module: http://blogs.technet.com/b/heyscriptingguy/archive/2012/01/23/learn-how-to-use-powershell-to-run-exchange-server-commands-remotely.aspx
If you want to do it without the Exchange cmdlets, this works I tested it:
$groupIdentity = "My Group"
$userEmailAddress = "johnevans#contoso.com"
Add-ADGroupMember -Identity $groupIdentity -Member (Get-ADUser -Filter {mail -eq $userEmailAddress})
I am writing a simple script to copy AD group membership from one user to the other. I am doing it using the ActiveDirectory module only.
The script looks like it would work and does work up until I try to ad the groups to the user.
Code:
import-module ActiveDirectory
$templateUser = get-ADUser user1
$targetUser = getADUser user2
$groups =get-adprincipalgroupmembership $templateUser
$groups2 = get-ADPrincipalGroupMembership $targetUser
foreach($group in $groups) {
add-adGroupMember $group $targetUser
}
Error:
Add-ADGroupMember : insufficient access rights to performt the operation
At line:9 char:18
+ FullyQualifiedErrorID : Insufficient access rights to perform the operation,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
Notes/Thoughts:
I am logged in as a normal user, but I ran the powershell as a different user (my admin account). I am not a local admin, but I am an admin on the domain. I am able to add the user to groups if I launch the AD Tools and do it manually (I have permissions to add to those groups).
Edit:
Run the powershell as admin.
Run powershell as administrator.
I hit this today in Server 2012. I was running the powershell as Administrator, I was a domain admin, I was a local admin, I was every kind of admin I could find.
I "fixed" it by using the Active Directory Users and Computers tool, adding myself as the Manager of the AD groups I was trying to add users to, and ticked the box to allow the manager to change membership. I could then run AD-AddGroupMember happily.
I ran into this problem as well using Powershell remoting to connect to a domain controller.
In my case it turned out Include inheritable permissions from this object's parent was turned off for the specific object I couldn't change.
I ran into this issue today where an automated system was using powershell scripts for various things.... It turned out to be executionpolicy.
We were running our script with the ExecutionPolicy Bypass flag, and even running the command directly in powershell outside of a script wouldn't work, but once we set executionpolicy to unrestricted, everything magically worked.
For us we were able to create security groups even, but not add users to groups via powershell, even though we could make the same changes in ADUC.