I am running into a strange issue when using Get-ADGroups and Get-ADGroupMembers
This line works correctly (no issues)
$searchFilter = "OU=Projects,DC=my,DC=lab"
Get-ADGroup -Filter * -Properties * -SearchBase $distinguishedName | Get-ADGroupMember | Where-Object {$_.objectClass -eq "user"} | Get-ADUser | ft Name, SamAccountName, Enabled
However this block does not work
$groups = Get-ADGroup -Filter * -Properties * -SearchBase $distinguishedName
foreach ($g in $groups) {
    Write-Host "Group:" $g.CN "(" $g.DistinguishedName ")"
    Get-ADGroupMember -Identity $g.DistinguishedName -Debug -Verbose | Where-Object {$_.objectClass -eq "user"} | Get-ADUser | ft Name, SamAccountName, Enabled
}
Returns the following exception
Microsoft.ActiveDirectory.Management.ADException: An operations error occurred ---> System.ServiceModel.FaultException`1[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADGroupMemberFault]: Active Directory returned an error processing the operation.
Anyone have any thoughts on why?
Your second one works for me. Double-check your $distinguishedName value that you are passing to -SearchBase.
I noticed that you define $searchFilter, but you never actually reference it. Is that a typo?
Ok so I am trying to use a variable to make up a where statement on a get-aduser command.
This is what I am trying to emulate which works:
get-aduser -filter * | where { $_.DistinguishedName -like "*Users,DC*" }
Note there are asterisks before and after the User,DC. Not showing for some reason.
So here is what I have in the script which returns nothing:
$SearchBase = (get-addomain).DistinguishedName
$DefaultUsersOU = "*OU=Users," + $SearchBase
get-aduser -Filter * -Properties lastLogonTimeStamp -Searchbase "$($SearchBase)" | where-object { $_.DistinguishedName -like $DefaultUsersOU }
Found a similar article on here, "Where object as variable", but if I apply that thinking to the DistinguishedName field it doesn't work either.
I have an issue with the following script:
get-aduser -filter * -searchbase "dc=domain,dc=global" -ResultSetSize $null | where-object {((get-aduser $_.samaccountname -properties memberof).memberof -ne "Mimecast Remote Access Exceptions")} | ForEach {add-adgroupmember -identity "Mimecast Internal Access" -member $_.samaccountname}
It is still adding all users but not filtering out users who are members of the remote access exceptions group. Any idea what I am doing wrong?
First of all, you don't need to perform Get-ADUser twice.
Then, the MemberOf user property is a collection, not a single string, so you need to use -notcontains instead of -ne
# get the DistinguishedName property of the group
$groupDN = (Get-ADGroup -Identity "Mimecast Remote Access Exceptions").DistinguishedName
Get-ADUser -Filter * -SearchBase "dc=domain,dc=global" -Properties MemberOf |
Where-Object {$_.MemberOf -notcontains $groupDN} |
ForEach-Object { Add-ADGroupMember -Identity "Mimecast Internal Access" -Members $_ }
Building on @Theo's Answer
.memberOf will return distinguished name strings. -notcontains won't work unless you change the left hand side to the DN. That might look something like:
$DN = 'CN=Mimecast Remote Access Exceptions,OU=SomeOU,DC=domain,DC=global'
Get-ADUser -Filter * -SearchBase "dc=domain,dc=global" -Properties MemberOf |
Where-Object {$_.MemberOf -notcontains $DN } |
# add to the target group from the question, not to the exceptions group held in $DN
ForEach-Object { Add-ADGroupMember -Identity "Mimecast Internal Access" -Members $_ }
Obviously correct $DN for your environment etc...
I have a list with AD groups in a CSV file: Input_ADGroup.csv
Column A looks like this:
I already have some code which lists all the users of the groups in the output.csv file; however, I am missing the AD group name. So it is unclear which users are members of which group.
$Manager = @{Name = "Manager"; Expression = {%{(Get-ADUser $_.Manager -Properties DisplayName).DisplayName}}}
$Manager_Location = @{Name = "Manager_Location"; Expression = {%{(Get-ADUser $_.Manager -Properties Office).Office}}}
$Fields = @(
Import-Csv -Path H:\Test\Input_ADGroup.csv |
ForEach-Object {
Get-ADGroup -Filter "CN -eq '$($_.CN)'" -Properties * -ErrorAction SilentlyContinue |
Get-ADGroupMember | Get-ADUser -properties * | Select $Fields
} | Export-Csv -Path H:\Test\Output_ADGroup.csv -NoTypeInformation
So is it possible to get a column which shows the "source-ADgroup"... or another format which breaks the list with the ADGroup name or something?
IMO my other suggested solution is more efficient, applying the same CN from the input:
$Data = ForEach($CN in (Import-Csv -Path H:\Test\Input_ADGroup.csv).CN) {
    Get-ADGroup -Filter "CN -eq '$CN'" -Properties CN -ErrorAction SilentlyContinue |
    Get-ADGroupMember | Get-ADUser -Properties * | Select-Object ($Fields+@{n="Group";e={$CN}})
}
$Data | Export-Csv -Path H:\Test\Output_ADGroup.csv -NoTypeInformation
As you already have AD group name in $_, you can add one more calculated property to your Select-Object by changing this:
Get-ADGroup -Filter "CN -eq '$($_.CN)'" -Properties * -ErrorAction SilentlyContinue |
Get-ADGroupMember | Get-ADUser -properties * | Select $Fields
to this (saving first group name to variable to not mix up with $_ used later in pipeline):
$GroupName = $_.CN
Get-ADGroup -Filter "CN -eq '$($_.CN)'" -Properties * -ErrorAction SilentlyContinue |
Get-ADGroupMember | Get-ADUser -properties * | Select ($Fields+@{n="Group";e={$GroupName}})
Credits to @LotPings and @Maikel for pointing out the issue with incorrect $_ usage in comments
NOTE: remember about brackets, otherwise you'd receive an error like:
Select-Object : A positional parameter cannot be found that accepts argument n="Group";e={$GroupName}
@Lotpings @robdy - Thanks for your input, I got it working so many thanks. See code below
Import-Csv -Path H:\Test\Input_ADGroup.csv |
ForEach-Object {
Get-ADGroup -Filter "CN -eq '$($_.CN)'" -Properties CN -PipelineVariable name -ErrorAction SilentlyContinue |
Get-ADGroupMember | Get-ADUser -properties * | Select ($Fields+@{n="Group";e={$name}})
} | Export-Csv -Path H:\Test\Output_ADGroup.csv -NoTypeInformation
One last note: The AD group gets displayed as CN=Groupname,OU=...OU=… etc
I couldn't get it to show just "Groupname" but this really is not an issue.
New to PowerShell and am having issues with Get-ADUser -Filter. I believe the issue has to do with the -Filter
$TC_TellerID_Array = @()
$TC_TellerID_Array = Import-Csv "C:\Designer.csv"
$ADUsersArray = @()
$ADUsersArray=get-aduser -filter * -Properties * | select Name, SamAccountName, extensionAttribute1, Enabled | where extensionAttribute1 -ne $null
Foreach ($User in $ADUsersArray)
{
    $TrimmedTeller = ($User.extensionAttribute1).Trim()
    Foreach ($TC_TellerID in $TC_TellerID_Array)
    {
        Get-ADUser -Filter "'$TrimmedTeller' -eq '$TC_TellerID.TellerID'" -Properties * | Select Name,SamAccountName,extensionAttribute1, Enabled
    }
}
Those single quotes are forcing a literal string. As @JosefZ pointed out. You would also want to pull your value of TellerID out using a SubExpression. Try changing your code to look like
Get-ADUser -Filter {$TrimmedTeller -eq $($TC_TellerID.TellerID)} -Properties * | Select Name,SamAccountName,extensionAttribute1, Enabled
I'm trying to stitch together two lines of PowerShell, but I just can't figure the syntax. There is a post that sounds like it might be what I need, but it isn't using -LDAPFilter.
To generate a list of AD users created in the last 100 days, I use
$now = ((Get-Date).AddDays(-100)).Date
$users = Get-ADUser -Filter {whenCreated -ge $now} -Searchbase "OU=staff,OU=SMUC_Users,DC=stmarys,DC=ac,DC=ie" |
Where-Object { $_.Enabled -eq 'True' }
And this code from "How to get ALL AD user groups (recursively) with Powershell or other tools?" does the next step, which is to find all the groups that a user is a member of:
$username = 'd.trump'
$dn = (Get-ADUser $username).DistinguishedName
Get-ADGroup -LDAPFilter ("(member:1.2.840.113556.1.4.1941:={0})" -f $dn) |
select -Expand Name
but I can't pipe the output of the first into the second to get an overall list.
Get-ADUser -Filter {whenCreated -ge $now} -Searchbase "OU=staff,OU=SMUC_Users,DC=stmarys,DC=ac,DC=ie" |
Where-Object { $_.Enabled -eq 'True' } |
Select-Object DistinguishedName |
Get-ADGroup -LDAPFilter ("(member:1.2.840.113556.1.4.1941:={0})" -f $_) |
select -expand Name
The error message is:
Get-ADGroup : The search filter cannot be recognized
I thought the second code snippet extracted the distinguished name and supplied it to the filter, and that is what I have tried to do in the pipeline.
You are missing ForEach-Object (alias %).
The following code should work:
Get-ADUser -Filter {whenCreated -ge $now} -SearchBase "OU=staff,OU=SMUC_Users,DC=stmarys,DC=ac,DC=ie" `
| Where-Object { $_.Enabled -eq 'True' } `
| %{Get-ADGroup -LDAPFilter ("(member:1.2.840.113556.1.4.1941:={0})" -f $_.DistinguishedName)} `
| Select-Object -ExpandProperty Name
If you want to output both user and group information you can expand the code like this:
Get-ADUser -Filter {whenCreated -ge $now} -SearchBase "OU=staff,OU=SMUC_Users,DC=stmarys,DC=ac,DC=ie" `
| Where-Object { $_.Enabled -eq 'True' } `
| %{$group = Get-ADGroup -LDAPFilter ("(member:1.2.840.113556.1.4.1941:={0})" -f $_.DistinguishedName);Write-Output $_.UserPrincipalName $group.Name}
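Added example, not part of the question or the answers above: the pipeline in this thread formats each DistinguishedName straight into -LDAPFilter, so a DN containing `\`, `*`, `(` or `)` (for example an escaped comma in `CN=Doe\, Jane`) changes or breaks the filter. The sketch below escapes the value per RFC 4515 before building the in-chain filter and returns one row per user/group pair. The function names and the sample DN are hypothetical; the search base is the one from the question.

```powershell
# Added example; function names and the sample DN are hypothetical.

function ConvertTo-LdapFilterValue {
    # Escape the RFC 4515 filter metacharacters \ * ( ) and NUL as \xx hex pairs
    # so the value is matched literally instead of being parsed as filter syntax.
    param([Parameter(Mandatory)][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    })
}

function Get-NestedGroupMembership {
    # Emits one object per (user, group) pair. Nested groups are resolved by the
    # matching rule 1.2.840.113556.1.4.1941 used in the answers above.
    param([Parameter(Mandatory, ValueFromPipeline)]$User)
    process {
        $dn = ConvertTo-LdapFilterValue -Value $User.DistinguishedName
        Get-ADGroup -LDAPFilter ('(member:1.2.840.113556.1.4.1941:={0})' -f $dn) |
            ForEach-Object {
                [pscustomobject]@{
                    User  = $User.SamAccountName
                    Group = $_.Name
                }
            }
    }
}

# Constructed DN with an escaped comma and parentheses, to show the escaping
# without touching a directory.
ConvertTo-LdapFilterValue -Value 'CN=Doe\, Jane (Contractor),OU=staff,DC=example,DC=test'

# Enabled users created in the last 100 days, with every group they belong to.
$now = (Get-Date).AddDays(-100).Date
Get-ADUser -Filter {whenCreated -ge $now} -SearchBase "OU=staff,OU=SMUC_Users,DC=stmarys,DC=ac,DC=ie" |
    Where-Object { $_.Enabled } |
    Get-NestedGroupMembership |
    Sort-Object User, Group
```

Because each row carries both the user and the group, the result can be piped to Export-Csv for a membership review of newly created accounts.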