I Am trying to get a csv of computers that are in a security group "Security Group A" and then filter based on LastlogonTimestamp so that any computers that haven't logged on for 60 days will not be in the result. I have tried a few different ways but i am not having any luck.
I was wondering if anybody can assist.
Currently I have tried
`$lastlogon = (get-date).adddays(-60).ToFileTime()
Get-ADGroupmember "Security Group A" | Select Name
I am not sure how I can pipe this out from here. I have tried using a variable of $comp but i get an error about not being an ad object but rather a system object.
The other option is
$lastlogon = (get-date).adddays(-60).ToFileTime()
Get-ADGroup "Security Group A" -properties members | %{$_.members} | %{get-adcomputer $_ |select name | out-file C:\temp\output.csv
With the last one i have tried to add
-filter {Lastlogontimestamp -gt $lastlogon}
after the $_ and before but that seems to return an empty CSV (i know there are results).
I am doing something wrong...any ideas?
Thanks
Try this
[DateTime]$lastlogon = (get-date).adddays(-60).ToFileTime()
$Computers = Get-ADGroupmember "Security Group A" | Select-Object Name,#{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}}
$Computers | where {$_.lastLogonTimestamp -gt $lastlogon} | select name | out-file C:\temp\output.csv -Force
Tested with a Distribution Group, but should also work in a security group
Related
It has been many moons since I have last done this and I am having problems exporting some commands to CSV. The biggest one that is getting me right now is
$ADGroupList = Get-ADGroup -Filter * -property * | Select Name -ExpandProperty Name | Sort
ForEach($Group in $ADGroupList)
{
Write-Host "Group: "$Group.Name
Get-ADGroupMember -Identity $Group | Select Name -ExpandProperty Name | Sort
Write-Host ""
}
Export-Csv -path "c:\Temp\test675.csv"
Works fine with out trying to export but the second I try to export the command will run and either generate a blank file or no file at all.
I am able to run other commands with out a issue exporting them to csv. Thanks for any help in advance.
Tim,
From what I can see you're not giving Export-Csv anything to write. Try this:
$ADGroupList = Get-ADGroup -Filter * -property * | Select Name -ExpandProperty Name | Sort
ForEach($Group in $ADGroupList)
{
Write-Host "Group: "$Group.Name
Get-ADGroupMember -Identity $Group |
Select Name -ExpandProperty Name |
Sort |
Export-Csv -path "c:\Temp\test675.csv"
Write-Host ""
}
I'd test this but I don't have access to ActiveDirectory.
Also the Write-Hosts you probably don't want in the .csv file as they won't play well with the format, headers & columns.
HTH
I am hoping someone can help me here. I was able, thanks to help of Google, find a PowerShell script online that displayed all empty DLs in our environment since we are trying to do a cleanup. Here is that script:
Get-DistributionGroup -ResultSize Unlimited |? {!(Get-DistributionGroupMember $_.PrimarySMTPAddress).Count} | select DisplayName,PrimarySMTPAddress | Export-Csv DLsToRemove3.csv
I added an Export-Csv to it in order to get the list into a file. I started looking through the list and noticed that some of the DLs listed actually have one member in them. At this point I tried to run another script against my CSV file to get a list of any if the DLs with one member in it and the that one member. Here is that script:
Import-Csv "C:\Users\177626\DLsToRemove3.csv" | foreach {$Group=$_.PrimarySmtpAddress; Get-DistributionGroupMember -Identity $Group | select #{Name="Group";Expression={$Group}}, DisplayName | Export-Csv Members.csv -NoType}
When I ran that, there was no information at all populating in my CSV. I am looking for help with either being able to add the second step to the first step and combine both scripts into one or at least being able to get the second script to work to view the DLs with that one member in them.
Thanks!
This never failed me to get the empty DL's
$emptyGroups = foreach ($grp in Get-DistributionGroup -ResultSize Unlimited) {
if (#(Get-DistributionGroupMember –Identity $grp.DistinguishedName -ResultSize Unlimited).Count –eq 0 ) {
[PsCustomObject]#{
DisplayName = $grp.DisplayName
PrimarySMTPAddress = $grp.PrimarySMTPAddress
DistinguishedName = $grp.DistinguishedName
}
}
}
$emptyGroups | Export-Csv 'C:\Users\177626\DLsToRemove4.csv' -NoTypeInformation
The #() forces the Get-DistributionGroupMember results into an array to get an accurat .Count property
Try this instead.
Get-DistributionGroup -ResultSize Unlimited | ? { (Get-DistributionGroupMember $_.PrimarySMTPAddress | Measure-Object).Count -eq 0 } | select DisplayName,PrimarySMTPAddress | Export-Csv DLsToRemove3.csv
Measure-Object is more reliable when counting objects in an array.
There's the attribute msExchGroupMemberCount which is maintained by Exchange, so a quicker way is to filter on that attribute using get-adgroup.
get-adgroup -Filter "msExchGroupMemberCount -eq 0" -Properties DisplayName,mail | select DisplayName,mail
I'm working on a script that takes all the users in the AD and getting four specifics.
saMAccountName
Displayname
Comment
Specific group name (Group A)
Below is the code that I have now. It works, but it gives me all the groups, I only need one specific group (Group A) to be listed.
If the user is not a member of this group, the user must be listed in the export but without the listing of the group
Get-ADGroup -Filter {name -like "Domain Users"} |
Get-ADGroupMember | Where-Object { $_.objectClass -eq 'user' } |
Get-ADUser -Properties comment,displayname,MemberOf |
select saMAccountName,displayname,comment,#{Name="MemberOf";Expression={$_.MemberOf -Join ";"}} |
Sort-Object SamAccountName | Export-csv -path C:\Install\Export-AD.csv -NoTypeInformation
Hope you have some tips and pointers for me on how to filter on the group name.
You could just add a comparison operation (-like) to your expression for MemberOf. You can see an example of this below. However, I would recommend against that single augmentation because of the inefficient nature of the Where-Object and the unnecessary queries that are happening here.
Get-ADGroup -Filter {name -like "Domain Users"} | Get-ADGroupMember | Where-Object { $_.objectClass -eq 'user' } | Get-ADUser -Properties comment,displayname,MemberOf | select saMAccountName,displayname,comment,#{Name="MemberOf";Expression={($_.MemberOf -like "Group A") -join ";"}} | Sort-Object SamAccountName | Export-csv -path C:\Install\Export-AD.csv -NoTypeInformation
I don't know how efficiently this runs in your AD. I tested this with a 722 member group, and it took 22.221 seconds to run.
I would try something like this instead as it will be significantly faster:
$GroupFilterDN = (Get-ADGroup "DOMAIN users").DistinguishedName
$GroupCheck = (Get-ADGroup "Group A").DistinguishedName
Get-ADUser -filter {(memberof -eq $GroupFilterDN -or PrimaryGroup -eq $GroupFilterDN) -and (ObjectClass -eq "user")} -Properties comment,displayname,MemberOf |
select saMAccountName,displayname,comment,#{Name="MemberOf";Expression={$_.MemberOf.where({$_ -in $GroupCheck}) -join ";"}} |
Sort-Object SamAccountName | Export-csv -path C:\Install\Export-AD.csv -NoTypeInformation
You need to replace the Group A string with your group name in the $GroupCheck variable.
$GroupFilter contains the group you want to filter on. In your example, you wanted to filter on Domain Users. The variable holds the DN for that group.
$GroupCheck contains the group for which you want to find members. The variable holds the DN for that group. In your example, you called this Group A.
The PrimaryGroup check had to be added since in your example you are using Domain Users. Domain Users does not show up in the MemberOf property.
The where({$_ -in $GroupCheck}) method is for when $GroupCheck has multiple groups. $GroupCheck currently would only have one group, but it could be tweaked to have multiple.
The code removes the requirement of using the Get-ADGroupMember command, which contains the Where-Object. Then it adds a comparison operation (-eq) for the MemberOf expression.
I tested the second block of code and it completed in 3.847 seconds with the same 722 member group.
I'm trying to query Active Directory to get a list of all users and all groups each user is a member of. I only need the direct groups each user is a member of, not the nested groups. The end-goal is to output this list to a CSV file. I'm attempting to do this using PowerShell in Windows Server 2012 R2.
UPDATE
So I've now managed to output a list of all users' names, however only some of the users's groups are included in the output, using the following command:
Get-ADuser -LDAPFilter "(objectClass=user)" -property "memberOf" |
select -Property #{n='name';e={$_.name}},#{n='groups';e
{$($_.MemberOf | Get-adgroup | % {$_.name}) -join ','}}
I'm unable to determine why only some of the users output (probably only 5-10 total) include the groups the user is a member of, while the rest (95%) of the users output only display the name of the user, without any groups at all.
Any ideas from here?
First of all I'am afraid that Get-ADuser -Filter {group -eq 'Domain Users'} just give nothing.
You can try to begin :
Get-ADuser -LDAPFilter "(objectClass=user)" -property "memberof" | select -Property #{n='name';e={$_.SamAccountName}},#{n='groups';e={$_.MemberOf -join ','}}
Then you can modify the filter to also take InetOrgPerson.
Get-ADuser -LDAPFilter "(|(objectClass=user)(objectClass=inetOrgPerson))" -property "memberof" | select -Property #{n='name';e={$_.SamAccountName}},#{n='groups';e={$_.MemberOf -join ','}}
Then you can take the samAccountName of the group DN
Get-ADuser -LDAPFilter "(|(objectClass=user)(objectClass=inetOrgPerson))" -property "memberof" | select -Property #{n='name';e={$_.SamAccountName}},#{n='groups';e={$($_.MemberOf | Get-adgroup | % {$_.SamAccountname}) -join ','}}
Late reply to this post, but I built a script that output all Groups in a specific OU and all users of each group. Only downside is that the "owner" of each group is also a member, so there is a bit of redundancy, but nothing breaking for my purpose. The output is formatted into two columns.
$mGroups=#(
Get-ADGroup -filter * -SearchBase "OU=,OU=,OU=,DC=,DC=" | select name);
$col = #()
for ($i=0
$i -lt $mGroups.Count;
$i++)
{
$agents=#(
Get-ADGroupMember $mGroups[$i].name | select sAMAccountName)
for ($n=0
$n -lt $agents.Count;
$n++)
{
$agentList = [PSCustomObject]#{
Group = $mGroups[$i].name
Agents = $agents[$n].sAMAccountName
}
$col+=$agentList;
}
}
$col
$col | Export-CSV -NoTypeInformation C:\Path\to\file.type
I am stuck trying to figure out how to get all Active Directory groups that are empty. I came up with this command, which selects groups that have no Members and aren't a MemberOf anything.
Get-QADGroup -GroupType Security -SizeLimit 0 | where-object {$_.Members.Count -eq 0 -and $_.MemberOf.Count -eq 0} | select GroupName, ParentContainer | Export-Csv c:\emptygroups.csv
This is mostly correct, but it's saying certain groups like the default group Domain Computers is empty, but it isn't empty. This particular group has only members that are computers, but it appears that other groups that only have computers as well aren't selected.
Does anyone know why this command is pulling in some that have members?
The Get-QADGroup cmdlet has a parameter -Empty. The description in the help hints at the reason these default groups are being returned:
Note: A group is considered empty if it has the "member" attribute not set. So, this parameter can retrieve a group that has only those members for which the group is set as the primary group. An example is the Domain Users group, which normally is the primary group for any user account while having the "member" attribute not set.
I'm not really familiar with the Quest stuff, but I was able to find empty groups this way, (probably not the most efficient):
Get-ADGroup -Filter {GroupCategory -eq 'Security'} | ?{#(Get-ADGroupMember $_).Length -eq 0}
This line will do (use Import-Module ActiveDirectory first):
Get-ADGroup -Filter * -Properties Members | where { $_.Members.Count -eq 0 }
This version will display only the groupcategory and SAMaccountname. Name could also be used in place of samaccountname. The groupcategory will show you if its a security group or a DL.
Get-ADGroup –Filter * -Properties Members | where { $_.Members.Count –eq 0 } |select groupcategory,samaccountname >c:\temp\nomembers.csv
Actually it will be a lost faster in environments with multiple domains, large number of groups (and large number of users) to run it as a script.
Note: you will need to have PowerShell Active directory module loaded (import-module activedirectory)
$domains = Get-ADForest|select -ExpandProperty domains
$empties = #()
$oops = #()
foreach ($d in $domains){
$groups = get-adgroup -filter * -server $d
foreach ($g in $groups){
$q = get-adgroup $g -properties members -server $d|select -expandproperty members
If(!$?){$oops += $g
write-host $g.name}
if ($q -eq $null) {$empties += $g}
}
}
$empties|select name,distinguishedname|export-csv .\empties.csv
$oops|select name,distinguishedname|export-csv .\oops.csv
This worked for me.
Get-ADGroup -Filter {GroupCategory -eq 'Security'} -Properties Members | where { $_.Members.Count -eq 0 } | Select Name | Sort-Object Name
Was able to get the values properly by piping in Get-QADGroupMember and getting the count of Members and MemberOf which could then be filtered. This seems terribly inefficient, but it serves the purpose to get the counts needed.
Get-QADGroup -SizeLimit 0 | Select-Object Name,#{n='MemberCount';e={ (Get-QADGroupMember $_ -SizeLimit 0 | Measure-Object).Count}},#{n='MemberOfCount';e={ ((Get-QADGroup $_).MemberOf | Measure-Object).Count}}
If anyone has a better way to do this, do tell.