I would like to compare two organizational units users.
I can get my user list with this command:
OU_NUMBER_1:
Get-ADUser -filter * -SearchBase "OU=OU_NUMBER_1,OU=OU-SNE_SharePoint,DC=vf,DC=local" | Select sAMAccountName
OU_NUMBER_2:
Get-ADUser -filter * -SearchBase "OU=OU_NUMBER_2,OU=OU-SNE_SharePoint,DC=vf,DC=local" | Select sAMAccountName
I would like to get homonymous from these lists. Do I have to put my users in some lists and compare them ? Or anyone get a better idea ?
To summary, I would like to get a list with homonymous of my OU's.
/Update
Try
$UserGroup1 = Get-ADUser -filter * -SearchBase "OU=OU_NUMBER_1,OU=OU-SNE_SharePoint,DC=vf,DC=local" | select sAMAccountName
$UserGroup2 = Get-ADUser -filter * -SearchBase "OU=OU_NUMBER_2,OU=OU-SNE_SharePoint,DC=vf,DC=local" | Select sAMAccountName
$UserInBothOU = Compare-Object $UserGroup1 $UserGroup2 -IncludeEqual
Be aware that the Array $UserInBothOU contains PowerShell Objects.
When you want the sAMAccountName, then you must do something like that:
foreach($User in $UserInBothOU)
{
Write-host $User.sAMAccountName
}
Because sAMAccountName is only an attribute.
$OLDGroup = Get-ADUser -filter * -SearchBase "OU=InactiveObjects,DC=gov,DC=au" -server "gov.au" | select sAMAccountName
$NEWGroup = Get-ADUser -filter * -SearchBase "OU=StandardUsers,OU=Users,DC=nsw,DC=gov,DC=au" -server "nsw.gov.au" | Select sAMAccountName
compare-object $OLDGroup $NEWGroup -Property 'SamAccountName' -IncludeEqual
Related
Current powershell script being used is in this format:
Get-ADUser -Filter * -Properties EmailAddress, DisplayName -SearchBase "OU=USERS, OU=Site, OU=$_, DC=domain" -Server ServerName | Select DisplayNAme, EmailAddress
My problem is that the OU users, and site are buried in different folders one level up, and I can't figure out how to make the powershell script look thru all the folders above (OU=$_). Using OU=* doesn't work either (bad syntax error).
The -SearchBase parameter doesn't allow wildcards, if I understand correctly, you're looking for all parents OUs having OU=USERS, OU=Site as child OU, in which case, you can first filter for all OUs with Name Users then filter again for those OUs where their DistinguishedName contains OU=USERS, OU=Site and lastly feed these OUs to Get-ADUser -SearchBase:
(Get-ADOrganizationalUnit -LDAPFilter "(name=users)").DistinguishedName | ForEach-Object {
if($_ -notlike "OU=USERS, OU=Site*") { return }
Get-ADUser -Filter * -Properties EmailAddress, DisplayName -SearchBase $_ -Server ServerName
} | Select DisplayName, EmailAddress
I'm looking for some guidance on creating a powershell script that will check security and distribution groups from specific OU's and see if the owner is a user who's disabled.
We have lots of old groups in our AD created by ex employees that need to be cleaned up.
This is what i've started with.
$managedByGroups = get-adgroup -filter 'groupCategory -eq "Distribution"' -SearchBase "OU=SydExchangeGroups,OU=SydGroups,OU=Sydney,DC=my,DC=org,DC=biz" -Properties distinguishedname, managedby | select sAMAccountName, managedby
$disabledUsers = Get-ADUser -Filter {Enabled -eq $false} -SearchBase "OU=SydDisabledUsers,OU=SydMisc,OU=Sydney,DC=my,DC=org,DC=biz" | select distinguishedname
foreach ($group in $managedByGroups){
if($managedByGroups.managedby -eq $disabledUsers.distinguishedname)
{
write-output
}
}
Thanks
There are a number of issues with your if block:
you are looping through $managedByGroups, but you are never using that variable (it should be $group.managedby)
you are trying to compare 1 element with a list of elements, in this case consider using -in operator instead of -eq.
you should treat the case when there is no value for managedby attribute, in case you do not get the desired results.
An alternative to your code may is below.
I'm first getting the list of managedby users, then i'm looping though each entry, and if it is not null, we try to do a get-aduser filtering by enabled status and the distinguishedname.
$DisabledManagedBy variable will contains ADUser objects which are disabled.
$grp = get-adgroup -filter 'groupCategory -eq "Distribution"' -Properties ManagedBy,DistinguishedName
$DisabledManagedBy = foreach ($item in $grp.ManagedBy) {
if ($item) {
Get-ADUser -Filter {Enabled -eq $false -and DistinguishedName -like $item} -Properties DistinguishedName
}
}
I worked this out eventually by doing the following:
$myDisabledUsers = #()
$date = get-date -format dd-MM-yyyy
$managedSydGroups = Get-ADGroup -Filter * -Properties * -Searchbase "OU=SydExchangeGroups,OU=SydGroups,OU=Sydney,DC=my,DC=biz,DC=org" | where {$_.managedby -ne $null} | select name, managedby
$disabledSydUser = Get-ADUser -Filter * -SearchBase "OU=SydDisabledUsers,OU=SydMisc,OU=Sydney,DC=my,DC=biz,DC=org" | where {$_.enabled -eq $false} | select -ExpandProperty distinguishedname
$disabledOwners = foreach($group in $managedSydGroups)
{
$managedByString = [string]$group.managedby
if($disabledSydUser -contains $managedByString)
{$myDisabledUsers += $group}
}
Just getting started with Powershell and I've run into a roadblock. I'm trying to iterate through AD and get a list of all OU's. From there I'm trying to get user account info for each user in each OU. To test I've been able to get the DN for all OU's and output to console but when I try and pass those values to the get-aduser cmdlt it fails.
Here's my code:
import-module activedirectory
$SearchBase = get-adorganizationalunit -filter * -searchbase "ou=users,ou=myUsers,dc=company,dc=local" -Properties CanonicalName | select-object -Property distinguishedName
foreach ($ou in $SearchBase) {
get-aduser -filter * -searchbase $ou -Properties givenName,sn,mail
}
I'm getting the following error message: "The supplied distinguishedName must belong to one of the following partitions..."
I think the issue is that when passing $ou to the get-aduser cmdlt the distinguished name must be enclosed in quotes after -searchbase correct? If so not sure how to go about that. Any help is appreciated.
The issue you are having is you need to expand the property you are selecting. You will notice if you run:
get-adorganizationalunit -filter * -searchbase "ou=users,ou=myUsers,dc=company,dc=local" -Properties CanonicalName | select-object -Property distinguishedName
It will show the parent property:
There are two ways to fix this:
Expand the property in your select statement:
$SearchBase = get-adorganizationalunit -filter * -searchbase "ou=users,ou=myUsers,dc=company,dc=local" -Properties CanonicalName | select-object -ExpandProperty distinguishedName
OR Call the Property in your foreach:
foreach ($ou in $SearchBase) {
get-aduser -filter * -searchbase $ou.distinguishedName -Properties givenName,sn,mail
}
Trying to run a command in a foreach loop that contains different search locations, e.g.:
$ous ='ou=Staff,dc=example,dc=local', 'ou=Managers,dc=example,dc=local'
$colItems = $ous | ForEach { Get-ADUser -Filter * -SearchBase "ou=Example,dc=example,dc=local" -Properties whenCreated | select -Property Enabled,Name,SamAccountName,whenCreated }
I want to replace the OU in the search query each time
"ou=Example,dc=example,dc=local"
If you use a pipeline with a ForEach-Object loop, you must use the current object variable ($_) to refer to the current object from the pipeline. Change this:
$ous | ForEach { Get-ADUser -Filter * -SearchBase "ou=Example,dc=example,dc=local" -Properties ... }
into this:
$ous | ForEach-Object { Get-ADUser -Filter * -SearchBase $_ -Properties ... }
See about_Automatic_Variables for more information.
I think this was my answer.
$colItems = ForEach ($ou in $ous) { Get-ADUser -Filter * -SearchBase $ou -Properties whenCreated | select -Property Enabled,Name,SamAccountName,whenCreated }
I am trying to get a list of AD user who does not have picture. I am on QBC.CAN domain and trying to get information from KOBAL domain. The KOBAL domain looks like this KOBAL.COM. There is OU called SALES AND sub OU called NORTHWEST.
My job is the get a list of users with name, title, email, where Picture is not present. thumbnailPhoto is the ldap-display name. I tried few queries but it doesn't give me what I need and keep getting error.
Get-ADUser -Filter * -Server "ADCP12WSDC54X01.KOBAL.COM" -properties thumbnailPhoto | ? {!$_.thumbnailPhoto} | select Name
This code works but I don't need the entire list. I only need OU=SALES,OU=NORTHWEST. If I change the script to following I get an error
Get-ADUser -Filter * -SearchBase "OU=NORTHWEST, OU=SALES ,DC=KOBAL,DC=COM" -properties thumbnailPhoto | ? {!$_.thumbnailPhoto} | select Name
Get-ADUser : The supplied distinguishedName must belong to one of the following
partition(s): 'DC=QBC,DC=CAN , CN=Configuration,DC=QBC,DC=CAN , cN=Schema,CN=Configuration,DC=QBC,DC=CAN , DC=DomainDnsZones,DC=QBC,DC=CAN, DC=ForestDnsZones,DC=QBC,DC=CAN'.
Here's what I would use:
$SearchBase = 'OU=NORTHWEST,OU=SALES,DC=KOBAL,DC=COM';
$LdapServer = 'YourLDAPServerName';
$UsersWithoutPhotos = Get-ADUser -Filter 'thumbnailPhoto -notlike "*"' -SearchBase $SearchBase -SearchScope 'Subtree' -Server $LdapServer | Select-Object 'Name'
The filter here removes the need for piping to a Where-Object. It will return any user in the target OU or below that doesn't have a thumbnailPhoto attribute. You don't need -Properties thumbnailPhoto now since you're not using it for anything anymore, so you won't be returning all that data.
Edit to add:
By default, the only properties returned by Get-ADUser are DistinguishedName, Enabled, GivenName, Name, ObjectClass, ObjectGUID, SamAccountName, SID, Surname, UserPrincipalName. If you want access to anything else, you'll need to include the -Properties parameter again with Get-ADUser to tell that command to fetch that data, too. All the Select-Object command does is eliminate fields that you don't want to see.
This should work for you:
$UsersWithoutPhotos = Get-ADUser -Filter 'thumbnailPhoto -notlike "*"' -SearchBase $SearchBase -SearchScope 'Subtree' -Server $LdapServer -Properties 'title', 'displayName';
You can then restrict it to just the fields you want:
$UsersWithoutPhotos = $UsersWithoutPhotos | Select-Object 'Name','title', 'displayName';
Or sort it by a field:
$UsersWithoutPhotos = $UsersWithoutPhotos | Sort-Object 'displayName';
And display it:
$UsersWithoutPhotos | Format-Table -AutoSize;
Or:
$UsersWithoutPhotos | Out-GridView;
Of course, you can do all that on one line, too, and just keep piping.