Displaying Active directory extended properties - powershell

The following script is using the Active Directory extended properties to filter the results correctly as it only shows AD users where "script_ignore" is in the 'info' field (this is the 'Notes' field on the Telephones tab in AD users & computers).
However, it doesn't display any extended properties as I'd expected in the following ForEach-Object ($_.info or $_.city).
How can I output extended properties?
get-aduser -filter { info -like "script_ignore" } | % {
$_.name + " " + $_.city + " " + $_.info
}

You need to add any properties you're interested in that are not included in the default property set to the -Properties parameter.
get-aduser -filter { info -like "script_ignore" } -Properties City,Info | % {
$_.name + " " + $_.city + " " + $_.info
}
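An added example (not part of the question or the answer above) showing the same query with the extended attributes requested explicitly and the result kept as objects rather than concatenated strings. It assumes the RSAT ActiveDirectory module, a reachable domain controller, and the output path C:\Temp\script_ignore_users.csv.

```powershell
# Added example, not code from the original thread.
# Assumes the RSAT ActiveDirectory module and a reachable domain controller.
Import-Module ActiveDirectory

# 'info' is the "Notes" field on the Telephones tab; 'City' maps to the LDAP attribute 'l'.
# Neither is in Get-ADUser's default property set, so both must be requested explicitly.
# With no wildcard, -like in an AD filter behaves as an exact match on the whole field.
$marked = Get-ADUser -Filter { info -like "script_ignore" } -Properties City, Info

# Emit objects so the result can be sorted, filtered, or exported later.
$marked |
    Select-Object Name, SamAccountName, City, Info |
    Sort-Object Name |
    Export-Csv -Path "C:\Temp\script_ignore_users.csv" -NoTypeInformation   # assumed path

# To check which attributes actually came back, inspect one returned object.
$marked | Select-Object -First 1 | Get-Member -MemberType Property
```

Any attribute listed by Get-Member can be referenced as $_.AttributeName inside a ForEach-Object block; attributes not listed were not returned and will silently evaluate to $null.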

Related

Assignment operator prevents concatenation

I have AD groups named xxx16up, yyy16up, zzz16up. What I'm trying to do is if:
AD user is grade level 16 and up
AD user is not yet a member of said group
the script will add the AD user to the corresponding group based on company codes xxx, yyy, zzz.
$list = Import-CSV "C:\update12Apr2018.csv"
foreach ($company in $list) {
$myList = ( Get-ADGroup "$($company.comp)16up" ).DistinguishedName
if ( ([INT]$_.level -ge 16) -and (Get-ADUser -LDAPFilter "(!(memberof=$myList))" )) {
Add-ADGroupMember -Identity "$($company.comp)16up" -Members $company.samAccountName
}
}
The part highlighted does not work within the code. But if I take it out and run it by itself it has no problems. It produces the corresponding group of either xxx16up, yyy16up, or zzz16up.
Within the code, it gave below error:
Get-ADGroup : Cannot find an object with identity: '16up' under: 'DC=ACME,DC=com'. At line:1 char:33
+ ... ch ($company in $list) { ( Get-ADGroup "$($company.comp)16up" ).Disti ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (16up:ADGroup) [Get-ADGroup], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup
I was able to narrow down the problem to when there is an assignment operation and that is when it acts as if the concatenation failed.
ForEach ($company in $list) {
$groupName = $company.comp + '16up'
$myList = ( Get-ADGroup $groupName ).DistinguishedName
see the sleight of hand? ;-)
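An added example (not the question's or the answer's code) giving the complete loop with the separate group-name assignment from the answer above. It also fixes two further problems visible in the question's code: inside a foreach (...) statement the current item is $company, not $_, and the -LDAPFilter test returns every user who is not a member rather than checking the one user being processed. It assumes a CSV with columns comp, level and samAccountName, groups named <comp>16up, and the file path from the question.

```powershell
# Added example, not from the original thread.
# Assumes columns comp, level, samAccountName in the CSV and groups named <comp>16up.
Import-Module ActiveDirectory

$list = Import-Csv "C:\update12Apr2018.csv"

foreach ($company in $list) {
    # Build the group name in its own assignment, as in the accepted answer.
    $groupName = $company.comp + '16up'

    # Inside foreach (...) the current row is $company; $_ is not set here.
    if ([int]$company.level -lt 16) { continue }

    $group = Get-ADGroup -Identity $groupName -ErrorAction Stop
    $user  = Get-ADUser  -Identity $company.samAccountName -Properties MemberOf -ErrorAction Stop

    # Test this user's own membership instead of asking AD for all non-members.
    if ($user.MemberOf -notcontains $group.DistinguishedName) {
        # -WhatIf makes the first run a dry run; remove it once the output looks right.
        Add-ADGroupMember -Identity $group -Members $user -WhatIf
    }
}
```

Because group membership grants access, the -WhatIf dry run is worth keeping until the CSV has been checked: a wrong column name makes $company.comp empty, which is exactly how the original produced the identity '16up'.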

Powershell - Getting Distribution Lists that have sender Restrictions

We have a distribution list (called "TopGroup", for example) that has sub-DLs inside it, as well as normal personal user email accounts alongside those nested DLs. For some reason, only the individual accounts are receiving any mail sent to MasterDL. Any members inside the sub-DLs do not receive anything sent to MasterDL in their inbox. Then I noticed there is a restriction (to only allow specific users to send messages to specific distribution groups) on some sub-DLs. BTW, I have been using Exchange Server 2013.
script regarding this? What we are looking for is a PowerShell script that can
1 - Identify all nested groups
2 - Identify on each TOP DL check for 2nd layer DL
3 - Identify 2nd layer DL Distribution Lists that have sender Restrictions and get list
4 - Report them and take output to CSV
5 - optional- notify user and manager and IT group via email
it would be output like below :
ParentGroupName SubDL1 Restriction SubDL2 Restriction .... so on
Group Group1 GroupA,GroupB Group2 GroupA,GroupB,Group
Here is my script so far :
Import-Module ActiveDirectory
# Keep the ADGroup objects themselves: a Select-Object projection cannot bind to -Identity
$groups = Get-ADGroup -Filter "name -like '*'" -SearchBase "OU=Groups,DC=contoso,DC=com"
Foreach ($g in $groups)
{
$member = Get-ADGroupMember $g | ?{$_.ObjectClass -eq "Group"} | Select Name,SamAccountName
foreach ($sg in $member)
{
$sgname = $sg.name
Write-Host $sgname -foregroundcolor "magenta" -backgroundcolor "yellow"
# Groups that are not mail-enabled have no distribution group object
$dg = Get-DistributionGroup -Identity "$sgname" -ErrorAction SilentlyContinue
if (-not $dg) { continue }
if ($dg.AcceptMessagesOnlyFromDLMembers.count -ne 0){
Write-Host "$($dg.Name) has mail attribute set" -ForegroundColor Green
# Report the restriction on this sub-DL (the calculated property needs @{...}, not #{...})
$dg | select-object Name,@{Name="AcceptMessagesOnlyFromDLMembers";Expression={[string]::join(";",($_.AcceptMessagesOnlyFromDLMembers| foreach {$_.name}) )}}
}
elseif($dg.AcceptMessagesOnlyFromDLMembers.count -eq 0){
Write-Host "$($dg.Name) has no mail attribute set" -ForegroundColor Cyan
}
}
}
Error message :
#Test_groupA has mail attribute set Get-ADGroupMember : Cannot bind parameter 'Identity'. Cannot convert value "@{SamAccountName=test}" to type "Microsoft.ActiveDirectory.Management.ADGroup". Error: "Cannot convert the "@{SamAccountName=test}" value of type "Selected.Microsoft.ActiveDirectory.Management.ADGroup" to type "Microsoft.ActiveDirectory.Management.ADGroup"." At line:9 char:31
+ $member = Get-ADGroupMember $g | ?{$_.ObjectClass -eq "Group"} | Select Name,S ...
+ ~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADGroupMember], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
Thanks,
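An added example (not the poster's script) that walks the nested groups and reports, for each mail-enabled sub-DL, the sender restrictions that can stop mail relayed through the parent. It assumes the Exchange Management Shell (Exchange 2013), the RSAT ActiveDirectory module, the OU from the question, and the output path C:\Temp\restricted_subdls.csv. Both restriction attributes are checked, since a sub-DL can be limited to individual senders as well as to members of other groups.

```powershell
# Added example, not code from the original post.
# Assumes the Exchange Management Shell plus the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$searchBase = "OU=Groups,DC=contoso,DC=com"      # OU from the question

$report = foreach ($parent in Get-ADGroup -Filter * -SearchBase $searchBase) {
    # Pass the ADGroup object itself; a Select-Object projection cannot bind to -Identity.
    $nested = Get-ADGroupMember -Identity $parent | Where-Object { $_.objectClass -eq 'group' }

    foreach ($child in $nested) {
        # Security groups without a mail-enabled object have no distribution group.
        $dg = Get-DistributionGroup -Identity $child.DistinguishedName -ErrorAction SilentlyContinue
        if (-not $dg) { continue }

        $allowedDLs   = @($dg.AcceptMessagesOnlyFromDLMembers | ForEach-Object { $_.Name })
        $allowedUsers = @($dg.AcceptMessagesOnlyFrom          | ForEach-Object { $_.Name })

        [pscustomobject]@{
            ParentGroup  = $parent.Name
            SubDL        = $dg.Name
            Restricted   = ($allowedDLs.Count + $allowedUsers.Count) -gt 0
            AllowedDLs   = $allowedDLs   -join ';'
            AllowedUsers = $allowedUsers -join ';'
        }
    }
}

# One row per parent/sub-DL pair; keep only the restricted ones for the CSV.
$report | Where-Object { $_.Restricted } |
    Export-Csv -Path "C:\Temp\restricted_subdls.csv" -NoTypeInformation   # assumed path
```

The flat parent/sub-DL rows sort and filter in Excel more easily than the wide "SubDL1 Restriction SubDL2 Restriction ..." layout sketched in the question; a pivot on ParentGroup reproduces that layout if it is needed.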

Errors in listing AD groups for AD PCs

I am writing a script for work and trying to determine why my code is showing errors. I am new to this coding and want to understand what is wrong.
The errors I get are from the tag .... PC listings in my .txt file.
Ex: Get-Content : Cannot find path 'F:\tag 77909' because it does not exist.
My confusion is that when I write-host after the .Replace code it prints correctly
Ex:You cannot call a method on a null-valued expression. + $Notags =$PC.Replace <<<< ("tag ", "PC")
+ CategoryInfo : InvalidOperation: (Replace:String) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
The last error I get is that it only prints out the last PC.... ID in my .txt file listing??? I am unsure why, given I have a foreach loop.
**MY CODE SO FAR:**
Import-Module activedirectory
$compImports = Get-Content "C:\Temp\temp\input.txt"
$groupExport = "C:\temp\temp\output.txt"
Clear-Content $groupExport
$Header = "PC Name" + "|" + "Group Name" + "|" + "Group Description"
#Write header
$Header | Out-File $groupExport -Append
#get PC tag listing
$PCs = Get-Content $compImports
#For loop to change all "tag " to "PC"
foreach($PC in $PCS)
{
$Notags =$PC.Replace("tag ", "PC")
}
#loop to get information and print it out
foreach ($Notag in $Notags) {
$computerobj = Get-ADComputer $Notag -Properties memberof
$computerobj.memberof | ? {$_ -match '^CN=APP.*'} `
| % {get-adgroup $_ -Properties name, description} | `
% {$computerobj.Name + "|" + $_.name + "|" + $_.description `
| Out-File $groupExport -Append}
}
I see at least one issue here
$compImports = Get-Content "C:\Temp\temp\input.txt"
...
$PCs = Get-Content $compImports
You are calling Get-Content twice which would generate the error you are seeing most likely.
Could be simplified as
$PCs = Get-Content "C:\Temp\temp\input.txt"
Your other error should go away as a result since $PCs should contain real data at that point.
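An added example (not the poster's or the answerer's code) of the same report with both defects removed: the file is read once, and every renamed entry is collected instead of $Notags being overwritten on each pass of the loop, which is why only the last PC was printed. It assumes input.txt holds one "tag NNNNN" entry per line, that computer names are "PCNNNNN", and the folder from the question with a .csv output file.

```powershell
# Added example, not code from the original thread.
# Assumes one "tag NNNNN" entry per line and computer names of the form "PCNNNNN".
Import-Module ActiveDirectory

$inputPath  = "C:\Temp\temp\input.txt"
$outputPath = "C:\Temp\temp\output.csv"   # assumed; the question wrote a .txt file

# Read the file once. Calling Get-Content on the file's contents produced
# "Cannot find path 'F:\tag 77909'". Collect every renamed entry in one array.
$computerNames = Get-Content $inputPath |
    Where-Object { $_.Trim() } |
    ForEach-Object { $_.Trim().Replace("tag ", "PC") }

$rows = foreach ($name in $computerNames) {
    try {
        $computer = Get-ADComputer -Identity $name -Properties MemberOf -ErrorAction Stop
    } catch {
        Write-Warning "Computer '$name' not found: $($_.Exception.Message)"
        continue
    }
    foreach ($dn in ($computer.MemberOf | Where-Object { $_ -match '^CN=APP' })) {
        $group = Get-ADGroup -Identity $dn -Properties Description
        [pscustomobject]@{
            'PC Name'           = $computer.Name
            'Group Name'        = $group.Name
            'Group Description' = $group.Description
        }
    }
}

# Same pipe-separated columns as the original header, written once with a proper header row.
$rows | Export-Csv -Path $outputPath -NoTypeInformation -Delimiter '|'
```

Collecting objects and exporting once at the end also removes the need for Clear-Content and the repeated Out-File -Append calls.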

What does this Powershell command mean in English?

In Exchange Management Shell, you can write a query to display administrator activities.
Search-AdminAuditLog -Startdate ((get-date).AddDays(-5)) -EndDate (get-date) | where{$_.caller -ne "NT AUTHORITY\SYSTEM (MSExchangeHMWorker)"} |select Caller, Rundate, ObjectModified, CmdLetName, @{n="Parameters"; e={$e=$null;$_.CmdLetParameters|%{$e += ( " -" + $_.name.tostring() + " '" + $_.value + "'")};$e}} | ft -autosize
Most of the commands make sense but can anyone explain the @{...} part in English? Specifically this part:
@{n="Parameters"; e={$e=$null; $_.CmdLetParameters | %{$e += ( " -" + $_.name.tostring() + " '" + $_.value + "'")};$e}}
That's called a "Calculated property". It's a way to add a property in your selected object with the name specified by n= and having the value resulting from expression e=.
http://technet.microsoft.com/en-us/library/ff730948.aspx
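An added example (not from the original thread) that applies the same calculated property to a constructed object shaped like a Search-AdminAuditLog entry, so it runs without an Exchange server. The sample values (caller, mailbox, parameters) are made up for the illustration.

```powershell
# Added example, not code from the original thread. The entry below is constructed
# to look like one Search-AdminAuditLog result; no Exchange connection is needed.
$sampleEntry = [pscustomobject]@{
    Caller           = 'CONTOSO\admin1'
    RunDate          = Get-Date '2018-04-12 09:15'
    ObjectModified   = 'contoso.com/Users/jdoe'
    CmdletName       = 'Set-Mailbox'
    CmdletParameters = @(
        [pscustomobject]@{ Name = 'Identity';          Value = 'jdoe' }
        [pscustomobject]@{ Name = 'ForwardingAddress'; Value = 'external@example.net' }
    )
}

# n= (Name) is the new column added to the selected object.
# e= (Expression) is a script block run once per input object; $_ is that object,
# and inside the nested ForEach-Object $_ becomes each parameter of the entry.
# Joining the pieces replaces the $e accumulator of the original query with the same result.
$sampleEntry |
    Select-Object Caller, RunDate, ObjectModified, CmdletName,
        @{ n = 'Parameters'
           e = { ($_.CmdletParameters | ForEach-Object { " -$($_.Name) '$($_.Value)'" }) -join '' } } |
    Format-Table -AutoSize
```

Flattening the parameters into one column is what makes the audit log readable at a glance: a row whose Parameters column shows a forwarding address or a permission change stands out when reviewing administrator activity.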

How to list AD group membership for AD users using input list?

I'm a fairly new PS user... Looking for some assistance with a PowerShell script to obtain the list of security groups a user is a member of.
To describe what I need:
I have an input list (txt file) with many users (samaccountnames). Every name is on a new line.
I need the script to search these names in AD - the whole forest, not just one single domain.
The output should look like "samaccountname" and the list of groups this account is a member of, in one line, so I can sort it in Excel.
This is the script I have:
$users = Get-Content C:\users.txt
ForEach ($User in $users) {
$getmembership = Get-ADUser $User.Users -Properties MemberOf | Select -ExpandProperty memberof
$getmembership | Out-File -Append c:\membership.txt
}
but it throws me an error:
Get-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try the command again.
At line:4 char:28
+ $getmembership = Get-ADUser <<<< $User.Users -Properties MemberOf | Select -ExpandProperty memberof
+ CategoryInfo : InvalidData: (:) [Get-ADUser], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADUser
Anyway, this script wouldn't search the whole forest.
Sample input list:
username1
username2
username3
username4... etc
Sample output list
username1;group1;group2;group3
username2;group1;group2;group3;group4... etc or something similar
Any help would be greatly appreciated.
First: As it currently stands, the $User variable does not have a .Users property. In your code, $User simply represents one line (the "current" line in the foreach loop) from the text file.
$getmembership = Get-ADUser $User -Properties MemberOf | Select -ExpandProperty memberof
Secondly, I do not believe you can query an entire forest with one command. You will have to break it down into smaller chunks:
Query forest for list of domains
Call Get-ADUser for each domain (you may have to specify alternate credentials via the -Credential parameter)
Thirdly, to get a list of groups that a user is a member of:
$User = Get-ADUser -Identity trevor -Properties *;
$GroupMembership = ($user.memberof | % { (Get-ADGroup $_).Name; }) -join ';';
# Result:
Orchestrator Users Group;ConfigMgr Administrators;Service Manager Admins;Domain Admins;Schema Admins
Fourthly: To get the final, desired string format, simply add the $User.Name, a semicolon, and the $GroupMembership string together:
$User.SamAccountName + ';' + $GroupMembership;
Get-ADPrincipalGroupMembership username | select name
Got it from another answer but the script works magic. :)
Or add "sort name" to list alphabetically
Get-ADPrincipalGroupMembership username | select name | sort name
Everything in one line:
get-aduser -filter * -Properties memberof | select name, @{ l="GroupMembership"; e={$_.memberof -join ";" } } | export-csv membership.csv
The code below will return the user's group membership using the samaccountname. You can modify it to get input from a file, or change the query to get accounts with non-expiring passwords, etc.
$location = "c:\temp\Peace2.txt"
$users = (get-aduser -filter *).samaccountname
$le = $users.length
for($i = 0; $i -lt $le; $i++){
$output = (get-aduser $users[$i] | Get-ADPrincipalGroupMembership).name
$users[$i] + " " + $output
$z = $users[$i] + " " + $output
add-content $location $z
}
Sample Output:
Administrator Domain Users Administrators Schema Admins Enterprise Admins Domain Admins Group Policy Creator Owners
Guest Domain Guests Guests
krbtgt Domain Users Denied RODC Password Replication Group
Redacted Domain Users CompanyUsers Production
Redacted Domain Users CompanyUsers Production
Redacted Domain Users CompanyUsers Production
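An added example (not from any answer in this thread) that ties the pieces of the thread together: it reads the samAccountName list from the question, follows the first answer's steps of enumerating the forest's domains and querying each one, and writes the "samaccountname;group1;group2" lines the question asked for, as the later one-line and loop answers do for a single domain. It assumes C:\users.txt with one name per line, C:\membership.txt for output, and that the running account can read every domain in the forest (add -Credential to the Get-ADUser call otherwise).

```powershell
# Added example, not code from the original thread.
# Assumes C:\users.txt (one samAccountName per line) and read access to every domain.
Import-Module ActiveDirectory

$inputPath  = 'C:\users.txt'
$outputPath = 'C:\membership.txt'

# Step 1: enumerate the forest's domains once; a global catalog is used to resolve group DNs.
$forest  = Get-ADForest
$domains = $forest.Domains
$gc      = "$($forest.Name):3268"

$lines = foreach ($sam in (Get-Content $inputPath | Where-Object { $_.Trim() })) {
    $sam  = $sam.Trim()
    $user = $null

    # Step 2: try each domain until the account is found. -Identity takes the name as
    # an identifier, so a value read from the file cannot alter the query.
    foreach ($domain in $domains) {
        try {
            $user = Get-ADUser -Identity $sam -Server $domain -Properties MemberOf -ErrorAction Stop
            break
        } catch { $user = $null }
    }
    if (-not $user) {
        Write-Warning "'$sam' was not found in any domain of $($forest.Name)"
        continue
    }

    # Step 3: resolve each group DN to its name. Groups may live in another domain than
    # the user, so the lookup goes to the global catalog rather than the user's domain.
    $groups = foreach ($dn in $user.MemberOf) { (Get-ADGroup -Identity $dn -Server $gc).Name }

    # Step 4: one semicolon-separated line per user, as requested in the question.
    (@($user.SamAccountName) + @($groups)) -join ';'
}

$lines | Set-Content -Path $outputPath
```

MemberOf lists direct memberships only; nested group membership (a group that is itself a member of another) is not expanded here, so a review of effective privileges should follow the chain or use a recursive query.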