Our application will add list of user in local user groups.
Users will be associated with the groups , if the user name is changed we may need to update them in groups.
I was trying to use [ADSI] in powershell to get the list first then modify it .
$MyprojGroups=#("Myproj Engineers",
"Myproj Managers",
"MyprojDBUser",
"MyprojUser")
Foreach( $MyprojGroup in $MyprojGroups) {
Write-host "MyprojGroup : $MyprojGroup "
$usergroup=[ADSI]($MyprojGroup).psbase.Path
$usergroup
UpdateUserName -groupName $usergroup -OlduserName "Administrator" -NewuserName "Admin"
}
Function UpdateUserName {
Param (
[string]$OlduserName,
[string]$groupName,
[string]$NewuserName
)
# To check whether the user name is associated with the group
$MEm=$groupName.psbase.Invoke("Members") | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
If ($mem -eq "OlduserName") {
# Has to update the New User Name
}
}
But passing the groupname directly is not being accepted for ADSI. How to update the user name if it associated with the assigned groups?
do you run your powershell script on each computer you want to check ?
Do you want to add local users to the local groups ?
can you try something like (within administrator shell of course) :
$grp = [ADSI]"WinNT://$computerName/$groupName,group"
$grp.add("WinNT://$computerName/$NewUserName")
$grp.remove("WinNT://$computerName/$OldUserName")
Related
I am fairly new to PowerShell. There is a command I run many times a day that checks if an AD user account belongs to a couple of AD security groups. Right now, I am pasting the user's account into the command from OneNote and then pasting that command into the PowerShell window. Ideally, I would love to be able to run a .ps1 file that would launch a popup where I could enter in the user's account and the popup would then provide the command output. If that is not possible, run the .ps1 file and have the PowerShell ask for input where I can paste the user's AD account and hit enter. Below is the command I am running. Thank you all in advance.
(Get-ADUser %ADACCOUNT% -Properties MemberOf).MemberOf | findstr /i %ADGROUP%
Here is an idea to get you started using InputBox function to get the input user, MessageBox.Show method in case the user was not part of any group and Out-GridView in case the user was member of at least one of the groups.
Usage is quite simple, you just name this script as whatever you want and then when calling it, you can do .\myScript.ps1 -ADGroups 'somegroup1', 'somegroup2', etc
param([string[]] $ADGroups)
Add-Type -AssemblyName Microsoft.VisualBasic, System.Windows.Forms
# Get user input
$choice = [Microsoft.VisualBasic.Interaction]::InputBox(
'Input User SamAccountName',
'Choose a Title for me'
)
# if the user didn't provide any input, exit script
if([string]::IsNullOrWhiteSpace($choice)) {
return
}
# get user membership and filter
$result = (Get-ADUser $choice -Properties memberOf).memberOf | Where-Object {
# where the DistinguishedName matches any of input AD Groups
foreach($group in $ADGroups) {
if($_ -match $group) { return $true }
}
}
# if no results found
if(-not $result) {
# show this message
[Windows.Forms.MessageBox]::Show(
"$choice was not a member of any AD Group",
'Choose a Title for me',
[Windows.Forms.MessageBoxButtons]::OK,
[Windows.Forms.MessageBoxIcon]::Warning
)
# and exit the script
return
}
# otherwise, show this grid that contains the list of DistinguishedNames
# the user is a member of
$result | Out-GridView
I'm having trouble getting a small PS script to work the way I want it to.
Powershell version: 5.1
Ultimate goal: I want to parse all existing local User accounts and generate a list of those that are not part of any local Groups. (This is not an AD environment, nor part of a domain. This is all just local OS accounts and Groups.) Also, I am only interested in the Groups that I have manually created - I don't care about the default System Groups. (More on how I try to achieve this, later.) And then, after I get this part working, this output (list of User names) will then be used (in the future - not shown in this code) as input to another block that will add these not-in-a-Group users to a Group.
I found an example bit of code - which worked, and resulted in the correct set of user names. But it was slow - it took >5 minutes. So I wanted something faster.
The approach that I'm working with now generally seems like it will work, and is pretty quick. I'm just having trouble getting it to restrict things down correctly. It seems I'm having trouble referencing properties of objects returned by the cmdlets. (See code a bit further down. There are various counters and write-host steps in here, too, that are purely for helping me see what's going on and debugging - they aren't required for the actual task.)
My general outline of how I am going about this:
Compile a list of all Users in all Groups
But, I only want Groups that have no Description - these are the ones that I have created on the machine. The OS default Groups all have a Description. This will help me narrow down my list of Users.
Loop over the list of all Users on the system
Compare each user to the List from Step 1
If User is on the List, then that User is IN a Group, so skip it
If User is not on the List, then save/report that Name back
[Side note - the user 'WDAGUtilityAccount' turned out to also not be in any Groups, but I don't want to change that one; so have a specific test to exclude it from the list.]
[original version of code]
# --- Part 1
$UsersList = foreach ( $aGroup in get-localgroup ) {
$groupcount++
# Only want Groups that don't have a Description
if ( $null -eq $aGroup.Description ) {
Get-LocalGroupMember $aGroup.name
}
write-host "$groupCount -- $aGroup.Name _ $aGroup.Description"
}
# Just for debugging - to see the content of Part 1
write-host "List = $UsersList"
# ---- Part 2
Get-LocalUser | ForEach-Object {
$count++
$name = $_.Name
if ( $name -eq "WDAGUtilityAccount" ) {
# nothing - skip this one
} elseif ( $UsersList.Name -inotcontains "$env:COMPUTERNAME\$_" ) {
$count2++
write-host "$Count ($Count2) : $name -- not a part of any groups"
}
}
It appears that my attempts to extract the Properties of the Group in Part 1 are failing - I am getting literal text 'Name' and 'Description', instead of the aGroup.Name aGroup.Description property values. So my output looks like "MyGroup1.Name" instead of "MyGroup1" (assuming the actual name of the group is 'MyGroup1').
I believe that I am approaching the 'Group' object correctly - when I do 'get-localgroup | get-member" it says that it is a 'LocalGroup' object, with various properties (Name and Description being two of those).
There may be many other approaches to this - I'm interested in hearing general ideas; but I would also like to know the specific issues with my current code - it's a learning exercise. :)
Thanks, J
[ Version 2 of code - after some suggestions... ]
$UsersList = foreach ( $aGroup in get-localgroup ) {
$groupcount++
#Write-Host $aGroup.Description
# Only want Groups that don't have a Description (i.e. are the Groups that we created, not the default System/OS groups)
if ( $null -eq $($aGroup.Description) ) {
$UserList += Get-LocalGroupMember $($aGroup.name)
write-host "$groupCount -- $($aGroup.Name) _ $($aGroup.Description)"
}
}
write-host "List = $UsersList"
Get-LocalUser | ForEach-Object {
$count++
$name = $_.Name
if ( $name -eq "WDAGUtilityAccount" ) {
# nothing - skip this one
} elseif ( $($UsersList.name) -inotcontains "$env:COMPUTERNAME\$_" ) {
$count2++
write-host "$Count ($Count2) : $name -- not a part of any groups"
}
}
I believe this could be reduced to:
Store all members of a any group where the group's Description is null.
Get all local users and filter where their user's Name is not equal to WDAGUtilityAccount and they are not part of the stored member's SID array.
$members = Get-LocalGroup | Where-Object { -not $_.Description } | Get-LocalGroupMember
Get-LocalUser | Where-Object {
$_.Name -ne 'WDAGUtilityAccount' -and $_.SID -notin $members.SID
} | Format-Table -AutoSize
Is there a way to get the ObjectId of the Service Principal that is currently executing an Azure PowerShell task in Azure DevOps at all?
I am creating a resource, and then want to apply permissions for the 'current' user.. but can't work out how to get the current user ObjectId / ApplicationId
Is this possible?
Ok - based of the above, I've made a little function - it may work for a lot of cases:
function Get-CurrentUserObjectID {
$ctx = Get-AzContext
#This is different for users that are internal vs external
#We can use Mail for users and guests
$User = Get-AzADUser -Mail $ctx.Account.id
if (-not $user) { #Try UPN
$User = Get-AzADUser -UserPrincipalName $ctx.Account.Id
}
if (-not $User) { #User was not found by mail or UPN, try MailNick
$mail = ($ctx.Account.id -replace "#","_" ) + "#EXT#"
$User = Get-AzADUser | Where-Object { $_MailNick -EQ $Mail}
}
Return $User.id
}
There seems to be two ways of doing this depending on if it's a user, or a service principal:-
Get-AzADUser
Get-AzADServicePrincipal
These i believe are in the Az.Resources module. So, to give you the ObjectId (for permissions), you could take a two step approach like this:
$x = (Get-AzContext).Account.Id
$x
> df6fc4f6-cb05-4301-91e3-11d93d7fd43d # ApplicationId
$y = Get-AzADServicePrincipal -ApplicationId $x
$y.Id
> c3588e6a-b48b-4111-8241-3d6bd726ca40 # ObjectId
I can't get anything to work reliably with standard users though.. if your user is created in the AzureAD directly, and not external (i.e. gmail.com, outlook.com, etc) this should work:
$x = (Get-AzContext).Account.Id
$x
> sample#your-domain.onmicrosoft.com # UserPrincipalName
$y = Get-AzADUser -UserPrincipalName $x
$y.Id
> c5d4339b-48dc-4190-b9fb-f5397053844b # ObjectId
If your user is external, and has the weird your.email.address_outlook.com#EXT##your-domain.onmicrosoft.com as the UserPrincipalName you'll need to solve that with a bit of string manipulation i think 😕.
But! You shouldn't be scripting things with user accounts anyway, so it probably doesn't matter 😆.
Note: I have not tried this in Azure DevOps, you will probs need to upgrade the PowerShell packages, but i think the same commands should exist as Get-AzureRmADUser, and Get-AzureRmADServicePrincipal. Please let me know.
I have a PowerShell script that builds IIS sites and configures settings. Most of it works as expected except for a function to either add a domain user to a specific local group or if the group is not there to create the group than add the user. I get this error when adding to the group:
Exception calling "add" with "1" argument(s): "A member could not be added to or removed from the local group because the member does not exist.
I have PowerShell v1.0 so I do not have access to the Microsoft.PowerShell.LocalAccounts module so using Add-LocalGroupMember and New-LocalGroup are not an option.
function addEventLogWriter($appPoolUser) {
$user = $appPoolUser
$group = "Event Log Writers"
$description = "Members of this group can write event logs from local machine"
#try{
$groupObj =[ADSI]"WinNT://./$group,group"
$membersObj = #($groupObj.psbase.Invoke("Members"))
$members = ($membersObj | foreach {
$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
})
Write-Output "Adding Service Account To Event Log Writers..."
if ($members -contains $user) {
Write-Host "$user already exists in the group $group..."
} else {
$groupObj.add("WinNT://./$user,user")
Write-Output "$user added to $group"
}
}
At the moment the group 'Event Log Writers' has been created but in the case it is not (ie: new server builds etc..), I would like my function check to make sure the group is there, if not, create the group than add the user.
The issue is because ADSI requires a slash instead of a backslash like a typical username.
Also, how the group membership returns, in this case, it drops the domain name, so we have to split out the username when seeing if it exists.
So if your $appPoolUser is a credential object with the full username:
function addEventLogWriter($appPoolUser) {
$AdsiUsername = $appPoolUser.replace('\','/')
$user = $appPoolUser.Split('\')[1]
$group = "Event Log Writers"
$description = "Members of this group can write event logs from local machine"
#try{
$groupObj =[ADSI]"WinNT://./$group,group"
$membersObj = #($groupObj.psbase.Invoke("Members"))
$members = ($membersObj | foreach {
$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
})
Write-Output "Adding Service Account To Event Log Writers..."
if ($members -contains $user) {
Write-Host "$user already exists in the group $group..."
} else {
$groupObj.add("WinNT://./$AdsiUsername,user")
Write-Output "$user added to $group"
}
}
A bit of context, I am trying to get a list of users from a security group, then check if any of those users do not have an assigned XenDesktop.
Please forgive me, I only started using Powershell yesterday so my formatting is off. It first grabs the users from the AD group then checks if that user has an assigned desktop, which works but I what I can't seem to get working is that if the user is found in that list, I want it to move onto the next username, instead it continues to check against every machine and then onto the final bits of code.
$checkusernames = Get-ADGroupMember "***AD security Group***" | Select SamAccountName
$desktops = get-brokerdesktop -DesktopGroupName Personal_WIN8 | Select MachineName, #{Name='AssociatedUserNames';Expression={[string]::join(“;”, ($_.AssociatedUserNames))}}
foreach ($username in $checkusernames.SamAccountName) {
foreach ($desktop in $desktops) {
If ($desktop.AssociatedUserNames -like "*$username*") {
write-host $username "is assigned to" $desktop.machinename
}
write-host $username "is not assigned to a desktop"
}
Write-host $username "is not assigned to anything"
pause
}
If you want to exit from a ForEach loop early you can do so with the Break keyword. For example:
$checkusernames = Get-ADGroupMember "***AD security Group***" | Select SamAccountName
$desktops = get-brokerdesktop -DesktopGroupName Personal_WIN8 | Select MachineName, #{Name='AssociatedUserNames';Expression={[string]::join(“;”, ($_.AssociatedUserNames))}}
foreach ($username in $checkusernames.SamAccountName) {
$machine = ''
foreach ($desktop in $desktops) {
If ($desktop.AssociatedUserNames -like "*$username*") {
$machine = $desktop.machinename
break
}
}
If ($machine) {
write-host $username "is assigned to" $desktop.machinename
} Else {
write-host $username "is not assigned to a desktop"
pause
}
}
This will stop the current cycle of the inner ForEach loop (once it has completed in it's entirety) without interrupting the ongoing cycle of the outer one.
Per the dicussion in the comments, i've also reorganised the code so that you only get a single output dependent on whether a desktop is matched to a user or not and it only pauses if it does not find a match.