Get-ADComputer and MemberOf - powershell

I am very new to PowerShell and am having an issue when using the Get-ADUser and Get-ADComputer cmdlets.
I am trying to use the Get-ADComputer and Get-ADUser to retrieve the memberOf from Active-Directory of all the users and computers. It only appears to be retrieving information from users and computers that are in 2 or more groups. Any users/computers that are only in 1 group display nothing.
For example: If UserA is in group Administrators I get no output when I use MemberOf. But if User2 is in both Administrators and Domains Administrators I get some output. However it will only output one of those groups.
Get-ADGroup does the same thing.
Is this normal? I can't imagine it is.
Here is my code:
Get-ADUser -Filter * -Properties * | Select-Object -Property Name,MemberOf | Sort-Object -Property Name
Thanks

Your trouble comes from the fact that the primary group is not part of the memberOf attribute.
So try this:
Get-ADUser -Filter * -Properties * | Select-Object -Property Name,MemberOf,PrimaryGroup | Sort-Object -Property Name
You'll find a deeper explanation in this answer.
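
An added example, not part of the original answer: a helper that merges MemberOf with PrimaryGroup so that a membership held only through the primary group still appears in a group audit. The function name and the sample objects are constructed for illustration; the commented line at the end shows the same pipeline against a live domain.

```powershell
# Added example. Accepts any object exposing Name, MemberOf and PrimaryGroup,
# which Get-ADUser / Get-ADComputer return when those properties are requested.
function Get-DirectGroupMembership {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Principal
    )
    process {
        # MemberOf can be empty, one DN or many; @() normalises all three cases.
        $all = @($Principal.MemberOf) + @($Principal.PrimaryGroup) |
            Where-Object { $_ } | Sort-Object -Unique
        foreach ($dn in $all) {
            # True when the group is held only as the primary group, so a
            # query on memberOf alone would not report it.
            $primaryOnly = ($dn -eq $Principal.PrimaryGroup) -and ($Principal.MemberOf -notcontains $dn)
            [pscustomobject]@{
                Name        = $Principal.Name
                GroupDN     = $dn
                PrimaryOnly = $primaryOnly
            }
        }
    }
}

# Constructed sample objects (no domain needed to try the function).
$sample = @(
    [pscustomobject]@{
        Name         = 'UserA'
        MemberOf     = @()
        PrimaryGroup = 'CN=Domain Users,CN=Users,DC=example,DC=test'
    }
    [pscustomobject]@{
        Name         = 'User2'
        MemberOf     = @('CN=Administrators,CN=Builtin,DC=example,DC=test')
        PrimaryGroup = 'CN=Domain Admins,CN=Users,DC=example,DC=test'
    }
)
$sample | Get-DirectGroupMembership | Format-Table -AutoSize

# Against a live domain (same call works with Get-ADComputer):
# Get-ADUser -Filter * -Properties MemberOf,PrimaryGroup | Get-DirectGroupMembership
```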

Related

Powershell AD user group member

Is there any simple way to just filter user group member like this:
$abcgroup = (Get-ADUser -Identity username –Properties MemberOf) | where {$_.MemberOf -like "*ABC*"}| Select-Object -ExpandProperty MemberOf | FT MemberOf -AutoSize
And return just the ABC-XYZ user group instead of every single group as output? Otherwise, is there any easy method to process all the group names and just extract any group name that starts with ABC-*?
Thanks

I would make it a little bit simpler, both in server and local processing:
Get-ADGroup -LDAPFilter "(&(member=$((Get-ADUser username).distinguishedName))(sAMAccountName=abc-*))"
This would get all the groups that include selected user and their name matches the pattern. This would only include two LDAP requests (one for getting user DN, one for getting all the groups). All the selection will be done on the server and only interesting values will be returned, meaning less data transfer and less post-processing (i.e. filtering) on the client side.
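
An added example, not part of the original answer: when a distinguished name is interpolated into an LDAP filter as above, characters that are special in filters (backslash, asterisk, parentheses, NUL) have to be escaped per RFC 4515, otherwise a DN such as `CN=Doe\, Jane (Contractor),...` produces a malformed or differently scoped filter. The helper names and the sample DN are constructed for illustration.

```powershell
# Added example: RFC 4515 escaping for values placed inside an LDAP filter.
function ConvertTo-LdapFilterValue {   # hypothetical helper name
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # Replace \ * ( ) and NUL with a backslash followed by the two-digit hex code.
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    })
}

# Builds the filter from the answer above with both inputs escaped.
function New-MemberGroupFilter {       # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$UserDN,
        [Parameter(Mandatory)][string]$NamePrefix
    )
    '(&(member={0})(sAMAccountName={1}*))' -f
        (ConvertTo-LdapFilterValue $UserDN), (ConvertTo-LdapFilterValue $NamePrefix)
}

# Constructed sample DN containing an escaped comma and parentheses.
$dn = 'CN=Doe\, Jane (Contractor),OU=Staff,DC=example,DC=test'
New-MemberGroupFilter -UserDN $dn -NamePrefix 'abc-'

# Against a live domain:
# Get-ADGroup -LDAPFilter (New-MemberGroupFilter (Get-ADUser username).DistinguishedName 'abc-')
```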

Untested, but this might work:
$abcgroup = (Get-ADUser -Identity username -Properties MemberOf).MemberOf |
Where-Object {$_ -match '^cn=ABC-'} | ForEach-Object {(Get-ADGroup -Identity $_).Name}
$abcgroup | Format-Table

List all OU with Users

I'm searching a way in PowerShell to list all OU with Users in it.
I tried something with Get-ADUser or Get-ADOrganizationalUnit but it doesn't really work.

One approach would be to get all of the OUs and check to see if they contain any users via -SearchBase. Filter them out with a Where-Object clause:
Get-ADOrganizationalUnit -Filter * |
Where-Object {(Get-ADUser -SearchBase $_.DistinguishedName -Filter *).Count -gt 0} |
Select-Object -ExpandProperty DistinguishedName
Simply pull the OU from each user object. Then find unique values.
Get-ADUser -Filter * |
ForEach-Object {$_.DistinguishedName -replace '(^.*?)(OU=.*)','$2'} |
Sort-Object -Unique
Note: this makes the assumption that you are not storing user objects in Containers rather than OUs

Retrieving list of Distribution Groups

I need to retrieve a list of Distribution groups with their x400 and x500 addresses. I have determined the attributes are proxyaddresses and TextEncodedORAddress. We are running Exchange 2013. When I look at a high level searchbase like "OU=Exchange,OU=company,DC=company,DC=com" and use Get-ADUser it returns the user accounts, however I need Distribution Groups.
Using the following returns the users with the attributes I need, but I need distribution groups, not users.
Get-ADUser -SearchBase "OU=Exchange,OU=company,DC=company,DC=com" `
-Filter * -Properties * | Select * |
FT CN,distinguishedName,proxyaddresses,textEncodedORAddress
I tried Get-Mailbox, Get-DistributionGroup, but I get an error saying it's not a cmdlet. I also tried using the attribute groupType to filter, but it didn't work. I'm not sure if I'm able to use Get-ADObject as I'm not quite sure how I'd use that cmdlet. Any help would be appreciated.
Because there are multiple values in that proxyaddresses, I was receiving Microsoft.ActiveDirectory.Management.ADPropertyValueCollection, therefore I had to use the following.
Get-ADGroup -SearchBase "OU=Exchange,OU=Company,DC=company,DC=com" `
-Filter * -Properties proxyAddresses | Select CN,distinguishedName,textEncodedORAddress,`
@{L='ProxyAddress_1'; E={$_.proxyaddresses[0]}},
@{L='ProxyAddress_2'; E={$_.ProxyAddresses[1]}},
@{L='ProxyAddress_3'; E={$_.proxyaddresses[2]}},
@{L='ProxyAddress_4'; E={$_.proxyaddresses[3]}},
@{L='ProxyAddress_5'; E={$_.proxyaddresses[4]}} |
Export-CSV C:\temp\x500_Export.csv
The only thing I can't figure out for the output, is why I see the various proxyaddresses and the distinguishedname, however it won't show CN, or displayname. Those are blank.
get-adgroup -filter "GroupCategory -eq 'Distribution'"

How can I compare CSV to AD users and disable users not in CSV?

As a process to disable users, I have a CSV where users are identified by employeeID and not username. I need to loop through and compare the CSV to AD users, and any AD user not in the CSV needs to be disabled. This is what I have so far, but it's not working. I'll admit I'm still fairly new to powershell scripting, so any help would be much appreciated.
Import-Module ActiveDirectory
Import-Csv -Path c:\ADTerm.csv | foreach {Get-ADUser -filter * -SearchBase "ou=Test,ou=Logins,dc=domain,dc=com" -Identity $_.employeeID} | Where {$_ -ne $null} | Disable-ADAccount -Identity $_.employeeID

I can't really fit this all in a comment without it looking horrible so let's start with this.
You are combining -Filter and -Identity which most likely won't net the results you are looking for. Use Identity to get one specific user or filter to get one to many. Looking at TechNet for Get-ADUser you will see Identity only matches values to:
DistinguishedName
objectGUID
objectSid
sAMAccountName
In that regard I see you have a column for EmployeeID. I'm guessing that those are not SamAccountName which is one of the values that -Identity supports. I feel that you could do with the following changes.
$IDs = Import-Csv -Path c:\ADTerm.csv | Select-object -ExpandProperty EmployeeID
Get-ADUser -filter * -SearchBase "ou=Test,ou=Logins,dc=domain,dc=com" -Properties EmployeeID |
Where-Object{$_.EmployeeID -and ($IDs -notcontains $_.EmployeeID)} | Disable-ADAccount
Update the Get-ADUser call to get all users in that OU. Get-ADUser does not return the EmployeeID by default so we use -Properties to specify it. Filter all those users that have employeeID but not one in the list. Disable-ADAccount will take the output of Get-ADUser nicely so there is no need to specify the account again.
Depending on your environment, you might be storing this value as EmployeeNumber in AD. This is also dependent on your having a CSV file with a column for EmployeeNumber.
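
An added example, not part of the original answer: with the "not in the list" comparison above, an empty or mis-read CSV leaves the ID list empty, so every user that has an EmployeeID is selected for disabling. The filter below refuses to run on an empty roster and is meant to be dry-run with -WhatIf first; the function name and the sample data are constructed for illustration.

```powershell
# Added example: select users whose EmployeeID is absent from a roster,
# failing closed when the roster itself is empty.
function Select-UserNotInRoster {      # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][object]$User,
        [string[]]$RosterId = @()
    )
    begin {
        $known = [System.Collections.Generic.HashSet[string]]::new(
            [System.StringComparer]::OrdinalIgnoreCase)
        foreach ($id in $RosterId) {
            if ($id -and $id.Trim()) { [void]$known.Add($id.Trim()) }
        }
        # An empty roster would match every account, so stop here instead.
        if ($known.Count -eq 0) {
            throw 'Roster contains no employee IDs; refusing to select any account.'
        }
    }
    process {
        $id = "$($User.EmployeeID)".Trim()
        # Accounts without an EmployeeID (service accounts etc.) are left alone.
        if ($id -and -not $known.Contains($id)) { $User }
    }
}

# Constructed sample data (no domain needed to try the function).
$roster = 'E1001', 'E1002'
$users = @(
    [pscustomobject]@{ SamAccountName = 'alice';      EmployeeID = 'E1001' }
    [pscustomobject]@{ SamAccountName = 'bob';        EmployeeID = 'E2000' }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; EmployeeID = $null }
)
$users | Select-UserNotInRoster -RosterId $roster

# Against a live domain, as a dry run before removing -WhatIf:
# Get-ADUser -Filter * -SearchBase 'ou=Test,ou=Logins,dc=domain,dc=com' -Properties EmployeeID |
#     Select-UserNotInRoster -RosterId (Import-Csv c:\ADTerm.csv).EmployeeID |
#     Disable-ADAccount -WhatIf
```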

Querying the ManagedBy attribute in PowerShell for AD

I have a small script in powershell written to query user groups in a specific OU in AD to get the name of those groups and to also try and get the ManagedBy attribute of those groups. I've been searching online and here for solutions to why the ManagedBy attribute is not populated results but I have had no luck. Every solution I have found has been written in C# (or another language) and I have tried using the Quest software for AD which doesn't seem to help.
$test = 'OU=example,DC=example,DC=test'
$test | ForEach {Get-ADGroup -Filter * -Properties ManagedBy -SearchBase $_ } | Select Name, Properties | Sort -Property Name | Out-File C:\test.csv
I am only getting results of the name of the groups and empty brackets for the ManagedBy attribute. My question is, is there any way to query the ManagedBy attribute in PowerShell without using another language or integrating different plugins? I've never written in C and I would prefer using native PowerShell if possible.

You've got an error in your Select. Properties should be ManagedBy.
$test = 'OU=example,DC=example,DC=test'
$test | ForEach {Get-ADGroup -Filter * -Properties ManagedBy -SearchBase $_ } |
Select Name, ManagedBy |
Sort -Property Name |
Out-File C:\test.csv