How to filter Win32_UserAccount results by OU - powershell

In PowerShell, I already know how to use DirectoryEntry and DirectorySearcher to get a list of users in a certain OU. The results of this method are mostly what I am looking for in AD, but it seems easier to get the same information by using a WMI query Win32_UserAccount. I like the properties of this class better and the SID is already in the correct string format (in the first method it needs to be converted from a hex byte array to string).
The problem I have with using Win32_UserAccount is that I cannot find a way to filter it by an OU. I can successfully filter by domain and name, and have tried several guesses with WQL, but can't seem to find any syntax for an OU filter. Most of my attempts result in "Invalid query." The following is an example of a query that works:
$user = gwmi Win32_UserAccount -filter "name='somebody' AND domain='mydomain'"
If there is no way to filter this by OU then I will go back to using the DirectoryEntry/DirectorySearcher.

Given that there are no LDAP related properties for the Win32_Account class I think you're out of luck unfortunately.
You could of course use this to get the SID in the format you want in addition to the directory searching to get the LDAP related data.
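One way to do what this answer suggests, as an added example rather than the answer's own code: scope a DirectorySearcher to the OU and convert objectSid from its byte array into the S-1-5-... string with System.Security.Principal.SecurityIdentifier, so the WMI class is not needed. The OU distinguished name is a placeholder.

```powershell
# Added example (not from the answer above): users directly under one OU, with
# objectSid already converted to its string form.
function Get-OuUserSid {
    param(
        # Placeholder OU; replace with the real distinguished name.
        [Parameter(Mandatory)] [string] $OuDistinguishedName
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$OuDistinguishedName")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # objectCategory=person alone also matches contacts; the objectClass term excludes them.
    $searcher.Filter      = '(&(objectCategory=person)(objectClass=user))'
    $searcher.SearchScope = 'OneLevel'   # only this OU; use 'Subtree' to include child OUs
    $searcher.PageSize    = 1000         # paged results so large OUs are not cut off at 1000
    [void] $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'objectSid', 'distinguishedName'))

    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            $sidBytes = [byte[]] $result.Properties['objectsid'][0]
            # SecurityIdentifier parses the binary SID; .Value is the SDDL string (S-1-5-21-...-1104)
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
            [pscustomobject]@{
                SamAccountName    = [string] $result.Properties['samaccountname'][0]
                Sid               = $sid.Value
                DistinguishedName = [string] $result.Properties['distinguishedname'][0]
            }
        }
    }
    finally {
        $results.Dispose()   # SearchResultCollection holds unmanaged handles
    }
}

Get-OuUserSid -OuDistinguishedName 'OU=Sales,DC=example,DC=com' | Format-Table -AutoSize
```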

Are you familiar with the free AD cmdlets from Quest?
http://www.quest.com/powershell/activeroles-server.aspx
You can filter users based on OU and get the SID in various formats:
PS> Get-QADUser -SizeLimit 0 -SearchRoot '<OU_DistinguishedName>' | fl *sid*
objectSid : 0105000000000005150000006753F33372134F3FF673476FF4023001
Sid : S-1-5-21-54781788-1045369324-1866953526-501
(...)

Related

Modifying Powershell LDAPFilter to add enabled=true

I've built a filter to look for a number of AD fields and properties that works well until I try to add a section looking for 'enabled -eq $true.'
Here is the filter that works successfully:
$filter = "(&(msExchMailboxguid=*)"+"(facilityID=12345)"+"(|(jobCodeID=0001)"+"(jobCodeID=0002)"+"(jobCodeID=0003)(jobCodeID=0004)"+"(jobCodeID=0005)"+"(jobCodeID=0006)))"
Get-ADUser -SearchBase "dc=acme,dc=corp" -LDAPFilter $filter
This works, and produces the correct AD user objects (four total).
But if I try looking for enabled accounts only, like so:
$filter = "(&(msExchMailboxguid=*)"+"(facilityID=12345)"+"(enabled=$true)"+"(|(jobCodeID=0001)"+"(jobCodeID=0002)"+"(jobCodeID=0003)(jobCodeID=0004)"+"(jobCodeID=0005)"+"(jobCodeID=0006)))"
It either fails with "the search filter can not be recognized," or it returns nothing at all depending on whether there are 3 or 4 closed parentheses. I've tried a bunch of variations like (enabled=true), (enabled -eq true) but none of them work.
The issue is that you are using an LDAP filter, which is different from a native PowerShell filter and so has a different syntax. Even though most LDAP fields match pretty closely to their normal names, the Enabled field is not stored as a "normal" property (e.g. boolean true/false). Instead, it is held in a part of a bitmasked property, userAccountControl. That means you have to use the "intuitive" filter:
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
To filter out only the enabled accounts.
So that makes your filter for your example to become:
$filter = "(&(msExchMailboxguid=*)"+"(facilityID=12345)"+"(!(userAccountControl:1.2.840.113556.1.4.803:=2))"+"(|(jobCodeID=0001)"+"(jobCodeID=0002)"+"(jobCodeID=0003)(jobCodeID=0004)"+"(jobCodeID=0005)"+"(jobCodeID=0006)))"
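An added example (not the answer's code) that builds the userAccountControl clause from named bit values instead of the bare number, and goes one step further than the answer: the same bit-AND matching rule also finds enabled accounts whose password is not required or never expires, a common review item. It assumes the ActiveDirectory module and reuses the dc=acme,dc=corp search base from the question.

```powershell
# Added example: userAccountControl filters via the LDAP_MATCHING_RULE_BIT_AND OID.
$UacFlags = @{
    ACCOUNTDISABLE       = 0x0002
    PASSWD_NOTREQD       = 0x0020
    DONT_EXPIRE_PASSWORD = 0x10000
}
$BitAnd = '1.2.840.113556.1.4.803'   # matching rule: all bits in the value must be set

# (enabled=$true) interpolates to (enabled=True), and no such LDAP attribute exists.
# "Enabled" really means: the ACCOUNTDISABLE bit of userAccountControl is NOT set.
$enabledClause = "(!(userAccountControl:${BitAnd}:=$($UacFlags.ACCOUNTDISABLE)))"

# Review filter: enabled AND (password not required OR password never expires)
$auditFilter = '(&(objectCategory=person)(objectClass=user)' + $enabledClause +
    "(|(userAccountControl:${BitAnd}:=$($UacFlags.PASSWD_NOTREQD))" +
    "(userAccountControl:${BitAnd}:=$($UacFlags.DONT_EXPIRE_PASSWORD))))"

function ConvertFrom-UserAccountControl {
    # Turns the integer into the names of the flags that are set, for readable output.
    param([Parameter(Mandatory)][int] $Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key } | Sort-Object
}

Get-ADUser -SearchBase 'dc=acme,dc=corp' -LDAPFilter $auditFilter -Properties userAccountControl |
    Select-Object SamAccountName, Enabled,
        @{ n = 'UacFlags'; e = { (ConvertFrom-UserAccountControl $_.userAccountControl) -join ',' } }
```

Swap $auditFilter for the question's own filter with $enabledClause in place of (enabled=$true) to get the four mailbox users, enabled only.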

Get AD user by providing fullName and manager full name

It might look silly, but I'm struggling with finding a user with PowerShell by providing his full name and his manager's full name. The purpose of the script is to get SamAccountName and Email Address using the mentioned values, which are provided by another team (these are the only unique values I get; getting a user by Full Name is not any kind of problem, but it's possible that it'll return multiple results, and that's why the Manager Full Name would determine the appropriate result).
First I was using simple command
Get-ADUser -server $gc -Filter { (CN -eq $uFullName) -and (extensionAttribute4 -eq $mFullName) }
It worked great, but unfortunately I noticed that not all accounts use extensionAttribute4 to hold the manager's full name. I thought of using a Filter on the Manager property, but when I tried to use (Manager -like "*value*") it returned that the -like operator isn't supported by this attribute.
I'm still trying to find a solution for this, but maybe someone will have a solution to this situation.
Thank you in advance.

ADSI Search for DistinguishedName of the primary group based on primarygroupid

Because we don't have the Active Directory module available on all our systems, we're using ADSI instead. The following code retrieves a user object from AD by using the AdsiSearcher:
$ADUser = ([AdsiSearcher]"(samaccountname=$SamAccountName)").FindOne()
This results in finding the property primarygroupid, which represents the domain primary group for the user, usually number 513. When we have this number we would like to find the distinguishedName of the group. The code below does that just fine; however, I was wondering whether there is a better filter that can be used instead of filtering after the FindAll() method.
$searcher = [adsisearcher]'objectclass=group'
$searcher.PropertiesToLoad.Add('primarygrouptoken')
$searcher.PropertiesToLoad.Add('distinguishedName')
$searcher.FindAll() |
Where-Object { $_.Properties.primarygrouptoken -eq 513}
Something like this would be great but it's not possible:
([adsisearcher]"(&(objectCategory=group)(primaryGroupid=513))").FindOne()
The primaryGroupToken is a constructed attribute, meaning that it's not actually materialized in the database, and can't be filtered using LDAP.
In order to build an equivalent filter we'll need to look at how it is constructed - and the primary group token in Active Directory is always the same as the group's RID part (the relative identifier) of the objectSid attribute.
So, if we want to search by it, we can simply filter by objectSid instead:
# Obtain domain SID
$dncDN = ([adsi]"LDAP://RootDSE").defaultNamingContext
$dnc = [adsi]"LDAP://$dncDN"
$domainSID = [System.Security.Principal.SecurityIdentifier]::new($dnc.objectSid.Value, 0)
# Set the group ID we're looking for
$RID = 513
# Search for group by objectSid value:
([adsisearcher]"(&(objectCategory=group)(objectSid=${domainSID}-${RID}))").FindOne()
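The same RID-to-objectSid technique carried through end to end, as an added example rather than the answer's own code: look up the user, read primarygroupid, and build the group SID from the user's own SID via AccountDomainSid, which goes a little beyond the answer in that it does not need the RootDSE lookup and also works for a user whose domain differs from the searcher's default. The function name is an assumption.

```powershell
# Added example: resolve a user's primary group DN with ADSI only.
function Get-AdsiPrimaryGroup {
    param([Parameter(Mandatory)][string] $SamAccountName)

    $user = ([adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))").FindOne()
    if (-not $user) { throw "User '$SamAccountName' not found" }

    $userSid = [System.Security.Principal.SecurityIdentifier]::new(
        [byte[]] $user.Properties['objectsid'][0], 0)
    $rid = [int] $user.Properties['primarygroupid'][0]

    # AccountDomainSid is the user's SID without its RID; the primary group always lives
    # in the user's own domain, so appending primarygroupid gives the group's objectSid.
    $groupSid = "$($userSid.AccountDomainSid.Value)-$rid"

    # AD accepts the S-1-5-... string form of objectSid in an LDAP filter.
    $searcher = [adsisearcher]"(&(objectCategory=group)(objectSid=$groupSid))"
    [void] $searcher.PropertiesToLoad.Add('distinguishedName')
    $group = $searcher.FindOne()
    if (-not $group) { throw "No group with objectSid $groupSid (check SearchRoot for other domains)" }

    [pscustomobject]@{
        User            = $SamAccountName
        PrimaryGroupRid = $rid
        PrimaryGroupSid = $groupSid
        PrimaryGroupDN  = [string] $group.Properties['distinguishedname'][0]
    }
}

Get-AdsiPrimaryGroup -SamAccountName 'jdoe'   # 'jdoe' is a placeholder account name
```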

Active Directory Querying with PowerShell

I am building a report on our active directory groups and am having a hard time when it comes to different forests.
We have groups from forestA with users inside from forestB. I was able to pull those groups using Quest AD:
$GroupUsers = Get-QADGroupMember $GroupName -Type 'user' -Indirect
The only problem is that even though the users inside are from forest B, they come up showing they are from forestA. They do exist in both forests, don't know if that's a problem.
Any clue on why this happens?
Thanks in advance.
There is a -Server parameter on the Get-ADGroupMember cmdlet where you may specify a domain controller from another domain/forest. Something like:
Get-ADGroupMember -Identity $GroupName -Server DC.AnotherDomain.com
You can query the forest for domains or all global catalogs: Get-ADForest (properties GlobalCatalogs, Domains). I often did something like this:
I pulled the list of all SIDs in the group, then checked which ones belong to my domain/forest; the rest were searched for in the external forest.

Find and replace custom attribute values in AD using Powershell

So I have an interesting script I am trying to figure out. Basically I need to change a custom attribute value to a new one. The problem is it's for both users and computers and not specific to groups. So for instance the value might be Billing1 for several users in an OU and this needs to be Billing2. So I need to find any instance of the value Billing1 and change it to Billing2 without knowing the user or computer object. I can successfully change one at a time if I know who the user is by using Set-ADUser, Set-ADComputer and even Set-ADObject, but I need to figure out a find-and-replace function.
I have searched for this and I have found examples where I can use a CSV for users and computers, but again I don't know who has what, since the value in the attribute can vary and also changes if a reorg happens.
Got the correct script...
Get-ADComputer -Properties enterattributename -Filter { enterattributename -like "value to search" } | Set-ADComputer -Replace @{ enterattributename = "value to change" }
This also can be applied to Get-ADUser and Get-ADObject.
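An added example (not the poster's script) that uses Get-ADObject, as the last line suggests, so users and computers are handled in one pass: an exact-match LDAP filter on the attribute, a -SearchBase to scope the change, and ShouldProcess so a -WhatIf run lists what would change before anything is written. The function name, attribute name and OU are placeholders.

```powershell
# Added example: find-and-replace one attribute value across users and computers.
function Rename-AdCustomAttributeValue {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string] $Attribute,     # e.g. 'extensionAttribute1' (placeholder)
        [Parameter(Mandatory)][string] $OldValue,
        [Parameter(Mandatory)][string] $NewValue,
        [string] $SearchBase = 'OU=Billing,DC=example,DC=com'   # placeholder scope
    )
    # Computers are objectClass=user too, so objectCategory is what separates the two kinds.
    # $OldValue is used verbatim: values containing ( ) * \ would need LDAP escaping first.
    $filter  = "(&($Attribute=$OldValue)(|(objectCategory=person)(objectCategory=computer)))"
    $targets = @(Get-ADObject -SearchBase $SearchBase -LDAPFilter $filter -Properties $Attribute)

    foreach ($obj in $targets) {
        # With -WhatIf this only prints the planned change; with -Confirm it prompts per object.
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Set $Attribute '$OldValue' -> '$NewValue'")) {
            Set-ADObject -Identity $obj -Replace @{ $Attribute = $NewValue }
        }
    }
    # Return what was matched so the run can be kept as a record (e.g. piped to Export-Csv).
    $targets | Select-Object ObjectClass, DistinguishedName
}

# Dry run first; drop -WhatIf to apply.
Rename-AdCustomAttributeValue -Attribute 'extensionAttribute1' -OldValue 'Billing1' -NewValue 'Billing2' -WhatIf
```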