Make all users within the domain a member of a security group - PowerShell

Using either PowerShell or VBS, how can I make all of the users within my domain who have an email address a member of a specific security group?

Import-Module ActiveDirectory
# Look the group up once, then add every user that has an email address to it
$Group = Get-ADGroup -Filter {Name -eq "GroupName"}
Get-ADUser -Filter {EmailAddress -like "*"} | % {Add-ADGroupMember -Identity $Group -Members $_}
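A fuller version of the same bulk change, added here as an example rather than taken from the answer above. It assumes the ActiveDirectory module, a domain-joined session and a target group called GroupName (placeholder). It filters server-side, skips users who are already direct members, dry-runs the change with -WhatIf, and then makes the change with a single Add-ADGroupMember call instead of one directory write per user:

```powershell
# Added example (not the original answer's code). Assumes the ActiveDirectory module
# and a group named "GroupName"; the group name is a placeholder.
Import-Module ActiveDirectory

$GroupName = 'GroupName'                      # assumed target group
$Group     = Get-ADGroup -Identity $GroupName

# Server-side filter: only users that actually carry a mail attribute.
$Users = Get-ADUser -Filter 'mail -like "*"' -Properties mail, memberOf

# Keep the change set minimal: skip users who are already direct members.
$ToAdd = @($Users | Where-Object { $_.memberOf -notcontains $Group.DistinguishedName })

Write-Host ("{0} users have mail, {1} are not yet members of {2}" -f @($Users).Count, $ToAdd.Count, $Group.Name)

if ($ToAdd.Count -gt 0) {
    # Dry run: -WhatIf reports what would change without touching the directory.
    Add-ADGroupMember -Identity $Group -Members $ToAdd -WhatIf

    # When the dry run looks right, replace the line above with this single batch call
    # (-Confirm:$false suppresses the per-call prompt):
    # Add-ADGroupMember -Identity $Group -Members $ToAdd -Confirm:$false
}
```

Because memberOf only lists direct memberships, users who reach the group through a nested group are still added as direct members; that is usually what a "make everyone a member" request wants, but it is worth knowing before running it.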

Users in ADGroup with direct reports

I want a list of users in ATL Users that have direct reports.
Part 1: Group Membership
I can get the users in a group.
Get-ADGroupMember "ATL Users" | Where objectClass -eq "user"
Part 2: Filter for Direct Reports
I can get a list of users with direct reports, but very slowly (scans entire tree).
Get-ADUser -Filter "DirectReports -like '*'"
Question
How can I get the list of users in ATL Users then -Filter those users by if they have direct reports?
This is readily done with an LDAP filter using memberOf. If this is a one-off query and you know the group's distinguished name (cn=ATL Users,ou=groups,dc=domain,dc=gTLD in this example), you can use:
get-aduser -LDAPFilter "(&(memberOf=cn=ATL Users,ou=groups,dc=domain,dc=gTLD)(directReports=*)(objectClass=user))"
If you will be running this query repeatedly, it would be best to get the group object from a search so directory restructuring won't break your query.
PS> $groupFQDN = (get-adgroup -identity "ATL Users").distinguishedName
PS> $groupFQDN
CN=ATL Users,OU=NewGroupsOU,DC=company,DC=gTLD
PS> get-aduser -LDAPFilter "(&(memberOf=$groupFQDN)(directReports=*)(objectClass=user))"
You can just pipe a foreach into Get-ADUser -filter after Get-ADGroupMember
Example:
Get-ADGroupMember "ATL Users" | Where-Object {$_.ObjectClass -eq "user"} | foreach {Get-ADUser $_.samaccountname -properties Name, DirectReports | Where-Object {$_.DirectReports -like "*"} |Select Name, DirectReports}
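The LDAP-filter answer above interpolates the group's distinguished name straight into the filter string. That works for "ATL Users", but a DN containing any of the characters ( ) * or \ would change the meaning of the filter. The following added example (not part of either answer) escapes the DN per RFC 4515 before building the filter, and optionally uses the LDAP_MATCHING_RULE_IN_CHAIN rule so members of nested groups are found too. It assumes the ActiveDirectory module and a group named "ATL Users"; the -Recursive switch and function names are my own:

```powershell
# Added example, not the answers' code. Assumes the ActiveDirectory module and a group
# named "ATL Users" (illustrative).
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escapes a value for use inside an LDAP search filter (RFC 4515) so that
    # ( ) * \ and NUL in a DN cannot alter the structure of the filter.
    # The backslash must be handled first, or the other escapes would be re-escaped.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-GroupMembersWithDirectReports {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [switch]$Recursive,     # also match users whose membership comes via nested groups
        [string]$Server         # optional: query another domain controller / domain
    )
    $group = Get-ADGroup -Identity $GroupName
    $dn    = ConvertTo-LdapFilterValue $group.DistinguishedName

    # 1.2.840.113556.1.4.1941 is the AD "in chain" matching rule: memberOf is
    # evaluated transitively through nested groups.
    $memberClause = if ($Recursive) { "(memberOf:1.2.840.113556.1.4.1941:=$dn)" } else { "(memberOf=$dn)" }
    $filter = "(&(objectClass=user)$memberClause(directReports=*))"

    $splat = @{ LDAPFilter = $filter; Properties = 'directReports' }
    if ($Server) { $splat.Server = $Server }

    Get-ADUser @splat |
        Select-Object Name, SamAccountName, @{ n = 'ReportCount'; e = { @($_.directReports).Count } }
}

Get-GroupMembersWithDirectReports -GroupName 'ATL Users'
Get-GroupMembersWithDirectReports -GroupName 'ATL Users' -Recursive
```

The whole filter is still evaluated on the domain controller, so it keeps the speed advantage of the LDAP approach over the client-side foreach in the second answer, while the escaping step means a renamed or oddly named group cannot produce a filter that silently matches nothing or matches too much.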

How to retrieve only enabled users from the Active Directory

I'm trying to retrieve only enabled users in the AD. When I run this code line it returns the error. I tried using a filter as well to filter only enabled users for the requested info but it returns ALL users from every domain instead of just the single id.
Get-ADUser : A positional parameter cannot be found that accepts argument 'enabled -eq 'true''.
This is my code that is throwing the error.
Get-ADGroupMember -Identity 'Animal Shop A' | Get-ADUser -Filter '*' | Get-ADUser Where "enabled -eq 'true'" | Get-ADUser -Properties ('Mail')
This one returns ALL users from every domain
Get-ADGroupMember -Identity 'Animal Shop A' | Get-ADUser -Filter "enabled -eq'true'" | Get-ADUser -Properties ('Mail')
Is my syntax wrong on both of them? I just want to return values from, say, "Animal Shop A" and then "Animal Shop B".
.. or a little bit shorter this way:
Get-ADUser -Filter 'enabled -eq $true' -Properties mail |
Select-Object -Property Name,samaccountname,mail
Besides this I would recommend using a -SearchBase. That's less stressful for the AD. ;-)
Get-ADUser -Filter * -Properties mail | Where { $_.Enabled -eq $True} | Select Name,samaccountname,mail
That will get all enabled users in your target domain and display the name, username, and mail properties.
Important to know for both commands:
You must work with an elevated powershell process.
Otherwise the result may not be complete.
get-aduser -filter 'enabled -eq "true"' -ResultSetSize $Null
Simply try the commands below in PowerShell with administrator permissions.
As a guide, the first part filters users, the second part filters on the enabled state, and the last part exports the results.
Get-ADUser -Filter * -Property Enabled | Where-Object {$_.Enabled -like "false"} | Export-Csv -Path C:\eport.csv -Encoding ascii -NoTypeInformation
Hope this is useful for you.
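The root cause of "returns ALL users from every domain" in the question is that Get-ADUser -Filter does not take pipeline input: the group members piped in are ignored and the filter runs against the whole domain. The added example below (not any answerer's code) keeps the group scope by passing each member to Get-ADUser as an identity and filtering Enabled afterwards, and handles several groups and nested membership. It assumes the ActiveDirectory module and groups named "Animal Shop A" and "Animal Shop B" (illustrative):

```powershell
# Added example, not from the question or answers. Assumes the ActiveDirectory module
# and groups named "Animal Shop A" / "Animal Shop B" (illustrative names).
Import-Module ActiveDirectory

function Get-EnabledGroupUsers {
    # Returns the enabled user accounts that are members of each named group.
    # Each member is handed to Get-ADUser as an identity; -Filter is deliberately
    # avoided because it ignores pipeline input and would search the whole domain.
    param(
        [Parameter(Mandatory)][string[]]$GroupName,
        [switch]$Recursive      # also resolve members of nested groups
    )
    foreach ($g in $GroupName) {
        Get-ADGroupMember -Identity $g -Recursive:$Recursive |
            Where-Object { $_.objectClass -eq 'user' } |      # drop nested groups, computers, etc.
            Get-ADUser -Properties mail |                       # Enabled is a default property
            Where-Object { $_.Enabled } |
            Select-Object @{ n = 'Group'; e = { $g } }, Name, SamAccountName, mail
    }
}

$report = Get-EnabledGroupUsers -GroupName 'Animal Shop A', 'Animal Shop B' -Recursive
$report | Format-Table -AutoSize
$report | Export-Csv -Path "$env:TEMP\enabled-group-users.csv" -NoTypeInformation
```

Filtering on Enabled after the lookup costs one Get-ADUser call per member, which is fine for a group of a few hundred accounts; for very large groups the LDAP-filter approach from the earlier question (memberOf plus a userAccountControl test) keeps all of the work on the domain controller.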

Joining user to groups based on template user strange behaviour

I'm writing a script in PowerShell that creates users. This script adds the user to groups based on a template user with the department name. When used in my script like so:
Get-ADUser -Filter {name -eq "Temp$($Department.LookupValue)"} -Properties memberof |
Select-Object -ExpandProperty memberof |
Add-ADGroupMember -Members $sAMAccountName
this unfortunately doesn't work, nor does it give any errors.
However, when I run just the line of code it works just fine
Get-ADUser -Filter {name -eq "TempICT"} -Properties memberof |
Select-Object -ExpandProperty memberof |
Add-ADGroupMember -Members usern
As noted in the comments, you can cycle through the group names with foreach-object using Add-ADGroupMember, but this is going to result in a call to AD for every group the user needs to be added to. It may be more efficient to use the Add-ADPrincipalGroupMembership cmdlet, which will add the user to multiple groups in a single operation:
$Groups = Get-ADUser -Filter {name -eq "TempICT"} -Properties memberof |
Select-Object -ExpandProperty memberof
Add-ADPrincipalGroupMembership -Identity $sAMAccountname -MemberOf $Groups
The following line of code does work, I guess the problem was with the filter not being able to process the dot notation.
Get-ADUser "Temp$departmentsn" -Properties memberof | Select-Object -ExpandProperty memberof | Add-ADGroupMember -Members $gebruiker
It's not 100% how I wanted it since I now search for the netbiosname instead of the name property but it works. Because of the 20 character limitation for netbiosnames I had to make a substring to make it work for all my departments.
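Cloning a template account's memberOf list is a common provisioning pattern, and the one thing it should never do silently is copy a protected group. The added example below (not the asker's script) builds the template name outside the filter expression, which sidesteps the dot-notation problem the asker hit, uses Add-ADPrincipalGroupMembership for a single write as the answer suggests, skips groups protected by AdminSDHolder (adminCount = 1, e.g. Domain Admins or Account Operators) and supports -WhatIf. It assumes the ActiveDirectory module and that both the template user "TempICT" and the new account "usern" already exist; the function and parameter names are mine:

```powershell
# Added example, not the asker's or answerer's code. Assumes the ActiveDirectory
# module, a template user "TempICT" and a target account "usern" (both illustrative).
Import-Module ActiveDirectory

function Copy-TemplateGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Department,   # e.g. 'ICT' -> template 'TempICT'
        [Parameter(Mandatory)][string]$TargetSam
    )
    # Build the name first, then look it up by identity: no filter-expression
    # quoting or dot-notation inside a -Filter block to go wrong.
    $templateSam = "Temp$Department"
    $template = Get-ADUser -Identity $templateSam -Properties memberOf
    $target   = Get-ADUser -Identity $TargetSam   -Properties memberOf

    $copy = @(); $skipped = @()
    foreach ($dn in $template.memberOf) {
        $grp = Get-ADGroup -Identity $dn -Properties adminCount
        # adminCount=1 marks groups protected by AdminSDHolder. A template account
        # must not become the route by which new users land in those groups.
        if ($grp.adminCount -eq 1) { $skipped += $grp.Name; continue }
        if ($target.memberOf -contains $dn) { continue }   # already a member
        $copy += $dn
    }

    if ($copy.Count -gt 0 -and $PSCmdlet.ShouldProcess($TargetSam, "add to $($copy.Count) groups from $templateSam")) {
        # One directory operation for all groups, rather than one per group.
        Add-ADPrincipalGroupMembership -Identity $target -MemberOf $copy
    }

    [pscustomobject]@{ Target = $TargetSam; Template = $templateSam; Added = $copy; SkippedProtected = $skipped }
}

# Dry run first; drop -WhatIf to apply the change.
Copy-TemplateGroupMembership -Department 'ICT' -TargetSam 'usern' -WhatIf
```

If the template user legitimately belongs to a protected group, that membership should be granted through its own approved process rather than inherited by every new account in the department; the SkippedProtected list makes that decision visible instead of burying it.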

Powershell AD user search by name and OU

I received a task in my studies to create a command that will find specific users in a specific OU in Active Directory.
More precisely: find all persons whose name is A* and who are located in an OU named *es.
After hours of researching I created such commands:
For finding all A* users:
Get-ADUser -filter {name -like "A*"}
For finding all *es OU
Get-ADObject -filter {OU -like "*es"}
And I have no idea how to connect those outputs.
I was thinking about solutions like these, but they don't work for me.
$var = Get-ADObject -filter {OU -like "*es"} | Select DistinguishedName
Get-ADUser -filter {name -like "A*"} -SearchBase $var
Or
Get-ADUser -filter {name -like "A*" -and OU -like "*es"}
I'm lost, please advise.
You could first use the server filter to get all A* users and then filter the OU on the client using the Where-Object cmdlet:
Get-ADUser -filter {Name -like 'A*'} | Where-Object DistinguishedName -like '*OU=*es*'
If you know all the OUs you want to filter on, consider using the -SearchBase parameter. More information here.
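The answer's client-side filter works, but '*OU=*es*' also matches a DN whose OU name merely contains "es" somewhere (OU=Test, OU=Sales Support), and it still pulls every A* user in the domain across the wire. The added example below (not the answer's code) does what the answer's last sentence hints at: it resolves the matching OUs server-side with Get-ADOrganizationalUnit and then runs a -SearchBase query per OU. It assumes only the ActiveDirectory module and a domain in which some OU names end in "es"; the function name and -Recurse switch are mine:

```powershell
# Added example, not the answer's code. Assumes the ActiveDirectory module; the
# patterns 'A*' and '*es' come from the question.
Import-Module ActiveDirectory

function Find-UsersInMatchingOUs {
    param(
        [Parameter(Mandatory)][string]$NamePattern,   # e.g. 'A*'
        [Parameter(Mandatory)][string]$OUPattern,     # e.g. '*es'
        [switch]$Recurse                               # also search sub-OUs of each match
    )
    # Step 1: resolve OUs server-side. Unlike Get-ADObject this only returns
    # objectClass=organizationalUnit, so no container or group is mistaken for an OU.
    $ous = Get-ADOrganizationalUnit -Filter "Name -like '$OUPattern'"

    # Step 2: one scoped query per OU. -SearchBase makes the DC do the work, and
    # OneLevel keeps "located in OU *es" literal; -Recurse widens it to Subtree.
    $scope = if ($Recurse) { 'Subtree' } else { 'OneLevel' }
    foreach ($ou in $ous) {
        Get-ADUser -Filter "Name -like '$NamePattern'" -SearchBase $ou.DistinguishedName -SearchScope $scope |
            Select-Object @{ n = 'OU'; e = { $ou.Name } }, Name, SamAccountName, DistinguishedName
    }
}

Find-UsersInMatchingOUs -NamePattern 'A*' -OUPattern '*es'
Find-UsersInMatchingOUs -NamePattern 'A*' -OUPattern '*es' -Recurse
```

The patterns are interpolated into -Filter strings, so they should be plain wildcard patterns without embedded quotes; if user-supplied input ever feeds them, validate that first.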

Using a different active directory tree in powershell

So I have a script with the purpose of scanning devices that start with a certain name, then return results of computers missing a group. My problem is, the device I need it to run from turns out not to be in the same tree. I have seen some commands, but I wanted to be sure I had the syntax right. I will include part of the script for context:
Import-Module ActiveDirectory
$Group = "A-Certain-Group"
$Groupname = (Get-ADGroup $Group).distinguishedName
$Computers = Get-ADComputer -filter "name -like 'Big*'" -Prop MemberOf | Where{$_.MemberOf -notcontains $Groupname}
So let's say I am running it from "company.net", and it needs to perform the above script on "companynet.net" instead. What is the proper method?
The AD cmdlets all have a -server parameter which lets you specify other domains. Just use it to specify the other domain assuming there is a trust.
$Groupname = (Get-ADGroup $Group -Server companynet.net).distinguishedName
$Computers = Get-ADComputer -Server companynet.net -filter "name -like 'Big*'" -Prop MemberOf | Where{$_.MemberOf -notcontains $Groupname}
Note that if you don't have permission to perform actions in the domain you will also need to use the -credential parameter.
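Putting the answer's two points together, here is an added example (not the asker's script) that collects -Server and, when needed, -Credential into one hashtable and splats it onto every AD call, so no cmdlet in the script silently falls back to the domain the machine is joined to. It assumes the ActiveDirectory module, a trust to companynet.net, and the group and computer prefix from the question:

```powershell
# Added example, not the asker's or answerer's code. Assumes the ActiveDirectory
# module and a trusted domain "companynet.net"; group and prefix are illustrative.
Import-Module ActiveDirectory

function Get-ComputersMissingGroup {
    param(
        [Parameter(Mandatory)][string]$Domain,       # e.g. 'companynet.net'
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$NamePrefix,   # e.g. 'Big'
        [pscredential]$Credential                    # only if the current identity has no rights in $Domain
    )
    # Collect the connection parameters once and splat them onto every AD cmdlet.
    $ad = @{ Server = $Domain }
    if ($Credential) { $ad.Credential = $Credential }

    $groupDn = (Get-ADGroup -Identity $GroupName @ad).DistinguishedName

    Get-ADComputer -Filter "Name -like '$NamePrefix*'" -Properties memberOf @ad |
        Where-Object { $_.memberOf -notcontains $groupDn } |
        Select-Object Name, DNSHostName, Enabled
}

# Prompt for the credential rather than embedding a password in the script.
$cred = Get-Credential -Message 'Account with read access to companynet.net'
Get-ComputersMissingGroup -Domain 'companynet.net' -GroupName 'A-Certain-Group' -NamePrefix 'Big' -Credential $cred
```

-Server accepts either a domain name or a specific domain controller; passing the domain name lets the client pick a DC, which is the better default for a script that runs from several places.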