Develop Reference

Active Directory - list full subgroup dependency of a given group and omit subgroups without any user

I have to list full subgroup dependency of specific group - filter -> only subgroups which contain at least 1 user.
I have tried this approach:
dsquery group -samid <specific_group> | dsget group -members -expand | dsquery * -filter "(&(objectclass=group))"

This is an adapted version of my answer here to omit groups without any user object.
Unfortunately, using Get-ADGroupMember together with switch -Recursive will not return members that are groups.
As the docs state:
If the Recursive parameter is specified, the cmdlet gets all members
in the hierarchy of the group that do not contain child objects.
To get an array of nested group objects within a certain parent group, you will need a recursive function like below:
function Get-NestedADGroup {
Param (
[Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 0)]
[ValidateNotNullOrEmpty()]
[Alias ('Identity')]
[string]$Group,
# the other parameters are optional
[string]$Server = $null,
[string]$SearchBase = $null,
[ValidateSet('Base', 'OneLevel', 'Subtree')]
[string]$SearchScope = 'Subtree'
)
$params = #{
Identity = $Group
SearchScope = $SearchScope
Properties = 'Members'
ErrorAction = 'SilentlyContinue'
}
if (![string]::IsNullOrWhiteSpace($Server)) { $params['Server'] = $Server }
if (![string]::IsNullOrWhiteSpace($SearchBase)) { $params['SearchBase'] = $SearchBase }
$adGroup = Get-ADGroup #params
if ($adGroup) {
if (-not $script:groupsHash.ContainsKey($Group)) {
# output this group object only if it has at least one user object
if (#($adGroup.Members | Where-Object {$_.objectClass -eq 'user'}).Count -gt 0) {
$adGroup
}
# avoid circular group references
$script:groupsHash[$Group] = $true
# and recurse to get the nested groups
foreach ($group in ($adGroup.Members | Where-Object {$_.objectClass -eq 'group'})) {
Get-NestedADGroup -Group $group.DistinguishedName -Server $Server -SearchBase $SearchBase
}
}
}
else {
Write-Warning "Group '$($Group)' could not be found.."
}
}
# create a Hashtable to avoid circular nested groups
$groupsHash = #{}
# call the function
$result = Get-NestedADGroup -Group 'SpecificGroup'
# output just the names if you like
$result.Name
# save to CSV
$result | Export-Csv -Path 'X:\Somewhere\SubgroupsWithAtLeastOneUser.csv' -NoTypeInformation

Here is an easy alternative leveraging Active Directory filtering capabilities. See inline comments to understand the logic.
Do note, this answer requires the ActiveDirectory Module available.
# Get the DN of the parent group (this is the initial group)
$parent = (Get-ADGroup parentGroup).distinguishedName
$param = #{
LDAPFilter = "(memberof:1.2.840.113556.1.4.1941:=$parent)"
Properties = "member"
}
# Find, recursively, all child groups Members Of this parent group
# and filter
Get-ADGroup #param | Where-Object {
# For each member of this child group,
# check if this member is an object of the Class `user`,
# if it is, we already can break the pipeline and return
# this child group, since we already know it has
# at least 1 user member
$_.member | Get-ADObject | Where-Object ObjectClass -EQ user |
Select-Object -First 1
}

How save png as jpg without saving the file in dir

I'm using FromFile to get the image out of files, and it has the following error for the png's on the FromFile line:
Exception calling "FromFile" with "1" argument(s): "The given path's
format is not supported."
So, I'm trying to convert the bmp's to jpg, (see convert line above FromFile below) but all the examples I see (that seem usable) are saving the file. I don't want to save the file in the dir. All I need is the image format, so FromFile can use it like this example. I saw ConvertTo-Jpeg, but I don't think this is a standard powershell module, or don't see how to install it.
I saw this link, but I don't think that would leave the image in the format needed by FromFile.
This is my code:
$imageFile2 = Get-ChildItem -Recurse -Path $ImageFullBasePath -Include #("*.bmp","*.jpg","*.png") | Where-Object {$_.Name -match "$($pictureName)"} #$imageFile | Select-String -Pattern '$($pictureName)' -AllMatches
Write-Host $imageFile2
if($imageFile2.Exists)
{
if($imageFile2 -Match "png")
{
$imageFile2 | .\ConvertTo-Jpeg #I don't think this will work with FromFile below
}
$image = [System.Drawing.Image]::FromFile($imageFile2) step
}
else {
Write-Host "$($imageFile2) does not exist"
}
And then I put it in excel:
$xlsx = $result | Export-Excel -Path $outFilePath -WorksheetName $errCode -Autosize -AutoFilter -FreezeTopRow -BoldTopRow -PassThru # -ClearSheet can't ClearSheet every time or it clears previous data ###left off
$ws = $xlsx.Workbook.Worksheets[$errCode]
$ws.Dimension.Columns #number of columns
$tempRowCount = $ws.Dimension.Rows #number of rows
#only change width of 3rd column
$ws.Column(3).Width
$ws.Column(3).Width = 100
#Change all row heights
for ($row = 2 ;( $row -le $tempRowCount ); $row++)
{
#Write-Host $($ws.Dimension.Rows)
#Write-Host $($row)
$ws.Row($row).Height
$ws.Row($row).Height = 150
#place the image in spreadsheet
#https://github.com/dfinke/ImportExcel/issues/1041 https://github.com/dfinke/ImportExcel/issues/993
$drawingName = "$($row.PictureID)_Col3_$($row)" #Name_ColumnIndex_RowIndex
Write-Host $image
$picture = $ws.Drawings.AddPicture("$drawingName",$image)
$picture.SetPosition($row - 1, 0, 3 - 1, 0)
if($ws.Row($row).Height -lt $image.Height * (375/500)) {
$ws.Row($row).Height = $image.Height * (375/500)
}
if($ws.Column(3).Width -lt $image.Width * (17/120)){
$ws.Column(3).Width = $image.Width * (17/120)
}
}
Update:
I just wanted to reiterate that FromFile can't be used for a png image. So where Hey Scripting Guy saves the image like this doesn't work:
$image = [drawing.image]::FromFile($imageFile2)

I figured out that the $imageFile2 path has 2 filenames in it. It must be that two met the Get-ChildItem/Where-Object/match criteria. The images look identical, but have similar names, so will be easy to process. After I split the names, it does FromFile ok.

Powershell: Why are my RegKey value checks failing using Get-ItemProperty when the value I am checking for is 0?

I have been tasked with scripting regkey checks to make sure a sampling of machines are compliant with our security posture.
The script works great when checking for any non-zero value (such as the example input below).
however, there is a consistent theme where my code if erroneously reporting that the checks have failed if the desired value is 0. See example code below:
$failReview = "" #String to track compliance issues
$OutFile = "C:\local\file.text"
Function Test-STIG_SingleKey {
#check for single acceptable key value
#up to 3 additional acceptable key values may be checked for single key
[CmdletBinding()]
param(
[Parameter(Mandatory=$true)]
[string[]] $CV, #Check Vulnerability number
[string[]] $Path, #RegKey Path
[string[]] $Key, #Key to check
[int] $value, #Expected Regkey value for compliance
$FailReview,
[Parameter(Mandatory=$false)]
[int] $value1, #optional acceptable value
[int] $value2, #optional acceptable value
[int] $value3 #optional acceptable value
)
Begin {}
Process {
$KeyObject = Get-ItemProperty $Path #Obtain RegKey object values using RegKey Path
$Exist = ([bool]($KeyObject.PSObject.Properties.name -imatch $Key)) #Check for match of key value property name and cast to boolean
If(!($Exist)){ #If does NOT exist
Write-Host " !!! $CV is a finding !!!" -ForegroundColor "Red"; $Global:failReview += "$CV, "} #This IS a finding, append CV to list for review
ElseIf (($KeyObject)."$Key" = $value){ #checks relevant object property value and compares to Primary expected value
Write-Host " $CV is not a finding" -ForegroundColor "Green"
}
ElseIf (((($KeyObject)."$Key" = $value1) -or (($KeyObject)."$Key" = $value2) -or (($KeyObject)."$Key" = $value3))) { #alternate acceptable value check
Write-Host " $CV is not a finding, alternate acceptable values used" -ForegroundColor "Green" #not a finding, but indicates alt value present
}
else {Write-Host " !!! $CV is a finding !!!" -ForegroundColor "Red"; $Global:FailReview += "$CV, "} #This IS a finding, append CV to list for review
}
End {Return $CV, $Path, $Key, $value, $KeyObject, $failReview | Out-File $OutFile -Append} #Pass all variable values to out-file for review if needed
}
#EXAMPLE INPUT:
Test-STIG_SingleKey -CV "V70955" `
-Path "HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" `
-Key "excel.exe" `
-value 1
I can obtain the value manually by looking at $KeyObject.Key, but can't seem to get the output to evaluate to true if I'm looking for a 0.
I think this is likely because it's evaluating the 0 to $false at some point, but it's an int.
I've already tried casting to [int] and converting it to hex.
Any advice would be appreciated, because I've almost spent more time trying to figure this out then it would take to just manually look at the keys for the sampling that we require.
Thanks!

This is because in your if statements, you are setting ($KeyObject)."$Key" equal to something instead of checking if it is set to a particular value.
So
... ElseIf (($KeyObject)."$Key" = $value){ ...
should be
... ElseIf (($KeyObject)."$Key" -eq $value){ ...

Speed up CSV Powershell script

I've got a Powershell script that functions but it takes ages to complete. I'm a newbie with Powershell and i can't find a solution to speed up the proces. Hopefully somebody can show me to the right direction.
Example. I've got 2 csv files.
CSV 1:
CI Name,Last Logon Account
Computer1, User1
Computer2, User2
Computer3, User3
CSV 2:
Device Display Label,Subscriber Employee Id
Computer1, User1
Computer2, User2
Computer3, User6
I want to have all the Ci names in the first column with the last logon account in the second column and match subscriber employee id with ci name from the first file.
Resulting in:
Ci name, Last logon Account, Subscriber Employee Id
Computer1,User1,User1
Computer2,User2,User2
Computer3,User3,User6
I have the following script in Powershell:
$Data = Import-csv 'C:\Temp\Excel\CSV\file1.csv'
$Data2 = Import-Csv 'C:\Temp\Excel\CSV\file2.csv'
$combine = #()
foreach ($first in $Data) {
foreach ($second in $Data2) {
if ($second.'Device Display Label' -eq $first.'CI Name') {
$match = New-Object PSObject
$match | Add-Member Noteproperty "Ci Name" $first.'CI Name'
$match | Add-Member Noteproperty "Last Logon Account" $first.'Last Logon Account'
$match | Add-Member Noteproperty "Subscriber Employee Id" $second.'Subscriber Employee Id'
$combine += $match
}
}
}
$Combine
It works and it gives the desired result.
The only problem is that both csv files have 15000 lines. So it takes ages to finish the script.
Is there a way to speed up the proces. I hope somebody can point me to the right direction.

Use a hashtable to build an index out of one of the CSV files - this way you don't need the nested loops and the runtime should drop significantly:
# Build index/reference table from first data set
$DataTable = #{}
Import-csv 'C:\Temp\Excel\CSV\file1.csv' |ForEach-Object {
$DataTable[$_.'CI Name'] = $_
}
# No need to store the second data set in an intermediate variable
$combine = Import-Csv 'C:\Temp\Excel\CSV\file2.csv' |ForEach-Object {
if($DataTable.ContainsKey($_.'Device Display Label')){
# Take the existing object from the first data set
# and add the subscriber from the second data set
$DataTable[$_.'Device Display Label'] |Add-Member NoteProperty "Subscriber Employee Id" $_.'Subscriber Employee Id' -PassThru
}
}

Avoid duplicate Bulk-New-ADUser Creation via a csv file

I have some modifications for this script. UserID is normally a user’s first name followed by their last name.
What I need to do is to compare the proxy address & SAMAccountName attribute associated with each Username before it create.
So I mean lets say Jack Sparrow , if jsparrow already in use then script will try as jasparrow (first and second letter of firstname) and in use jasparrow as well , will be jacsparrow and so on. I want to avoid duplicate usernames.
2-I decided that it would be better to make 'fun' passwords that use the first two letters of the FirstName , day/month , first two letters of the Lastname. The end result is that users get a password like "Ja1009Sp".
Firstname,LastName,Department,Manager,MobilePhone
Jack,Sparrow,IT,jsmith,1 88 635 5254-0551
John Smith,Sparrow,Finance,jsmith,188 635 5254-0554
Script :
Import-Module ActiveDirectory
$UserList = Import-CSV -Path C:\Temp\CreateUsers.csv
$targetOU='OU=usersOU,DC=My,DC=Domain,DC=org'
$upnDomain='sec.local'
foreach($Person in $UserList){
$useritems=#{
GivenName=$Person.Firstname
Surname=$Person.LastName
Department=$Person.Department
AccountPassword=ConvertTo-SecureString -String $Person.Password -AsPlainText -force
ChangePasswordAtLogon=$false
Enabled=$true
DisplayName="$($Person.Firstname) $($Person.Lastname)"
Manager=$Person.Manager
MobilePhone=$Person.MobilePhone
Name="$($Person.Firstname) $($Person.Lastname)"
SamAccountName="$($Person.Firstname+$Person.LastName.Substring(0,1))"
UserPrincipalName="$($Person.FirstName+$Person.LastName.Substring(0,1))#$upnDomain"
Company="Contoso"
}
New-ADUser #useritems -Path $targetOU
}

Try something like this.. I don't have AD available atm. to test the Get-ADUser-query used to look for existing account so it might need some tuning.
foreach ($Person in $UserList) {
#Reset counters
$i = 1
$n = 1
do {
if($i -le $person.Firstname.Length) {
$user = "$($Person.Firstname.Substring(0,$i)+$Person.LastName)"
$i++
} else {
#All combinations in use, adding number
$user = "$($Person.Firstname.Substring(0,1)+$Person.LastName+$n)"
$n++
}
} while ((Get-ADUser -Filter "(samAccountName -eq '$user') -or (proxyaddresses -like '$user*')"))
#Result username
#$user
#$useritems = #{
#.....
#SamAccountName=$user
#UserPrincipalName="$user#$upnDomain"
#....
#}
}
If all combinations are in use including jacksparrow, it tries jsparrow1 ++ until it finds a free number.
The password can be generated using:
$Password = "{0}{1}{2}" -f $Person.Firstname.Substring(0,2), (Get-Date).ToString("ddMM"), $Person.Lastname.Substring(0,2)