What is the difference in PowerShell between Add-ADGroupMember and Add-ADPrincipalGroupMembership?
According to this Website:
You can only pass group objects to this cmdlet (Add-ADGroupMember) through the pipeline. To pass user objects through the pipeline, use Add-ADPrincipalGroupMembership
Is there more to think of?
Thanks to @Olaf, here is the answer:
Add-ADGroupMember
you can add one or more members to one group
Add-ADPrincipalGroupMembership
you can add one member to one or more groups
If anyone is looking for a command to copy a security group's "member of" properties instead of the members themselves, then here is the command:
Get-ADGroup -Identity "Old Group memberships to Clone" -Properties memberof -Verbose | select-object -Expandproperty memberof -Verbose | Add-ADGroupMember -Member "New Group that needs Old Group properties"
In this case we have nested groups for a file server based on specific access to folders for users in certain groups based on their occupation.
So if a certain security group is part of multiple other groups and needs to be cloned/copied, then this command comes in handy.
Didn't find any specifics for what I was looking for so this is the method I came up with.
Related
I am looking to find a way to write the Object ID of a user to a variable automatically via AzureAD.
Get-AzureAdUser -ObjectId "Contose@contoso.com"
will give the output of the ObjectId, DisplayName, UPN, UserType
I am looking to write the ObjectId of the user (e.g. qwert_1232_trwwqe) to a variable such as $UserId for use further in the script.
Lee Dailey provides a good pointer:
the usual way is to keep things in the $Var and simply address the properties when needed. So, assign the call to a $Var and get the value with $Var.ObjectID.
That said, if you do want to store the object ID alone in a dedicated variable, simply access the .ObjectId property on the object returned by Get-AzureAdUser:
$userId = (Get-AzureAdUser -ObjectId 'Contose@contoso.com').ObjectId
In a follow-up comment you mention arriving at:
$Var = Get-AzureAdUser -ObjectId "Contose@contoso.com" | Select ObjectId
However, this use of the Select-Object cmdlet (whose built-in alias is select) is virtually pointless, as this still returns a (new, custom) object that requires you to access its .ObjectId property in order to retrieve the object ID value - and for that you could have just assigned the object returned by Get-AzureAdUser directly to $Var, as Lee suggests.
It is possible to use Select-Object to extract a single property value, namely via the -ExpandProperty <propertyName> parameter:
$Var = Get-AzureAdUser -ObjectId 'Contose@contoso.com' | Select -ExpandProperty ObjectId
However, the (...).ObjectId syntax (dot notation) is not only more convenient, but also faster - and it even works on multiple objects (in PSv3+), in which case an array of values is returned (a feature called member-access enumeration).
In short, Select-Object -ExpandProperty is only needed if you're processing very large collections that must be processed one by one in the pipeline.
I managed to retrieve user accounts from the DC with their time-related parameters like lastlogon, whencreated etc., and I managed to change the lastLogon parameter to my preferred format (dd.MM.yyyy). But I couldn't make the same conversion for the "whenCreated" and "PasswordLastSet" dates.
Get-Aduser -Filter * -Properties *|Select name,SamAccountName,PasswordExpired,description,whenCreated,PasswordLastSet,Enabled,DistinguishedName,DisplayName,GivenName,SurName, @{N='LastLogon'; E={[DateTime]::FromFileTime($_.LastLogon).ToString('dd.MM.yyyy')}} |export-csv C:\result.csv
I need your help on this issue. How can I change the 3 date formats to my preferred one at the same time?
Thanks..
@{N='whenCreated'; E={$_.whenCreated.ToString('dd.MM.yyyy')}}, @{N='PasswordLastSet'; E={$_.PasswordLastSet.ToString('dd.MM.yyyy')}}
Without 'FromFileTime'.
I am trying to create a module for our support team which will contain some tools we use on daily basis but we used CMD until now.
One of the commands we use is net user $username /domain in order to check if the user's password has expired and all the other useful details the command output.
I tried to put that command in a function like this:
function Get-UserDetails {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)]
        [string]$UserName
    )
    net user $UserName /domain
}
The function works fine but I want to filter the output for a few details only.
The problem is that net user is not a PowerShell cmdlet and it has no properties, so I can't select any of it.
So my question is:
Do you know a better way to get all that data in one command? Because Get-ADUser outputs less data than net user.
You can use Get-ADUser and pick the msDS-UserPasswordExpiryTimeComputed property from it. Problem is - this property may not enumerate even when using -Properties *, so it might not be apparent when trying to inspect the returned object. To make matters even better, the timestamp is not in a human-readable format.
Nonetheless, you can get the password expiration date from the AD cmdlets and also make it human-readable as follows:
# Get ADUser
$user = Get-ADUser username -Properties msDS-UserPasswordExpiryTimeComputed
# Get expiry timestamp and convert it from file time format
$userCredExpiryDate = [DateTime]::FromFileTime( $user.'msDS-UserPasswordExpiryTimeComputed' )
Here is the MSDN documentation for that AD DS attribute.
For other field values that show up in net user /domain but not in Get-ADUser - there should be other AD DS attributes you can search on if they don't show up with -Properties *. For these you will need to look for the appropriate property in the AD DS documentation.
UPDATE: Someone linked me to this page on another question (related to this behavior) and this seems to list additional properties that are available for processing, but are not returned when trying to look at "all" AD DS properties on an object. I don't know how complete this list is but it is a good starting point for understanding what additional AD attributes you have to work with.
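The conversion in the answer above fails on one sentinel value of msDS-UserPasswordExpiryTimeComputed, and the value 0 converts to a misleading date in the year 1601. The following is an added example, not part of the original answer; the function name Convert-PasswordExpiry and the sample account names and values are constructed for illustration.

```powershell
# Sentinel for msDS-UserPasswordExpiryTimeComputed: the password never expires.
$NeverExpires = [Int64]::MaxValue   # 0x7FFFFFFFFFFFFFFF

function Convert-PasswordExpiry {
    # Hypothetical helper: turns the raw attribute value into a status and a date.
    param([Parameter(Mandatory)][Int64]$FileTime)

    if ($FileTime -eq 0) {
        # pwdLastSet is 0 or unset: the user must change the password at next logon.
        return [pscustomobject]@{ Status = 'MustChangeAtNextLogon'; ExpiresOn = $null }
    }
    if ($FileTime -eq $NeverExpires) {
        # [DateTime]::FromFileTime() throws ArgumentOutOfRangeException on this value.
        return [pscustomobject]@{ Status = 'NeverExpires'; ExpiresOn = $null }
    }
    $when   = [DateTime]::FromFileTime($FileTime)      # local time, as in the answer
    $status = if ($when -lt (Get-Date)) { 'Expired' } else { 'Valid' }
    [pscustomobject]@{ Status = $status; ExpiresOn = $when }
}

# Constructed sample values. In a domain the value would come from
#   (Get-ADUser <name> -Properties msDS-UserPasswordExpiryTimeComputed).'msDS-UserPasswordExpiryTimeComputed'
$samples = [ordered]@{
    'alice (expired in 2020)' = 132223104000000000     # 2020-01-01 00:00 UTC
    'bob (30 days left)'      = [DateTime]::UtcNow.AddDays(30).ToFileTimeUtc()
    'svc-sql (no expiry)'     = $NeverExpires
    'newhire (pwdLastSet 0)'  = 0
}

foreach ($name in $samples.Keys) {
    Convert-PasswordExpiry -FileTime $samples[$name] |
        Select-Object @{N='Account'; E={$name}}, Status, ExpiresOn
}
```

Accounts reported as NeverExpires are worth reviewing separately, since they fall outside the domain's password-age policy.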
How can I extract the user name in my active directory when I only have the computer name.
Obviously, there is no relation whatsoever between the computer name and the user name in terms of naming.
ArcSet's answer is great (it's what I'd do) but for basic PowerShellers, I'd have pushed them towards the AD-cmdlets like (Mitchell did):
Get-ADUser -Filter * -Property samaccountname
or even:
Get-ADObject -ldapfilter '(objectcategory=user)' -Property samaccountname
This will get you all users from the domain the current computer is joined to:
(([adsisearcher]"objectcategory=user").FindAll()).Properties.samaccountname
I recommend utilizing this cmdlet: Get-ADComputer. After getting the AD information associated with this you can pipe the data out and utilize filters to get the information you require. The filter code is also specified within the documentation.
Documentation can be found here: https://technet.microsoft.com/en-us/library/ee617192.aspx
Hope this helps (I'm not 100% sure if this is what you are looking for... The more details in your question the better)!
I'm trying to get a method to find the name of an OU dynamically.
The problem is, that the company-name-OU is always there, but the contents can change.
For example:
In this case, the company name I have to retrieve (in my script) is 'Microsoft'.
I however haven't found a method that can do this dynamically.
Since the subOU's may vary (per client, not all clients have the same OU's) it's kind of difficult to find a good method to retrieve the company-name.
I have thought about retrieving the OU that is made by an Admin and has more than 10 objects, but the Get-ADOrganizationalUnit cmdlet doesn't have a parameter that sounds like created by:
Do I need to give up or is there some sort of way?
EDIT
I have tried for a workaround 'algorithmicish' kind of thing:
Since the OU will most probably contain users, I check the distinguished names of all the users which will reply
Get-ADUser -Filter {Description -like "Member"} | Select DistinguishedName
CN=User1,OU=User,OU=Microsoft,DC=domain,DC=local
how could I start doing calculations (counts) of each of the OU's?
If you created all your OUs, then you would get domain admins. When I run
Get-ADOrganizationalUnit -Filter * -Properties * | Select @{N="Owner";E={$_.nTSecurityDescriptor}}
I get the attached picture (truncated)
If you can determine if the OU was created after all the default OUs, you could filter on WhenCreated with a Where statement, like this:
# CN=Users is a container, not an OU, so read its creation date with Get-ADObject
$DefaultOUCreationDate = Get-ADObject 'CN=Users,DC=domain,DC=local' -Properties WhenCreated | Select -ExpandProperty WhenCreated
Get-ADOrganizationalUnit -Filter * -Properties * | Where { $_.WhenCreated -ge $DefaultOUCreationDate }
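The counting approach sketched in the question's EDIT can be done by parsing each user's distinguished name and grouping on the OU that sits directly under the domain. This is an added example, not code from the question or the answer; the function names Get-TopLevelOU and Get-TopLevelOUCount are hypothetical and the DNs are constructed samples.

```powershell
# Constructed sample DNs standing in for the output of:
#   Get-ADUser -Filter * | Select-Object -ExpandProperty DistinguishedName
$sampleDNs = @(
    'CN=User1,OU=User,OU=Microsoft,DC=domain,DC=local'
    'CN=User2,OU=User,OU=Microsoft,DC=domain,DC=local'
    'CN=Smith\, John,OU=Sales,OU=Microsoft,DC=domain,DC=local'
    'CN=svc-backup,OU=Service Accounts,DC=domain,DC=local'
    'CN=Administrator,CN=Users,DC=domain,DC=local'
)

function Get-TopLevelOU {
    # Returns the name of the OU directly under the domain, or nothing if the
    # object does not live in an OU (for example the default CN=Users container).
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Split on commas that are not preceded by a backslash ("CN=Smith\, John").
    $parts = $DistinguishedName -split '(?<!\\),'
    # RDNs run from leaf to root, so the last OU= component is the top-level OU.
    $ou = $parts | Where-Object { $_ -match '^OU=' } | Select-Object -Last 1
    if ($ou) { $ou -replace '^OU=', '' }
}

function Get-TopLevelOUCount {
    # Counts users per top-level OU, largest first.
    param([Parameter(Mandatory)][string[]]$DistinguishedName)

    $DistinguishedName |
        ForEach-Object { Get-TopLevelOU -DistinguishedName $_ } |
        Group-Object -NoElement |
        Sort-Object Count -Descending |
        Select-Object Name, Count
}

Get-TopLevelOUCount -DistinguishedName $sampleDNs
```

The first row of the result is the top-level OU holding the most users, which is the candidate for the company OU; users outside any OU are left out of the count.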