Powershell script not reading AD phone numbers - windows

I am trying to edit the formatting of a group of users' phone numbers in AD. Specifically, replacing '-' characters with ' '. However, I do not seem to be able to access the existing phone number, which I need to do to replace the characters. I understand the -OfficePhone flag under Set-ADUser sets the telephoneNumber attribute, which seems to be working, and the telephoneNumber attribute is there with the expected value in Attribute Editor as well. However, when I try to access $user.telephoneNumber, it comes up blank.
Here is my code, commented with what works/what doesn't and some behaviors:
foreach ($user in $users) {
# Works. Prints out various basic attributes of user
Write-Output $user
# Doesn't work. Prints blank
Write-Output $user.telephoneNumber
# Works
Set-ADUser -Identity $user -OfficePhone '555555555'
}

As AdminOfThings has stated, you need to make the property accessible. You do this by using the -Properties parameter on the Get-ADUser command. Here is an example:
Get-ADUser -Identity USER_NAME -Properties TelephoneNumber
If you wanted to get all the properties back, you can use:
Get-ADUser -Identity USER_NAME -Properties *

Related

How to get the Get-ADGroup users list from LDAP (PowerShell cmdlet) in windows

How to get AD-group users list from LDAP using PowerShell without username and password.
Get-ADGroup -LDAPFilter (&(objectCategory=group)((cn=Testgrp"))))
I am trying it this way but it is not working; can anyone please help me out?
Right now I'm able to get the AD-Group info by using the below PowerShell scripts.
Get the group Info:
Get-ADGroupMember -Identity TEST_GRP_NM | select distinguishedName | ft
Get-AdUser -filter{Name -like "GROUP_NM"} -Properties *
Get the user info:
Get-AdUser -Server "DOMAIN" -Identity "NTID" -Properties MemberOf
Note: Need to achieve the list of users from the LDAP group without using LDAP username and password
I personally use this script to crawl through the AD (from another Stack Overflow question)
In case it becomes somehow a broken link:
# Your filter
$Filter = "(&(objectCategory=group)(cn=Testgrp))"
# The path you want to scan
$RootOU = "OU=AnotherOU,OU=AnOU,DC=etc,DC=Something"
# The scope Base, One-level or Subtree
# The name is explicit enough
$Scope = "subtree"
# Instantiation and configuration of the directory searcher
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($RootOU)")
$Searcher.Filter = $Filter
$Searcher.SearchScope = $Scope
# Getting results from the AD
# A first pipe to get the member property returning a list of member
# A second pipe to display each member of the list in a line
$Searcher.FindAll() | Foreach-Object {$($_.Properties["member"])} | Foreach-Object {"$($_)`n"}
Hope it helps !

How to write a Powershell Script with a For-loop using a List of Users to Print Out Active Directory Information

So I have a list of users that I need to verify using the RSAT Tools and Get-ADUser module within PowerShell. As a result, I have determined that the following command will pull out user information, and I am passing another file off for users needing verification. The following command will work and give me user information and see if an email exists:
Get-ADUser -filter * -properties EmailAddress -SearchBase 'DC=xxx-xxxx,DC=xxx,DC=xx,DC=us'| select-object Name, EmailAddress | select-string 'doe,john'
I therefore tried a loop using the following:
cat .\PD.txt | ForEach-Object {Get-ADUser -filter * -properties EmailAddress -SearchBase 'DC=xx-xxxx,DC=xxx,DC=xx,DC=us'| select-object Name, EmailAddress | select-string '$_'}
**I have omitted some of the DC info in terms of the AD names for security reasons.
Inside PD.txt, I would have something like a text file with usernames in Lastname, Firstname per line.
However, nothing prints back in terms of the information. If I did it without the "$_" and the forEach-Object command it would work, but nothing is printing back. Is my forloop wrong?
I tried it a different way and it still didn't work, using the apostrophes for the string to pass it a different way, by writing it into the users.txt file called Real.txt. While I can for-loop through it, it doesn't work when I put in the Get-ADUser command.
However, I think my for-loop might have something wrong not sure what it is though.
PS C:\Users\richard.barrett\Git> cat .\Real.txt | ForEach-Object {echo $_}
'Doe, John'
'Doe, Jane'
Comparative For-Loop:
PS C:\Users\richard.barrett\Git> cat .\Real.txt | ForEach-Object {Get-ADUser -filter * -properties EmailAddress -SearchBase 'DC=xx-xxxx,DC=xxx,DC=xx,DC=us'| select-object Name, EmailAddress | select-string $_}
So I found out the problem to my issue.
I was not passing the variable correctly into the select-string at the end.
Since I am taking this from a .txt file, I decided to set a variable and forgo the for loop just calling the list directly over the file instead of iterating over the Get-ADUser command for each user...very slow. As a result, the following worked for me:
echo "Users for AD Verification" ;
echo "============ LIST ============" ;
cat .\PD.txt | ForEach-Object {echo $_} ;
echo "============ END LIST ========" ;
echo "Executing Active Directory Verification" ;
echo "============ PROCESS =========" ;
$list = cat .\PD.txt;
Get-ADUser -filter * -properties EmailAddress -SearchBase 'DC=del-valle,DC=k12,DC=tx,DC=us'| select-object Name, EmailAddress | select-string $list
echo "============ END PROCESS =====" ;
This gave me the list that was defined within the .\PD.txt.
Despite my initial hesitance, I have included my Identity OU for users to understand where the OUs should go in the command to pull out users and their email accounts within the AD.
Hopefully this helps someone else, I often get asked to verify users within my Active Directory.
I forgot to add, but the initial issue was with how I was placing the variable into the select-string; I should not have used apostrophes. Here is the actual command that works as well, but it is slightly longer as it iterates and executes a command for each line...really long.
cat .\PD.txt | ForEach-Object {Get-ADUser -filter * -properties EmailAddress -SearchBase 'DC=del-valle,DC=k12,DC=tx,DC=us'| select-object Name, EmailAddress | select-string $_}

Why Active Directory Home Directory query returns different in Get-ADuser than in AD admin panel?

I wanted to ask as I'm querying all users from AD whose Home Directory is in a certain directory from Powershell using Get-ADuser , and for most cases it retrieves null result.
The query I run is this:
$DirectoryInfo = Get-Item \\Fileserver\Users
$strFilter = $DirectoryInfo.FullName.Replace('\','\5c')
$AdUser = Get-AdUser -Filter {homeDirectory -like $strFilter}
echo $AdUser
If I look in the AD admin center panel for a specific user, I can see it has its Home Directory set inside the path I've queried before in PowerShell indeed.
Another thing that seems to me strange is that there are some users that appear in the query, so the previous case doesn't apply for all users.
Is it that AD admin center panel shows Home Directory of Group where this user belongs for example, or is just that I'm running a wrong query from Powershell?
Thanks in advance,
Juan Pablo.
I think because the HomeDirectory attribute is not in the default output set from Get-ADUser, you need to add it to the required Properties as well.
This may be part of a larger script, but from the question I fail to see why you would need this:
$DirectoryInfo = Get-Item \\Fileserver\Users
$strFilter = $DirectoryInfo.FullName + '\*'
since you already have the UNC path for the users home directories.
I cannot test this right now, but you could try like this:
$strFilter = '\\Fileserver\Users\*'
$AdUser = Get-AdUser -Filter "HomeDirectory -like '$strFilter'" -Properties HomeDirectory
$AdUser
or use a Where-Object to get what you want:
$strFilter = '\\Fileserver\Users\*'
$AdUser = Get-AdUser -Filter * -Properties HomeDirectory | Where-Object { $_.HomeDirectory -like $strFilter }
$AdUser
If you prefer using the -LDAPFilter rather than -Filter, then you need to escape the special characters your string may contain.
* \2A
( \28
) \29
\ \5C
NUL \00
You do this by prepending a backslash \ to each of these characters and replacing the characters themselves by their ASCII code in hex.
The ( becomes \28, the backslash \ becomes \5c etc.
This uses a small function to escape these characters for a LDAP search filter:
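function Escape-LdapSearchFilter([string] $Filter) {
    # Replace each special character with a backslash plus its two-digit hex code.
    # The backslash itself is handled last; the lookahead skips the escapes produced above.
    return $Filter -creplace '\*', '\2a' `
                   -creplace '\(', '\28' `
                   -creplace '\)', '\29' `
                   -creplace '/' , '\2f' `
                   -creplace '\x00', '\00' `
                   -creplace '\\(?![0-9A-Fa-f]{2})', '\5c'
}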
$strFilter = Escape-LdapSearchFilter "\\Fileserver\Users\"
# for LDAP you must use the correct attribute name, so `homeDirectory` with a lower-case `h`
$AdUser = Get-AdUser -LDAPFilter "(homeDirectory=$strFilter*)" -Properties HomeDirectory
$AdUser
I don't know what \5c is doing in that code, so please forgive my ignorance.
If \\Fileserver\Users is the root directory that contains home directories, then the following code should work:
$DirectoryInfo = Get-Item \\Fileserver\Users
$strFilter = $DirectoryInfo.FullName + '\*'
$AdUser = Get-AdUser -Filter {homeDirectory -like $strFilter}
$AdUser
The -like operator needs asterisks if your string is not an exact match.
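
Added example, not part of either answer above: an LDAP filter escaper that replaces the backslash in the same pass as the other special characters, so it does not rely on the lookahead in Escape-LdapSearchFilter, which leaves a backslash untouched when two hex digits follow it (for example a folder named ab12 directly under the share). The function name ConvertTo-LdapFilterValue and the sample values are constructed for illustration; the Get-ADUser call runs only where the ActiveDirectory module is available.

```powershell
# Added example: single-pass escaping of a value placed inside an LDAP filter.
function ConvertTo-LdapFilterValue {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string] $Value
    )
    # Every special character, the backslash included, is replaced in one pass,
    # so text that has already been escaped is never scanned a second time.
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator] {
        param($match)
        '\{0:x2}' -f [int][char]$match.Value
    }
    [regex]::Replace($Value, '[\\*()\x00]', $evaluator)
}

# Constructed sample inputs (not from the original post).
$samples = @(
    '\\Fileserver\Users\',       # the share prefix used in the question
    '\\Fileserver\Users\ab12',   # folder name that starts with two hex digits
    'Smith (contractor)*'        # parentheses and a literal asterisk
)
foreach ($s in $samples) {
    '{0,-26} -> {1}' -f $s, (ConvertTo-LdapFilterValue $s)
}

# Escape the literal prefix first, then append the one asterisk that is meant
# to act as a wildcard.
$prefix = ConvertTo-LdapFilterValue '\\Fileserver\Users\'
$ldapFilter = "(homeDirectory=$prefix*)"
$ldapFilter

# Only query the directory when the ActiveDirectory module is present.
if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    Get-ADUser -LDAPFilter $ldapFilter -Properties HomeDirectory |
        Select-Object SamAccountName, HomeDirectory
}
```

The same function applies to any value that reaches an LDAP filter from a file, a form field or another script, since an unescaped parenthesis or asterisk changes which objects the filter matches.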

Add-ADGroupMember Syntax

I don't understand what I do wrong:
Get-ADPrincipalGroupMembership UserName | select name | where {$_.name -like "nac*"} | Add-ADGroupMember -Identity **$_.name** -Members UserName
This is the error I get:
Add-ADGroupMember : Cannot validate argument on parameter 'Identity'.
The argument is null. Provide a valid value for the argument, and then
try running the command again.
What should I put in the $_.name?
If you have a value stored in $Username be sure to include the $ character so PowerShell will recognize it as a variable. You also might want to remove the *s from the last cmdlet. This may not work as a one-liner. Try this:
$Group = Get-ADPrincipalGroupMembership $UserName | select name | where {$_.name -like "nac*"}
Add-ADGroupMember -Identity $Group.Name -Members $UserName
Try this:
$groups = get-adprincipalgroupmembership $sourceuser | ? Name -like "nac*"
#check content of $groups
$groups | select Name
add-adprincipalgroupmembership $targetuser -memberof $groups
I'm sure this will work. Otherwise please post your error message.
You need to take care of the -Identity parameter the cmdlets can handle:
The Identity parameter should be one of:
A distinguished name (DN)
A GUID,
A security identifier (SID) or
A Security Accounts Manager (SAM) account name
Both cmdlets also allow an object to be sent through the pipeline to the Identity parameter.
For Add-ADGroupMember this would be a group object.
For Get-ADPrincipalGroupMembership you can use a user, group, or computer object.
This part of the code returns the group objects $UserName is a member of.
(remember: $UserName is the distinguished name, GUID, security identifier, or SAM account name of the user.)
Get-ADPrincipalGroupMembership $UserName | Where-Object { $_.Name -like "nac*" }
Next you want to add a different user to the groups $UserName is a member of, right?
In that case, set up a variable to store the second user in, again use the distinguished name,
GUID, security identifier, or SAM account name and then use something like this:
Get-ADPrincipalGroupMembership $UserName | Where-Object { $_.Name -like "nac*" } | Add-ADGroupMember -Members $AnotherUserToAddToThisGroup

PowerShell copy AD objectGUID to ms-ds-consistencyguid

I am trying to resolve a PowerShell problem that has proved to be more complicated than I first thought. When trying to copy the objectGUID of each domain user into the same user's ms-ds-consistencyguid, the values do not match. Can anybody help?
I have tried this rough method below but the GUIDs do not match:
$SGSADUser=get-aduser -filter {samaccountname -eq 'Test10_User'} -Properties objectguid,samaccountname,ms-ds-consistencyguid | Select Samaccountname,Objectguid,ms-ds-consistencyguid
[guid]$SGSADMSDSConsistencyguid = ($SGSADUser.objectguid).ToString()
$SGSADbase64 = [System.Convert]::ToBase64String($SGSADMSDSConsistencyguid.ToByteArray())
set-aduser -Identity 'Test10_User' -replace @{'ms-ds-consistencyguid' = $SGSADbase64}
I just ran through this and when you convert to base 64, the value changes.
Try
set-aduser -Identity 'Test10_User' -replace @{'ms-ds-consistencyguid' = $SGSADMSDSConsistencyguid}
This came out as the correct value when I checked.
Thanks, Tim.
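
Added example, not part of the question or answer above: mS-DS-ConsistencyGuid is an octet-string attribute, so this sketch works with the 16 raw bytes of the GUID and checks a stored value by comparing it as a GUID rather than as displayed text. The GUID value is constructed, the helper name Test-GuidBytesEqual is hypothetical, 'Test10_User' is the account name from the question, and the AD calls run only where the ActiveDirectory module is available.

```powershell
# Constructed GUID standing in for a user's objectGUID.
$objectGuid = [guid]'00112233-4455-6677-8899-aabbccddeeff'

# The 16 raw bytes. The first three fields are stored little-endian, so the
# byte order differs from the order of the digits in the string form.
[byte[]] $raw = $objectGuid.ToByteArray()
($raw | ForEach-Object { $_.ToString('x2') }) -join ' '

# Base64 is a text rendering of those bytes: 24 characters, not 16 bytes.
$base64 = [Convert]::ToBase64String($raw)
'{0} ({1} characters)' -f $base64, $base64.Length

# Hypothetical helper: does a stored octet string hold the expected GUID?
function Test-GuidBytesEqual {
    param([guid] $Expected, [byte[]] $Stored)
    if ($null -eq $Stored -or $Stored.Length -ne 16) { return $false }
    return ([guid]::new($Stored) -eq $Expected)
}

# Bytes taken in the order the digits appear in the string are a different value.
$hex = $objectGuid.ToString('N')
[byte[]] $stringOrder = 0..15 | ForEach-Object { [Convert]::ToByte($hex.Substring($_ * 2, 2), 16) }

Test-GuidBytesEqual -Expected $objectGuid -Stored $raw
Test-GuidBytesEqual -Expected $objectGuid -Stored $stringOrder

# Against a directory: preview the write with -WhatIf, then compare what is stored.
if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    $user = Get-ADUser -Identity 'Test10_User' -Properties 'mS-DS-ConsistencyGuid'
    Set-ADUser -Identity $user -WhatIf -Replace @{
        'mS-DS-ConsistencyGuid' = $user.ObjectGUID.ToByteArray()
    }
    Test-GuidBytesEqual -Expected $user.ObjectGUID -Stored $user.'mS-DS-ConsistencyGuid'
}
```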
