Adding bulk Msol Users to Msol Group - shell

I am trying to add a bulk of users from a CSV file to a MsolGroup via PowerShell. I have only the username of the users. (User.name)
This is what I tried:
1. Read the CSV file with the userName and get the Msol user object from it:
$group | % {Get-MsolUser -UserPrincipalName $_.name}
2. Add these ObjectID's to the requested MsolGroup:
$group | % {Get-MsolUser -UserPrincipalName $_.name} | % {Add-MsolGroupMember -GroupObjectId 86bbcf6b-feb6-4fe3-a9db-eb1e0b81ed55 -GroupMemberObjectId $_.objectid}
This is the Error I get:
Add-MsolGroupMember : You cannot update mail-enabled groups using this
cmdlet. Use Exchange Online to perform this operation.
Is there a better way to do it? What am I doing wrong?

As noted in the error message, this cmdlet will only work against "regular" security groups. For mail-enabled security groups, use the Exchange remote PowerShell and Add-DistributionGroupMember
Refer documentation

We could use
$group | % {Get-MsolUser -UserPrincipalName $_.name} | % {Add-DistributionGroupMember -Identity "86bbcf6b-feb6-4fe3-a9db-eb1e0b81ed55" -Member $_.objectid}
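An added example, not part of the original posts: it checks the group's type first and then calls the cmdlet that matches, so the same CSV import works for both regular and mail-enabled groups. It assumes the MSOnline module and an Exchange Online remote session are already connected; the file name users.csv is hypothetical, with a "name" column holding each UPN as in the question.

```powershell
# Added example. users.csv is a hypothetical file with a "name" column (UPN).
$groupId = '86bbcf6b-feb6-4fe3-a9db-eb1e0b81ed55'   # group ObjectId from the question
$group   = Get-MsolGroup -ObjectId $groupId

# Mail-enabled groups can only be changed through Exchange Online.
$mailEnabled = $group.GroupType -in 'MailEnabledSecurity', 'DistributionList'

foreach ($row in Import-Csv -Path .\users.csv) {
    # Resolve the user first so a typo in the CSV is reported, not silently piped on.
    $user = Get-MsolUser -UserPrincipalName $row.name -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "No Msol user found for '$($row.name)', skipping"
        continue
    }
    try {
        if ($mailEnabled) {
            # Address the group by its e-mail address on the Exchange side.
            Add-DistributionGroupMember -Identity $group.EmailAddress `
                -Member $user.UserPrincipalName -ErrorAction Stop
        }
        else {
            Add-MsolGroupMember -GroupObjectId $group.ObjectId `
                -GroupMemberType User -GroupMemberObjectId $user.ObjectId -ErrorAction Stop
        }
        Write-Output "Added $($user.UserPrincipalName) to $($group.DisplayName)"
    }
    catch {
        # Keep going, but leave a record of every failed addition.
        Write-Warning "Failed to add $($user.UserPrincipalName): $($_.Exception.Message)"
    }
}
```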

Related

Powershell script assistance please [duplicate]

This question already has an answer here:
Add a where-object on a table construct?
(1 answer)
Closed 3 years ago.
I'm currently stuck getting a PowerShell error when trying to run a script I have written (Read stolen from the internet)
What I am trying to achieve is to search for a specific user's e-mail address within one of the multiple O365 distribution groups and then remove that user from the group if the group is one that meets the criteria.
The groups are all prefixed with the text "EX_SIG" and I am able to identify the one group the user is a member of, but I'm struggling to then translate this into removing the user from the identified group.
I am a complete PowerShell newbie so any help would be appreciated.
Code:
$UAC_email = "sarah.connor@skynet.com"
$UAC_EX_GROUP = Get-DistributionGroup -identity "EX_SIG*" | where { (Get-DistributionGroupMember $_.name | foreach {$_.PrimarySmtpAddress}) -contains "$UAC_email"} | FT name -HideTableHeaders
Remove-DistributionGroupMember -Identity $UAC_EX_GROUP -Member "$UAC_email"
Error:
Cannot bind argument to parameter 'Identity' because it is null.
The FT (Format-Table) cmdlet is likely causing most of your problems. You shouldn't try to use output from formatting cmdlets except with out-* commands.
Format- cmdlets output "typesetting" objects which the host uses to format the display, not usable objects for the pipeline.
$UAC_email = "sarah.connor@skynet.com"
$UAC_EX_GROUP = Get-DistributionGroup -identity "EX_SIG*" | where { (Get-DistributionGroupMember $_.name | foreach {$_.PrimarySmtpAddress}) -contains "$UAC_email"}
Remove-DistributionGroupMember -Identity $UAC_EX_GROUP -Member "$UAC_email"
Try this as it is a lot cleaner than the code you posted but should accomplish your goal.
$UAC_email = "sarah.connor@skynet.com"
#Get list of distribution groups where identity matches "EX_SIG*" and the email address you're looking for is in the list of the group members' primary smtp addresses
$UAC_EX_GROUPS = (Get-DistributionGroup -Identity "EX_SIG*") | Where-Object{(Get-DistributionGroupMember -Identity $_.Name).PrimarySmtpAddress -contains $UAC_email}
#Iterate over returned groups and remove the member from the group. I put a WHATIF in there so you can verify the output before just running it. You can also pipe this directly before the closing '}' in the previous command but it's less readable that way
$UAC_EX_GROUPS | ForEach-Object { Remove-DistributionGroupMember -Identity $_.Name -Member $UAC_email -WhatIf }

Why am I getting no output when I try to search for a deleted user in Active Directory through PowerShell?

I am trying to search Active Directory for deleted users with PowerShell, but am unable to return any results even though I have used the -IncludeDeletedObjects parameter. Here is the command that I used:
get-adobject -filter{Name -like "$user"} -includedeletedobjects -properties *
The answer that worked for me: the command below will list all the users that were deleted from Active Directory, if your AD Recycle Bin is enabled and if you have sufficient privileges on Active Directory.
Get-AdObject -Filter 'ObjectClass -eq "user" -and IsDeleted -eq $True' -IncludeDeletedObjects -Properties * | Ft Name,IsDeleted,WhenCreated
If you don't have the AD Recycle Bin enabled, you won't be able to find deleted objects.
If $user is expected to be an exact match, you should also be using the -eq operator, not -like. If you want a fuzzy match, -like is correct but you should surround $user with * like so: *${user}*.
If $user is supposed to be the logon name, and not the friendly name of the user, then Name isn't the correct property to filter on, you will want to check against SamAccountName, not Name:
Get-ADObject -Filter "SamAccountName -eq '$user'"
If you are only interested in user objects, and not other AD object types, consider using Get-ADUser in lieu of Get-ADObject. The syntax for what you specified above is the same, but will guarantee you only get ADUser objects, not ADComputer, ADGroup, etc.
Also, you should avoid using -Properties * and -Filter { ScriptBlock } arguments when using the AD cmdlets. Only use the Properties you need to process later, and use a string based filter like so:
Get-ADObject -Filter "Name -like '*$user*'"
See my answer here for best practices when using the -Filter parameter with AD cmdlets (also explains why not to use -Properties *), and this answer here for more details on why you should not use ScriptBlock parameters for AD filters.

Removing AD Group Membership (PowerShell)

I have a script for people who leave my organization. It basically creates a user backup folder and file before changing the password, removing the manager, backing up all member of groups, removing all group memberships, disabling the account and moving to different OU.
The part that I seem to be stuck on is the membership removals. This is what I have for that task:
Get-ADPrincipalGroupMembership -Identity "$Username" | % {Remove-ADPrincipalGroupMembership -Identity "$Username" -MemberOf $_}
This DOES work but I am prompted to confirm Yes or No to each group. When I add:
-confirm $false
at the end, none of the groups are removed. How can I get it to not ask for confirmation while still removing the groups?
Thank You!
This worked for me:
Get-ADPrincipalGroupMembership -Identity "$Username" | % {Remove-ADPrincipalGroupMembership -Identity "$Username" -MemberOf $_ -Confirm:$False}
No prompts and all of the removals worked just fine.
I wonder if there is a way to suppress the error message thrown up with respect to the user's Primary Group -- DomainMembers, in our case. I'm perfectly happy with the result (the command won't remove the user from his primary group, while the user is removed from all others), but the error message just looks ugly.
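An added example, not part of the original posts: a leaver step that records the memberships before touching them and leaves the primary group out of the removal list, so no error is raised for it. It assumes the ActiveDirectory module; the account name and backup path are constructed placeholders.

```powershell
# Added example. 'jdoe' and the backup path are constructed placeholders.
Import-Module ActiveDirectory
$Username   = 'jdoe'
$BackupFile = "C:\Leavers\${Username}-groups.csv"

# PrimaryGroup holds the distinguished name of the user's primary group.
$user   = Get-ADUser -Identity $Username -Properties PrimaryGroup
$groups = Get-ADPrincipalGroupMembership -Identity $user

# Record every membership before changing anything, so access can be
# reviewed or restored later.
$groups |
    Select-Object Name, DistinguishedName, GroupCategory, GroupScope |
    Export-Csv -Path $BackupFile -NoTypeInformation

# The primary group cannot be removed this way; filter it out up front
# instead of hiding the error it would cause.
$removable = $groups | Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup }

foreach ($g in $removable) {
    try {
        # -Confirm:$false (with the colon) is what suppresses the prompt.
        Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $g `
            -Confirm:$false -ErrorAction Stop
        Write-Output "Removed $Username from $($g.Name)"
    }
    catch {
        # Any other failure is still reported and worth investigating.
        Write-Warning "Could not remove $Username from $($g.Name): $($_.Exception.Message)"
    }
}
```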

import distribution group members into security group via PowerShell

Can anyone give me some guidance on what PowerShell command I can use to import all the members of a distribution group in Active Directory into a security group?
You could just use this (use your group names for "distributiongroup" and "securitygroup"):
Get-ADGroupMember -Identity distributiongroup | ForEach-Object { Add-ADGroupMember -Identity securitygroup -Members $_ }
Kind regards
To add to stephanb's answer, if you have nested groups under the distribution group you are attempting to copy from, you will need to add the -recursive parameter in order to pull in the users from those sub-groups.
Here is an example that worked for me:
Add-ADGroupMember -Identity 'securitygroup' -Members (Get-ADGroupMember -Identity 'distributiongroup' -Recursive)

Using powershell I'd like to get a list of people who have admin privileges for a domain?

I'd like to get a list of all people with admin privileges with powershell. What is the most optimal way to accomplish that?
Which user property should I look at?
get-adgroupmember 'domain admins' | select name,samaccountname
get-adgroupmember 'enterprise admins' | select name,samaccountname
I realize this question is old, and Noah's answer helped get me in the ballpark. I just want to expand on it a little bit more. If you have multiple domains in your environment you can do something like this:
Get-ADGroupMember -Server "domain-name-here" -Identity "Domain Admins" -Recursive | Select Name
If you also want to see which accounts are enabled or disabled:
Get-ADGroupMember -Server "domain-name-here" -Identity "Domain Admins" -Recursive | Get-ADUser | Select Name, Enabled
Or if you only want to see enabled accounts:
Get-ADGroupMember -Server "domain-name-here" -Identity "Domain Admins" -Recursive | get-aduser -Properties Description | Where {$_.Enabled -eq $true} | Select Name
dsquery * -filter "(samaccountname=Domain Admins)" | dsget group -members -expand >>RESULT.txt
The other examples show how to get the easiest display of who has "admin" access to a domain but don't overlook the fact that "admin" access can be directly assigned to any user or group object on the domain object itself. Simply checking for members of "domain admins" and "enterprise admins" is not going to show you the whole picture.
As a starting point you could start with this and then investigate further:
(Get-ACL 'AD:\DC=MYDOMAIN,DC=local').Access | Format-Table IdentityReference,ActiveDirectoryRights,AccessControlType -AutoSize
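An added example, not part of the original answers: it narrows the ACL dump above to the allow entries on the domain object that amount to administrative control (full control, permission or owner changes, and the directory replication extended rights), so they can be compared against the expected admin groups. It assumes the ActiveDirectory module and reads the current domain's distinguished name rather than a hard-coded one.

```powershell
# Added example. Run from a host with the ActiveDirectory module (AD: drive).
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

$domainDN = (Get-ADDomain).DistinguishedName
$ga = [int]$ADR::GenericAll      # composite mask: must match in full
$wd = [int]$ADR::WriteDacl
$wo = [int]$ADR::WriteOwner
$xr = [int]$ADR::ExtendedRight

# DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, plus the
# empty GUID, which on an ExtendedRight entry means "all extended rights".
$replGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',
    [guid]::Empty.ToString()
)

(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $r   = [int]$_.ActiveDirectoryRights
        $why = @()
        if (($r -band $ga) -eq $ga) { $why += 'FullControl' }
        if ($r -band $wd)           { $why += 'WriteDacl' }
        if ($r -band $wo)           { $why += 'WriteOwner' }
        if (($r -band $xr) -and ($_.ObjectType.ToString() -in $replGuids)) {
            $why += 'Replication'
        }
        if ($why) {
            [pscustomobject]@{
                Identity  = $_.IdentityReference
                Reason    = $why -join ','
                Inherited = $_.IsInherited
            }
        }
    } |
    Sort-Object Identity, Reason -Unique |
    Format-Table -AutoSize
```

Any identity in the output that is not one of the built-in administrative groups or domain controller principals is a delegation to review.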
