I'd like to get a list of all people with admin privileges with powershell. What is the most optimal way to accomplish that?
Which user property should I look at?
get-adgroupmember 'domain admins' | select name,samaccountname
get-adgroupmember 'enterprise admins' | select name,samaccountname
I realize this question is old, and Noah's answer helped get me in the ballpark. I just want to expand on it a little bit more. If you have multiple domains in your environment you can do something like this:
Get-ADGroupMember -Server "domain-name-here" -Identity "Domain Admins" -Recursive | Select Name
If you want to also see if which accounts are enabled or disabled:
Get-ADGroupMember -Server "domain-name-here" -Identity "Domain Admins" -Recursive | Get-ADUser | Select Name, Enabled
Or if you only want to see enabled accounts:
Get-ADGroupMember -Server "domain-name-here" -Identity "Domain Admins" -Recursive | get-aduser -Properties Description | Where {$_.Enabled -eq $true} | Select Name
dsquery * -filter (samaccoutname="domain admin") | dsget group -members -expand >>RESULT.txt
The other examples show how to get the easiest display of who has "admin" access to a domain but don't overlook the fact that "admin" access can be directly assigned to any user or group object on the domain object itself. Simply checking for members of "domain admins" and "enterprise admins" is not going to show you the whole picture.
As a starting point you could start with this and then investigate further:
(Get-ACL 'AD:\DC=MYDOMAIN,DC=local').Access | Format-Table IdentityReference,ActiveDirectoryRights,AccessControlType -AutoSize
Related
So a while back, I managed to make a bat file that would let me enter in somone's username.
Then, it would search the domain for the full name and I could use that for other work. The bat I used would spit out JUST the fullname and put it in a variable.I know I can use the net user /domain $username command, but that doesn't let you single out a result, as far as I'm aware
Unfortunately, I lost it and I can even fine the tutorial I used to help me with it. Does anyone know how this might be done? I did it a few years back on a windows 7 machine, I'm not sure if that changes anything.
Powershell is a much better option for pulling AD info and exporting it. Using the PS AD Module you could do something similar to Get-ADUser -filter $username -properties Name | Select-Object Name From here you could store this info in a variable or write it to a file etc. I will also link to the AD Module documentation for reference on Get-ADUser
If your variable $username is the SamAccountName for the user, just do PowerShell:
$user = Get-ADUser -Filter "SamAccountName -eq '$username'" -Properties DisplayName
You now have an object with these user properties: DistinguishedName, Enabled, GivenName, Name, ObjectClass, ObjectGUID, SamAccountName, SID, Surname, UserPrincipalName, DisplayName
Only DisplayName needs to be asked for, all other properties are returned by default using Get-ADUser
So if you want just the DisplayName ('FullName' as you call it), just return that:
$fullName = (Get-ADUser -Filter "SamAccountName -eq '$username'" -Properties DisplayName).DisplayName
I am trying to search Active Directory for deleted users with PowerShell, but am unable to return any results even though I have used the -IncludeDeletedObjects parameter. Here is the command that I used:
get-adobject -filter{Name -like "$user"} -includedeletedobjects -properties *
The answer that worked for me is the command below will list all the users that were deleted from the Active Directory if your AD recycle bin is enabled and if you have sufficient privileges on Active Directory
Get-AdObject -Filter 'ObjectClass -eq "user" -and IsDeleted -eq $True' -IncludeDeletedObjects -Properties * | Ft Name,IsDeleted,WhenCreated
If you don't have the AD Recycle Bin enabled, you won't be able to find deleted objects.
If $user is expected to an exact match, you should also be using the -eq operator, not -like. If you want a fuzzy match, -like is correct but you should surround $user with * like so: *${user}*.
If $user is supposed to be the logon name, and not the friendly name of the user, then Name isn't the correct property to filter on, you will want to check against SamAccountName, not Name:
Get-ADObject -Filter "SamAccountName -eq '$user'"
If you are only interested in user objects, and not other AD object types, consider usingGet-ADUser in lieu of Get-ADObject. The syntax for what you specified above is the same, but will guarantee you only get ADUser objects, not ADComputer, ADGroup, etc.
Also, you should avoid using -Properties * and -Filter { ScriptBlock } arguments when using the AD cmdlets. Only use the Properties you need to process later, and use a string based filter like so:
Get-ADObject -Filter "Name -like '*$user*'"
See my answer here for best practices when using the -Filter parameter with AD cmdlets (also explains why not to use -Properties *), and this answer here for more details on why you should not use ScriptBlock parameters for AD filters.
I'm struggling trying to grab the latest volume/Drive using PowerShell
I have a result of a PowerShell look like this
PS C:\Users\me> Get-WMIObject Win32_Volume | select Name
Name
----
C:\
D:\
E:\
\\?\Volume{021a6bbd-0b97-4973-824a-7c635e362f09}\
\\?\Volume{bae1c1d6-59c3-44b1-9360-b7d3101c0e92}\
PS C:\Users\me>
If I want to access just this
E:
How can I filter out to :\ with the highest alphabetical order ?
I've been trying so many options using Select-String, but seems to get worse result.
The ones you want don't start with "\\". The drive letters may be returned in any order, so you need to sort them and take the last one:
Get-WMIObject Win32_Volume | Where-Object {$_.Name -NotLike '\\*'} | select Name | Sort-Object -Property Name | Select-Object -Last 1
Or, if the drive letter is known to be in the range A to Z, then it would be more sensible to use -Like '[A-Z]*' instead of -NotLike '\\*'.
Try something like this
Get-WMIObject Win32_Volume | where {$_.Name -eq "E:\"}
this should give you a list of objects wich you can access like an array. Also there is a lot of useful information here https://technet.microsoft.com/en-gb/library/2007.04.powershell.aspx
Can anyone give me some guidance on what PowerShell command I can use to import all the members of a distribution group in Active Directory into a security group?
you could just use this (use your group names for "distributiongroup" and "securitygroup"):
Get-ADGroupMember -Identity distributiongroup | ForEach-Object { Add-ADGroupMember -Identity securitygroup -Members $_ }
Kind regards
To add to stephanb's answer, if you have nested groups under the distribution group you are attempting to copy from, you will need to add the -recursive parameter in order to pull in the users from those sub-groups.
Here is an example that worked for me:
Add-ADGroupMember -Identity 'securitygroup' -Members (Get-ADGroupMember -Identity 'distributiongroup' -Recursive)
I am trying to return a list of all mailboxes that have auditing enabled. I have tried the below, but it is returning all the users and not just those that have auditing enabled on their mailboxes. Can someone please help. Thanks
Get-Mailbox | select Name | where-object {$_.AuditEnabled -eq $true}
You might want check your pipeline and move the where-object before the select eg
get-mailbox | Where-Object {$_.AuditEnabled -eq $true} | select Name
Cheers
Glen