
–A–

active directory users, save to CSV

Get-ADUser -Filter {mail -like "*" -and enabled -eq "true" -and Surname -like "*"} | Select-Object GivenName, Surname, Name, UserPrincipalName  | Export-Csv documents\ADusers4.csv

Notice this only gets users with

–B–

–C–

contacts, list

Get-ADObject -filter {objectclass -eq "contact"}

contacts, list all for an OU - see OU, list all contacts for an OU

country code, update

assume you want to update the country code for all users in any OU that contains the string "UK" to "GB"

Get-ADUser -filter * -Properties name, givenName, middleName, sn, mail, co, c, country | `
    where-object {($_.distinguishedname -like "*UK*") -and ($_.c -ne "GB")} | % {Set-ADUser -Identity $_ -replace @{c="GB"}}

verify

Get-ADUser -filter * -Properties name, givenName, middleName, sn, mail, co, c, country | `
    where-object {$_.distinguishedname -like "*UK*"} | Sort-Object co, sn, givenName | select name, co, c, country, givenName, middleName, sn, mail | ft

create user - see user, create

–D–

–E–

email, find AD Object using - see

–F–

find where some entity might reside whether user/group/contact/alias - when I want to search exhaustively through AD, I run the following 5 commands in PowerShell:

$SearchUser = "someone";
Get-ADObject -LDAPFilter "objectClass=Contact" -Properties Name,mail | Where-Object{$_.mail -like "$($SearchUser)*"} | ft Name, mail, distinguishedName;
Get-ADGroup -Filter {(GroupCategory -eq "Distribution") -and (mail -like "$($SearchUser)*")} -Properties name, mail, distinguishedName | ft name, mail, distinguishedName;
Get-ADGroup -Filter {(GroupCategory -eq "Security") -and (mail -like "$($SearchUser)*")} -Properties name, mail, distinguishedName | Sort-Object mail | ft name, mail, distinguishedName;
Get-ADUser -Filter {mail -like "$($SearchUser)*"} -Properties UserPrincipalName, mail, distinguishedName | ft UserPrincipalName, mail, distinguishedName;
Get-ADUser -filter * -Properties ProxyAddresses | where-Object {$_.ProxyAddresses -match "$($SearchUser)" } | fl;

To look for:

Respectively
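
The same search as a single server-side query, as an added example that is not from the original page. It goes beyond the five commands above by covering every object class at once and by escaping the search string so that characters such as `*` or `(` cannot change the LDAP filter. `ConvertTo-LdapFilterValue` is a hypothetical helper name.

```powershell
# Added example; ConvertTo-LdapFilterValue is a hypothetical helper, not an AD module cmdlet.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping: backslash first, then * ( ) and NUL, each as \ plus its hex code.
    $Value -replace '\\', '\5c' `
           -replace '\*', '\2a' `
           -replace '\(', '\28' `
           -replace '\)', '\29' `
           -replace "`0", '\00'
}

$SearchUser = "someone"
$v = ConvertTo-LdapFilterValue $SearchUser

# mail starts with the string, or any proxyAddresses value contains it.
# Matches users, groups and contacts alike, so nothing is pulled to the client for late filtering.
$filter = "(|(mail=$v*)(proxyAddresses=*$v*))"

Get-ADObject -LDAPFilter $filter -Properties mail, proxyAddresses |
    Sort-Object ObjectClass, Name |
    Format-Table ObjectClass, Name, mail, DistinguishedName
```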

–G–

Get-ADUser, all properties - see user, all properties

Get-ADUser, filter on a property to be null - see null, filter on property

groups, find to which groups a user belongs

Get-ADPrincipalGroupMembership someUser | select Name, GroupCategory, GroupScope

groups, delete a user from all but one

We don’t want to remove this user from “Domain Users” just yet especially if we’re going to keep his ID around for a while as a shared mailbox accessible by his successor.

There's no provider filter parameter for Get-ADPrincipalGroupMembership, so we must use late filtering:

Get-ADPrincipalGroupMembership someUser | Where-Object {$_.name -ne 'Domain Users'} | select name, GroupCategory, GroupScope

To remove a user from all groups in AD by hand, go to their ID in ADUC, look at what’s in “member of”, and remove his membership in every group except “Domain Users”. Or, with PowerShell:

Get-ADPrincipalGroupMembership someUser | Where-Object {$_.name -ne 'Domain Users'} | % {Remove-ADPrincipalGroupMembership -Identity someUser -MemberOf $_ -confirm:$false}
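
A more cautious version of the removal above, as an added example that is not from the original page: it saves the memberships to CSV first, skips the primary group by SID rather than by name, and only removes anything when `$Commit` is set. `$Commit` and `$AuditPath` are assumed names.

```powershell
# Added example; $Commit and $AuditPath are hypothetical names, not from the page.
$DepartingUserIdentity = "someUser"
$Commit = $false   # $false = dry run with -WhatIf; $true = actually remove
$AuditPath = ".\$DepartingUserIdentity-groups-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"

$user = Get-ADUser -Identity $DepartingUserIdentity -Properties primaryGroupID

# The primary group (normally "Domain Users") cannot be removed while it is primary.
# Build its SID from the domain SID plus the RID in primaryGroupID instead of matching on the name.
$primaryGroupSid = "$($user.SID.AccountDomainSid.Value)-$($user.primaryGroupID)"

$groups = @(Get-ADPrincipalGroupMembership -Identity $user |
    Where-Object { $_.SID.Value -ne $primaryGroupSid })

# Keep a record of what access the account held before changing anything.
$groups |
    Select-Object Name, GroupCategory, GroupScope, DistinguishedName, SID |
    Export-Csv -Path $AuditPath -NoTypeInformation

foreach ($group in $groups) {
    if ($Commit) {
        Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $group -Confirm:$false
    } else {
        Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $group -WhatIf
    }
}

# Verify: after a committed run only the primary group should remain.
Get-ADPrincipalGroupMembership -Identity $user | Select-Object Name, GroupCategory, GroupScope
```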

groups in an OU, display

Get-ADGroup -Filter '*' | select-object * | where-object {$_.distinguishedname -like "*,OU=yourOU,*"} | sort-Object groupCategory,GroupScope,name | ft name,groupCategory,GroupScope, DistinguishedName

or

Get-ADGroup -Filter * -SearchBase 'OU=yourOU,DC=yourdomain,DC=com' | sort-Object SearchBase,groupCategory,GroupScope,name | ft name,groupCategory,GroupScope, DistinguishedName

groups, list by type

Get-ADGroup -filter * | Sort-Object GroupCategory,GroupScope,Name | ft Name,GroupCategory,GroupScope, DistinguishedName

–H–

–I–

–J–

–K–

–L–

–M–

–N–

new user - see user, create

null, filter on property

In this example, we want to find all ADUsers whose msExchHideFromAddressLists property is not set. So we quite reasonably attempt to filter on that property being equal to the $null variable:

Get-ADuser -filter {msExchHideFromAddressLists -eq $null} -Properties msExchHideFromAddressLists | ft Name, msExchHideFromAddressLists

But that fails with:

Get-ADuser : Variable: 'null' found in expression: $null is not defined.

So, instead filter on -notlike "*":

Get-ADuser -filter {msExchHideFromAddressLists -notlike "*"} -properties msExchHideFromAddressLists | ft Name, msExchHideFromAddressLists

You can actually still filter on the $null variable, just not in the very first part of the command where you're using -filter. Instead, use it later, after a pipe:

Get-ADuser -filter * -properties msExchHideFromAddressLists | ? {$_.msExchHideFromAddressLists -eq $null} | ft Name, msExchHideFromAddressLists

I like to think that the first method of filtering on -notlike "*" is more efficient and elegant.

–O–

OU, list all contacts for an OU

Get-ADObject -filter {objectclass -eq "contact"} -Properties name, givenName, middleName, sn, mail | `
where-object {$_.distinguishedname -like "*yourOU*"} | Sort-Object sn, givenName | select name, givenName, middleName, sn, mail | ft

And perhaps also sort first by email domain

Get-ADObject -filter {objectclass -eq "contact"} -Properties name, givenName, middleName, sn, mail | `
where-object {$_.distinguishedname -like "*yourOU*"} | `
Select-Object @{n="Dom";e={$_.mail.split("@")[1]}}, name, givenName, middleName, sn, mail | `
Sort-Object Dom, sn, givenName | ft

list emails

Get-ADObject -SearchBase 'OU=MyOu,DC=myDomain,DC=com' -Filter {objectclass -eq "contact" } -Properties mail | Select-Object Name, mail

OUs (Organizational Units), list

Get-ADOrganizationalUnit -filter * | ft Name, DistinguishedName

OUs for contacts (just the lowest level)

Get-ADObject -filter {objectclass -eq "contact" } -Properties targetaddress,distinguishedName | Sort-Object {((($_.DistinguishedName.Split(',', 2))[1]).Split(',', 2))[0]},name | select name, targetaddress,@{Name='OU';Expression={((($_.DistinguishedName.Split(',', 2))[1]).Split(',', 2))[0]}} | ogv

–P–

properties, see all - sometimes by default, when you do a get "-" even with a "fl" appended, you don't get all the properties

Get-ADUser someuser -Properties *

property - is a property missing for a user?

You might think this might work

if (($contact.$property -eq $null) -or ($contact.$property -eq ''))

But it doesn't. Use this instead.

if (-not($contact.$property))

–Q–

–R–

rename a user

Seems like this ought to be simple, right? But problem: it seems that you need to use the Rename-ADObject and that command wants an identity. And all you might have is a name. So you have to pipe the Get-ADuser into a Set-ADuser (in order to get an object with an identity) and then finally pipe that into Rename-ADObject. The first two commands are probably superfluous; included here in case you already had $DepartingUserIdentity as a variable earlier in a script. The last command is what you really need.

$DepartingUserIdentity = "someUser";
$DepartingUserName = (Get-ADUser $DepartingUserIdentity).Name
Get-ADUser $DepartingUserIdentity | Set-ADUser -PassThru | Rename-ADObject -NewName "departed $DepartingUserName" -PassThru

make sure display name matches

Change the display name. Otherwise, will retain the old name when looking at shared mailboxes in Exchange Online

Get-ADUser $DepartingUserIdentity -Properties DisplayName | select name, DisplayName

It's kind of weird having to invoke "Foreach-Object" (%) for just one user. But doesn't work with merely "| Set-ADUser -DisplayName $_.name" - puts in a null

Get-ADUser $DepartingUserIdentity -Properties DisplayName | Set-ADUser -DisplayName $_.name

so invoke "Foreach-Object" (%) - even if we're doing this for just one user

Get-ADUser $DepartingUserIdentity -Properties DisplayName | % {Set-ADUser -Identity $_ -DisplayName $_.name}

–S–

search for where some entity might reside whether user/group/contact/alias - see find where some entity might reside whether user/group/contact

SID, find name for

$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-21-898656534-286731432-926709055-10765");

$objUser = $objSID.Translate( [System.Security.Principal.NTAccount]);

$objUser.Value

–T–

trust relationship broken

Test-ComputerSecureChannel -credential yourdomain\someadmin -Repair

–U–

user, all properties

if you try to get a "full list" of all the properties for a user, you'll end up with a rather disappointingly small list:

Get-ADUser someuser

You know there's more stuff buried in there! So use this instead:

Get-ADUser someuser -Properties *

user, compare all properties for a list

("user1", "user2") | %{Get-ADUser $_ -Properties *} | export-csv "c:SomeFile.csv"

user, create

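# assumes $FirstName, $LastName, $MiddleInitial, $Title, $Department, $UserDomain and $OU were set earlier in the script
$UserName = "$FirstName $LastName"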
$sAMAccountName = "$FirstName.$LastName"
$DefaultPassword = "topSecret"
$UPN = "$sAMAccountName@$UserDomain"
$NewUserParams = @{
'UserPrincipalName' = $UPN
'Name' = $UserName
'DisplayName' = $UserName
'GivenName' = $FirstName
'Surname' = $LastName
'Title' = $Title
'Department' = $Department
'SamAccountName' = $sAMAccountName
'AccountPassword' = (ConvertTo-SecureString $DefaultPassword -AsPlainText -Force)
'Enabled' = $true
'Initials' = $MiddleInitial
'Path' = "$OU"
'ChangePasswordAtLogon' = $false
'EmailAddress' = $UPN
}
New-ADUser @NewUserParams
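
The block above gives every new account the same hard-coded password and leaves ChangePasswordAtLogon off. A variant of the password-related settings, as an added example that is not from the original page: a random initial password per account and a forced change at first logon. `New-InitialPassword` is a hypothetical helper; the sample name, domain and OU are constructed placeholders.

```powershell
# Added example; New-InitialPassword is a hypothetical helper, not an AD module cmdlet.
function New-InitialPassword {
    param([int]$ByteCount = 18)
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    # Base64 of random bytes; the fixed suffix adds no secrecy, it only guarantees
    # the upper/lower/digit/symbol classes that a complexity policy checks for.
    [Convert]::ToBase64String($bytes) + 'aZ9!'
}

# Constructed sample values
$FirstName = 'Pat'; $LastName = 'Example'
$UserDomain = 'yourdomain.com'
$OU = 'OU=yourOU,DC=yourdomain,DC=com'

$sAMAccountName = "$FirstName.$LastName"
$UPN = "$sAMAccountName@$UserDomain"
$InitialPassword = New-InitialPassword

$NewUserParams = @{
    UserPrincipalName     = $UPN
    Name                  = "$FirstName $LastName"
    DisplayName           = "$FirstName $LastName"
    GivenName             = $FirstName
    Surname               = $LastName
    SamAccountName        = $sAMAccountName
    AccountPassword       = (ConvertTo-SecureString $InitialPassword -AsPlainText -Force)
    Enabled               = $true
    Path                  = $OU
    ChangePasswordAtLogon = $true   # the initial password is only good for one logon
    EmailAddress          = $UPN
}
New-ADUser @NewUserParams

# Show the password once for out-of-band handover, then drop it from the session.
Write-Host "Initial password for ${UPN}: $InitialPassword"
Remove-Variable InitialPassword
```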

userParameters, find users whose userParameters is not null

Get-ADUser -Filter * -Properties samAccountName, userParameters | where {$_.userParameters -ne $null} | Sort-Object samAccountName | fl samAccountName, userParameters

–V–

–W–

–X–

–Y–

–Z–