Powershell: Common Active Directory Uses
I wanted to share some commonly used PowerShell scripts for Active Directory. I use PowerShell a lot for work since it's widely available on most of the servers I work on. So here are some commonly used PowerShell scripts I personally use with Active Directory.
Removing all group memberships from disabled users in Active Directory
This script strips every group listed in memberOf from the disabled accounts found under the search base (here an OU that holds disabled accounts). Two things to keep in mind: the primary group (normally Domain Users) is not part of memberOf, so it stays; and the script is filtered on Enabled -eq $false so that an enabled account that was moved into the OU by mistake is not touched.
```powershell
Import-Module ActiveDirectory

# Only touch accounts that really are disabled, even inside the "Disabled Accounts" OU
$users = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase "ou=Disabled Accounts,dc=foo,dc=bar"

Function RemoveMemberships {
    param([string]$SAMAccountName)

    $user = Get-ADUser $SAMAccountName -Properties memberOf
    Write-Host "Found user: $SAMAccountName"

    # memberOf does not include the primary group (usually Domain Users); that one stays
    $userGroups = $user.memberOf
    $userGroups | ForEach-Object {
        Get-ADGroup $_ | Remove-ADGroupMember -Members $SAMAccountName -Confirm:$false
    }
    $userGroups = $null
}

$users | ForEach-Object { RemoveMemberships $_.SAMAccountName }
```
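Stripping memberships is destructive, so before running anything like the script above I want a record of what each account was in. The following is an added example (not from the original post): it writes one row per user/group pair to a CSV, removes the memberships from that list with -WhatIf support, and can put them back for a single account from the same CSV. The OU is the one from the post; the CSV path and the 'jdoe' account in the usage lines are assumptions.

```powershell
# Added example: snapshot memberships to CSV, remove them, and be able to restore them.
Import-Module ActiveDirectory

$SearchBase = "ou=Disabled Accounts,dc=foo,dc=bar"   # same OU as the post
$LogPath    = "C:\Temp\removed-memberships.csv"      # assumed location for the audit log

function Export-DisabledUserMemberships {
    param([string]$SearchBase, [string]$Path)

    # One row per (user, group) pair. The primary group is not in memberOf and is left alone.
    $rows = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $SearchBase -Properties memberOf |
        ForEach-Object {
            $sam = $_.SamAccountName
            foreach ($groupDN in $_.memberOf) {
                [pscustomobject]@{
                    SamAccountName = $sam
                    GroupDN        = $groupDN
                    RecordedOn     = (Get-Date).ToString('s')
                }
            }
        }
    $rows | Export-Csv -Path $Path -NoTypeInformation -Append
    return $rows
}

function Remove-LoggedMemberships {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([object[]]$Rows)

    foreach ($row in $Rows) {
        # -WhatIf prints "Remove <user>" per group without changing anything
        if ($PSCmdlet.ShouldProcess($row.GroupDN, "Remove $($row.SamAccountName)")) {
            Remove-ADGroupMember -Identity $row.GroupDN -Members $row.SamAccountName -Confirm:$false
        }
    }
}

function Restore-LoggedMemberships {
    # Re-add the memberships recorded for one account, e.g. when it was disabled by mistake
    param([string]$Path, [string]$SamAccountName)

    Import-Csv -Path $Path |
        Where-Object { $_.SamAccountName -eq $SamAccountName } |
        ForEach-Object { Add-ADGroupMember -Identity $_.GroupDN -Members $_.SamAccountName }
}

# Dry run first, then the real removal; restore is there when someone asks for an account back
$rows = Export-DisabledUserMemberships -SearchBase $SearchBase -Path $LogPath
Remove-LoggedMemberships -Rows $rows -WhatIf
# Remove-LoggedMemberships -Rows $rows
# Restore-LoggedMemberships -Path $LogPath -SamAccountName 'jdoe'
```

The CSV is appended to on every run, so it doubles as a history of which groups an account held at the time it was cleaned up, which is usually the first question asked when a "disabled" user turns out to still be needed.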
Edit the description on a user object
```powershell
# Add a description to an AD account
$desc     = "This is a sample description"
$username = "AD_USERNAME"

$uInfo = Get-ADUser $username -Properties Description
Write-Host "Editing Active Directory description on $username"
Write-Host "Previous description: $($uInfo.Description)"
Set-ADUser $username -Description $desc
Write-Host "Saved description as $desc"
```
Find all Disabled Users in Active Directory
```powershell
$OU_Path     = "ou=Users,dc=foobar,dc=com"
$outfile_csv = "disabled.csv"

# Filter on the server instead of pulling every user and discarding the enabled ones locally
$users = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $OU_Path |
    Select-Object Name, SAMAccountName, DistinguishedName

$users | Export-Csv -Path $outfile_csv -NoTypeInformation
```
Find who belongs to an Active Directory group
```powershell
$groups   = @("My Group1", "My Group2")
$UserList = Get-ADUser -SearchBase "OU=Users,DC=foobar,DC=com" -Filter * |
    Select-Object Name, SamAccountName

foreach ($g in $groups) {
    # -Recursive expands nested groups. Compare on SamAccountName, which is unique in the
    # domain; Name (the CN) is not guaranteed to be.
    $members = Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName
    foreach ($user in $UserList) {
        if ($members -contains $user.SamAccountName) {
            Write-Host $user.Name "exists in the group" $g
        } else {
            Write-Host $user.Name "does not exist in the group" $g -ForegroundColor Yellow
        }
    }
}
```
Obtain the TerminalServicesProfilePath from a user object
The Terminal Services settings are not ordinary LDAP attributes; they are packed into the userParameters blob, so Get-ADUser cannot return them directly. Binding to the user with ADSI and calling InvokeGet goes through the IADsTSUserEx interface, which decodes the blob for you.
```powershell
Function GetUserObject ($InputString) {
    Write-Verbose "Retrieving ADUser object for '$InputString'"
    Try {
        $TempObject = Get-ADUser $InputString -Properties userParameters -ErrorAction Stop
    } Catch {
        Write-Error -Message "User '$InputString' not found: $_" -Category ObjectNotFound -TargetObject $InputString
        Return
    }
    $TempObject
}

Function GetProps ($UserObject) {
    If ($UserObject.userParameters -eq $null) {
        # No userParameters blob means no Terminal Services settings have ever been set
        $Props = @{ "TSProfile" = ""; "TSHomeDirectory" = "" }
    } Else {
        # Bind to the user directly by DN; this also copes with escaped commas in the DN
        $UserInfo = [adsi]"LDAP://$($UserObject.DistinguishedName)"
        $Props = @{
            "TSProfile"       = $UserInfo.PSBase.InvokeGet("TerminalServicesProfilePath")
            "TSHomeDirectory" = $UserInfo.PSBase.InvokeGet("TerminalServicesHomeDirectory")
        }
    }
    New-Object PSObject -Property $Props
}

# Add a username
$username = "ENTER_USERNAME"
$GObject = GetUserObject -InputString $username
if ($GObject -ne $null) {
    $ADTSFolders = GetProps -UserObject $GObject
    $ADTSFolders.TSProfile
    $ADTSFolders.TSHomeDirectory
}
```
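Reading the paths is half of the job; the same ADSI interface is how you write them, and nothing is committed until CommitChanges() is called. This is an added example (not from the original post) that sets the profile path, home directory and home drive and then reads them back for confirmation. The ENTER_USERNAME placeholder is the post's; the file-server shares and the H: drive letter are assumptions.

```powershell
# Added example: set the Terminal Services paths the same way the post reads them.
Import-Module ActiveDirectory

$username   = "ENTER_USERNAME"                       # placeholder, as in the post
$NewProfile = "\\fileserver\tsprofiles\$username"    # assumed share
$NewHome    = "\\fileserver\tshome\$username"        # assumed share

function Set-TSUserPaths {
    param([string]$SamAccountName, [string]$ProfilePath, [string]$HomeDirectory)

    $dn   = (Get-ADUser $SamAccountName -ErrorAction Stop).DistinguishedName
    $user = [adsi]"LDAP://$dn"

    # IADsTSUserEx writes these into the userParameters blob; nothing hits the DC until CommitChanges()
    $user.PSBase.InvokeSet("TerminalServicesProfilePath", $ProfilePath)
    $user.PSBase.InvokeSet("TerminalServicesHomeDirectory", $HomeDirectory)
    $user.PSBase.InvokeSet("TerminalServicesHomeDrive", "H:")   # assumed drive letter
    $user.PSBase.CommitChanges()

    # Read back from the directory rather than trusting the local cache
    $user.PSBase.RefreshCache()
    [pscustomobject]@{
        SamAccountName  = $SamAccountName
        TSProfile       = $user.PSBase.InvokeGet("TerminalServicesProfilePath")
        TSHomeDirectory = $user.PSBase.InvokeGet("TerminalServicesHomeDirectory")
        TSHomeDrive     = $user.PSBase.InvokeGet("TerminalServicesHomeDrive")
    }
}

Set-TSUserPaths -SamAccountName $username -ProfilePath $NewProfile -HomeDirectory $NewHome
```

Run it as an account that has write access to the user object; if CommitChanges() throws an access-denied error, the InvokeSet calls have changed nothing on the domain controller.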
Find Windows XP computers in Active Directory
```powershell
# Let the domain controller do the matching instead of pulling every computer object
$Get_AD_Comps = Get-ADComputer -Filter 'OperatingSystem -like "Windows XP*"' -Properties OperatingSystem

$results = @()
foreach ($comp in $Get_AD_Comps) {
    Write-Host $comp.Name $comp.OperatingSystem $comp.DistinguishedName
    $results += $comp | Select-Object Name, OperatingSystem, DistinguishedName
}
$results | Export-Csv -Path "OLD_Computers.csv" -NoTypeInformation
```
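Windows XP is the usual example, but the same query generalises to any list of operating systems you no longer support, and it is far more useful when it also says whether the machine is still alive. The following is an added example (not from the original post) that builds one server-side filter from a list of OS patterns, adds the days since the last logon, and separates live machines (the real exposure) from stale objects (cleanup candidates). The OS list, the 90-day threshold and the output file name are assumptions.

```powershell
# Added example: inventory unsupported operating systems together with last-logon age.
Import-Module ActiveDirectory

# Assumed list; adjust to whatever your organisation no longer supports
$UnsupportedOsPatterns = @('Windows XP*', 'Windows Vista*', 'Windows 7*',
                           'Windows Server 2003*', 'Windows Server 2008*')
$StaleDays = 90   # assumed threshold

function Get-UnsupportedComputers {
    param([string[]]$Patterns, [int]$StaleAfterDays)

    # One LDAP filter for all patterns, e.g. OperatingSystem -like 'Windows XP*' -or OperatingSystem -like 'Windows 7*'
    $filter = ($Patterns | ForEach-Object { "OperatingSystem -like '$_'" }) -join ' -or '

    Get-ADComputer -Filter $filter -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
        ForEach-Object {
            # LastLogonDate is the replicated lastLogonTimestamp, so it can lag by up to ~14 days
            $age = if ($_.LastLogonDate) { (New-TimeSpan -Start $_.LastLogonDate -End (Get-Date)).Days } else { $null }
            [pscustomobject]@{
                Name              = $_.Name
                OperatingSystem   = $_.OperatingSystem
                Version           = $_.OperatingSystemVersion
                Enabled           = $_.Enabled
                LastLogonDate     = $_.LastLogonDate
                DaysSinceLogon    = $age
                Stale             = ($null -eq $age) -or ($age -gt $StaleAfterDays)
                DistinguishedName = $_.DistinguishedName
            }
        }
}

$report = Get-UnsupportedComputers -Patterns $UnsupportedOsPatterns -StaleAfterDays $StaleDays

$report | Sort-Object OperatingSystem, Name |
    Format-Table Name, OperatingSystem, Enabled, DaysSinceLogon, Stale -AutoSize
$report | Export-Csv -Path 'Unsupported_Computers.csv' -NoTypeInformation

# Enabled and recently active: these are the machines to chase first
$report | Where-Object { $_.Enabled -and -not $_.Stale }
```

Because the filter is evaluated on the domain controller, this stays fast even in a large domain; the client only ever sees the objects that matched.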