Powershell: Common Active Directory Uses
I wanted to share some Common use Powershell scripts for Active Directory. I use Powershell a lot for work since its widely available on most of the servers I work on. So here is some commonly used Powershell scripts I personally use with Active Directory.
Removing All group memberships from disabled users in Active Directory
This script will remove all AD Groups from all disabled accounts found in Active Directory search path.
$users= get-aduser -Filter * -SearchBase "ou=Disabled Accounts,dc=foo,dc=bar"
Function RemoveMemberships {
param([string]$SAMAccountName)
$user = Get-ADUser $SAMAccountName -properties memberof
write-host "Found user: " $SAMAccountName
$userGroups = $user.memberof
$userGroups | %{get-adgroup $_ | Remove-ADGroupMember -confirm:$false -member $SAMAccountName}
$userGroups = $null
}
$users | %{RemoveMemberships $_.SAMAccountName}
Edit the Users description on User Object
# Add description to ad account
$desc = "This is a sample description"
$username = "AD_USERNAME"
$uInfo = Get-ADUser $username -Properties Description
foreach ($i in $uInfo) {
write-host "Editing active directory description on" $username
$Description = $i.Description
write-host "Saved description as" $desc
Set-ADUser $username -Description $desc
}
Find all Disabled Users in Active Directory
$OU_Path = "ou=Users,dc=foobar,dc=com"
$outfile_csv = "disabled.csv"
$users = Get-ADUser -Filter * -SearchBase $OU_Path | Where-Object {$_.Enabled -eq $false} | Select-Object Name, SAMAccountName, DistinguishedName | Export-Csv -Path $outfile_csv -NoTypeInformation
Find who belongs in a Active Directory Group
$groups = @("My Group1","My Group2")
$UserList = Get-ADUser -SearchBase "OU=Users,DC=foobar,DC=com" -Filter * | Select Name
foreach ($g in $groups) {
$members = Get-ADGroupMember -Identity $g -Recursive | Select -ExpandProperty Name
ForEach ($user in $UserList) {
If ($members -contains $user.Name) {
Write-Host $user.Name "exists in the group" $g
} Else {
Write-Host $user.Name "does not exists in the group" $g -foreground "yellow"
}
}
}
Obtain the TerminalServicesProfilePath path from an User Object
Function GetUserObject ($InputString) {
Write-Verbose "Retrieving ADUser Object for '$($InputString)'"
Try {
$TempObject = Get-ADUser $InputString -Properties userParameters -ErrorAction Stop
} Catch {
If (!($Quiet)) {
Wite-Error $TempObject -Category ObjectNotFound -TargetObject $InputString
}
Return
}
$TempObject
}
Function GetProps ($UserObject) {
If ($UserObject.userParameters -eq $Null) {
$Props = @{
"TSProfile" = ""
"TSHomeDirectory" = ""
}
} Else {
$UserDN = $UserObject.DistinguishedName
$OU = [adsi]"LDAP://$($UserDN.SubString($UserDN.IndexOf(",")+1))"
$UserInfo = $OU.PSBase.get_children().find($UserDN.SubString(0,$UserDN.IndexOf(",")))
$Props = @{
"TSProfile" = $UserInfo.PSBase.invokeget("TerminalServicesProfilePath")
"TSHomeDirectory" = $UserInfo.PSBase.invokeget("TerminalServicesHomeDirectory")
}
}
$UserResult += New-Object PSObject -Property $Props
return $UserResult
}
# Add a username
$username = "ENTER_USERNAME"
$GObject = GetUserObject -InputString $username
if ($GObject -ne $null) {
$ADTSFolders = GetProps -UserObject $GObject
}
$ADTSFolders.TSProfile
$ADTSFolders.TSHomeDirectory
Find Windows XP computers in Active Directory
$Get_AD_Comps = Get-ADComputer -Filter * -Properties OperatingSystem
foreach($comp in $Get_AD_Comps) {
if($comp.OperatingSystem -like "Windows XP*") {
write-host $comp.Name $comp.OperatingSystem $comp.DistinguishedName
$results += '"' + $comp.Name + '","' + $comp.OperatingSystem + '","' + $comp.DistinguishedName + '"' + "`n"
}
}
$results | out-file "OLD_Computers.csv"
