Monday, November 16, 2015

List recursive group memberships


This script prompts for the username and returns a recursive list of the users group memberships.  It uses the Object Identifier (OID) 1.2.840.113556.1.4.1941 to call the extensible match matching rule LDAP_MATCHING_RULE_IN_CHAIN.  See the links below for further information on how this query operates.

http://ldapwiki.willeke.com/wiki/1.2.840.113556.1.4.1941

https://msdn.microsoft.com/en-us/library/aa746475%28v=vs.85%29.aspx


param (
    [Parameter (ValueFromPipeline=$true, Mandatory=$true)]
    [string]$username = $null
       )

$dn = (Get-ADUser $username).DistinguishedName
Get-ADGroup -LDAPFilter ("(member:1.2.840.113556.1.4.1941:={0})" -f $dn) | select -expand Name | sort name


replace sort name with measure to return the number of groups.  This script can be modified to apply to machine names by the use of the Get-ADComputer cmdlet

Consider expanding this to compare recursive group memberships of two users.

The above is also an example of an argument/parameter prompt.  To produces multiple prompts for augments to turn in to variables try 

param (
    [Parameter (ValueFromPipeline=$true, Mandatory=$true)]
    [string]$username = $null,
    [Parameter (ValueFromPipeline=$true, Mandatory=$true)]
    [string]$PartialGroupName = $null
      )

Posted by at

Sunday, November 15, 2015

Get-ADObject with an LDAPfilter


Powershell command to determine the contents matching membership of 2 groups and fitting a specified pattern. The output is then controlled using the format table cmdlet. Out-File can be used the write the output to a file.

Get-ADObject -LDAPFilter "(&(memberOf=cn=GROUPNAME1,ou=Live,ou=Applications,ou=Groups,dc=dom1st,dc=dom2nd,dc=local)(memberOf=cn=GROUPNAME2,ou=Live,ou=Applications,ou=Groups,dc=dom1st,dc=dom2nd,dc=local))" | where {$_.name -like "DW*"} | Format-Table Name


This is a similar command which lists the groups which both users are a member of i.e. common groups.  It is not recursive.

get-adobject -LDAPFilter "(&(member=CN=User1,OU=TestAccounts,OU=GenericAccounts,OU=Users,OU=firm,DC=DC1,DC=DC2,DC=local)(member=CN=user2,OU=LU,OU=Users,OU=firm,DC=DC1,DC=DC2,DC=local))"


To list uncommon group place the NOT operator just inside the bracket of the second condition, just before "member" in this case.

LDAP Query basics
https://technet.microsoft.com/en-us/library/aa996205%28v=exchg.65%29.aspx (broke)

https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

Building on the first query above this script obtains the users which are in both groups and then removes the resulting user accounts from a specified group.... script to be added..... 
Posted by at

Script to copy user accounts from one group to another

# Powershell Script to COPY AD User accounts from one group to another

# Usage Launch a powershell command window in a user context with permissions to the change the AD
# .\<path>\CopyUsersToUpdateAppGroup.ps1 <OldGroupName> <NewGroupName>


$split = $args.split(" ")
$OldGroupName = $split[0]
$NewGroupName = $split[1]
$Domain = "FQDN of AD Domain Goes Here"

$UserNames = Get-ADGroupMember $OldGroupName  | Get-ADUser | Select-Object `
-ExpandProperty SamAccountName

# Add each user to the newly created AD group
ForEach ($UserName in $UserNames) {
echo $User
$User = [ADSI]("WinNT://$Domain/$UserName")
$Grp = [ADSI]("WinNT://$Domain/$NewGroupName")
$Grp.PSBase.Invoke("Add",$User.PSBase.Path)
}


Posted by at

Outputing to a variable and text file

Outputing to a text file which is written to the root of the current userprofile.

get-appvclientconfiguration -outvariable vname 
$vname | Out-File vname.txt


Out-File is often useful but is usually quite frustrating without the -width x parameter added.  By default it restricts the width of the outputed lines to the same as the console which is 80 characters in a default console window.  The result is that lines are truncated with ... added where they are longer.  Override the problem but setting a larger width value.
Posted by at

Get-WMIObject - WMI query example


Powershell command to retrieve the productcode guids of the installed MSIs

Get-WmiObject -Namespace root\ccm\CIModels -Class CCM_MSIProduct | Sort-Object ProductName |Format-Table ProductName,ProductCode,ProductVersion -auto

Use this tool to browser the WMI items to query

 http://www.microsoft.com/en-us/download/details.aspx?id=8572

Posted by at

Get-ADPrincipleGroupMembership - lists the groups that a user, computer or group is a member of.



While this command can be used to obtain the list of groups a user  or a group is a member of, it will not do recursion i.e. it will not list the groups a user is in as a result of groups.

Get-ADPrincipalGroupMembership -Identity <userORgroupORComputer> | Select-Object -ExpandProperty SamAccountName | Sort-Object SamAccountName

in the above command place a where filter before select object cmdlet to narrow the results. 

https://technet.microsoft.com/en-us/library/ee617259.aspx 

This script removes an account from all groups with a name matching a string.  Note that the confirmation has been knocked out! Be careful.

 $AccountDN = "CN=MACHINENAME,OU=xxx,OU=xxx,OU=xxx,OU=xxx,OU=XXX,DC=xxx,DC=xxx,DC=xxx"
$grouplist = Get-ADPrincipalGroupMembership -id $AccountDN | where {$_.name -like "*string*"} | select -expand name

echo $grouplist

$ConfirmPreference = "none"

ForEach ($group in $grouplist)

{
echo $group
Remove-ADPrincipalGroupMembership -id $AccountDN -MemberOf $group
}
Posted by at

Get-ADComputer - list and return the computers matching the query


Command to obtain the list of computers in a specified AD OU - could be done with Get-ADUser as well probably.

Get-ADComputer -filter * -SearchBase "OU=Live,OU=Laptops,OU=Physical,OU=Desktops,OU=1,DC=name2,DC=name1,DC=local" | select name | sort name

In the above command if you replace the sort name with measure the output will count the total number of items and return that as the count.
Posted by at

Get-ADGroupMember - lists machines or user members of groups


Commands to output the members of a group

Get-ADGroupMember -Id <GroupName> | Export-CSV c:\temp\GroupOutput.CSV -NoTypeInformation 

this one uses the -recursive switch which lists the members of groups within the group.  Note the use of multiple -notlike items

Get-ADGroupMember -Identity <GroupName> -recursive | Select name | sort name | where {$_.name -notlike "MACH*" -and $_.name -notlike "VW*"}
Posted by at

Command Lines


Command lines:
powershell
-file "filename.ps1" (specifiies which script file to run)
-NonInteractive (prevents output to the command window)
-executionpolicy bypass -file "filename.ps1"  (enables script files to execute when the execution policy is restricted)

 C:\Windows\System32\WindowsPowerShell\v1.0 is added to the system path when powershell is installed.  Any custom scripts that you write can be placed in this location and easily called from a powershell command prompt.
Posted by at

Cmdlet reference and tutorial pages

References

Powershell 5.0 is the current version at the time up update December 2015.  These links refer to the version 5.0 release unless shown. 

Technet Library Scripting with Windows Powershell
https://technet.microsoft.com/en-us/library/bb978526.aspx

Technet Archive Windows Powershell 1.0 Basic Cmdlets
https://technet.microsoft.com/en-us/library/hh848794.aspx

Technet Library Windows Powershell 5.0 Modules and Cmdlets
https://technet.microsoft.com/en-us/library/hh847741.aspx

AD Cmdlets
https://technet.microsoft.com/en-us/library/ee617195.aspx

Managing App-V 5.0
https://technet.microsoft.com/en-us/library/jj713419.aspx

Text Manipulation
http://newdelhipowershellusergroup.blogspot.co.uk/p/tutorial-series.html

Special Characters and Tokens
http://www.neolisk.com/techblog/powershell-specialcharactersandtokens

Tutorials
https://www.simple-talk.com/sysadmin/powershell/powershell-one-liners--accessing,-handling-and-writing-data-/

https://www.simple-talk.com/sysadmin/powershell/powershell-one-liners--collections,-hashtables,-arrays-and-strings/

http://www.howtogeek.com/137803/geek-school-learn-how-to-automate-windows-with-powershell/

http://www.computerperformance.co.uk/powershell/
Posted by at

Filter Types



Filter Types - cmdlets may not support all of these

-lt -- Less than
-le -- Less than or equal to
-gt -- Greater than
-ge -- Greater than or equal to
-eq -- Equal to
-ne -- Not equal to
-like - Like; uses wildcards for pattern matching
-notlike -- Equal to
-clike -- case sensative like
-approx -- ?
-bor -- ?
-band -- ?
-recursivematch -- ?

http://www.itprotoday.com/management-mobility/powershell-basics-filtering-objects

LDAP Query Operators

= equal
! not
& and
| or
* wildcard

more here
http://windowsitpro.com/powershell/windows-powershell-operators
Posted by at

Thursday, November 12, 2015

Get-ADGroup queries the AD for group object items eg names


Get-ADGroup

Command to obtain group names containing 2 specified strings which is then further filtered for the case sensitive instances by the where cmdlet using the -clike operator, the case sensitive version of -like in the where cmdlet.

Get-ADGroup -filter {Name -like "*string1*" -and Name -like "*STrIng2*"} | where {$_.name -clike "*STrIng2*"} | Select-Object name | Sort-Object name

Notes
where is short for Where-Object
Select-Object and Sort-Object can be shortened to Select and Sort
-notlike is also a valid operator for the where object.

This command is useful to include the group description in the output

 get-adgroup -filter {name -like "*mystring*"} -Properties description | select name,description
Posted by at
Subscribe to: Posts (Atom)