Default Domain Password Policy

Do you want to find out the default password policy set up in your company's domain?

You can use this PowerShell command to get the Default Domain Password Policy:

Get-ADDefaultDomainPasswordPolicy

The object you get back should look something like this, with a value after each colon of course:

ComplexityEnabled :
DistinguishedName :
LockoutDuration :
LockoutObservationWindow :
LockoutThreshold :
MaxPasswordAge :
MinPasswordAge :
MinPasswordLength :
objectClass :
objectGuid :
PasswordHistoryCount :
ReversibleEncryptionEnabled :
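Reading the values is only half the job; the next step is checking them against your own standard. This is an added example, not part of the original post: it runs Get-ADDefaultDomainPasswordPolicy and compares each of the settings listed above against a baseline. The threshold values are assumptions for illustration; replace them with your organisation's standard.

```powershell
# Added example: check the default domain password policy against a baseline.
# The numbers below are assumed thresholds, not a standard the original post states.
# Note: fine-grained password policies (PSOs) can override these values for specific
# users or groups, so this only tells you about the domain default.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

$baseline = @(
    @{ Setting = 'MinPasswordLength';           Want = '>= 14';
       Rule = { $policy.MinPasswordLength -ge 14 } }
    @{ Setting = 'PasswordHistoryCount';        Want = '>= 24';
       Rule = { $policy.PasswordHistoryCount -ge 24 } }
    @{ Setting = 'ComplexityEnabled';           Want = 'True';
       Rule = { $policy.ComplexityEnabled } }
    @{ Setting = 'ReversibleEncryptionEnabled'; Want = 'False';
       Rule = { -not $policy.ReversibleEncryptionEnabled } }
    @{ Setting = 'LockoutThreshold';            Want = '1-10 attempts (0 = never locks out)';
       Rule = { $policy.LockoutThreshold -gt 0 -and $policy.LockoutThreshold -le 10 } }
    @{ Setting = 'LockoutDuration';             Want = '>= 15 minutes';
       Rule = { $policy.LockoutDuration -ge [TimeSpan]::FromMinutes(15) } }
    @{ Setting = 'MaxPasswordAge';              Want = '<= 365 days, or 00:00:00 = never expires';
       Rule = { $policy.MaxPasswordAge -eq [TimeSpan]::Zero -or
                $policy.MaxPasswordAge -le [TimeSpan]::FromDays(365) } }
)

# One row per setting: the actual value, what the baseline wants, and OK/REVIEW
foreach ($check in $baseline) {
    $ok = & $check.Rule
    [pscustomobject]@{
        Setting = $check.Setting
        Actual  = $policy.($check.Setting)
        Wanted  = $check.Want
        Status  = if ($ok) { 'OK' } else { 'REVIEW' }
    }
}
```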

PowerShell Disable or Delete user

Here we have an offboarding script to help you save time.
It also takes a backup of the user's access rights (group memberships) in AD, in case the user comes back later or someone needs to know what the user had access to.

If you sync with Office 365, the sync for that account stops once the user is removed. Depending on your federation setup, it will hopefully remove the account in Office 365 without you needing to do anything.

#Import-Module ActiveDirectory

$userid = Read-Host "What's the USERID (sAMAccountName)"
$dateString = Get-Date -Format "yyyyMMdd-HHmm"   # sortable timestamp, 24-hour clock

# Edit the user's description with who disabled this account and when
Set-ADUser -Identity $userid -Description "Disabled $dateString by $env:USERNAME"

# Copy all the user's group memberships to a text file before removing them,
# so there is something to fall back on if someone needs to know what the user had access to.
# \\server\share is an example path; point it at your own backup location.
$backupFile = "\\server\share\$userid-$dateString.txt"
Get-ADPrincipalGroupMembership -Identity $userid | Select-Object Name > $backupFile

# https://technet.microsoft.com/sv-se/library/dd378944(v=ws.10).aspx
# Remove all memberships. The primary group (normally Domain Users) cannot be removed
# this way and would only throw an error, so it is skipped.
# -Confirm:$false answers every prompt with Yes, since the command is about removing memberships.
$primaryGroup = (Get-ADUser -Identity $userid -Properties PrimaryGroup).PrimaryGroup
Get-ADPrincipalGroupMembership -Identity $userid |
    Where-Object { $_.DistinguishedName -ne $primaryGroup } |
    ForEach-Object { Remove-ADPrincipalGroupMembership -Identity $userid -MemberOf $_ -Confirm:$false }

# Memberships are removed first, then the account is disabled and moved
Disable-ADAccount -Identity $userid
# Move the account to the OU DisabledUsers
Get-ADUser -Identity $userid | Move-ADObject -TargetPath 'OU=DisabledUsers,DC=company,DC=com'

# Delete step: keep this only if you really want the user gone rather than just disabled
# https://docs.microsoft.com/en-us/powershell/module/addsadministration/remove-aduser?view=win10-ps
Remove-ADUser -Identity $userid
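The backup file is only useful if you can put the memberships back. This is an added example, not part of the original post: it reads the text file written by the script above (the "Select-Object Name > file" output, which has a "name" header line, a dashed underline and blank lines) and re-adds the user to each group it still exists in. The parameter names and paths are assumptions.

```powershell
# Added example: restore group memberships from the offboarding backup file.
# Assumes the file was produced by "Get-ADPrincipalGroupMembership ... | Select-Object Name > file",
# so it contains a header line, a "----" underline, blank lines and one group name per line.
param(
    [Parameter(Mandatory=$true)][string]$UserId,      # sAMAccountName of the restored user
    [Parameter(Mandatory=$true)][string]$BackupFile   # e.g. \\server\share\jdoe-20240101-0900.txt
)
Import-Module ActiveDirectory

# Parse the text file: drop the header, the underline and empty lines, trim the rest
$groupNames = Get-Content -Path $BackupFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and $_ -ne 'Name' -and $_ -notmatch '^-+$' }

# Groups the user is already in, so running the restore twice is harmless
$current = (Get-ADPrincipalGroupMembership -Identity $UserId).Name

foreach ($groupName in $groupNames) {
    if ($current -contains $groupName) {
        Write-Host "Already a member of $groupName, skipping"
        continue
    }
    # Resolve the group by name; escape single quotes so the filter string stays valid
    $safeName = $groupName -replace "'", "''"
    $group = Get-ADGroup -Filter "Name -eq '$safeName'"
    if (-not $group) {
        # A group that was deleted since the backup is reported instead of aborting the loop
        Write-Warning "Group '$groupName' not found in AD, skipping"
        continue
    }
    Add-ADGroupMember -Identity $group -Members $UserId
    Write-Host "Restored membership of $groupName"
}
```

Review the restored list against what the user actually needs in the new role; the backup reflects the old one.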

If an accident still happens and you remove someone who should not have been removed,

here's how to restore the account

PowerShell Get Users from OU

Let's try something a little bit harder. We have a script that can export users from a specific OU with values like Name, Email, Manager and departmentNumber.

This can be handy nowadays, with all the reorganizations that companies rush through.

Some values might need to change; it depends on where your company stores things in the AD attributes on the user.

Enjoy!

#Import-Module ActiveDirectory

$SearchOU = "OU=YourUsers,OU=Company,DC=company,DC=domain"

# All extended AD attributes we need beyond the default set
$ADAttributes = @(
    "Name",
    "EmailAddress",
    "Manager",
    "departmentNumber",
    "employeeNumber"
)
# Only users that have an employeeNumber set
$Users = Get-ADUser -SearchBase $SearchOU -Filter {employeeNumber -like "*"} -Properties $ADAttributes

$dateString = Get-Date -Format "yyyyMMdd-HHmm"
$exportFile = "C:\TEMP\Export-$dateString.txt"
"Name,Email,Costcenter,Approver" | Out-File -FilePath $exportFile

foreach ($User in $Users)
{
    $manager = ""
    $departmentNumber = $User.departmentNumber
    [string]$name  = $User.Name
    [string]$email = $User.EmailAddress

    try {
        # Manager is stored as a DN; look up the manager's account to get the name
        [string]$managerDN = $User.Manager
        if ($managerDN) { $manager = (Get-ADUser -Identity $managerDN).Name }
    }
    catch
    {
        # Good to have when you get problems, for example a manager DN that no longer resolves
        Write-Output "Could not resolve manager for $name"
    }

    [string]$employeeNumber = $User.employeeNumber
    [string]$results = $name + "," + $email + "," + $departmentNumber + "," + $manager
    $results | Out-File -FilePath $exportFile -Append
}

Copy a user's group memberships to another user in PowerShell

Copy or clone one user's AD group memberships to another user.

For example, a new user at the office needs the same access as someone else; this script helps you copy all that access easily from one person to the other.


[CmdletBinding(SupportsShouldProcess=$true)]
param(
    [Parameter(Mandatory=$true, Position=0)]
    [String]$UserToCopyFrom,
    [Parameter(Mandatory=$true, Position=1)]
    [String]$UserToCopyTo
)

# Get all groups that $UserToCopyFrom is a direct member of
try {
    $Members = Get-ADPrincipalGroupMembership -Identity $UserToCopyFrom |
        Select-Object -ExpandProperty DistinguishedName
}
catch
{
    Write-Warning "Failed to get group memberships for $UserToCopyFrom"
    Start-Sleep -Seconds 3
    exit
}

# Groups the target already belongs to, so we do not try to add them twice
$Existing = (Get-ADPrincipalGroupMembership -Identity $UserToCopyTo).DistinguishedName

# Add the new user to every group; -WhatIf on the script shows what would happen without changing AD
$Members | ForEach-Object {
    if ($Existing -contains $_) {
        Write-Host "$UserToCopyTo is already a member of $_" -ForegroundColor Yellow
        return   # inside ForEach-Object, return moves on to the next group
    }
    if ($PSCmdlet.ShouldProcess($_, "Add $UserToCopyTo")) {
        Write-Host "Adding user $UserToCopyTo to group $_" -ForegroundColor Green
        Add-ADGroupMember -Identity $_ -Members $UserToCopyTo
    }
}

Read-Host "Press Enter to quit"
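Before cloning, it is worth seeing exactly what the new user would gain, and what the target already has that the source does not. This is an added example, not part of the original post: it compares the two users' direct group memberships with Compare-Object and prints the difference in both directions without changing anything in AD. The parameter names and the helper function are assumptions.

```powershell
# Added example: dry-run review of two users' group memberships before copying.
# Nothing here writes to AD; it only reports the differences.
param(
    [Parameter(Mandatory=$true)][string]$UserToCopyFrom,
    [Parameter(Mandatory=$true)][string]$UserToCopyTo
)
Import-Module ActiveDirectory

# Helper (assumed name): sorted list of group names a user is a direct member of
function Get-MembershipNames([string]$user) {
    Get-ADPrincipalGroupMembership -Identity $user |
        Select-Object -ExpandProperty Name |
        Sort-Object
}

$from = @(Get-MembershipNames $UserToCopyFrom)
$to   = @(Get-MembershipNames $UserToCopyTo)

# SideIndicator '<=' : only in the source user (would be added by the copy script)
# SideIndicator '=>' : only in the target user (left untouched by the copy script)
$diff = Compare-Object -ReferenceObject $from -DifferenceObject $to

$wouldGain = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject)
$extra     = @($diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)

# ${name}: is needed so PowerShell does not read "$name:" as a drive-qualified variable
"Groups ${UserToCopyTo} would gain from ${UserToCopyFrom}: $($wouldGain.Count)"
$wouldGain | ForEach-Object { "  + $_" }
"Groups ${UserToCopyTo} already has that ${UserToCopyFrom} does not: $($extra.Count)"
$extra | ForEach-Object { "  - $_" }
```

Groups under "+" are the ones to question one by one before running the copy script, since every one of them is access the new user may not actually need.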

Export everyone with phone number in AD PowerShell

How to export users and their phone numbers out of Active Directory. As written, the script lists the enabled users in the OU that have no mobile number set (handy for finding incomplete records); drop the Mobile check to export everyone.

# Enabled users in the OU whose Mobile attribute is empty, with the phone fields that are set.
# EmailAddress, Mobile and OfficePhone are not default properties, so they must be requested.
# "DC=company,DC=domain" is an example; use your own domain.
$AdUsersNoPhone = Get-ADUser -Filter * -Properties EmailAddress, Mobile, OfficePhone -SearchBase "OU=UserOU,DC=company,DC=domain" |
    Where-Object { $_.Enabled -and -not $_.Mobile } |
    Select-Object Name, EmailAddress, Mobile, OfficePhone |
    Sort-Object Name

$AdUsersNoPhone | Export-Csv -Path "C:\temp\ADusersWithNoMobileNR.csv" -NoTypeInformation -Encoding UTF8

PowerShell Get members of an AD Group


Are you looking for a script that can get all the users that are members of a specific AD group?

# Ask for the name of the group
$Group = Read-Host "What's the name of the group"

# -Recursive also lists users that are members through nested groups
Get-ADGroupMember -Identity $Group -Recursive | Get-ADUser -Properties DisplayName | Select-Object Name, DisplayName