Powershell and Active Directory: Finding Users Whose Password Is Expired.

Hi,

Yesterday I got a call from my remote user. She said that she was not able to log in to the Intranet System and Outlook. I asked her if she had got any notifications about password failure (set using Group Policies), and she said no.

I said “OK”.

Somehow I felt this was related to her password, so I thought, let’s see if her password is expired or not.

The best way to check this is using “Powershell”

I opened my Powershell Console.

I imported my ActiveDirectory Module ( Import-Module ActiveDirectory )

and I ran the command.

Get-ADUser UserName -Properties *

When I scrolled down, I saw “PasswordExpired : True”.

I called the lady on the phone and told her to change her password.

You can also use this command to find all users whose passwords are expired.

Get-ADUser -Filter 'PasswordExpired -eq $true'
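
An added example, not code from the original post: the user in this story never saw an expiry warning, so this function lists enabled accounts whose password has already expired or will expire soon, read from the `msDS-UserPasswordExpiryTimeComputed` attribute. The function name and the 14-day window are assumptions.

```powershell
# Added example (not the author's code). Requires the RSAT ActiveDirectory module.
function Get-PasswordExpiryReport {
    [CmdletBinding()]
    param(
        [int]$WarnDays = 14,      # assumed warning window, adjust to your policy
        [string]$SearchBase       # optional OU distinguished name to limit the search
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $query = @{
        # Only enabled accounts whose password is allowed to expire.
        Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
        Properties = 'msDS-UserPasswordExpiryTimeComputed', 'PasswordLastSet', 'EmailAddress'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    $now = Get-Date
    foreach ($user in Get-ADUser @query) {
        $raw = $user.'msDS-UserPasswordExpiryTimeComputed'
        # Int64.MaxValue means no expiry applies; FromFileTime would throw on it.
        if ($null -eq $raw -or $raw -eq [Int64]::MaxValue) { continue }

        if ($raw -eq 0) {
            # 0 is returned when the password must be changed at next logon.
            $expires = $null; $daysLeft = 0; $status = 'MustChangeAtLogon'
        } else {
            $expires  = [datetime]::FromFileTime($raw)
            $daysLeft = [math]::Floor(($expires - $now).TotalDays)
            $status   = if ($daysLeft -lt 0) { 'Expired' } else { 'ExpiringSoon' }
        }

        if ($daysLeft -le $WarnDays) {
            [pscustomobject]@{
                Name            = $user.Name
                SamAccountName  = $user.SamAccountName
                EmailAddress    = $user.EmailAddress
                PasswordLastSet = $user.PasswordLastSet
                Expires         = $expires
                DaysLeft        = $daysLeft
                Status          = $status
            }
        }
    }
}

Get-PasswordExpiryReport | Sort-Object DaysLeft | Format-Table -AutoSize
```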

All sorted… and I lived “happily ever after” (till the second problem hits me ;))

I love Powershell.

Thanks

Aman Dhally

 


Powershell & Active Directory : Active Directory Reports in Excel.

Hi,

Active Directory reporting: sometimes we wonder what an Active Directory report should contain. Do I need a tool to do the reporting job, or should I purchase an Active Directory tool to do this task?

One of my friends wanted an Active Directory reporting tool and was planning to buy one. I asked what his requirements were, and he told me that he wanted a tool which can export data to Excel and give him a list of disabled computer accounts and user accounts so that he can delete them.

I told him that this can be done easily with PowerShell, and I wrote a little PowerShell script for him. The script is based on the RSAT Active Directory module. Make sure you have the RSAT tools installed before running the script.

When you run the script, it imports the Active Directory module first and then opens an Excel workbook. In Excel you will find 4 sheets for now. They contain:

  1. List of inactive Users Accounts
  2. List of inactive Computer Accounts
  3. Users Accounts created within a period of week.
  4. List of Users with password never expires enabled.

This Excel file is saved on the user’s Desktop.

Script Download link : https://dl.dropbox.com/u/17858935/Active_Directory_Report_Generator.zip 

Thanks

Aman Dhally


Powershell & Active Directory : “Find all users Email ID’s in Active Directory Using Powershell”.

Hi,

My task today was to create a list of all of our “Active Directory” users’ email IDs. Normally you can do this easily by downloading the global address list from the Exchange server and exporting it to a file.

But remember, PowerShell is all about automation. Now imagine your manager tells you that every fortnight he wants a list of all users’ email IDs so that he can use it for sending some company-wide “News”. I know you don’t want to do this manually every 15 days. So why not automate it and save some manual work, so that we can steal some time to spend on “Facebook” ;o).

Okay, let’s start. Before running any cmdlets, make sure you have the RSAT tools installed.

The task is simple: we can use Get-ADUser with -Filter * to find all users, request EmailAddress in -Properties, then pipe the output to the Select-Object cmdlet and choose to display Name and EmailAddress.

Get-ADUser -Filter * -Properties EmailAddress | Select Name,EmailAddress

Okay, we got what we wanted... but wait, there are a few users who don’t have any email address and I don’t want them in my output file, so let’s filter some more.

I have added one more cmdlet to the command, Where-Object: before selecting the properties, we keep only those users whose EmailAddress field is not null.

Get-ADUser -Filter * -Properties EmailAddress | where { $_.EmailAddress -ne $null } | sort | Select Name,EmailAddress

Now we can add the Export-Csv cmdlet at the end so that the output is stored in a .CSV file.

Get-ADUser -Filter * -Properties EmailAddress | where { $_.EmailAddress -ne $null } | sort | Select Name,EmailAddress | Export-Csv D:\email_ID.txt

The output file should look like this.

Task finished….

and have a nice day and

Happy Janmashtami Everyone :o)


Thanks

Aman Dhally


powershell & Active Directory: Find all users who have “Password Never Expires” enabled using Powershell.

Hi,

In a domain controller environment we all have some password policies set. In some organizations the user’s password expires in 60 days, in some 90 or 180 days.

A user’s password must expire within the defined period; changing passwords often is a good security policy.

But when we create a user account, sometimes by mistake we select “Password Never Expires”.

If “Password never expires” is checked, the user’s password never expires,

which is not good for the user’s account security.

My task today is to find all users who have “Password Never Expires” checked. To achieve this we are going to use the “Active Directory” module and the “Get-ADUser” cmdlet with filters.

Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Server localDC | select name

After the Get-ADUser cmdlet we use -Filter to show all accounts whose “Password Never Expires” value is equal to True, which means enabled. In the -Server parameter I am specifying my domain controller, and we pipe the output to the “Select-Object” cmdlet, selecting only the “Name” property.

The output is below.

Now I can show that list to my manager so that we can fix them later.
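
An added example, not code from the original post: a list of names alone does not say which accounts to fix first, so this variant of the query above also returns password age, last logon and whether the account is privileged. The function name is an assumption, and "privileged" is approximated by `adminCount`.

```powershell
# Added example (not the author's code). Requires the RSAT ActiveDirectory module.
function Get-NeverExpiringAccount {
    [CmdletBinding()]
    param(
        [string]$Server           # optional domain controller, e.g. the post's localDC
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $query = @{
        Filter     = 'PasswordNeverExpires -eq $true'
        Properties = 'PasswordLastSet', 'LastLogonDate', 'adminCount'
    }
    if ($Server) { $query.Server = $Server }

    $now = Get-Date
    Get-ADUser @query | ForEach-Object {
        # PasswordLastSet is empty when the password has never been set.
        $ageDays = if ($_.PasswordLastSet) {
            [int]($now - $_.PasswordLastSet).TotalDays
        } else { $null }

        [pscustomobject]@{
            Name            = $_.Name
            SamAccountName  = $_.SamAccountName
            Enabled         = $_.Enabled
            # adminCount = 1 marks accounts that are or were in a protected group.
            Privileged      = ($_.adminCount -eq 1)
            PasswordAgeDays = $ageDays
            # Derived from lastLogonTimestamp, so it can lag the real logon by days.
            LastLogonDate   = $_.LastLogonDate
        }
    } | Sort-Object -Property @{ Expression = 'Enabled';         Descending = $true },
                              @{ Expression = 'Privileged';      Descending = $true },
                              @{ Expression = 'PasswordAgeDays'; Descending = $true }
}

# Enabled, privileged accounts with the oldest passwords come first.
Get-NeverExpiringAccount -Server localDC | Format-Table -AutoSize
```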

Thanks for reading.

Aman Dhally

Powershell and Active Directory: Maintains the Leavers of your Company using powershell GUI based Application.

 

Hi,

Like every IT administrator, we have to create user accounts when someone joins the company and also delete and reset the account when someone leaves.

For the past few days I have been trying to write a GUI application based on PowerShell.

My main objectives were:

    • Reset the leaving user’s password.
    • Remove him from all groups.
    • Move his user account to a particular OU.

You can download the script from this link : https://dl.dropbox.com/u/17858935/Leavers_Processs_Community.zip 

Before running this script please change this variable as per your need:  $ArchiveOu = 'OU=Archived,DC=localDC,DC=com'

Let me explain about the script.

This script is based on the ActiveDirectory module, so before running the script make sure that you have installed the RSAT tools.

When you run the script, it first asks for a username and password. Please provide your Domain Admin username and password.

After you provide the credentials a GUI will open.

At number 1, it shows whether the script was able to detect and import the ActiveDirectory module.

Our first task is to find the user’s SAMAccountName.

So provide the user’s first and last name (2, 3) and click on Find (4).

When you click on Find, it searches all of AD for a matching user.

At number 5 it shows the user’s SAMAccountName.

At number 6, provide a new password for the user.

Now at number 7 click on Start.

When you click on Start, it does the following:

  • Reset the user’s password
  • Remove it from all groups
  • Move it to a particular OU
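
An added example, not the downloadable script and not the author's code: the three steps above as a console function that supports `-WhatIf` and returns the list of removed groups for the leaver's audit record. The function name and parameters are assumptions; `$ArchiveOu` defaults to the sample value from the post.

```powershell
# Added example (not the downloadable script). Requires the RSAT ActiveDirectory module.
function Invoke-LeaverProcess {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [Parameter(Mandatory = $true)][securestring]$NewPassword,
        # Same variable the post asks you to edit; the default is the post's sample OU.
        [string]$ArchiveOu = 'OU=Archived,DC=localDC,DC=com',
        [pscredential]$Credential
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $auth = @{}
    if ($Credential) { $auth.Credential = $Credential }

    # Fail before changing anything if the account or the target OU is missing.
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf -ErrorAction Stop @auth
    $null = Get-ADOrganizationalUnit -Identity $ArchiveOu -ErrorAction Stop @auth

    $action = 'Reset password, remove from all groups, move to archive OU'
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, $action)) { return }

    # 1. Reset the password.
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $NewPassword @auth

    # 2. Remove from every group. MemberOf omits the primary group (normally
    #    Domain Users), which cannot be removed while it is the primary group.
    $removed = foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false @auth
        $groupDn
    }

    # 3. Move the account last, because the move changes its distinguished name.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $ArchiveOu @auth

    # Return what was done so it can be stored with the leaver record.
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        MovedTo        = $ArchiveOu
        RemovedGroups  = @($removed)
        ProcessedAt    = Get-Date
    }
}

# Dry run first: -WhatIf reports the target and changes nothing.
$pw = Read-Host -AsSecureString 'New password for the leaver'
Invoke-LeaverProcess -SamAccountName 'Aman.Demo' -NewPassword $pw -WhatIf
```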

 


Download Link : https://dl.dropbox.com/u/17858935/Leavers_Processs_Community.zip

Thanks for reading.

Thanks!

Aman Dhally


Powershell and Active Directory: Find Active Directory users in a particular Organizational Unit whose Script Path is not set or blank using Powershell.

 

Hi,

If we are using “Active Directory”, then one thing is sure: 98% of the time we are using some login scripts. Sometimes while creating users we forget to specify the login script in the account.

My task today is to find all user accounts that have no login script defined.

Let’s Start.

Make sure you have “RSAT” installed on your laptop.

Now Import the Active Directory module.

Import-Module ActiveDirectory

OK, the module is imported.

I want to search a particular organizational unit for users. I am not so good at LDAP, so I always use a trick to find the full path of the OU.

Find OU.

I know a user named “Will Smith” is located in the organizational unit in which I want to search for users that have a blank LOGIN SCRIPT field.

I run the Get-ADUser cmdlet against will.smith and choose to show the user’s DistinguishedName. That DistinguishedName contains the full path of the OU.

(Get-ADUser will.smith).DistinguishedName

Copy all fields except CN and save them to a variable.

$ou = "OU=testing,DC=localDC,DC=com"

We use the Get-ADUser cmdlet to get information about Active Directory users. With -SearchBase we tell it to search the organizational unit stored in the $ou variable, -Filter * matches all users, and -Properties * returns all the properties of each user account. We then pipe the output to the where cmdlet to keep only those users whose ScriptPath is null or blank, and finally select only the names using the select cmdlet.

Get-ADUser -SearchBase $ou -Filter * -Properties * | where { $_.ScriptPath -eq $null } | select Name


All Done…Job is secured | once again …

Thanks!

Aman Dhally


Powershell and Active Directory: Find all Active Directory users whose CITY property field is blank.

 

Hi,

Me again. Yes, yes, I know, now you are going to ask me, “Aman, what is your task for the day?” OK, OK, telling you. Today my manager told me to find all Active Directory users who don’t have the CITY field set, or whose CITY field is blank in their user properties.

I know that the Active Directory module has a cmdlet to find users, which is: Get-ADUser

Let’s Start.

Make sure you have “RSAT” installed on your laptop.

Now Import the Active Directory module.

Import-Module ActiveDirectory

OK, the module is imported.

To find all users in AD we need to use -Filter *, and to get all their properties we need to use the -Properties * parameter.

Get-ADUser -Filter * -Properties *

But our target is to find users whose CITY field is blank. Let’s use the Where-Object cmdlet to do this.

In this command we are asking PowerShell to find all users with all of their properties and then show us only those users whose CITY property is $null or blank.

Get-ADUser -Filter * -Properties * | Where-Object { $_.City -eq $null}

This shows us a huge amount of data.

Lets just select names of the users only.

Get-ADUser -Filter * -Properties * | Where-Object { $_.City -eq $null} | Select Name

Wow!! I have the names of all users whose City field is blank. I can export it to a CSV file and send it to my manager :)
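
An added example, not code from the original posts: it generalizes the blank script path and blank City searches above into one function that asks the domain controller for users missing any single attribute, instead of pulling every property of every user and filtering locally. The function name is an assumption; it takes LDAP attribute names, so the script path is `scriptPath` and City is `l`.

```powershell
# Added example (not the author's code). Requires the RSAT ActiveDirectory module.
function Get-ADUserMissingAttribute {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        # Accept plain LDAP attribute names only, so the value cannot
        # alter the structure of the LDAP filter built below.
        [ValidatePattern('^[A-Za-z][A-Za-z0-9-]*$')]
        [string]$LdapAttribute,

        [string]$SearchBase       # optional OU distinguished name
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $query = @{
        # (!(attr=*)) matches objects where the attribute has no value at all.
        # The filtering happens on the domain controller, not on the client.
        LDAPFilter = "(&(objectCategory=person)(objectClass=user)(!($LdapAttribute=*)))"
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query | Select-Object Name, SamAccountName, DistinguishedName
}

# Users without a login script in the sample OU from the script path post.
Get-ADUserMissingAttribute -LdapAttribute scriptPath -SearchBase 'OU=testing,DC=localDC,DC=com'

# Users without a City anywhere in the domain.
Get-ADUserMissingAttribute -LdapAttribute l
```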

Thanks for reading

Thanks!

Aman Dhally


Import only specific Cmdlets from Module in Powershell.

 

Hi,

Sometimes in scripts we import a whole module but we need only a few cmdlets of that module. For example, I am working on a script which runs against “Active Directory”, but from the “Active Directory” module I am using only two cmdlets, Get-ADUser and Get-ADGroup, so it seems wise to import only these cmdlets rather than the whole bunch of other cmdlets which we are not going to use in the script.

We can do this using the -Cmdlet parameter of the Import-Module cmdlet:

Import-Module ActiveDirectory -Cmdlet Get-ADUser,Get-ADGroup

Now we are importing only two cmdlets, Get-ADUser and Get-ADGroup, from the “Active Directory” module.

OK, the module imported successfully; now check which cmdlets “Active Directory” has { I already showed you how to do this here }

Get-Command -Module ActiveDirectory

Yo!!! The module has only the two cmdlets which we told it to import.

Cool!! Isn’t it?

Thanks for reading.

Aman Dhally


Powershell and Active Directory: Remove domain user from domain Group using Powershell.

 

Hi,

Today my IT manager told me to remove a domain user from a specific group. Normally I use “DSA.MSC”, or we can say “Active Directory Users and Computers”: I find the user, go to his user account properties, click on the “Member Of” tab and delete the group which the user no longer requires.

We can do two things: either we can use the Get-ADGroupMember cmdlet to find all members of a particular group, or we can use the Get-ADUser cmdlet to find the group membership of a particular user.

Lets Start.

Make sure you have “RSAT” installed on your laptop.

Now Import the Active Directory module.

Import-Module ActiveDirectory

OK, the module is imported.

Let’s use the Get-ADUser cmdlet to find the group membership of a domain user { http://newdelhipowershellusergroup.blogspot.in/2012/05/powershell-and-active-directory-find_11.html }

$((Get-ADUser Aman.Demo -Properties *).MemberOf -split (",")  | Select-String -SimpleMatch "CN=") -replace "CN=",""

OK, now we know that user “Aman.Demo” is a member of Fax-Dubai and two other groups. Our target is to remove “Aman.Demo” from the “Fax-Dubai” group.

Let’s cross-check whether “Fax-Dubai” has “Aman.Demo” as a member.

Get-ADGroupMember -Identity "Fax-Dubai" | Select-Object Name

Yes, it has. Now let’s remove “Aman.Demo” from the group.

We use the Remove-ADGroupMember cmdlet to remove the user from the desired group.

Remove-ADGroupMember -Identity "Fax-Dubai" -Members "Aman.Demo"

Before removing the user from the group it asks you for confirmation; type “Y”. That’s all.

If you want to suppress the confirmation, you can use the -Confirm:$false parameter; after that it won’t ask for confirmation.

OK, now that we have removed the user from the group, let’s check it.

User “Aman.Demo” is now a member of 2 user groups where previously it was 3, and you can see that “Fax-Dubai” no longer appears in Member Of.

All Sorted :)

Thanks for reading the blog.

Aman Dhally
