First, you may want to count the members:
(Get-QADGroupMember "Group").count
And then you can add them to another group:
Get-QADGroupMember "Group to copy from" | Add-QADGroupMember "Group to copy to"
This exports the following fields for all disabled accounts, in this order, as UTF-8 so that Scandinavian letters are preserved:
Givenname, Surname, SamAccountname, PrimarySMTPAddress
Get-QADUser -sizelimit 0 | where {$_.accountisdisabled -eq $true} | select givenname,sn,SamAccountName,PrimarySMTPAddress | Export-Csv -Encoding utf8 c:\temp\disabled_users.csv
# Re-encode the file so special characters are included (in Windows PowerShell, > writes Unicode)
cat .\list.csv > .\list2.csv
# Import the file and export the result as UTF-8
Import-Csv .\list2.csv | foreach {
    Get-QADUser -lastname $_.lastname -firstname $_.firstname | select firstname,lastname,mobile,primarysmtpaddress,logonname
} | Export-Csv .\list3.csv -Encoding "UTF8"
# Add +47 in "mobile"
$Users = Get-QADUser -SearchRoot "domain/A1/users" -sizelimit 0 | where { $_.mobile.length -eq 8 }
foreach ($user in $users) {
    Set-QADUser -id $user -mobile ($user.mobile.insert(0,'+47'))
}
# Number of users with 8 characters mobile
(Get-QADUser -sizelimit 0 | where { $_.mobile.length -eq 8 }).count
# Remove whitespace in mobile
$Users = Get-QADUser -SearchRoot "domain/A1/users" -sizelimit 0 | where {$_.mobile -match "\s"}
foreach ($user in $users) {
    Set-QADUser -id $user -mobile ($user.mobile -replace "\s")
}
# Count users with whitespace in mobile
(Get-QADUser -sizelimit 0 | where {$_.mobile -match "\s"}).count
This script uses the Quest AD Cmdlets that can be downloaded free from Quest.
# Add the Quest commandlets if not added
if(!(Get-PSSnapin |
    Where-Object {$_.name -eq "quest.activeroles.admanagement"})) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement
}
# Add Exchange 2010 commandlets (if not added)
if(!(Get-PSSnapin |
    Where-Object {$_.name -eq "Microsoft.Exchange.Management.PowerShell.E2010"})) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
}
################## SETTINGS
# Home directory root for users (keep the trailing backslash; the user name is appended to it)
$homedir = "\\contoso.com\users\"
# Domain
$domain = "contoso.com"
# Email address to keep
$keepmail = "@contoso.com"
# The OU we are working on
$OU = "contoso.com/Users/migrated_users"
##################
# Run on all users in the defined OU
Get-QADUser -SearchRoot $OU |
foreach {
    echo "-------------------------------------------------"
    echo "Working on $($_.displayname)"
    echo "-------------------------------------------------"
    # Generate username after the 3+3 rule (names shorter than three letters are used whole)
    $first = $_.firstname
    $last = $_.lastname
    $userprincipalname = ($first.substring(0,[Math]::Min(3,$first.length)) + $last.substring(0,[Math]::Min(3,$last.length))).tolower()
    $userprincipalname = $userprincipalname.replace("ø","o")
    $userprincipalname = $userprincipalname.replace("å","a")
    $userprincipalname = $userprincipalname.replace("æ","e")
    # Make the changes on the user account
    Set-QADUser -Identity $_ -UserPrincipalName $($userprincipalname + "@" + $domain) -SamAccountName "$($userprincipalname)" -HomeDirectory $($homedir + $userprincipalname) -HomeDrive "H:" #-whatif
    # Check to see if the user's home directory exists
    if ( !(Test-Path -Path "$homedir$userprincipalname" -PathType Container) ) {
        # Doesn't exist so create it.
        Write-Host "home directory doesn't exist. Creating home directory."
        # Create the directory
        New-Item -path $homedir -Name $userprincipalname -ItemType Directory
        $userDir = "$homedir$userprincipalname"
        # Modify permissions on homedir (FullControl already includes Read, Write and Modify)
        $Rights = [System.Security.AccessControl.FileSystemRights]::FullControl
        $Inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
        $Propagation = [System.Security.AccessControl.PropagationFlags]::None
        $Access = [System.Security.AccessControl.AccessControlType]::Allow
        $AccessRule = new-object System.Security.AccessControl.FileSystemAccessRule("$userprincipalname",$Rights,$Inherit,$Propagation,$Access)
        $ACL = Get-Acl $userDir
        # Make the user the owner of the folder
        $Account = new-object system.security.principal.ntaccount($userprincipalname)
        $ACL.setowner($Account)
        # SetAccessRule replaces any existing rule for this account with the new one
        $ACL.SetAccessRule($AccessRule)
        Set-Acl $userDir $ACL
    }
    # We need some sleep...
    start-sleep -sec 20
    # Now we need to clean up the user's Exchange account
    Get-Mailbox -Identity $userprincipalname |
    # Loop through all the email addresses
    foreach {
        $a = $_.emailaddresses
        $b = $_.emailaddresses
        # Remove all but $keepmail. The pattern is escaped and anchored so that only
        # addresses ending in exactly $keepmail are kept
        $keeppattern = [regex]::Escape($keepmail) + '$'
        foreach($e in $a)
        {
            if ($e.tostring() -notmatch $keeppattern )
            { $b -= $e; }
        }
        # Apply the cleaned-up address list once, after the loop
        $_ | Set-mailbox -EmailAddressPolicyEnabled $false -emailaddresses $b -alias $userprincipalname
    }
    # We had to remove the emailaddresspolicy to make changes. Let's reactivate it
    Set-mailbox -Identity $userprincipalname -EmailAddressPolicyEnabled $true
}
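The 3+3 rule above can yield the same name for two different people, and the script then grants the home directory ACL and ownership by that name. The following is an added example, not part of the original script, that builds the name with short-name and collision handling; New-ThreePlusThreeName, its parameters and the sample names are hypothetical, and the list of taken names is assumed to have been collected from AD beforehand.

```powershell
# Added example: 3+3 account names with short-name and collision handling.
# New-ThreePlusThreeName, its parameters and the sample names are hypothetical.
function New-ThreePlusThreeName {
    param(
        [Parameter(Mandatory=$true)][string]$FirstName,
        [Parameter(Mandatory=$true)][string]$LastName,
        # Account names already in use (assumption: collected from AD beforehand)
        [string[]]$Taken = @()
    )
    # Same letter mapping as the script above, then drop anything outside a-z0-9
    # (spaces, hyphens, apostrophes); the extra filtering is an addition here
    $fold = { param($s) $s.ToLower().Replace("ø","o").Replace("å","a").Replace("æ","e") -replace "[^a-z0-9]", "" }
    $first = & $fold $FirstName
    $last  = & $fold $LastName
    if (-not $first -or -not $last) {
        throw "Cannot build an account name from '$FirstName $LastName'"
    }
    # Substring(0,3) throws on names shorter than three letters, so clamp the length
    $base = $first.Substring(0, [Math]::Min(3, $first.Length)) +
            $last.Substring(0, [Math]::Min(3, $last.Length))
    # Never reuse a name: the home directory ACL and owner are set by this name,
    # so a collision would hand the folder to the wrong account
    $candidate = $base
    $n = 1
    while ($Taken -contains $candidate) {
        $n++
        $candidate = "$base$n"
    }
    return $candidate
}

# Constructed sample data
$taken = @("olehan")
$people = @(
    @{ First = "Ole";   Last = "Hansen" },   # collides with the existing olehan
    @{ First = "Bo";    Last = "Ås" },       # both names shorter than three letters
    @{ First = "Bjørn"; Last = "Æsøy" }      # letters that need mapping
)
foreach ($p in $people) {
    $name = New-ThreePlusThreeName -FirstName $p.First -LastName $p.Last -Taken $taken
    $taken += $name
    "{0} {1} -> {2}" -f $p.First, $p.Last, $name
}
```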
Setting the -HomeDirectory switch on a user through PowerShell does not create the directory.
Use this code to create the folder and apply the necessary ACLs:
# $homedir (with a trailing backslash) and $userprincipalname must already be set
if ( !(Test-Path -Path "$homedir$userprincipalname" -PathType Container) ) {
    ## Doesn't exist so create it.
    Write-Host "home directory doesn't exist. Creating home directory."
    ## Create the directory
    New-Item -path $homedir -Name $userprincipalname -ItemType Directory
    $userDir = "$homedir$userprincipalname"
    ## Modify permissions on homedir (FullControl already includes Read, Write and Modify)
    $Rights = [System.Security.AccessControl.FileSystemRights]::FullControl
    $Inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $Propagation = [System.Security.AccessControl.PropagationFlags]::None
    $Access = [System.Security.AccessControl.AccessControlType]::Allow
    $AccessRule = new-object System.Security.AccessControl.FileSystemAccessRule("$userprincipalname",$Rights,$Inherit,$Propagation,$Access)
    $ACL = Get-Acl $userDir
    ## Make the user the owner of the folder
    $Account = new-object system.security.principal.ntaccount($userprincipalname)
    $ACL.setowner($Account)
    ## SetAccessRule replaces any existing rule for this account with the new one
    $ACL.SetAccessRule($AccessRule)
    Set-Acl $userDir $ACL
}
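The code above gives the user FullControl and ownership, which also lets the user rewrite the folder's permissions. A tighter variant with a verification step follows as an added example, not the original author's code; the scratch folder under $env:TEMP, the current user standing in for the home directory user, and the helper Get-ExcessiveHomeDirAce are assumptions made so that it runs on any Windows machine.

```powershell
# Added example, not from the original post. The scratch folder and the use of the
# current user as the "home directory user" are assumptions for the demonstration.
$userDir  = Join-Path $env:TEMP ("homedir-demo-" + [guid]::NewGuid().ToString("N"))
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
New-Item -Path $userDir -ItemType Directory | Out-Null

$Inherit     = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$Propagation = [System.Security.AccessControl.PropagationFlags]::None
$Access      = [System.Security.AccessControl.AccessControlType]::Allow
# Modify covers read, write and delete but leaves out ChangePermissions and TakeOwnership
$Rights      = [System.Security.AccessControl.FileSystemRights]::Modify

$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $Rights, $Inherit, $Propagation, $Access)
$ACL = Get-Acl $userDir
$ACL.SetAccessRule($AccessRule)          # replaces any explicit rule for this identity
Set-Acl -Path $userDir -AclObject $ACL   # the owner is left unchanged

# Hypothetical helper: explicit allow ACEs that let $Identity rewrite the ACL or take ownership
function Get-ExcessiveHomeDirAce {
    param([string]$Path, [string]$Identity)
    $mask = [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
            [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership
    (Get-Acl $Path).Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq "Allow" -and
        $_.IdentityReference.Value -eq $Identity -and
        ([int]$_.FileSystemRights -band $mask) -ne 0
    }
}

# Report what the folder ended up with
$excess = @(Get-ExcessiveHomeDirAce -Path $userDir -Identity $identity)
"Owner: {0}" -f (Get-Acl $userDir).Owner
"Explicit ACEs granting ChangePermissions/TakeOwnership to {0}: {1}" -f $identity, $excess.Count

Remove-Item $userDir -Recurse -Force   # clean up the scratch folder
```

The same helper can be pointed at existing home directories to find folders where the user holds an explicit FullControl entry.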
Thank you very much for this tip Shay Levy!
Connect-QADService -service 'server.company.com'
This requires the Quest commandlets.