Scenario: You want to see the last time AD replication happened between sites.
Scriptlet:
repadmin.exe /showrepl * /csv > c:\temp\showrepl.csv
Scenario: You want to remove a user's permission to an AD object via PowerShell. This is the equivalent of opening Active Directory Users and Computers, finding your AD object (user, computer, etc.), and removing the user's permission from the Security tab.
Scriptlets: We are going to remove the user domain\jdoe from the AD computer test_computer.
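Import-Module ActiveDirectory

#Set these variables
$DistinguishedName = "CN=test_computer,OU=Test,OU=Domain,DC=com"
$user = "domain\jdoe"

#Set AD as the location so Get-Acl/Set-Acl resolve the distinguished name
Set-Location AD:

#Collect the current ACL
$Acl = Get-Acl $DistinguishedName

#Loop each access permission in the ACL
#(only explicit entries can be removed here; inherited ones come from the parent)
foreach ($access in $Acl.Access) {
    if ($access.IdentityReference.Value -eq $user) {
        $Acl.RemoveAccessRule($access) | Out-Null
    }
}

#Set the ACL back to the AD object
Set-Acl $DistinguishedName -AclObject $Acl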
Let's say you want to do this for every AD object in a specific OU. Run the following:
Import-Module ActiveDirectory

#Set these variables
$strOU = "CN=test,DC=Domain,DC=Com"
$Obj = Get-ADObject -SearchBase $strOU -Properties DistinguishedName,DisplayName -Filter * | Select DisplayName,DistinguishedName
$Obj = $Obj | Sort DisplayName
$user = "domain\jdoe"
$counter = 0

#Set AD as the location to find the user objects.
Set-Location AD:

#Loop it (Select -First 5 limits the run to the first five objects; remove it to process them all)
$Obj | Select -First 5 | %{
    #Increase counter
    $counter++

    #Display output
    "
    $counter / $($Obj.Count): Removing $user from $($_.DisplayName) - $($_.DistinguishedName)
    -----------------------------------------------------------------------
    "

    #Get the current ACL for the AD object
    $DN = $_.DistinguishedName
    $Acl = Get-Acl $DN

    #Loop each access level in the ACL and remove for the user
    foreach ($access in $Acl.Access) {
        if ($access.IdentityReference.Value -eq $user) { $Acl.RemoveAccessRule($access) | Out-Null }
    }

    #Setting the modified ACL back to the AD object
    Set-Acl $DN -AclObject $Acl

    #Reset variables
    $Acl = $null
    $DN = $null
}
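Before running either removal scriptlet, it helps to know which entries will be touched and to keep a copy of each ACL. The following is an added example, not part of the original scriptlets: a report-only pass that lists every ACE held by the user under the search base and saves each object's security descriptor as SDDL. The output path C:\temp\acl_audit.csv is an assumed name; the search base and user reuse the values above.

```powershell
# Added example: report-only audit, makes no changes to the directory.
Import-Module ActiveDirectory

# Assumed values, reusing the names from the scriptlets above.
$SearchBase = "CN=test,DC=Domain,DC=Com"
$User       = "domain\jdoe"
$ReportPath = "C:\temp\acl_audit.csv"    # hypothetical output file

# @( ) guarantees an array even when nothing matches.
$report = @(
    foreach ($obj in Get-ADObject -SearchBase $SearchBase -Filter *) {
        # The AD: drive is provided by the ActiveDirectory module.
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"

        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -ne $User) { continue }

            [pscustomobject]@{
                DistinguishedName = $obj.DistinguishedName
                Identity          = $ace.IdentityReference.Value
                Rights            = $ace.ActiveDirectoryRights
                Type              = $ace.AccessControlType
                # Inherited entries are defined on a parent object and are
                # not removed by editing the ACL of this object.
                IsInherited       = $ace.IsInherited
                # Whole security descriptor before any change. To roll back:
                # $acl.SetSecurityDescriptorSddlForm($sddl), then Set-Acl.
                SddlBackup        = $acl.Sddl
            }
        }
    }
)

if ($report.Count -eq 0) {
    "No access entries for $User found under $SearchBase"
} else {
    $report | Export-Csv -Path $ReportPath -NoTypeInformation
    # Summary: how many matching entries are explicit (False) vs inherited (True).
    $report | Group-Object IsInherited | Select-Object Name, Count
}
```

Rows with IsInherited set to True point at a parent container whose ACL grants the permission; those have to be dealt with where they are defined.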
Scenario: Display all of the groups an AD user is a member of.
Scriptlet: Run the following in PowerShell:
Get-Aduser STEVE -properties * | Select -expandproperty Memberof | Sort
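Scenario: A user is a member of multiple security and distribution groups and you wish to determine which of these groups are distribution groups.
Script:
#Get-DistributionGroup is an Exchange cmdlet, so run this from the Exchange Management Shell
$1 = (Get-ADUser STEVE -Properties Memberof).memberof
#Groups that are not known to Exchange raise an error, which is suppressed here
$2 = $1 | %{Get-DistributionGroup $_ -ErrorAction SilentlyContinue}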
Scenario: You want to set the Office property for a user account via PowerShell for Active Directory.
Solution:
To set the Office property for a single user:
#-Replace and -Clear take the LDAP display name; Office is stored in physicalDeliveryOfficeName
Get-ADUser testusr1 -Properties * | Set-ADObject -Replace @{physicalDeliveryOfficeName = "test"}
To check the Office property for a single user:
Get-ADUser testusr1 -Properties * | Select name, Office
To clear the value for Office:
Get-ADUser testusr1 -Properties * | Set-ADObject -Clear physicalDeliveryOfficeName
To set multiple users via script, create a CSV file with two columns: one for Name and one for Office.
$1 = Import-Csv C:\temp\OfficeDataFile.csv
#-Replace takes the LDAP display name; Office is stored in physicalDeliveryOfficeName
$1 | %{ $2 = $_.Office; Get-ADUser $_.name -Properties Office | Set-ADObject -Replace @{physicalDeliveryOfficeName = "$2"} }
To check multiple users via a script:
$1 = Import-Csv C:\temp\OfficeDataFile.csv
$1 | %{ Get-ADUser $_.name -Properties Office | Select name, Office}
Scenario: You need to determine the LastLogon date in a readable format from a list of AD users in a csv file.
Edit your users.csv file so that the first row is the header "name" and each following row holds one SamAccountName (or other Get-ADUser property), one per line.
Example contents of users.csv:
name
testusr
testuser2
testuser3
testuser4
Script:
$users = Import-Csv C:\users.csv
$users | %{
    $user = Get-ADUser $_.name
    $dcs = Get-ADDomainController -Filter {Name -like "*"}
    $time = 0
    #lastLogon is not replicated, so ask every domain controller and keep the newest value
    foreach ($dc in $dcs)
    {
        $hostname = $dc.HostName
        $user1 = Get-ADUser $user -Server $hostname -Properties lastLogon
        if ($user1.LastLogon -gt $time)
        {
            $time = $user1.LastLogon
        }
    }
    #Convert the file-time value into a readable date
    $dt = [DateTime]::FromFileTime($time)
    Write-Host $user.name "last logged on at:" $dt
    $x = $user.name + ":" + $dt
    $x | Out-File C:\results.txt -Append
}
Scenario: You are using PowerShell for Active Directory to export a list of members in a group, but you receive this error:
Get-ADGroupMember : The size limit for this request was exceeded
Workaround: Run the following commands:
$grp = get-adgroup groupname -properties members
$grp.members | get-aduser | Select Name | Export-csv C:\temp\exportsgroupmembers.csv