Add a value to all users in AD - active-directory

I am trying to set up dynamic distribution lists at the company I work for.
I want to use the company value in AD for a distribution list that everyone in the company needs to be part of.
Most of our users have the name of the company as the value, but after checking some users it appears that this value is not set for all users.
Is there a way to set this value for all AD users (by using powershell f.e), or get a list of users where the company value is not set to the company name?

You can use the PowerShell ActiveDirectory module, which is included in the Remote Server Administration Tools (RSAT). Details on how to install it are here.
Then you can use Get-ADUser and pipe the results into Set-ADUser. Something like this:
$badusers = Get-ADUser -Filter "company -ne 'Your Company Name'"
$badusers | Set-ADUser -Company "Your Company Name"
You could do this in one line, but I split it into two so you can inspect the $badusers collection to actually see the users that you changed (just type $badusers into the PowerShell prompt and hit enter).
It may be wise to limit it to, say, 5 or 10 users just to make sure it works the way you want before attempting to change every user. You can do this by adding -ResultSetSize 5 to the Get-ADUser line.
This also assumes you want to change all user objects to have your company name, even administrative accounts. Keep in mind that this will stop processing users if it hits one that you don't have permission to modify. If you want to limit it to a single OU, you can use the -SearchBase parameter of Get-ADUser, like this:
$badusers = Get-ADUser -Filter "company -ne 'Your Company Name'" -SearchBase "OU=Users,DC=example,DC=com"
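The procedure above, extended into a script that previews the change before applying it. This is an added example, not code from the answer; it assumes the RSAT ActiveDirectory module is installed, that the caller can write the company attribute in the target OU, and the company name and OU path are placeholders. It also excludes AdminSDHolder-protected accounts (adminCount=1) so a bulk edit never touches privileged objects, and keeps going past objects the caller cannot modify instead of stopping at the first permission error.

```powershell
# Added example (not part of the original answer). Assumes the RSAT
# ActiveDirectory module and write access to "company" on the target OU.
# $Company and $SearchBase are placeholders.
Import-Module ActiveDirectory

$Company    = 'Your Company Name'
$SearchBase = 'OU=Users,DC=example,DC=com'

# "-ne" becomes an LDAP negation, which also matches users whose company
# attribute is unset, so blank and wrong values come back in one query.
# adminCount=1 marks accounts protected by AdminSDHolder (Domain Admins etc.);
# they are filtered out so the bulk change never touches privileged objects.
$badUsers = Get-ADUser -Filter "company -ne '$Company'" `
                       -SearchBase $SearchBase `
                       -Properties company, adminCount |
            Where-Object { $_.adminCount -ne 1 }

# Review what would change before touching anything.
$badUsers |
    Select-Object SamAccountName, DistinguishedName,
        @{ n = 'CurrentCompany'; e = { if ($_.company) { $_.company } else { '<unset>' } } } |
    Format-Table -AutoSize

# Dry run: -WhatIf reports the objects Set-ADUser would modify and changes nothing.
$badUsers | Set-ADUser -Company $Company -WhatIf

# Apply one object at a time so a permission error on one user does not
# abort the whole run; failures are collected for follow-up.
$failed = @()
foreach ($u in $badUsers) {
    try {
        Set-ADUser -Identity $u -Company $Company -ErrorAction Stop
    } catch {
        $failed += [pscustomobject]@{ User = $u.SamAccountName; Error = $_.Exception.Message }
    }
}
$failed | Format-Table -AutoSize
```

Run it once with only the preview and -WhatIf sections, check the CurrentCompany column for values you did not expect (subsidiaries, contractors, service accounts), and only then run the apply loop.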

Related

Get-AzADUser no longer return Department and AccountEnabled

I'm pretty sure that last week I was able to use Get-AzADUser to return both Department and AccountEnabled.
Get-AzADUser | where {$_.Mail -eq "abc@xyz.com"} | Select-Object Mail, Department, AccountEnabled
Mail        Department AccountEnabled
----        ---------- --------------
abc@xyz.com
When I call up all parameters for a single user I can see that I'm missing content on many fields; I basically only see Name, JobTitle, Mail, and MobileNumber.
I'm using an account assigned the roles "Global reader" and "Directory readers".
(Other parts of my script also stopped working since last week, where Get-AzADUser no longer has a field called "ObjectId" but instead the field is simply called "Id".)
You need to use the -Select and -AppendSelected parameters to get the info.
Try the following (working for me)...
Get-AzADUser -Select 'Department,AccountEnabled' -AppendSelected -UserPrincipalName "abc@xyz.com" | Select-Object Mail, Department, AccountEnabled
Mail        Department AccountEnabled
----        ---------- --------------
abc@xyz.com IT Support True
More info: https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azaduser
I tested in my environment and found Get-AzADUser not a very suitable command, as it doesn't appear to return any information about the user (like department, usage location, office info, or basically any properties on the user).
There continues to be a lack of properties returned when comparing Get-AzureADUser vs. Get-AzADUser:
The AzureAD module is designed for tasks within Azure AD.
The second one, Az, is designed to handle most, if not all, of Azure's resources.
You can use the Az module easily if you just want to look up a user's existence, but if you need to actually administer Azure AD I would suggest you go for AzureAD. To connect to a specified tenant with AzureAD use connect-azuread -tenantId 'XXXXXX'.
Output Using Get-AzureADUser
I am able to get the departmentName
Reference : https://github.com/Azure/azure-powershell/issues/10497
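The -Select/-AppendSelected technique from the first answer, generalised to a batch of users. This is an added example, not code from either answer; it assumes Az.Resources is installed, Connect-AzAccount has already been run with a directory-reader role, and the UPNs are placeholders. It also shows the Id property the question mentions in place of the old ObjectId, and handles a UPN that does not resolve instead of silently producing an empty row.

```powershell
# Added example (not from the original answers). Assumes Az.Resources and an
# existing Connect-AzAccount session. The UPNs below are placeholders.
$upns = @('alice@xyz.com', 'bob@xyz.com', 'nobody@xyz.com')

# Get-AzADUser returns only a small default property set. Department and
# AccountEnabled come back only when requested with -Select; -AppendSelected
# keeps the defaults (Mail, DisplayName, UserPrincipalName, ...) alongside them.
$report = foreach ($upn in $upns) {
    $u = Get-AzADUser -UserPrincipalName $upn `
                      -Select 'Department,AccountEnabled' -AppendSelected `
                      -ErrorAction SilentlyContinue
    if (-not $u) {
        # Unknown UPN: record it explicitly rather than dropping the row.
        [pscustomobject]@{ UPN = $upn; Id = $null; Department = $null; AccountEnabled = $null; Note = 'not found' }
        continue
    }
    [pscustomobject]@{
        UPN            = $u.UserPrincipalName
        Id             = $u.Id            # newer Az versions expose Id, not ObjectId
        Department     = $u.Department
        AccountEnabled = $u.AccountEnabled
        Note           = if ($u.AccountEnabled -eq $false) { 'DISABLED' } else { '' }
    }
}
$report | Format-Table -AutoSize
```

Without -Select the Department and AccountEnabled columns in this report are empty even though the account exists, which is exactly the symptom in the question; a script that keys decisions off AccountEnabled (for example, treating $null as "disabled") will misbehave until the property is explicitly selected.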

LDAP memberOf returns no results

I'm trying to create a custom query in ADUaC to help me index administrators in my system. I've narrowed down security groups that I need to list the members of, but I'm misusing the 'memberOf' attribute in some way which breaks the query.
(&(objectClass=user)(objectCategory=user)(memberOf=*))
The above query works fine to return all users, but the when I change the wildcard to anything else (ex. (memberOf=*Administrators*)), the query returns no objects.
I have confirmed that there is a relevant Security Group for this query to get users from. I am aware that it does not work for Primary Groups or nested users, and I am simply trying to get it working on a basic level right now. Anyone know how to have the code return users that are a member of the security group?
Unfortunately, you cannot use the wildcard * character to filter distinguishedName attributes. The reason for this is the X.500 Standard.
http://www.ldapexplorer.com/en/manual/109010000-ldap-filter-syntax.htm
Perhaps Powershell can be handy. Something like this could do the trick:
# For just one group
Get-ADGroupMember -Recursive -Identity "Domain Admins"

# For a batch of groups
$adminsgroups = "Enterprise Admins", "Domain Admins"
foreach ($admingroup in $adminsgroups)
{
    # With the -Recursive switch you also get nested group members
    Get-ADGroupMember -Recursive -Identity $admingroup
}
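An added example, not part of the answer, that stays with LDAP filters instead of switching to Get-ADGroupMember: since memberOf holds full distinguished names, the filter has to use the group's exact DN, and AD's matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the domain controller walk nested membership server-side. The two gaps the question mentions are covered: nesting via the matching rule, and primary-group membership via primaryGroupID, which memberOf never reflects. It assumes the RSAT ActiveDirectory module and uses the default group names; the filter-value escaping helper is written here for this example.

```powershell
# Added example (not part of the original answer). Assumes the RSAT
# ActiveDirectory module; group names are the well-known defaults.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string] $Value)
    # RFC 4515 escaping for a value embedded in an LDAP filter. A DN such as
    # "CN=Silva\, Ana,..." must become "CN=Silva\5c, Ana,..." inside the filter.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

function Get-GroupMembersViaLdap {
    param([Parameter(Mandatory)][string] $GroupName)

    $group = Get-ADGroup -Identity $GroupName -Properties primaryGroupToken
    $dn    = ConvertTo-LdapFilterValue $group.DistinguishedName

    # memberOf is DN-syntax: no wildcards, exact DN only. The :1.2.840.113556.1.4.1941:
    # matching rule expands nested groups on the DC, so users of groups-within-groups match.
    $viaMemberOf = Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$dn))"

    # A user's primary group (default: Domain Users) is not listed in memberOf.
    # If someone made this group a primary group, only primaryGroupID shows it.
    $viaPrimary = Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(primaryGroupID=$($group.primaryGroupToken)))"

    (@($viaMemberOf) + @($viaPrimary)) | Sort-Object DistinguishedName -Unique
}

# "Enterprise Admins" exists only in the forest root domain; "Administrators"
# is the built-in local group, which also exposes a primaryGroupToken.
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    Get-GroupMembersViaLdap -GroupName $g |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, DistinguishedName
}
```

The same filter string, with the literal group DN substituted, can be pasted into an ADUC saved query; the matching-rule syntax is evaluated by the DC, not by the client, so it works wherever an LDAP filter is accepted.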

How to access a key on an array that i recovered on AD with shellscript

First the question; afterwards I'll describe the idea I'm working on.
I'm receiving some information from AD and got an array in one of the fields.
I want to extract this info so I can use it for the next part of my project.
The script:
Get-ADUser foo -Properties * | select name, department, manager
This returns a table; I'll simplify it for reading:
name -> foo
department -> bar
manager -> CN=foo, OU=bar, OU=fubar, OU=foobar
**Disclaimer: I'm from BR, so it may look different for you when you receive the data (if you're trying to reproduce it).
I want to extract the info "foo" from the table above, but I'd accept even "CN=foo".
Finally:
My idea is to create an automation that takes AD's data and puts it into MS Word via the shell.
There I have some fields that have autocompletion, and after this I'll need to somehow pass it through the shell.
The complete goal is:
run a script where the user gives who he wants (by ID), find it, and
receive Word opening with everything written, instead of having to keep
changing the same document every time someone needs this.
Thank you guys!
I managed to get 2 commands that do the job after some time.
(Get-ADUser (Get-ADUser foobar -Properties manager).manager).name
Get-ADUser -Identity foobar -Properties manager |
Select-Object -Property @{label='Supervisor';expression={$_.manager -replace ',.*$'}}
Thanks for the help anyway
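An added example, not from the post, covering the edge case the two commands above do not: a manager whose CN contains an escaped comma (AD stores "Lastname, Firstname" as "CN=Lastname\, Firstname,OU=..."), which a plain `-replace ',.*$'` truncates. The RDN parser and the sample DNs are constructed for this example; the second function assumes the RSAT ActiveDirectory module and resolves the manager object directly, which is also what you want when filling a Word template, since it gives you the manager's other attributes too.

```powershell
# Added example (not part of the original post). Sample DNs are constructed.
function Get-RdnValue {
    param([Parameter(Mandatory)][string] $DistinguishedName)
    # Take characters up to the first comma that is NOT preceded by a backslash,
    # then drop the "CN=" prefix and unescape "\," "\+" "\\" etc. (RFC 4514).
    if ($DistinguishedName -match '^CN=((?:\\.|[^,\\])*)') {
        return $Matches[1] -replace '\\(.)', '$1'
    }
    return $null
}

# Constructed sample values, not real directory data.
$samples = @(
    'CN=foo,OU=bar,OU=fubar,OU=foobar,DC=example,DC=com',
    'CN=Silva\, Ana,OU=Gerencia,DC=example,DC=com',
    'CN=O''Brien (Sales),OU=Staff,DC=example,DC=com'
)
foreach ($dn in $samples) { '{0,-20} <- {1}' -f (Get-RdnValue $dn), $dn }

# Against a live directory: resolve the manager object instead of parsing its DN.
function Get-ManagerInfo {
    param([Parameter(Mandatory)][string] $Identity)
    $user = Get-ADUser -Identity $Identity -Properties manager, department
    if (-not $user.manager) { return $null }   # no manager set: avoid a lookup on $null
    $mgr = Get-ADUser -Identity $user.manager -Properties mail, title
    [pscustomobject]@{
        User       = $user.Name
        Department = $user.department
        Supervisor = $mgr.Name
        Title      = $mgr.title
        Mail       = $mgr.mail
    }
}

# Get-ManagerInfo -Identity foobar
```

Get-ADUser accepts a distinguished name as -Identity, so passing the manager DN straight through avoids parsing altogether; Get-RdnValue is for the cases where only the string is available, such as an export.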

Locating a user by alternate email address in Azure AD

I currently use
(Get-MsolUser -UserPrincipalName $EmailAddress).ObjectID.Guid
to lookup a user by their PrincipalName in Azure AD and return their guid. However, there are times when a user has changed email addresses due to a name change and the address I have been given is not their PrincipalName but a secondary email address.
Is there a way to locate a user based upon an alternate email address? Perhaps a fuzzy search?
Depending on the number of 'user' accounts in your tenant, it could take a little while for each user account to be returned. Please see following:
Get-MsolUser -all | Where{$_.ProxyAddresses -like "smtp:<EMAIL ADDRESS>"}
(Get-MsolUser -all | Where{$_.ProxyAddresses -like "smtp:<EMAIL ADDRESS>"}).ObjectId.Guid
You can use the following PowerShell scripts to filter users with one alternate email address:
Get-MsolUser | Where-Object{$_.AlternateEmailAddresses -contains "<the email address>"}
(Get-MsolUser | Where-Object{$_.AlternateEmailAddresses -contains "<the email address>"}).ObjectId.Guid
Here is my test result:
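The two answers above combined into one lookup, as an added example that is not from the thread. It assumes the MSOnline module and a completed Connect-MsolService; the address is a placeholder. The comparison is case-insensitive because the primary address is stored as "SMTP:" and secondaries as "smtp:", it checks UPN, proxyAddresses and AlternateEmailAddresses in one pass, and it refuses to return a GUID when an address matches more than one account rather than picking the first.

```powershell
# Added example, not part of the original answers. Assumes the MSOnline module
# and an existing Connect-MsolService session. The address is a placeholder.
function Find-MsolUserByAddress {
    param([Parameter(Mandatory)][string] $Address)

    $needle = $Address.Trim().ToLowerInvariant()

    # Get-MsolUser cannot filter on proxyAddresses server-side, so the whole
    # tenant is pulled once and matched client-side.
    $hits = Get-MsolUser -All | Where-Object {
        ($_.UserPrincipalName -and $_.UserPrincipalName.ToLowerInvariant() -eq $needle) -or
        ($_.ProxyAddresses | Where-Object {
            # -match is case-insensitive, so "SMTP:" (primary) and "smtp:" both pass.
            $_ -match '^smtp:' -and $_.Substring(5).ToLowerInvariant() -eq $needle }) -or
        ($_.AlternateEmailAddresses | Where-Object { $_.ToLowerInvariant() -eq $needle })
    }

    switch (@($hits).Count) {
        0       { Write-Warning "No user has address $Address"; return $null }
        1       { return $hits.ObjectId.Guid }
        default { throw "Address $Address matched $(@($hits).Count) users; refusing to guess" }
    }
}

Find-MsolUserByAddress -Address 'old.name@contoso.com'
```

If you need to resolve many addresses, call Get-MsolUser -All once, keep the result in a variable, and run the Where-Object against that, since every call here re-downloads the directory.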

Saved LDAP Query Locked Out Specific OU

Currently I can do this in PowerShell via this script:
Search-ADAccount -LockedOut -SearchBase 'OU=location,OU=country,DC=company,DC=com' | ft Name, SamAccountName, LastLogonDate
I would rather have it as an LDAP saved query; I found this one to display all locked-out accounts in the company:
(&(&(ObjectCategory=Person)(ObjectClass=User)(LockoutTime>=1)))
I have tried a number of combinations, but I can't seem to get it right. Here is one of them:
(&(&(ObjectCategory=Person)(ObjectClass=User)(memberof=OU=location,OU=country,DC=company,DC=com)(LockoutTime>=1)))
What am I doing wrong?
For information, when you create a new query, you have the option of specifying the "query root"... by drilling down with that, I was able to achieve the desired goal. I didn't have to modify the query string at all.
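A caveat worth knowing before relying on the saved query, with an added example that is not part of the post. lockoutTime is not cleared when the lockout duration expires; it is reset only on the account's next successful logon, so "(lockoutTime>=1)" also lists users who are no longer locked out. The domain controller computes the live state in the constructed attribute msDS-User-Account-Control-Computed (UF_LOCKOUT bit 0x10), which cannot be used in an LDAP filter but can be read back for each hit. The script assumes the RSAT ActiveDirectory module, and the OU is the placeholder from the question.

```powershell
# Added example (not part of the original post). Assumes the RSAT
# ActiveDirectory module; $SearchBase is the placeholder OU from the question.
Import-Module ActiveDirectory

$SearchBase  = 'OU=location,OU=country,DC=company,DC=com'
$UF_LOCKOUT  = 0x10   # lockout bit in msDS-User-Account-Control-Computed

# Same filter as the saved query, scoped with -SearchBase (the "query root"),
# then each hit is annotated with the DC-computed lockout state.
Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))' `
           -SearchBase $SearchBase `
           -Properties lockoutTime, LastLogonDate, 'msDS-User-Account-Control-Computed' |
    ForEach-Object {
        [pscustomobject]@{
            Name           = $_.Name
            SamAccountName = $_.SamAccountName
            # lockoutTime is a Windows FILETIME (100-ns intervals since 1601).
            LockedAt       = [DateTime]::FromFileTime($_.lockoutTime)
            # $true only while the lockout duration has not yet elapsed.
            StillLocked    = [bool]($_.'msDS-User-Account-Control-Computed' -band $UF_LOCKOUT)
            LastLogonDate  = $_.LastLogonDate
        }
    } |
    Sort-Object StillLocked -Descending |
    Format-Table -AutoSize
```

Rows with StillLocked = False are the stale entries the saved query will keep showing until the user logs on again; in a large OU they can outnumber the real lockouts.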
