AzureAD - Block Access by EmployeeID - azure-active-directory

Working on blocking users by EmployeeID in AzureAD.
The CSV file has a column EmployeeID set up as:
EmployeeID
---------
9999
12345
23452
24354
234234
Here is what I have so far
$TermedUsers = Import-csv "C:\temp\testtermed1.csv"
foreach ($Termed in $TermedUsers){
Set-AzureADUser -ObjectID (Get-AzureADUser | where-object {$_.ExtensionProperty.employeeId -eq $Termed}).EmployeeID -AccountEnabled $false
}
The error message I get is:
Set-AzureADUser : Cannot bind argument to parameter 'ObjectId' because it is null.
At line:5 char:27
I attempted to work off a script I found on Microsoft, which will block via UPN in .txt:
Get-Content "C:\My Documents\Accounts.txt" | ForEach { Set-AzureADUser -ObjectID $_ -AccountEnabled $true }
Any help is appreciated.
Thank you,

According to the script you provided, we cannot use the property "EmployeeId" as the ObjectId. They are different properties of a user.
EmployeeId : The employee identifier assigned to the user by the organization
ObjectId : The unique identifier for the user. Inherited from Directory.
Regarding how to set an Azure AD user, please refer to the following script.
CSV file (the column used below is EmployeeID)
Script
Connect-AzureAD
$r = Import-Csv E:\test.csv
$r.EmployeeID
# Read the directory once; without -All only the first 100 users are returned
$allUsers = Get-AzureADUser -All $true
foreach ($id in $r.EmployeeID) {
    $user = $allUsers | Where-Object { $_.ExtensionProperty.employeeId -eq $id }
    Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false
    # Re-read the user so the new AccountEnabled value is shown
    Get-AzureADUser -ObjectId $user.ObjectId | Select-Object ObjectId, AccountEnabled
}
Update
According to my test, if we directly pass $Termed to filter Azure AD users, it is wrong. It is an object, like @{EmployeeID=666}. So we need to pass $Termed.EmployeeID to filter the Azure AD user.
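The matching step above filters the whole directory once per CSV row and acts on whatever comes back, including nothing (the null ObjectId in the question) or more than one account. The following is an added example, not code from the thread, that indexes the user list once, refuses to act on IDs that resolve to zero or several accounts, and guards the disable with -WhatIf support. It assumes the AzureAD module and an existing Connect-AzureAD session for the live run; the sample users, ObjectIds and file path are constructed placeholders.

```powershell
# Added example, not from the thread: disable Azure AD accounts by EmployeeID with the
# matching done once against an indexed user list. Assumes the AzureAD module and an
# existing Connect-AzureAD session for the live run; sample data and paths are placeholders.

function Resolve-TermedUsers {
    # $Users: Azure AD user objects (ObjectId, UserPrincipalName, ExtensionProperty.employeeId)
    # $EmployeeIds: the EmployeeID column of the termination CSV
    param(
        [AllowEmptyCollection()] [object[]] $Users = @(),
        [AllowEmptyCollection()] [string[]] $EmployeeIds = @()
    )
    # Index employeeId -> users once instead of filtering the whole directory per ID
    $byEmployeeId = @{}
    foreach ($u in $Users) {
        $eid = "$($u.ExtensionProperty.employeeId)".Trim()
        if (-not $eid) { continue }                       # no employeeId set on this account
        if (-not $byEmployeeId.ContainsKey($eid)) { $byEmployeeId[$eid] = @() }
        $byEmployeeId[$eid] += $u
    }
    foreach ($id in $EmployeeIds) {
        $id = "$id".Trim()
        $found = if ($byEmployeeId.ContainsKey($id)) { @($byEmployeeId[$id]) } else { @() }
        # Anything other than exactly one match is reported, never acted on
        $status = if ($found.Count -eq 1) { 'Match' } elseif ($found.Count -eq 0) { 'NotFound' } else { 'Ambiguous' }
        [pscustomobject]@{ EmployeeId = $id; Status = $status; Users = $found }
    }
}

function Disable-TermedUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [object[]] $Users    # defaults to the full directory; -All avoids the 100-user default page
    )
    if (-not $Users) { $Users = Get-AzureADUser -All $true }
    $ids = (Import-Csv $CsvPath).EmployeeID
    foreach ($r in Resolve-TermedUsers -Users $Users -EmployeeIds $ids) {
        if ($r.Status -ne 'Match') { Write-Warning "EmployeeID $($r.EmployeeId): $($r.Status), skipped"; continue }
        $u = $r.Users[0]
        if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, 'Disable account')) {
            Set-AzureADUser -ObjectId $u.ObjectId -AccountEnabled $false
        }
        $r
    }
}

# Constructed sample directory (same shape as Get-AzureADUser output) to exercise the matching offline
$sampleUsers = @(
    [pscustomobject]@{ ObjectId = 'objid-alice'; UserPrincipalName = 'alice@contoso.example'; ExtensionProperty = @{ employeeId = '9999' } }
    [pscustomobject]@{ ObjectId = 'objid-bob';   UserPrincipalName = 'bob@contoso.example';   ExtensionProperty = @{ employeeId = '12345' } }
    [pscustomobject]@{ ObjectId = 'objid-bob2';  UserPrincipalName = 'bob2@contoso.example';  ExtensionProperty = @{ employeeId = '12345' } }  # duplicate id
    [pscustomobject]@{ ObjectId = 'objid-svc';   UserPrincipalName = 'svc@contoso.example';   ExtensionProperty = @{} }
)
Resolve-TermedUsers -Users $sampleUsers -EmployeeIds @('9999', '12345', '23452') |
    Select-Object EmployeeId, Status, @{ n = 'UPN'; e = { $_.Users.UserPrincipalName -join ';' } }
# 9999 -> Match (alice); 12345 -> Ambiguous (two accounts); 23452 -> NotFound

# Live dry run against the tenant, then the real run without -WhatIf:
# Disable-TermedUsers -CsvPath 'C:\temp\testtermed1.csv' -WhatIf
```

The Ambiguous case is the one worth keeping: employeeId is free text set by HR or a sync job and nothing in the directory enforces uniqueness, so a duplicate would otherwise disable two accounts for one termination row.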


How to Count the number of AD Groups a user is a member of

I've tried several ways of doing this, however I've found the below has been the best so far, which I found via another website. It works really well, however I now require to have the script get the number of AD Groups each user is a member of on another Domain.
Here is the working script:
# Either create an array of target users or import via a file
$colUser = (Get-Content "C:\TR\List.txt")
# Create a report array object
$UserReport = @()
foreach ($objUser in $colUser) {
    # Cycle through our target users
    $ErrorFlag = $false
    Try {
        # Attempt to enumerate and count the target user's group membership
        $count = Get-ADPrincipalGroupMembership $objUser | Measure-Object | Select-Object -ExpandProperty Count
    } Catch {
        # If we get an error - capture it and skip adding this user to the report
        Write-Host "Error: $_"
        $ErrorFlag = $true
    }
    If (!$ErrorFlag) {
        # When we don't have an error - add the user details to a hash object
        $UserHash = @{
            Username   = $objUser
            Groupcount = $count
        }
        # Create a new object using our hash object
        $objUserInfo = New-Object PSObject -Property $UserHash
        # Add the new object to the reporting array
        $UserReport += $objUserInfo
    }
}
# Output our report object sorted by descending group membership numbers
$UserReport | Sort-Object -Descending Groupcount | Export-Csv C:\TR\ExportCount.csv
I've tried adding
Get-ADDomain -Server 'DC.Server'
in various places, however it tends to either break the script, or the script just doesn't look for accounts in the new domain.
Can anyone please help?
Thanks :)
This works for me:
Get-ADUser -Filter "*" -Properties memberof |
    Select-Object SamAccountName, @{n="NumberOfGroups"; e={$_.memberof.count}} |
    Where-Object { $_.NumberOfGroups -gt 0 } |
    Export-Csv C:\TR\ExportCount.csv
For a different domain than the one you are currently using:
Get-AdUser -Server whatever.example.com `
-Credential (Get-Credential) -filter "*" `
-Properties memberof
The rest stays the same.
To get only users listed in a file:
Get-Content "C:\TR\List.txt" | Get-AdUser #... rest of the above
This assumes that the file contains one username per line.
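Two things the answer leaves implicit: -Server (and -Credential) has to go on every AD cmdlet in the pipeline, not just on a Get-ADDomain call, and memberOf only counts direct memberships, so a user who reaches a sensitive group through nesting shows a low number. The block below is an added example, not code from the thread, that takes the file of usernames and reports both the direct and the transitive group count against a chosen domain. It assumes the RSAT ActiveDirectory module; the server name, credential prompt and file path are placeholders.

```powershell
# Added example, not from the thread: direct vs. transitive group counts for a list of
# users, queried against an explicitly chosen domain. Assumes the RSAT ActiveDirectory
# module; server name, credential and file path are placeholders.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string] $Value) {
    # RFC 4515 escaping so a DN containing ( ) * or \ cannot break or widen the filter
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-UserGroupCounts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $SamAccountName,
        [Parameter(Mandatory)] [string]   $Server,        # e.g. a DC of the other domain
        [pscredential] $Credential
    )
    # Every cmdlet gets the same -Server/-Credential; anything without them silently
    # falls back to the logon domain, which is why the original script "doesn't look"
    # in the new domain.
    $ad = @{ Server = $Server }
    if ($Credential) { $ad.Credential = $Credential }

    foreach ($sam in $SamAccountName) {
        try {
            $u = Get-ADUser -Identity $sam -Properties memberOf @ad
        } catch {
            Write-Warning "${sam} on ${Server}: $_"
            continue
        }
        # memberOf lists direct memberships only (the primary group is not in it either)
        $direct = @($u.memberOf).Count
        # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) has the DC walk nested groups
        $dn = ConvertTo-LdapFilterValue $u.DistinguishedName
        $transitive = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" @ad).Count
        [pscustomobject]@{
            SamAccountName   = $u.SamAccountName
            Domain           = $Server
            DirectGroups     = $direct
            TransitiveGroups = $transitive
        }
    }
}

# Usage (placeholders): one username per line in the file, blank lines ignored
# $cred  = Get-Credential
# $names = Get-Content 'C:\TR\List.txt' | Where-Object { $_.Trim() }
# Get-UserGroupCounts -SamAccountName $names -Server 'dc01.other.example' -Credential $cred |
#     Sort-Object -Descending TransitiveGroups |
#     Export-Csv 'C:\TR\ExportCount.csv' -NoTypeInformation
```

The transitive query only sees groups in the domain you point -Server at; memberships held through groups in a third domain need the same query repeated against that domain.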

Get-ADUser return a single account from all OU's and Sub OU's

I have the following sample OU structure in my Active Directory server
I have user accounts in the "users" OU in each of OU1, OU2 and so on.
The user accounts have a static prefix, e.g. OU1 will have user accounts like OU1user1, OU1user2, OU1user3 and so on. Similarly, OU2 and OU3 will have user accounts like OU2user1, OU2user2, OU2user3 and OU3user1, OU3user2, OU3user3.
Now, what do I want?
I want only a single user (it can be any user) from all of the OUs under the RootOU. Currently I am using the following command and it returns all the users inside the RootOU's sub-OUs.
$ou = "OU=RootOU,DC=mydomain,DC=com"
$myUsers = Get-ADUser -Filter * -SearchBase $ou -SearchScope 2
You can probably do something like
$myUsers = Get-ADOrganizationalUnit -Filter "Name -like '*users*'" -SearchBase $ou -SearchScope Subtree | ForEach-Object {
    # Scope each query to the OU just returned; without -SearchBase every iteration
    # searches the whole domain and returns the same first user each time
    Get-ADUser -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel | Select-Object -First 1
}

Azure ad - Powershell - remove user from group a if they are a member of group b

Hello IT Professionals,
I need some help. I am trying to create a PowerShell script that will check if a user is a member of group B and then, if they are, remove them from group A. I'm still very new to PowerShell and scripting, so I am having a little trouble and wondering if I could get some assistance!
Here is what I have so far, and all I can do is list the members of group B:
Get-AzureADGroupMember -ObjectId "90e136ce-f573-4b4f-9990-21a314963de2"
# Get all members of the GroupB.
Foreach ($ObjectId In Get-AzureADGroupMember -ObjectId "90e136ce-f573-4b4f-9990-21a314963de2")
{
If ((Get-AzureADGroupMember -ObjectId "746e5b45-9368-434c-bab1-5d5b7baea075" -Contains $ObjectId))
{
# Remove that user from GroupA
Remove-AzureADGroupMember -ObjectId "746e5b45-9368-434c-bab1-5d5b7baea075" -Members $ObjectId
}
}
I have found some PowerShell scripts, but I'm having trouble making them work for Azure AD:
# Get all members of the GroupB.
Foreach ($User In Get-ADGroupMember -Identity "Group B")
{
# If they are a 'MemberOf' GroupA
If ((Get-ADUser $User.SamAccountName -Properties MemberOf).MemberOf -Contains "Group A")
{
# Remove that user from GroupA
Remove-ADGroupMember -Identity "Group A" -Members $User.SamAccountName
}
}
I fully appreciate any assistance with this!
Below is the snippet.
If you are doing it for a single user:
$user_upn = "<USER UPN>"
$users = Get-AzureADGroupMember -ObjectId "<GROUP B ID>" -All $true
#Finds the specific user and, if it exists, removes that user from Group A
$users | ? { $_.UserPrincipalName -eq $user_upn } | % { Remove-AzureADGroupMember -ObjectId "<GROUP A ID>" -MemberId $_.ObjectId }
Explanation
Gets all the members of Group B and stores them in the variable $users.
Checks (filters) whether the required member is present in $users and, if so, removes them from Group A.
If you are looking to do it for a list of UPNs from a file, you could refer to the snippet below.
#Getting the list of UPNs of the users for whom the process specified needs to be carried out
$user_upns = Get-Content "C:\ListUPN.txt"
#Gets all users from GROUP B once; -All $true avoids the 100-member default page
$users = Get-AzureADGroupMember -ObjectId "<GROUP B ID>" -All $true
#Iterates through each UPN
foreach ($user_upn in $user_upns)
{
    Write-Host "Working on the $user_upn" -ForegroundColor Green
    #Finds the specific user and, if it exists, removes that user from Group A
    $users | ? { $_.UserPrincipalName -eq $user_upn } | % { Remove-AzureADGroupMember -ObjectId "<GROUP A ID>" -MemberId $_.ObjectId }
}
This was Answered for me on another forum https://www.reddit.com/r/AZURE/comments/k910l4/azure_ad_powershell_help_user_group_memberships/
Kudos to TheStig1293 on reddit
#Store the groups in a variable (-All $true so groups with more than 100 members are read completely)
$GroupA = Get-AzureADGroupMember -ObjectId '746e5b45-9368-434c-bab1-5d5b7baea075' -All $true
$GroupB = Get-AzureADGroupMember -ObjectId '90e136ce-f573-4b4f-9990-21a314963de2' -All $true
#Using Compare-Object to compare the members of the groups and then Where-Object to select the ones that are in both groups. This is stored in a variable called $diff
$diff = Compare-Object -ReferenceObject $GroupB.ObjectId -DifferenceObject $GroupA.ObjectId -IncludeEqual | Where-Object { $_.SideIndicator -eq "==" }
#Using foreach to go through each user in $diff and then removing them. We are referencing the InputObject property as the Object ID because if you look at the output of Compare-Object, that is the anchor for the comparison.
foreach ($user in $diff) {
    #I included this so you can verify manually they are the users you would like to remove prior to removing.
    #Get-AzureADUser -ObjectId $user.InputObject
    Remove-AzureADGroupMember -ObjectId '746e5b45-9368-434c-bab1-5d5b7baea075' -MemberId $user.InputObject
}
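Both answers compare member lists by ObjectId, which is right, but Get-AzureADGroupMember returns every directory object in the group, not only users: a nested group, device or service principal that sits in both groups would be removed from Group A just the same. The block below is an added example, not code from the thread, that does the intersection on user objects only, reads both groups with -All $true, and wraps the removal in ShouldProcess so a -WhatIf dry run lists what would go. Group IDs are placeholders and the sample member lists are constructed.

```powershell
# Added example, not from the thread: remove from Group A every *user* that is also in
# Group B. Assumes the AzureAD module and a Connect-AzureAD session for the live run;
# group IDs and the sample members are placeholders.

function Get-GroupIntersection {
    param(
        [AllowEmptyCollection()] [object[]] $GroupAMembers = @(),
        [AllowEmptyCollection()] [object[]] $GroupBMembers = @()
    )
    # Keep only user objects: a group can also hold nested groups, devices and service
    # principals, and Remove-AzureADGroupMember would remove those just as happily.
    $inB = @{}
    foreach ($m in $GroupBMembers) {
        if ($m.ObjectType -eq 'User') { $inB[$m.ObjectId] = $true }
    }
    foreach ($m in $GroupAMembers) {
        if ($m.ObjectType -eq 'User' -and $inB.ContainsKey($m.ObjectId)) { $m }
    }
}

function Remove-OverlappingMembers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GroupAId,
        [Parameter(Mandatory)] [string] $GroupBId
    )
    # -All $true: without it only the first 100 members come back and the rest are silently missed
    $a = Get-AzureADGroupMember -ObjectId $GroupAId -All $true
    $b = Get-AzureADGroupMember -ObjectId $GroupBId -All $true
    foreach ($u in Get-GroupIntersection -GroupAMembers $a -GroupBMembers $b) {
        if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Remove from group $GroupAId")) {
            Remove-AzureADGroupMember -ObjectId $GroupAId -MemberId $u.ObjectId
        }
    }
}

# Constructed sample members (same shape as Get-AzureADGroupMember output) to check the logic offline
$sampleA = @(
    [pscustomobject]@{ ObjectId = 'u1'; ObjectType = 'User';  UserPrincipalName = 'alice@contoso.example' }
    [pscustomobject]@{ ObjectId = 'u2'; ObjectType = 'User';  UserPrincipalName = 'bob@contoso.example' }
    [pscustomobject]@{ ObjectId = 'g9'; ObjectType = 'Group'; DisplayName = 'Nested group in both' }
)
$sampleB = @(
    [pscustomobject]@{ ObjectId = 'u2'; ObjectType = 'User';  UserPrincipalName = 'bob@contoso.example' }
    [pscustomobject]@{ ObjectId = 'g9'; ObjectType = 'Group'; DisplayName = 'Nested group in both' }
)
(Get-GroupIntersection -GroupAMembers $sampleA -GroupBMembers $sampleB).UserPrincipalName
# bob@contoso.example only; the nested group g9 is in both but is not touched

# Dry run against the tenant, then the real run without -WhatIf:
# Remove-OverlappingMembers -GroupAId '<GROUP A ID>' -GroupBId '<GROUP B ID>' -WhatIf
```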

How to use dsquery to list the members of a distribution list?

I have this command to find a distribution list object
dsquery * -filter "(&(cn=*group))"
but now how can I find the users from that? I want to loop through and get their names and email addresses.
Thanks
Now that you have the group name, you can use PowerShell to iterate through the group and extract the information you need:
Import-Module ActiveDirectory
$group = Read-Host "Please Enter Group Name"
# -Recursive flattens nested groups and returns only the leaf objects (users, computers, ...)
$members = Get-ADGroupMember -Identity $group -Recursive
$rows = ForEach ($member in $members) {
    If ($member.objectClass -eq 'user') {
        # Look the user up by its DN rather than a wildcard name filter, which could match other accounts
        Get-ADUser -Identity $member.DistinguishedName -Properties cn, mail | Select-Object cn, mail
    }
}
# Export-Csv writes real CSV; Out-File would only dump the formatted table view into the .csv
$rows | Export-Csv c:\temp\Group_Members.csv -NoTypeInformation
The code above will prompt for the group name and export the list of members, including the members of nested groups, into a file called Group_Members.csv in c:\temp.
You will need to ensure that:
Script execution is enabled in PowerShell;
RSAT is installed on the device that the script is executed from;
The script is executed with administrator privileges.
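The question asked about dsquery, and the answer switched to the AD PowerShell cmdlets. The block below is an added example, not part of the thread, that stays with the dsquery/dsget pair: dsquery prints group DNs, and dsget reads DNs from stdin, so the two chain directly. It runs from PowerShell on a domain-joined host with RSAT; the group name pattern and the output path are placeholders.

```powershell
# Added example, not from the thread: list a distribution list's members with name and
# e-mail using only dsquery/dsget. Requires RSAT (dsquery.exe and dsget.exe); the group
# name pattern and output path are placeholders.

# dsquery prints the DN of each matching group. -name takes the same wildcard the
# (cn=*group) filter used, so check that it matches exactly the group you mean.
dsquery group -name "*group"

# Expand the membership (-expand follows nested groups) and print account, display name
# and mail for each member. -c keeps going when a member is not a user object (a contact
# or a computer, for instance) instead of stopping at the first error.
dsquery group -name "*group" |
    dsget group -members -expand |
    dsget user -samid -display -email -c

# Same pipeline, saved to a file for the loop the question mentions
dsquery group -name "*group" |
    dsget group -members -expand |
    dsget user -samid -display -email -c |
    Out-File 'C:\temp\Group_Members.txt'
```

dsget prints a fixed-width table rather than objects, so for anything beyond a quick listing the Get-ADGroupMember approach in the answer is easier to post-process.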

Powershell loop deal with multiple AD users in output

I have constructed below to show an certain active directory users details and all their groups.
This works OK if only one user is returned; however, if multiple users are returned I get an error with this section: "Get-ADPrincipalGroupMembership $user.samaccountname | select name"
I've looked in the direction of for loops but haven't yet found a solution
I need each user found displayed with their groups.
I plan to use this script to quickly gather info to troubleshoot user issues.
Thanks for reading
add-pssnapin quest.activeroles.admanagement
import-module activedirectory
clear-host
$name = read-host 'Whats the name ?'
$user = Get-qAduser $name -properties *
$user | select name,SamAccountName,AccountIsLockedOut,PasswordStatus,PasswordLastSet,PasswordExpires,email,ParentContainerDN,CreationDate | format-list
Get-ADPrincipalGroupMembership $user.samaccountname | select name
cmd /c pause | Out-Null
Just assume you're getting a list back and then use a foreach to iterate over the list:
add-pssnapin quest.activeroles.admanagement
import-module activedirectory
clear-host
$name = read-host 'Whats the name ?'
$users = Get-qAduser $name -properties *
foreach ($user in $users) {
$user | select name,SamAccountName,AccountIsLockedOut,PasswordStatus,PasswordLastSet,PasswordExpires,email,ParentContainerDN,CreationDate | format-list
Get-ADPrincipalGroupMembership $user.samaccountname | select name
}
