Running script to export all Members in a specific AzureAD Group, but only get half and not all users.
I verified that there are members in Azure Portal, but export only gives me half
This is the script I ran:
Get-AzureADgroupmember -objectid "xxxxxxxxxxxxxxxxxxxxxx" | get-azureaduser | Export-Csv -path C:\temp\memberexport.csv
Any reason on why this is exporting only half and not all users in group?
Thank you,
When you don't specify -All as well as -Top optional parameters, then Get-AzureADGroupMember command may return you only a default number of records (like say 100. I'm not sure on this exact number).
So if you want all the members, try to specify that explicitly by using -All parameter. Example below:
Get-AzureADgroupmember -objectid "xxxxxxxxxxxxxxxxxxxxxx" -All $true | get-azureaduser | Export-Csv -path C:\temp\memberexport.csv
Related
I have a file of user emails. I need to gather their UPNs and object IDs.
Get-AzureADUser -Filter "PrimarySMTPAddress eq '$user.EmailAddress'"
I'm using this line to query AzureAD and it works perfectly. However when I place it in a loop I can't seem to get any data.
import-csv .\Book4.csv | ForEach-Object{
Get-AzureADUser -Filter "PrimarySMTPAddress eq '$_.EmailAddress'" | Select-Object UserPrincipalName, ObjectID
} | Export-Csv -Path .\Book4.csv -NoTypeInformation
Can anyone tell me where I'm going wrong. I thought this would be something simple but I've been stuck for an hour. The CSV file has three column headers: EmailAddress, UserPrincipalName, ObjectID
"PrimarySMTPAddress eq '$_.EmailAddress'" doesn't work as intended, because the attempted property access on variable $_, .EmailAddress, isn't effective:
Inside "...", an expandable string, you need $(...), the subexpression operator in order to access a variable's properties[1], call methods on it, or, more generally embed entire statements.
Therefore, use the following string instead:
"PrimarySMTPAddress eq '$($_.EmailAddress)'"
Also, you're mistakenly trying to read from and write back to the same file (.\Book4.csv) in the same pipeline, which doesn't work (without additional effort), as discussed in Allen Wu's helpful answer.
[1] Without enclosing in $(...), "...$_.EmailAddress..." cause $_ to be expanded by itself, whereas .EmailAddress is used verbatim. Compare Write-Output "$HOME.Length" to Write-Output "$($HOME.Length)", for instance.
#mklement0 is correct.
But another important thing is that we can't read from and write back to the same file in the same pipeline. Unless you make sure that the input file is read into memory, in full, before its lines are sent through the pipeline.
Use this:
$users = import-csv E:\temp\Book4.csv | ForEach-Object{
Get-AzureADUser -Filter "PrimarySMTPAddress eq '$($_.EmailAddress)'" | Select-Object UserPrincipalName, ObjectID
}
$users | Export-Csv -Path E:\temp\Book4.csv -NoTypeInformation
I'm developing a PowerShell script for company drive mapping purposes. Currently, the script is getting the logged in username and querying AD to store their groups. From there, we are going to compare their AD groups to an array (mappings) and then map their drives accordingly.
The problem is, we don't want to tamper with their current drive mappings if they are already mapped properly (they match the mappings array letter/path). I've tried doing a compare, looping, etc but I can't seem to find a good method to compare the currently mapped Network Drive Letter/Path to the array and if it's the same, to disregard it.
Essentially, we don't want to disconnect network drives if the current mapping matches what's in the array.
$mappings = #(
[pscustomobject]#{adgroup='ADGROUP1';driveletter='G';networkpath='\\server\location1'}
[pscustomobject]#{adgroup='ADGROUP2';driveletter='H';networkpath='\\server\location2'}
[pscustomobject]#{adgroup='ADGROUP3';driveletter='I';networkpath='\\server\location3'}
[pscustomobject]#{adgroup='ADGROUP4';driveletter='J';networkpath='\\server\location4'}
)
$groups = Get-ADPrincipalGroupMembership $env:username | select name
$currentDrives = Get-PSDrive -PSProvider FileSystem | Select-Object Name, DisplayRoot | Where-Object {$_.DisplayRoot -ne $null}
foreach ($mapping in $mappings) {
if ($groups -match $mapping.adgroup) {
Remove-PSDrive -Name $mapping.driveletter -Force -ErrorAction SilentlyContinue
New-PSDrive -Name $mapping.driveletter -PSProvider FileSystem -Root $mapping.networkpath -Persist -Scope Global -ErrorAction SilentlyContinue | Out-Null
}
}
This is confusing because Get-PSDrive H will show the Root property being the network-mapped name. But (Get-PSDrive H).Root will return H:\. Weird, right?
You can use the DisplayRoot property to get the real network share:
If((Get-PSDrive $mapping.driveletter).DisplayRoot -ne $mapping.networkpath){
#un-map and re-map the drive
}
After hours of tries and reading almost all posts here, I could not find the solution to what I need.
I would like to retrieve adusers but only specific fields. Something like this:
Area | Enabled | Name | userPrincipalName(email)
The problem is, the field DistinguishedName has everything I need but it's separated into different columns when I export it to .CSV.
I could only read this line and separate it in the columns I need, but then I have another problem that is there's some users with more than 2,3,4 OU.
is there a way to read, like only one OU ( the first one is the one I need, because it says IT, EXPEDITION , ETC) or at least separate CN as a field, OU as another field, and then name, email ...?
I create this code to run on PowerShell:
Get-ADUser -Filter * -Properties DistinguishedName,SamAccountName,DisplayName,EmailAddress,OfficePhone | Select-Object DistinguishedName,EmailAddress,OfficePhone,DisplayName,SamAccountName | export-csv -path path\to\adusers.csv -NoTypeInformation -Encoding "UTF8"
and then I import it to SQL Server.
The way I would use this is to create a custom property in the select-object part of your code. eg:
Get-ADUser -Filter * -Properties DistinguishedName,SamAccountName,DisplayName,EmailAddress,OfficePhone | Select-Object DistinguishedName,EmailAddress,OfficePhone,DisplayName,SamAccountName
would become
Get-ADUser -Filter * -Properties DistinguishedName,SamAccountName,DisplayName,EmailAddress,OfficePhone | Select-Object #{Label='DistinguishedName';expression={$_.DistinguishedName.Split(',')[1]}},EmailAddress,OfficePhone,DisplayName,SamAccountName
#{Label = 'DistinguishedName';Expression={$_.Distinguishedname.split(',')[1]}} this is how you create a custom property within the pipeline, so here we are saying I want a custom property and the Label is the name of the property, the expression is what we want the property to be, so in this case we want the current distinguishedname in the pipelin $_.DistinguishedName but then we want to split this on , as that is what separates the parts of the DistinguishedName from each other so we use the .split(',') method which you enter in the character you want to split on. Now based on your question you are only ever interested in the 1st OU in the distinguishedname field so we select the 2nd object in the array created by .split(',') using [1] the first object in the array will be the CN= entry.
This will give you something like below.
Which you can then export to CSV
Link to further info on custom properties https://4sysops.com/archives/add-a-calculated-property-with-select-object-in-powershell/
as a test and a way to get specific data from AD i am trying to get the data based on a txt file filled with names and last names of users. I worked out that using ConvertFrom-Stringcmdlet allows you to split names inside the txt file into two separate values, thus enabling you to use (in theory) Get-ADUser to find the user from AD and its attributes.
The code i was using so far is the following, with random changes here and there as i tried various options to make it work. I have been able to get the data i need by storing names under variables and then using the Get-ADUser cmdlet to pick them up from AD, i was even able to export that data into the CSV file. The issue is cant make it work when there is a text file filled with several entries.
Get-Content C:\temp\users.txt -encoding UTF8 |
ConvertFrom-String |
ForEach-Object {Get-ADUser -Filter {(givenName -Like '$($_.P1)') -and (sn -Like '$($_.P2)')} -Properties *} |
Select-object givenName, Surname, SamAccountName | Export-CSV C:\Temp\usersexport.csv -NoTypeInformation
Any help would be very appreciated.
You are using a sub-expression inside a non-expanding string. Check out Powershell's about_Quoting_Rules help topic for more detailed information. But, the short story is you need double quotes to expand something like $($_).
Something like:
Get-Content C:\temp\users.txt -encoding UTF8 |
ConvertFrom-String |
ForEach-Object {Get-ADUser -Filter "( givenName -like '$($_.P1)' ) -and (sn -like '$($_.P2)' )" -Properties *} |
Select-object givenName, Surname, SamAccountName | Export-CSV C:\Temp\usersexport.csv -NoTypeInformation
Notice that I quoted the entire filter. Technically Get-ADUser's -Filter parameter takes a string so this is acceptable and makes it a little easier to read.
Also note: you may need "*" to make this work correctly. Technically -like will work on exact matches, but it's more typically used when searching with wildcards. In your case using '*$($_.P1)*' might help get you past the issue.
If you are confident in the values especially considering you are also using the -and operator you might think about using -eq. However I'd be concerned as there's always a chance of common name collisions. For example in the US there could easily be 2 John Smiths in AD...
I'd also point out it's more expedient to use Import-Csv for this. When corrected your approach is working, but below is more readable and easier to write in the first place:
Example with -eq:
Import-Csv -Path C:\temp\users.txt -header "givenName","sn" -Delimiter " " |
ForEach-Object{
$GivenName = $_.givenName
$LastName = $_.sn
ForEach-Object { Get-ADUser -Filter "(givenName -eq '$GivenName') -and (sn -eq '$LastName')" -Properties * }
} |
Select-Object givenName, Surname, SamAccountName |
Export-CSV C:\Temp\usersexport.csv -NoTypeInformation
Example with -like and Wildcards:
Import-Csv -Path C:\temp\users.txt -header "givenName","sn" -Delimiter " " |
ForEach-Object{
$GivenName = $_.givenName
$LastName = $_.sn
ForEach-Object { Get-ADUser -Filter "(givenName -like '*$GivenName*') -and (sn -like '*$LastName*')" -Properties * }
} |
Select-Object givenName, Surname, SamAccountName |
Export-CSV C:\Temp\usersexport.csv -NoTypeInformation
You also may want to avoid -Properties * and instead define a more exact set of properties to retrieve. In bigger jobs that's going to make a performance difference.
Oh and, you usually don't need to specify the encoding for Get-Content it's very good at figuring that out on it's own.
In PowerShell Core the default value for the parameter is UTF8NoBOM. NoBOM just means there's no "Byte Order Mark" declaring the encoding and so it shouldn't have any issues with a UTF8 file. In Windows PowerShell 5.1 you may need to specify as you have.
It looks like this is a learning exercise for you, let me know if this helps.
I'm trying to find a way to display all groups that an Intune device is a member of. I cannot find this function for the sake of my life. I don't see this fucntion under the Intune blade, nor the Azure Active Directory one. Is there any other way to see group memberships of a device?
PS: devices are managed via Intune and Azure AD only joined.
Tried to find the information via Microsoft and Powershell.
Get-AzureADDeviceMembership doesn't exist
I expect an output to display groups that an AAD device is a member of.
You can view the groups a device is a member of by searching for it from the Devices blade in Azure Active Directory.
I had the same problem and i was astonished that the Get-AzureADDeviceMembership cmdlet did not exists.
I used this as a work around:
Get-AzureADGroup -All 1 | ? {"COMPUTER_DISPLAY_NAME" -in (Get-AzureADGroupMember -ObjectId $_.ObjectId).DisplayName}
It works but is incredibly slow. So i also made a function which caches the groups and their member in a global variable. This functions runs instant from the second run since everything is cached.
function:
function Get-AzureADDeviceMembership{
[CmdletBinding()]
Param(
[string]$ComputerDisplayname,
[switch]$UseCache
)
if(-not $Global:AzureAdGroupsWithMembers -or -not $UseCache){
write-host "refreshing cache"
$Global:AzureAdGroupsWithMembers = Get-AzureADGroup -All 1 | % {
$members = Get-AzureADGroupMember -ObjectId $_.ObjectId
$_ | Add-Member -MemberType NoteProperty -Name Members -Value $members
$_
}
}
$Global:AzureAdGroupsWithMembers | % {
if($ComputerDisplayname -in ($_.Members | select -ExpandProperty DisplayName)){
$_
}
} | select -Unique
}
use the function:
Connect-AzureAD
Get-AzureADDeviceMembership -ComputerDisplayname "COMPUTER_DISPLAY_NAME" -UseCache
To add to Gerrit's answer, use -Filter groupTypes/any(c:c+ne+'Unified') with Get-AzureADGroup to filter out unified groups, as devices can't join them. This should speed up the query significantly.