Develop Reference

Get a list of all groups in Azure for al members with a specific company

I need just a list of all groups (just the group names and desciption, not the users) that anyone who part of Company A (field in AD) is part of the company. This is what I have, but can't get it to work right. Any help?
$UserList = #()
$FinalGroupList = #()
$UserList = Get-Recipient -Filter {Company -eq "Company"} | where-object {$_.RecipientType -eq "UserMailbox"}
foreach ($user in $UserList) {
$CurrentUserGroups = Get-AzureADUser -User $user.PrimarySmtpAddress | Get-AzureADUserMembership
foreach ($group in $CurrentUserGroups) {
if ($FinalGroupList.displayname -notcontains $group.displayname) {
$FinalGroupList = $FinalGroupList + $group
}
}
}
foreach ($FinalListItem in $FinalGroupList) {
$CSVData = New-Object psobject
$CSVData | Add-Member -MemberType NoteProperty -name DisplayName -Value $FinalListItem.DisplayName
$CSVData | Add-Member -MemberType NoteProperty -name Description -Value $FinalListItem.Description
$CSVData | export-csv c:\temp\Groups.csv -Append -NoTypeInformation
}

I have tried in my environment with below powershell commands to get the group and its description whose users are present in specific company and could successfully get the same.
#Get-AzureADUser -All $true | Select-Object -Property CompanyName, UserPrincipalName
#$companyUsers =Get-AzureADUser | ?{ $_.CompanyName -eq '<that specific company name>' }
$companyname=”SamComp” //this the specific company name I am looking for
$companyUsers =Get-AzureADUser | ?{ $_.CompanyName -eq 'SamComp' }
foreach ($user in $companyUsers) {
Get-AzureADUserMembership -ObjectId $user.ObjectId
$groups = $user | Get-AzureADUserMembership
$list | Sort-Object DisplayName -Unique | fl -GroupBy DisplayName -Property Description
$list
}
OUTPUT:
Reference: Get-AzureADUserMembership (AzureAD) | Microsoft Docs

PowerShell: Create Hashtable with three columns

Ultimately, I'm trying to create a script that will get all Windows Services Running as a domain Service Account from a list of remote machines and output a csv file with three columns: the Service Account Name, the Windows Service, and the Hostname. I cannot figure out how to create the hashtable with two arrays. I've had some success with just one key and one array using += but even that has some issues and I'm reading this is inefficient.
This is modified code that gets all Win Services running as System on my local system:
$server = $env:COMPUTERNAME
$tgtAcct = 'SYSTEM'
$reportCsv = Join-Path -Path ([Environment]::GetFolderPath("Desktop")) -ChildPath ("report.$(Get-Date -Format `"yyyMMdd_hhmmss`").csv")
$GetServiceAccounts = {
[CmdletBinding()]
param(
$hostname
)
$serviceList = #( Get-WmiObject -Class Win32_Service -ComputerName $hostname -Property Name, StartName, SystemName -ErrorAction Stop )
$serviceList
}
Function Process-CompletedJobs(){
$jobs = Get-Job -State Completed
ForEach ($job in $jobs) {
$data = Receive-Job $job
Remove-Job $job
If ($data.GetType() -eq [System.Object[]]) {
$serviceList = $data | Where-Object { $_.StartName -ne $null -and $_.StartName.ToUpper().Contains($tgtAcct) }
ForEach ($service in $serviceList) {
$account = $service.StartName
$winService = $service.Name
$occurance = $service.SystemName
}
}
}
}
Start-Job -ScriptBlock $GetServiceAccounts -Name "read_$($server)" -ArgumentList $server | Wait-Job > $null
Process-CompletedJobs
Here is what I've tried that isn't working:
$server = $env:COMPUTERNAME
$tgtAcct = 'SYSTEM'
$serviceAccounts = #{}
$accountTable = #()
$winSvcTable = #()
$occurTable = #()
$reportCsv = Join-Path -Path ([Environment]::GetFolderPath("Desktop")) -ChildPath ("report.$(Get-Date -Format `"yyyMMdd_hhmmss`").csv")
$GetServiceAccounts = {
[CmdletBinding()]
param(
$hostname
)
$serviceList = #( Get-WmiObject -Class Win32_Service -ComputerName $hostname -Property Name, StartName, SystemName -ErrorAction Stop )
$serviceList
}
Function Process-CompletedJobs(){
$jobs = Get-Job -State Completed
ForEach ($job in $jobs) {
$data = Receive-Job $job
Remove-Job $job
If ($data.GetType() -eq [System.Object[]]) {
$serviceList = $data | Where-Object { $_.StartName -ne $null -and $_.StartName.ToUpper().Contains($tgtAcct) }
ForEach ($service in $serviceList) {
$account = $service.StartName
$winService = $service.Name
$occurance = $service.SystemName
$script:serviceAccounts.Item($account) += $winService
$script:serviceAccounts.Item($account) += $occurance
}
}
}
}
Start-Job -ScriptBlock $GetServiceAccounts -Name "read_$($server)" -ArgumentList $server | Wait-Job > $null
Process-CompletedJobs
ForEach ($serviceAccount in $serviceAccounts.Keys) {
ForEach ($occurance in $serviceAccounts.Item($serviceAccount)) {
ForEach ($winService in $serviceAccounts.Item($serviceAccount)) {
$row = New-Object PSObject
Add-Member -InputObject $row -MemberType NoteProperty -Name "Account" -Value $serviceAccount
Add-Member -InputObject $row -MemberType NoteProperty -Name "Service" -Value $winService
Add-Member -InputObject $row -MemberType NoteProperty -Name "Hostname" -Value $occurance
$accountTable += $row
}
}
}
$accountTable | Export-Csv $reportCsv
I'm trying to modify code written by Andrea Fortuna that almost does what I want but want to split the second column into two. Again, I'm also looking for how to do this without adding to each array using += if possible. https://www.andreafortuna.org/2020/03/25/windows-service-accounts-enumeration-using-powershell/

If your goal is to export to CSV, then a single top-level hashtable is not the data structure you want.
Export-Csv will expect a collection of individual objects, so that's what you'll want to create:
Function Process-CompletedJobs(){
$jobs = Get-Job -State Completed
ForEach ($job in $jobs) {
$data = Receive-Job $job
Remove-Job $job
If ($data.GetType() -eq [System.Object[]]) {
$serviceList = $data | Where-Object { $_.StartName -ne $null -and $_.StartName.ToUpper().Contains($tgtAcct) }
ForEach ($service in $serviceList) {
# don't assign this new object to anything - let it "bubble up" as output instead
[pscustomobject]#{
Account = $service.StartName
Service = $service.Name
Occurrence = $service.SystemName
}
}
}
}
}
Now you can do:
Start-Job -ScriptBlock $GetServiceAccounts -Name "read_$($server)" -ArgumentList $server | Wait-Job > $null
Process-CompletedJobs |Export-Csv ...

What about this?
$server = $env:COMPUTERNAME
$tgtAcct = 'SYSTEM'
$reportCsv = Join-Path -Path ([Environment]::GetFolderPath("Desktop")) -ChildPath ("report.$(Get-Date -Format `"yyyMMdd_hhmmss`").csv")
$GetServiceAccounts = {
[CmdletBinding()]
param(
$hostname
)
$serviceList = #( Get-WmiObject -Class Win32_Service -ComputerName $hostname -Property Name, StartName, SystemName -ErrorAction Stop )
$serviceList
}
Function Process-CompletedJobs(){
$jobs = Get-Job -State Completed
$hashtable = #{}
ForEach ($job in $jobs) {
$data = Receive-Job $job
Remove-Job $job
If ($data.GetType() -eq [System.Object[]]) {
$serviceList = $data | Where-Object { $_.StartName -ne $null -and $_.StartName.ToUpper().Contains($tgtAcct) }
ForEach ($service in $serviceList) {
$account = $service.StartName
$winService = $service.Name
$occurance = $service.SystemName
$hashtable[$account] = #{winService = $winService; occurance = $occurance}
}
}
}
return $hashtable
}
Start-Job -ScriptBlock $GetServiceAccounts -Name "read_$($server)" -ArgumentList $server | Wait-Job > $null
$myHashTable = Process-CompletedJobs

Make it simple it will work, this is the complete script and I have tried and valid for many servers you can change the variable $hostnames = $env:COMPUTERNAME,host2,host3,.. as you need
and I added some parameters to get a grid view of result to test and add force and notypeinfo. in export-csv
Here is the code - I hope you mark it answer if it helps:
$hostnames = $env:COMPUTERNAME
$tgtAcct = 'SYSTEM'
$reportCsv = Join-Path -Path ([Environment]::GetFolderPath("Desktop")) -ChildPath ("report.$(Get-Date -Format `"yyyMMdd_hhmmss`").csv")
$TableName = "System Accounts"
#Create a table
$Table = new-object System.Data.DataTable "$TableName"
#Create a column and you can increase it as many as you need
$col1 = New-Object System.Data.DataColumn "Service Account Name",([string])
$col2 = New-Object System.Data.DataColumn "Windows Service",([string])
$col3 = New-Object System.Data.DataColumn "Hostname",([string])
# Add the Columns
$Table.columns.add($col1)
$Table.columns.add($col2)
$Table.columns.add($col3)
foreach($hostname in $hostnames){
$serviceList = Get-WmiObject -Class Win32_Service -ComputerName $hostname -Property Name, StartName, SystemName -ErrorAction Stop | Where-Object { $_.StartName -ne $null -and $_.StartName.ToUpper().Contains($tgtAcct) }
foreach ($service in $serviceList){
$Row = $Table.NewRow()
$Row."Hostname" = $hostname
$Row."Service Account Name" = $service.StartName
$servicename = $service.Name.ToString()
$Row."Windows Service" = $servicename
$Table.Rows.Add($Row)
}}
$Table | Out-GridView
$Table | Export-Csv $reportCsv -Force -NoTypeInformation

Certificate Information Exported to CSV is Empty using Different Credential

I have an array that I write certificate information into using a credential called $array_otheruser but when I try to Export-Csv, the file becomes empty.
However, it writes fine if my export line is within the $ScriptBlock. However, I want to export it out of scriptblock, is this possible?
The code below writes an empty file:
[string][ValidateNotNullOrEmpty()]$passwd = "password"
$secpasswd = ConvertTo-SecureString -String $passwd -AsPlainText -Force
$mycreds = New-Object Management.Automation.PSCredential ("username", $secpasswd)
$array_otheruser = #()
$CSVFile = "c:\temp\temp9.csv"
$Certs = Get-ChildItem Cert: -Recurse
[ScriptBlock]$ScriptBlock = {
$Certs | where {
$_.PsIsContainer -eq $false
} | ForEach-Object ({
$obj | Add-Member -MemberType NoteProperty -Name "NotAfter" -Value $_.NotAfter
$obj | Add-Member -MemberType NoteProperty -Name "NotBefore" -Value $_.NotBefore
$array_otheruser += $obj
$obj = $null
})
}
$otheruser = Invoke-Command -ScriptBlock $ScriptBlock -ComputerName $env:computername -Credential $mycreds | Wait-Job
$otheruser | Receive-Job
$array_otheruser | Export-Csv -Path $CSVFile -NoTypeInformation
The code below writes into the file (where I've put the Export-Csv inside the scriptblock):
[ScriptBlock]$ScriptBlock = {
...
$array_otheruser += $obj
$obj = $null
})
##########This is the key difference, the export line is inside the ScriptBlock
$array_otheruser | Export-Csv -Path "c:\temp\temp9.csv" -NoTypeInformation
########
}
$otheruser = Invoke-Command -ScriptBlock $ScriptBlock -ComputerName $env:computername -Credential $mycreds | Wait-Job
$otheruser | Receive-Job
I would like to know if it is possible to have the Export-Csv file line outside of the scriptblock and have the cert information contents populate as it should using a different credential.

How do I send each result of Get-AdGroupMembership to my array?

I'm trying to recurse an NTFS folder structure, and output a CSV file that only displays each USER account with permissions on only the folders. Everything in the script outputs correctly EXCEPT for the portion that discovers a group and proceeds to enumerate the users in that group using Get-ADGroupMember. While debugging, I can see that each user within the group (even with nested groups) is outputted, but I guess I'm not properly "arraying" each output of the command and sending it onward to my "out" array.
I marked the section I'm having trouble with. Any help folks could provide would be very much appreciated. Thanks!
$Answer = Read-Host 'Do you wish to use an answer file? File must be named answer.csv and must reside in same directory as script. (Default is [N])'
If ($Answer -eq "y") {
$AnsFile = Import-Csv answer.csv | Select src,outdir,domain,user,pwd
$List_Dir = $AnsFile.src
$OutPath = $AnsFile.outdir
$DomainName = $AnsFile.domain
$Admin = $AnsFile.user
$Pwd = $AnsFile.pwd
}
Else {
Do {
$List_Dir = Read-Host 'Enter the directory path to be searched/recursed'
$TestList_Dir = Test-Path $List_Dir
If ($TestList_Dir -eq $True) {Write-Host "List directory checks out..."}
Else {Write-Host "Incorrect source directory. Please try again." -foregroundcolor red -backgroundcolor yellow}
}
While ($TestList_Dir -eq $False)
Do {
$OutPath = Read-Host 'Enter the directory path where the output files will be saved. Do not add a trailing slash.'
$TestOutPath = Test-Path $OutPath
If ($TestOutPath -eq $True) {Write-Host "Output path checks out..."}
Else {Write-Host "Incorrect output path. Please try again." -foregroundcolor red -backgroundcolor yellow}
}
While ($TestOutPath -eq $False)
$DomainName = Read-Host 'Enter the non-distinguished name of the Active Directory domain'
$Admin = Read-Host 'Type in an administrative account with rights to read AD Security Groups'
$Pwd = Read-Host 'Enter the adminstrative account password'
}
$Folder_Array = #()
write-host "List directory = $List_Dir"
write-host "Output path = $OutPath"
write-host "Domain = $DomainName"
write-host "Admin account = $Admin"
write-host "Password = $Pwd"
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$CType = [DirectoryServices.AccountManagement.ContextType]::Domain
$IDType = [DirectoryServices.AccountManagement.IdentityType]::SamAccountName
$DomainContext = New-Object DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $CType, $DomainName, $Admin, $Pwd
#$pat = "^[a-zA-Z0-9_:.]+$"
$pat = "^[a-zA-Z0-9_:.\]+$]"
get-childitem $List_Dir -recurse | where-object {$_.psIsContainer -eq $true} | foreach-object {
$a = ($_.FullName)
$d = $a -match $pat
$e = (get-acl $_.FullName).Access
foreach ($e1 in $e) {
$f = $e1.FileSystemRights
$g = $e1.AccessControlType
$SecID = $e1.IdentityReference
foreach ($Sec in $SecID) {
$GroupPrincipal = [DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($DomainContext, $IDType, $Sec)
if ($GroupPrincipal -ne $null) {
$Sec = $Sec.ToString()
$Sec = $Sec.Split("\")[1]
Get-AdGroupMember $Sec -Recursive | ForEach-Object {
$User = ($_.SamAccountName)
foreach ($u in $User) {
$out = new-object psobject
$out | add-member noteproperty Path $a
$out | add-member noteproperty Unix_Safe $d
$out | Add-Member NoteProperty UserAccount $u
$out | add-member noteproperty Permission $f
$out | add-member noteproperty AccessType $g
$Folder_Array += $out
}
}
}
else {
$e2 = $Sec.ToString()
$e2 = $e2.split("\")[1]
$out = new-object psobject
$out | add-member noteproperty Path $a
$out | add-member noteproperty Unix_Safe $d
$out | Add-Member NoteProperty UserAccount $e2
$out | add-member noteproperty Permission $f
$out | add-member noteproperty AccessType $g
$Folder_Array += $out
}
}
}
}
$Folder_Array | Select Path,UserAccount,Permission,AccessType,Unix_Safe | Export-Csv "$OutPath\folderonly.csv" -NoTypeInformation

The problem isn't so much with how you're doing it, it's more of when you're doing things. Let me explain...
Get-AdGroupMember $Sec -Recursive | ForEach-Object {
$User = ($_.SamAccountName)
foreach ($u in $User) {
$e2 = $u
}
}
}
****************************************************
else {
$e2 = $Sec.ToString()
$e2 = $e2.split("\")[1]
}
}
}
$out = new-object psobject
$out | add-member noteproperty Path $a
$out | add-member noteproperty Unix_Safe $d
$out | Add-Member NoteProperty UserAccount $e2
$out | add-member noteproperty Permission $f
$out | add-member noteproperty AccessType $g
$Folder_Array += $out
Given that, if it is a group you are taking all users for the group and setting that array of users to $User, and then going through that array, and assigning each user, one at a time, to $e2. Once you're done with that you create your object, and add that object to the array for output.
Let's say that group has 3 users in it, Tom, Dick, and Harvey (Harry was busy, he sent his brother instead). So now:
$User = #("Tom","Dick","Harvey")
Then you cycle through that assigning each to $e2, which basically comes out to this (some pseudocode here):
If(is a group){
$User = Get-ADGroup |select -expand samaccountname
ForEach($u in $User){
$e2 = "Tom"
<Next item in array>
$e2 = "Dick"
<next item in array>
$e2 = "Harvey"
<No more items in array, end ForEach>
So now when it moves on to create your object $e2 = "Harvey" and Tom and Dick are just out of luck. To resolve that we have options. Either:
A) Move object creation to inside the If/Else portions of the loop, specifically to create an object every time you assign $e2, and add those objects to the output array immediately after making them.
or:
B) Make $e2 an array by changing all references to setting it to read either $e2 += $u or $e2 = ,$Sec.ToString().Split("\")[1]. And then when you create objects do that like:
ForEach($User in $e2){
$Folder_Array += [PSCustomObject][Ordered]#{
'Path' = $a
'Unix_Safe' = $d
'UserAccount' = $User
'Permission' = $f
'AccessType' = $g
}
}

Unable to query [Get-QADComputer] info in Remote PS Sessions (Powershell)

When i run the below script to extract the OU info using quest ad commandlets it gives me an error as below
Object reference not set to an instance of an object.
+ CategoryInfo : NotSpecified: (:) [Get-QADComputer], NullReferenceException
+ FullyQualifiedErrorId : System.NullReferenceException,Quest.ActiveRoles.ArsPowerShellSnapIn.Powershell.Cmdlets.GetComputerCmdlet
Below is The Script which is use
$password = convertTo-secureString -string "123" -asPlainText -force
$credential = new-object System.Management.automation.Pscredential ("test.com\sh" , $password)
$session = New-PSSession -computername CI -credential $credential -port 5985 -Authentication Default
Invoke-Command -Session $session -ScriptBlock {
Add-PSSnapin Quest.ActiveRoles.ADManagement
$ou = get-qadcomputer QUAG | select -ExpandProperty canonicalname
}
$adou= (Invoke-Command -Session $session -ScriptBlock { $ou })
Get-PSSession | Remove-PSSession
$adou
Can Some one please help me with this?
Thanks!

You don't need to run QAD from within a remote session, you can try it from your admin station:
Add-PSSnapin Quest.ActiveRoles.ADManagement
$pw = read-host "Enter password" -AsSecureString
Connect-QADService -Service 'server.company.com' -ConnectionAccount 'company\administrator' -ConnectionPassword $pw
Get-QADComputer QUAG | Select-Object -ExpandProperty CanonicalName

I think the problem is with the way you're declaring and then invoking that script block. Not tested, but I think this might work better:
Invoke-Command -Session $session -ScriptBlock {
Add-PSSnapin Quest.ActiveRoles.ADManagement
}
$ou = {get-qadcomputer QUAG | select -ExpandProperty canonicalname}
$adou= (Invoke-Command -Session $session -ScriptBlock $ou)