Me (and the company I work for) are looking for a script to extract the following information from an AzureAD.
Accountname
Username
Description
creation date
last login
Blocked yes or no
Date last password change
Password expiration date
Administrator yes or no
Futhermore:
NTFS groups
Computer SID (OS and version / assigned to which OU / Last time seen online)
And lastly
Password policy
We require our customers to provide this information when they are subject to a financial audit. Currently we have a working extraction script which give a .csv export which we can import in a qlikview dashboard. With this dashboard we can look for possible security risks. We do not export passwords and do not want passwords of accounts.
I have been looking for such a script for a couple of weeks but can't seem to find one that gives us this result.
I hope someone can help.
This is not a good question, but since I needed almost the same information, I will show you how you can start solving your issue, and for others ending up in this question by searching.
Start by installing this https://www.powershellgallery.com/packages/AzureAD/2.0.2.4 to your powershell
Then you connect to your Azure AD.
$_adroles = #()
$_docpath = $env:userprofile + '\Documents\ADDirRole.csv'
Get-AzureADDirectoryRole | foreach {
$_objectid = $_.ObjectId; $rolename = $_.Displayname
$_adroles += Get-AzureADDirectoryRoleMember -ObjectId $_objectid | select `
#{name='RoleName';expression={$rolename}},displayname,UserPrincipalName,UserType,LastDirSyncTime,DirSyncEnabled,mail,accountenabled
}
$_adroles | export-csv $_docpath –NoTypeInformation
For more information see: https://blogs.technet.microsoft.com/chadcox/2017/06/30/powershell-useful-azure-ad-queries-using-the-azuread-module/
And the documentation is here: https://learn.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0#users
Related
I'm pretty sure that last week I was able to use Get-AzADUser to return both Department and AccountEnabled.
Get-AzADUser | where {$_.Mail -eq "abc#xyz.com"} | Select-Object Mail, Department, AccountEnabled
Mail Department AccountEnabled
---- ---------- --------------
abc#xyz.com
When I call up all parameters for a single user I can see that I'm missing content on many fields, I basically only see Name, JobTitle, Mail, and MobileNumber
I'm using an account assigned the roles "Global reader" and "Directory readers".
(Other parts of my script also stopped working since last week where Get-AzADUsers no longer has a field called "ObjectId" but instead the field is simply called "Id")
You need to use "-Select" and " -AppendSelected" parameters to get the info.
Try the following (working for me)...
Get-AzADUser -Select 'Department,AccountEnabled' -AppendSelected -UserPrincipalName "abc#xyz.com" | Select-Object Mail, Department, AccountEnabled
Mail Department AccountEnabled
---- ---------- --------------
abc#xyz.com IT Support True
More info: https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azaduser
I tested in My Environment and found Get-AzADUser not much suitable command as it doesn't appear to return any information about the user (like department, usage location, office info, or basically any properties on the user).
There continues to be a lack of properties returned when comparing Get-AzureADUser vs. Get-AzADUser:
AzureAD Module which is a designed for tasks within AzureAD
Where second one Az which is designed to handle most, if not all of Azure's resources.
you can use the az module easliy if you just want to look up the users existance, but if you need to actually administer azure ad i would suggest you go for azuread. To connect to a specified tenant with azuread use connect-azuread -tenantId 'XXXXXX'.
Output Using Get-AzureADUser
I am able to get the departmentName
Reference : https://github.com/Azure/azure-powershell/issues/10497
I am trying to set up dynamic distribution lists at the company I work for.
I want to use the company value in AD for a distribution list that everyone in the company needs to be part of.
Most of our users have the name of the company as the value, but after checking some users it appears that this value is not set for all users.
Is there a way to set this value for all AD users (by using powershell f.e), or get a list of users where the company value is not set to the company name?
You can use the PowerShell ActiveDirectory module, which is included in the Remote Server Administration Tools (RSAT). Details on how to install it are here.
Then you can use Get-ADUser and pipe the results into Set-ADUser. Something like this:
$badusers = Get-ADUser -Filter "company -ne 'Your Company Name'"
$badusers | Set-ADUser -Company "Your Company Name"
You could do this in one line, but I split it into two so you can inspect the $badusers collection to actually see the users that you changed (just type $badusers into the PowerShell prompt and hit enter).
It may be wise to limit it to, say, 5 or 10 users just to make sure it works the way you want before attempting to change every user. You can do this by adding -ResultSetSize 5 to the Get-ADUsers line.
This also assumes you want to change all user objects to have your company name, even administrative accounts. Keep in mind that this will stop processing users if it hits one that you don't have permission to modify. If you want to limit it to a single OU, you can use the -SearchBase parameter of Get-ADUsers, like this:
$badusers = Get-ADUser -Filter "company -ne 'Your Company Name'" -SearchBase "OU=Users,DC=example,DC=com"
First, and newbie question. Sorry in advance ;)
I'm trying to create a two step script in powershell to change all sql server logins on different servers.
My goal is to be able to run it in a few seconds and not having to access the management studio for this operations. This has to be done in about 1000 computers running different versions of SQL Express.
1st step: Change the SA password.
I've tested this one and it's ok. I'm using a txt file with the server name list and two string for the password and username. Works perfect.
2nd step: Disable all sql logins (including windows auth ones)that are not on text file with the list of logins to keep.
Here's where I'm stuck.
I can use a list of users and disable them but I would like to do the opposite. I want to disable login names that are not on the list but are enabled on the sql server.
I need it to work this way because I have no chance to know the hostnames and usernames without accessing our clients computers / servers and I need it to be done really quick without manual procedures.
This is what I've done to be able to disable the ones on the list. It works fine but... I need the opposite.
Thank you very much and sorry if it's a stupid question.
Regards,
Luís
#DISABLE LOGINS ON THE LIST
[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SMO') | out-null
$Error.Clear()
cls
$servers = Get-Content C:\example\servers.txt
$logins = Get-Content C:\example\users.txt
foreach($server in $servers)
{
$srv = New-Object ('Microsoft.SqlServer.Management.Smo.Server') $server
foreach($login in $logins)
{
if ($srv.Logins.Contains($login))
{
$srv.Logins[$login].disable();
}
}
}
$srv.Logins |
Where-Object Name -notin $logins |
ForEach-Object Disable
Note that the lookup isn't efficient, because a linear search in array $logins is performed for each login, but that probably won't matter in practice.
The Where-Object and ForEach-Object calls use simplified syntax.
I currently use
(Get-MsolUser -UserPrincipalName $EmailAddress).ObjectID.Guid
to lookup a user by their PrincipalName in Azure AD and return their guid. However, there are times when a user has changed email addresses due to a name change and the address I have been given is not their PrincipalName but a secondary email address.
Is there a way to locate a user based upon an alternate email address? Perhaps a fuzzy search?
Depending on the number of 'user' accounts in your tenant, it could take a little while for each user account to be returned. Please see following:
Get-MsolUser -all | Where{$_.ProxyAddresses -like "smtp:<EMAIL ADDRESS>"}
(Get-MsolUser -all | Where{$_.ProxyAddresses -like "smtp:<EMAIL ADDRESS>"}).ObjectId.Guid
You can use follow PowerShell scripts to filter user with one Alternate Email Address:
Get-MsolUser | Where-Object{$_.AlternateEmailAddresses -contains "<the email ddress>"}
(Get-MsolUser | Where-Object{$_.AlternateEmailAddresses -contains "<the email dress>"}).ObjectId.Guid
Here is my test result:
I follow this step by step http://technet.microsoft.com/en-us/library/ff681014.aspx for reset the User Profile Synchronization Service but I need the GUID of the synchronization database.
I searched a lot but I didn't find anything. I need also to find the GUID of the/a service.
Thank you
You can use Powershell to do this the way MS describes in the Technet article or the smart way:
$syncDBType = "Microsoft.Office.Server.Administration.SynchronizationDatabase"
$upaSAType = "User Profile Service Application"
$syncDB = Get-SPDatabase | where-object {$_.Type -eq $syncDBType}
$upa = Get-SPServiceApplication | where-object {$_.TypeName -eq $upaSAType}
$syncDB.Unprovision()
$syncDB.Status = "Offline"
$upa.ResetSynchronizationMachine()
$upa.ResetSynchronizationDatabase()
$syncDB.Provision()
restart-service SPTimerV4
So we actually don't look for the guid but look where the database type is the sync database type. You can find more troubleshooting gems like this on Harbars site: “Stuck on Starting”: Common Issues with SharePoint Server 2010 User Profile Synchronization