Active Directory reset password - active-directory

Set-ADAccountPassword -Identity DistinguishedName -NewPassword $NewPassword -Reset
Set-ADUser -Identity DistinguishedName -ChangePasswordAtLogon $true
Unlock-ADAccount -Identity DistinguishedName
This is how a script resets a user's password. It works as intended. The question is how to make it so the new password it is reset to only lasts for 3 days.

Since there is no parameter to define an expiration time (or date) for a password to be changed after a reset is done, I would create a Group Policy (GPO) to enforce an "expiration after reset" policy and then assign that GPO to a group named "ExpirationPass" for that purpose.
Finally I would use the Add-ADGroupMember (Remove-ADGroupMember) cmdlets in the script to move the users to my "ExpirationPass" group to enforce the policy.
Good luck!
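
The reset-plus-group approach from the answer above, written out as an added example (not code from the original thread). It assumes the ActiveDirectory module, uses the placeholder names "ExpirationPass" and "TempPassword-3Days", and attaches the 3-day maximum age to the group through a fine-grained password policy (PSO), since that is the mechanism that applies a password age to a specific group.

```powershell
# Added example, not from the original thread. Assumptions: ActiveDirectory module available,
# group "ExpirationPass" and PSO "TempPassword-3Days" are placeholder names, and a fine-grained
# password policy (PSO) is the mechanism used to attach a 3-day MaxPasswordAge to the group.
Import-Module ActiveDirectory

$GroupName = 'ExpirationPass'
$PsoName   = 'TempPassword-3Days'

function Initialize-ExpirationPolicy {
    # One-time setup: the group plus a PSO with MaxPasswordAge = 3 days applied to that group.
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
    }
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
        New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
            -MaxPasswordAge (New-TimeSpan -Days 3) -MinPasswordAge (New-TimeSpan -Days 0) `
            -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
            -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
            -LockoutObservationWindow (New-TimeSpan -Minutes 30)
        Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName
    }
}

function Reset-TemporaryPassword {
    param([Parameter(Mandatory)][string]$Identity)
    # Build the temporary password from a cryptographic RNG instead of a fixed or guessable string.
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes) + '!a1'   # 27 chars, meets complexity
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    Set-ADAccountPassword -Identity $Identity -NewPassword $secure -Reset
    Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true
    Unlock-ADAccount -Identity $Identity
    Add-ADGroupMember -Identity $GroupName -Members $Identity

    # Check which password policy the account now resolves to (lowest-precedence PSO wins).
    $effective = Get-ADUserResultantPasswordPolicy -Identity $Identity
    [pscustomobject]@{
        User            = $Identity
        TempPassword    = $plain             # hand over out of band; do not log or mail it
        EffectivePolicy = $effective.Name
        MaxPasswordAge  = $effective.MaxPasswordAge
    }
}

# Usage: Initialize-ExpirationPolicy; Reset-TemporaryPassword -Identity 'jdoe'
```

Because -ChangePasswordAtLogon clears pwdLastSet, the 3-day clock runs from the password the user picks at first logon; Remove-ADGroupMember afterwards returns the account to the domain policy, as the answer describes.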

Related

Add a value to all users in AD

I am trying to set up dynamic distribution lists at the company I work for.
I want to use the company value in AD for a distribution list that everyone in the company needs to be part of.
Most of our users have the name of the company as the value, but after checking some users it appears that this value is not set for all users.
Is there a way to set this value for all AD users (by using PowerShell, for example), or get a list of users where the company value is not set to the company name?
You can use the PowerShell ActiveDirectory module, which is included in the Remote Server Administration Tools (RSAT). Details on how to install it are here.
Then you can use Get-ADUser and pipe the results into Set-ADUser. Something like this:
$badusers = Get-ADUser -Filter "company -ne 'Your Company Name'"
$badusers | Set-ADUser -Company "Your Company Name"
You could do this in one line, but I split it into two so you can inspect the $badusers collection to actually see the users that you changed (just type $badusers into the PowerShell prompt and hit enter).
It may be wise to limit it to, say, 5 or 10 users just to make sure it works the way you want before attempting to change every user. You can do this by adding -ResultSetSize 5 to the Get-ADUser line.
This also assumes you want to change all user objects to have your company name, even administrative accounts. Keep in mind that this will stop processing users if it hits one that you don't have permission to modify. If you want to limit it to a single OU, you can use the -SearchBase parameter of Get-ADUser, like this:
$badusers = Get-ADUser -Filter "company -ne 'Your Company Name'" -SearchBase "OU=Users,DC=example,DC=com"
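
The Get-ADUser | Set-ADUser idea from the answer above as an added example (not code from the original thread): it reports each user before and after, skips protected admin accounts, keeps going when one object cannot be modified instead of stopping, and honours -WhatIf. The company name, OU and report path are placeholders.

```powershell
# Added example, not from the original thread. Company name, OU and CSV path are placeholders.
Import-Module ActiveDirectory

function Set-MissingCompany {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Company,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [int]$Limit = 0,                                   # 0 = no limit; use 5 or 10 for a first run
        [string]$ReportPath = '.\company-fix-report.csv'
    )
    $params = @{
        Filter     = "company -ne '$Company'"              # also matches users with no company set
        SearchBase = $SearchBase
        Properties = 'company', 'adminCount'
    }
    if ($Limit -gt 0) { $params['ResultSetSize'] = $Limit }

    $results = foreach ($u in Get-ADUser @params) {
        $row = [pscustomobject]@{ SamAccountName = $u.SamAccountName; OldCompany = $u.company; Result = '' }
        if ($u.adminCount -eq 1) {
            # adminCount=1 marks accounts protected by AdminSDHolder; leave those for a manual review
            $row.Result = 'skipped: protected admin account'
        } elseif ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Set company to '$Company'")) {
            try {
                Set-ADUser -Identity $u -Company $Company -ErrorAction Stop
                $row.Result = 'updated'
            } catch {
                # e.g. access denied on one object: record it and continue with the next user
                $row.Result = "failed: $($_.Exception.Message)"
            }
        } else {
            $row.Result = 'whatif'
        }
        $row
    }
    $results | Export-Csv -Path $ReportPath -NoTypeInformation
    $results
}

# Usage: dry run on 5 users first, then the real change limited to one OU
# Set-MissingCompany -Company 'Your Company Name' -Limit 5 -WhatIf
# Set-MissingCompany -Company 'Your Company Name' -SearchBase 'OU=Users,DC=example,DC=com'
```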

LDAP query logged in users via IP

Is it possible to connect to an LDAP/Windows Active Directory server as an admin (using bind) and then run an IP based query to see what user is logged into a Windows PC based on a particular IP? The IP would not be a hardcoded value or attribute.
Basically I am wondering if I can ask Active Directory what user is logged in when supplied an IP address.
Active Directory stores user logon history data in the event logs on domain controllers.
The event ID for a user logon event is 4624.
These events contain data about the user, time, computer and type of user logon.
Using an LDAP query, we cannot fetch the username from an IP address.
Instead we can use PowerShell to query the logon event data and fetch the username by IP address.
# Find DC list from Active Directory
$DCs = Get-ADDomainController -Filter *
# Define time for report (default is 1 day)
$startDate = (Get-Date).AddDays(-1)
# IP address to look for (replace with the workstation IP you are interested in)
$IPAddress = "IPAddress"
# Store successful logon events (ID 4624) from the Security log of every DC in one array
$slogonevents = @()
foreach ($DC in $DCs) {
    $slogonevents += Get-EventLog -LogName Security -ComputerName $DC.Hostname -After $startDate |
        Where-Object { $_.EventID -eq 4624 }
}
# Crawl through events; print logon history with type, date/time, status, account name, computer and IP address for the given logon IP address
foreach ($e in $slogonevents) {
    # Logon Successful Events: ReplacementStrings[5] = account name, [11] = workstation, [18] = source IP
    if (($e.EventID -eq 4624) -and ($e.ReplacementStrings[18] -eq $IPAddress)) {
        Write-Host "Type: Remote Logon`tDate: $($e.TimeGenerated)`tStatus: Success`tUsername: $($e.ReplacementStrings[5])`tWorkstation: $($e.ReplacementStrings[11])`tIP Address: $($e.ReplacementStrings[18])"
    }
}
Reference : Active Directory: How to Get User Login History using PowerShell - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)
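
A variant of the lookup above as an added example (not code from the original thread): it filters event 4624 on the server side with Get-WinEvent, reads the fields by name from the event XML instead of by ReplacementStrings index, drops machine accounts, and can restrict to interactive logon types. The function name, the IP address and the default of querying every domain controller are assumptions.

```powershell
# Added example, not from the original thread. Function name and sample IP are assumptions.
Import-Module ActiveDirectory

function Get-LogonsBySourceIp {
    param(
        [Parameter(Mandatory)][string]$IpAddress,
        [string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName,  # assumption: every DC
        [int]$Days = 1,
        [switch]$InteractiveOnly          # keep only logon types 2, 10 and 11 (console, RDP, cached)
    )
    # Server-side filter: Security log, event 4624, time window. The IP lives in EventData,
    # so that part is matched after retrieval by parsing the event XML.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($computer in $ComputerName) {
        $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($ev in $events) {
            $data = @{}
            foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['IpAddress'] -ne $IpAddress) { continue }
            # Machine accounts end in '$'; drop them so computer logons are not reported as users
            if ($data['TargetUserName'] -like '*$') { continue }
            $type = [int]$data['LogonType']
            if ($InteractiveOnly -and $type -notin 2, 10, 11) { continue }
            [pscustomobject]@{
                Time        = $ev.TimeCreated
                LoggedOnTo  = $computer
                User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType   = $type       # 2 console, 3 network, 10 RDP, 11 cached credentials
                Workstation = $data['WorkstationName']
                IpAddress   = $data['IpAddress']
            }
        }
    }
}

# Usage: Get-LogonsBySourceIp -IpAddress '10.0.0.25' -Days 2 | Sort-Object Time | Format-Table
```

On a domain controller, 4624 records logons to the DC itself (mostly type 3 network logons arriving from the workstation's IP); interactive logons at the PC are written to that PC's own Security log, so pass its name in -ComputerName when those are what you need.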

Privileged access groups

Anyone have any clues how to manage eligible assignments in privileged access enabled groups with PowerShell?
Get-AzureADMSGroup shows the group IsAssignableToRole is True and Get-AzureADGroupMember shows no members as they're not directly assigned.
The AzureAdPreview module has a number of commands to manage PIM roles. https://learn.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0-preview#privileged-role-management
But with privileged access groups, I can't work out the commands to assign eligible user assignments to a group rather than to a role.
Hi, can you please try the command below to add the user to your required group:
Add-ADGroupMember -Identity Groupname -Members user1,user2
Groupname - the name of the group.
user1 - first user
user2 - second user
Please have a look this Document if it helps you.
Thank You.

Locating a user by alternate email address in Azure AD

I currently use
(Get-MsolUser -UserPrincipalName $EmailAddress).ObjectID.Guid
to lookup a user by their PrincipalName in Azure AD and return their guid. However, there are times when a user has changed email addresses due to a name change and the address I have been given is not their PrincipalName but a secondary email address.
Is there a way to locate a user based upon an alternate email address? Perhaps a fuzzy search?
Depending on the number of 'user' accounts in your tenant, it could take a little while for each user account to be returned. Please see following:
Get-MsolUser -All | Where-Object { $_.ProxyAddresses -like "smtp:<EMAIL ADDRESS>" }
(Get-MsolUser -All | Where-Object { $_.ProxyAddresses -like "smtp:<EMAIL ADDRESS>" }).ObjectId.Guid
You can use the following PowerShell scripts to filter users by an alternate email address:
Get-MsolUser | Where-Object { $_.AlternateEmailAddresses -contains "<the email address>" }
(Get-MsolUser | Where-Object { $_.AlternateEmailAddresses -contains "<the email address>" }).ObjectId.Guid
Here is my test result:
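
Both answers above enumerate the tenant for every lookup. As an added example (not code from the original thread), the following builds one index keyed by UPN, every smtp: proxy address and every alternate email address, so repeated lookups are dictionary hits, and it refuses to guess when an address maps to more than one user. It assumes Connect-MsolService has already been run; the function names and the sample address are assumptions.

```powershell
# Added example, not from the original thread. Assumes Connect-MsolService has already been run.
function New-MsolAddressIndex {
    $index = @{}
    foreach ($u in Get-MsolUser -All) {
        $addresses = @($u.UserPrincipalName)
        # ProxyAddresses look like "SMTP:primary@x.com" / "smtp:alias@x.com"; strip the 5-char prefix
        $addresses += $u.ProxyAddresses | Where-Object { $_ -match '^smtp:' } | ForEach-Object { $_.Substring(5) }
        $addresses += $u.AlternateEmailAddresses
        foreach ($a in ($addresses | Where-Object { $_ })) {
            $key = $a.Trim().ToLowerInvariant()
            if (-not $index.ContainsKey($key)) { $index[$key] = @() }
            $guid = $u.ObjectId.ToString()
            if ($index[$key] -notcontains $guid) { $index[$key] += $guid }
        }
    }
    return $index
}

function Find-MsolUserByAddress {
    param(
        [Parameter(Mandatory)][hashtable]$Index,
        [Parameter(Mandatory)][string]$EmailAddress
    )
    $key = $EmailAddress.Trim().ToLowerInvariant()
    if (-not $Index.ContainsKey($key)) { return $null }
    $guids = $Index[$key]
    # Alternate addresses are not guaranteed unique; do not silently pick one of several users
    if ($guids.Count -gt 1) {
        throw "Address '$EmailAddress' resolves to $($guids.Count) users: $($guids -join ', ')"
    }
    return $guids[0]
}

# Usage: build once, then look up any number of addresses (sample address is constructed)
$index = New-MsolAddressIndex
Find-MsolUserByAddress -Index $index -EmailAddress 'old.name@example.com'
```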

Mixing SQL query and PowerShell send-mailmessage

I've combed through the help files here and can't quite find the right combination of what I'm looking for.
Someone before my time created a PowerShell script that is used to create user accounts in Active Directory. Currently, when a new account is requested, the admin (me) runs a script that creates the AD account, then goes back to a Web-based form to enter the user name/password (also generated by that script) to close the request. Closing it through the form also kicks off an email to the requestor and two system admins with the user name and password in it.
Because it's silly to have to copy/paste anything, I've successfully added cmdlets to the script to write the user name, password and other data back to the SQL table directly and close the ticket. I've also successfully added a Send-MailMessage cmdlet to generate that user name/pswd email. My problem comes when I need to look up (via a SQL query) and send to the email address of the original requestor. The request form captures the user ID of the requestor, which I then use in a query to find their email address from another table and define it as a variable.
$requestor = Invoke-Sqlcmd -ServerInstance [servername] -Database [dbname] -Query "select b.email from [Table1] a
    left outer join [Table2] b on a.requestedby = b.clockid
    where a.accrequestid = '$reqID'"
Two things may be causing problems here. When I define that variable and then type $requestor for output, I get
PS SQLSERVER:> $requestor
email
[email@abc.com]
I may need to find a way to define that variable as just the email address value without the field header, and I'm not sure how to do that. (I'm very new to PowerShell.)
The other issue is using that variable as part of an array. Currently, my send-mailmessage cmdlet looks somewhat like this:
$PSEmailServer = "[SMTPServerName]"
Send-MailMessage -From "[EmailAddress]" -To "email1@abc.com", "email2@abc.com", "$requestor" -Subject "User Account Info ($DisplayName)" -Body "The user account you requested has been created."
The email will deliver to email1 and email2, but I get this error from the use of the variable:
Send-MailMessage : The specified string is not in the form required for an e-mail address.
At [FileName].ps1:381 char:1
+ Send-MailMessage -From "onlinenotification@foley.com" -To "$requestor" -Subject ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidType: (:) [Send-MailMessage], FormatException
    + FullyQualifiedErrorId : FormatException,Microsoft.PowerShell.Commands.SendMailMessage
I have tried all combinations of single, double and no quotes around that $requestor variable, and tried sending to only the address returned by the variable. No luck.
Does anyone have any experience with something like this? I know I could go create a trigger on the SQL table to send an email instead, but I'd love to figure out what the problem is here. My guess is that it's the former issue...
Many thanks!
(The database is SQL2008R2 and PowerShell is v4.)
$requestor will contain the SQL record as an object. As you're selecting the email column in your query this will probably be an array of email addresses.
You can inspect what the $requestor object is by typing $requestor.GetType() at the PowerShell prompt.
However, at a guess I'd imagine you need to use:
($requestor.email)[0] in your Send-MailMessage command to access the string property of the returned object or create a variable for the requestor email address by doing something like:
$reqEmail = $requestor | Select-Object -ExpandProperty email -First 1
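
The lookup-then-mail flow from the question, as an added example (not code from the original thread): it returns the requestor's address as a plain string rather than a row object, binds the request id as a SQL parameter instead of pasting it into the query text, and validates the result as a mail address before Send-MailMessage sees it. The server, database, table and column names are the ones in the question; $reqID, $DisplayName, the SMTP server and the fixed recipients are assumed to be defined as in the original script.

```powershell
# Added example, not from the original thread. [servername], [dbname], [SMTPServerName] and
# [EmailAddress] are the question's placeholders; $reqID and $DisplayName are assumed to be set.
Add-Type -AssemblyName System.Data

function Get-RequestorEmail {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,
        [Parameter(Mandatory)][string]$Database,
        [Parameter(Mandatory)][string]$RequestId
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$ServerInstance;Database=$Database;Integrated Security=True")
    $cmd = $conn.CreateCommand()
    # Parameterised query: the request id travels as @reqID, never as part of the SQL text
    $cmd.CommandText = "select b.email from [Table1] a left outer join [Table2] b " +
                       "on a.requestedby = b.clockid where a.accrequestid = @reqID"
    [void]$cmd.Parameters.AddWithValue('@reqID', $RequestId)
    try {
        $conn.Open()
        $email = $cmd.ExecuteScalar()   # first column of the first row; $null or DBNull if no row
    } finally {
        $conn.Dispose()
    }
    if ($null -eq $email -or $email -is [System.DBNull]) { return $null }
    # Reject anything that is not a syntactically valid address before it reaches Send-MailMessage
    try { return ([System.Net.Mail.MailAddress]$email.ToString().Trim()).Address }
    catch { throw "Request $RequestId has an invalid requestor address: '$email'" }
}

$reqEmail   = Get-RequestorEmail -ServerInstance '[servername]' -Database '[dbname]' -RequestId $reqID
$recipients = @('email1@abc.com', 'email2@abc.com')
if ($reqEmail) { $recipients += $reqEmail } else { Write-Warning "No requestor e-mail found for request $reqID" }

Send-MailMessage -SmtpServer '[SMTPServerName]' -From '[EmailAddress]' -To $recipients `
    -Subject "User Account Info ($DisplayName)" -Body "The user account you requested has been created."
```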
