Locating a user by alternate email address in Azure AD - azure-active-directory

I currently use
(Get-MsolUser -UserPrincipalName $EmailAddress).ObjectID.Guid
to look up a user by their PrincipalName in Azure AD and return their GUID. However, there are times when a user has changed email addresses due to a name change and the address I have been given is not their PrincipalName but a secondary email address.
Is there a way to locate a user based upon an alternate email address? Perhaps a fuzzy search?

Depending on the number of 'user' accounts in your tenant, it could take a little while for each user account to be returned. Please see following:
Get-MsolUser -all | Where{$_.ProxyAddresses -like "smtp:<EMAIL ADDRESS>"}
(Get-MsolUser -all | Where{$_.ProxyAddresses -like "smtp:<EMAIL ADDRESS>"}).ObjectId.Guid

You can use the following PowerShell scripts to filter users by an alternate email address:
Get-MsolUser | Where-Object{$_.AlternateEmailAddresses -contains "<the email address>"}
(Get-MsolUser | Where-Object{$_.AlternateEmailAddresses -contains "<the email address>"}).ObjectId.Guid
Here is my test result:
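Both answers above enumerate the whole tenant and return whatever matches; the following added example (not code from either answer) wraps the same idea in a function that tries the cheap UPN lookup first, then compares proxy and alternate addresses exactly, and refuses to return a GUID when the address is ambiguous. It assumes Connect-MsolService has already been run.

```powershell
# Added example: resolve one email address to a single Azure AD object GUID.
# Assumes an existing Connect-MsolService session; $Address is caller input.
function Resolve-MsolUserGuid {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Address
    )

    # 1. Exact UPN match: one directory call, no tenant enumeration.
    $user = Get-MsolUser -UserPrincipalName $Address -ErrorAction SilentlyContinue
    if ($user) { return $user.ObjectId.Guid }

    # 2. Full enumeration. -contains is an exact, case-insensitive comparison, so
    #    "smtp:" and the primary "SMTP:" prefix both match, and no wildcard in the
    #    input can widen the search the way -like would.
    $hits = @(Get-MsolUser -All | Where-Object {
        ($_.ProxyAddresses -contains "smtp:$Address") -or
        ($_.AlternateEmailAddresses -contains $Address)
    })

    # 3. Refuse to guess: an address mapping to more than one account must be
    #    resolved by a person before anything is granted to the returned GUID.
    switch ($hits.Count) {
        0       { throw "No user has '$Address' as UPN, proxy or alternate address." }
        1       { return $hits[0].ObjectId.Guid }
        default { throw "'$Address' is ambiguous: " + ($hits.UserPrincipalName -join ', ') }
    }
}

# Usage (placeholder address):
# Resolve-MsolUserGuid -Address 'jane.doe@contoso.example'
```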


Get no result from LDAP query

I am trying to filter out employees from a specific OU via LDAP.
The problem is that the OU contains spaces.
By itself, with \20 between the respective words, this OU should be resolved and be able to be found.
Furthermore, there is no CN in the respective OU.
What I have tried so far is the following:
(&(objectCategory=person)(objectClass=user)(ou=test\20user\20accounts,dc=lab,dc=local))
Unfortunately I only get an empty output.
The search base is missing and I don't know how to implement it in the LDAP query.
With PowerShell I don't have any issues getting what I want:
Get-ADObject -LDAPFilter "(ObjectClass=user)" -SearchBase "ou=test\20user\20accounts,dc=lab,dc=local" -Properties * |`
? {$_.ObjectCategory -like "cn=Person*" }| select name,objectclass,ObjectCategory | fl
I appreciate any advice :)
Thanks in advance
To search for users in an OU, set the search root of your query (sometimes called Base DN) to the OU. It cannot be done in the filter.
The memberOf attribute is used for groups, not OUs.
You do not supply enough information to make an accurate assessment.
What are you looking for within OU=Test,User,Accounts,DC=Lab,DC=local?
"I wanna get all the members of the OU Test User Accounts"
This should get all "Users" (sAMAccountType=805306368) in the container "OU=Test,User,Accounts,DC=Lab,DC=local" (With some tweaking to fit your server and credentials)
ldapsearch -D "cn=exampleuser,example.com" -w secret -h server.example.com -b "OU=Test,User,Accounts,DC=Lab,DC=local" -s sub "(sAMAccountType=805306368)"
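The answer's point is that the OU goes into the search root, not the filter. The added example below (not code from the question or the answer) does the same from PowerShell with System.DirectoryServices, so the base DN and the filter are visibly separate, and it escapes any caller-supplied filter value per RFC 4515 so the input cannot rewrite the filter. The OU and domain names are placeholders taken from the question.

```powershell
# Added example: enumerate user objects under an OU whose name contains spaces.
# Assumes a domain-joined host; OU/domain names are placeholders from the question.
function Get-UsersInOu {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [string]$SamAccountNameFilter = '*'
    )

    # RFC 4515 filter escaping: backslash first, then parentheses and NUL.
    # '*' is deliberately left alone so the caller may pass a wildcard;
    # add  -replace '\*', '\2a'  to forbid wildcards entirely.
    $escaped = $SamAccountNameFilter -replace '\\', '\5c' `
                                    -replace '\(', '\28' `
                                    -replace '\)', '\29' `
                                    -replace "`0", '\00'

    # The base DN is separate from the filter. A space inside an RDN needs no
    # escaping in a DN string, though the \20 form from the question is also valid.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$OuDistinguishedName")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize    = 500          # paged results: avoids the 1000-entry server cap
    # 805306368 = SAM_NORMAL_USER_ACCOUNT, i.e. user objects only (no computers/trusts)
    $searcher.Filter = "(&(sAMAccountType=805306368)(sAMAccountName=$escaped))"
    [void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'distinguishedName', 'userAccountControl'))

    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName    = [string]$r.Properties['samaccountname'][0]
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            # userAccountControl bit 0x2 = ACCOUNTDISABLE
            Enabled           = -not ([int]$r.Properties['useraccountcontrol'][0] -band 2)
        }
    }
}

# Usage (placeholders): the OU from the question, written with plain spaces
# Get-UsersInOu -OuDistinguishedName 'OU=Test User Accounts,DC=lab,DC=local'
```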

Get-AzADUser no longer returns Department and AccountEnabled

I'm pretty sure that last week I was able to use Get-AzADUser to return both Department and AccountEnabled.
Get-AzADUser | where {$_.Mail -eq "abc@xyz.com"} | Select-Object Mail, Department, AccountEnabled
Mail Department AccountEnabled
---- ---------- --------------
abc@xyz.com
When I call up all parameters for a single user I can see that I'm missing content on many fields, I basically only see Name, JobTitle, Mail, and MobileNumber
I'm using an account assigned the roles "Global reader" and "Directory readers".
(Other parts of my script also stopped working since last week where Get-AzADUsers no longer has a field called "ObjectId" but instead the field is simply called "Id")
You need to use the "-Select" and "-AppendSelected" parameters to get the info.
Try the following (working for me)...
Get-AzADUser -Select 'Department,AccountEnabled' -AppendSelected -UserPrincipalName "abc@xyz.com" | Select-Object Mail, Department, AccountEnabled
Mail Department AccountEnabled
---- ---------- --------------
abc@xyz.com IT Support True
More info: https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azaduser
I tested in my environment and found that Get-AzADUser is not a very suitable command, as it doesn't appear to return any information about the user (like department, usage location, office info, or basically any properties on the user).
There continues to be a lack of properties returned when comparing Get-AzureADUser vs. Get-AzADUser:
The AzureAD module is designed for tasks within Azure AD,
whereas the Az module is designed to handle most, if not all, of Azure's resources.
You can use the Az module easily if you just want to look up a user's existence, but if you need to actually administer Azure AD I would suggest you go for AzureAD. To connect to a specified tenant with AzureAD, use Connect-AzureAD -TenantId 'XXXXXX'.
Output Using Get-AzureADUser
I am able to get the departmentName
Reference : https://github.com/Azure/azure-powershell/issues/10497

Add a value to all users in AD

I am trying to set up dynamic distribution lists at the company I work for.
I want to use the company value in AD for a distribution list that everyone in the company needs to be part of.
Most of our users have the name of the company as the value, but after checking some users it appears that this value is not set for all users.
Is there a way to set this value for all AD users (by using PowerShell, for example), or to get a list of users where the company value is not set to the company name?
You can use the PowerShell ActiveDirectory module, which is included in the Remote Server Administration Tools (RSAT). Details on how to install it are here.
Then you can use Get-ADUser and pipe the results into Set-ADUser. Something like this:
$badusers = Get-ADUser -Filter "company -ne 'Your Company Name'"
$badusers | Set-ADUser -Company "Your Company Name"
You could do this in one line, but I split it into two so you can inspect the $badusers collection to actually see the users that you changed (just type $badusers into the PowerShell prompt and hit enter).
It may be wise to limit it to, say, 5 or 10 users just to make sure it works the way you want before attempting to change every user. You can do this by adding -ResultSetSize 5 to the Get-ADUser line.
This also assumes you want to change all user objects to have your company name, even administrative accounts. Keep in mind that this will stop processing users if it hits one that you don't have permission to modify. If you want to limit it to a single OU, you can use the -SearchBase parameter of Get-ADUser, like this:
$badusers = Get-ADUser -Filter "company -ne 'Your Company Name'" -SearchBase "OU=Users,DC=example,DC=com"
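The answer's caveats (pilot batch, OU scope, admin accounts, stopping on the first permission error) can all be handled in one function. The added example below is not the answer's code; it records the before-state to a CSV, skips AdminSDHolder-protected accounts (adminCount=1) so they get a separately reviewed change, supports -WhatIf, and keeps going past an access-denied error instead of aborting. Company name, OU and report path are placeholders.

```powershell
# Added example: report and then fix users whose Company attribute is missing or
# wrong. Company name, OU and report path are placeholders supplied by the caller.
function Repair-ADUserCompany {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CompanyName,
        [string]$SearchBase,                           # e.g. 'OU=Users,DC=example,DC=com'
        [int]$Limit = 0,                               # 0 = all; 5 for a pilot run
        [string]$ReportPath = "$env:TEMP\company-fix-before.csv"
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # "company -ne 'X'" also matches users whose company attribute is not set at all.
    $query = @{
        Filter     = "company -ne '$CompanyName'"
        Properties = 'company', 'adminCount'
    }
    if ($SearchBase) { $query.SearchBase    = $SearchBase }
    if ($Limit -gt 0) { $query.ResultSetSize = $Limit }

    # Protected admin accounts are excluded here so they get a reviewed change of their own.
    $candidates = @(Get-ADUser @query | Where-Object { $_.adminCount -ne 1 })

    # Before-state record: lets the change be audited or rolled back.
    $candidates | Select-Object SamAccountName, DistinguishedName, Enabled, Company |
        Export-Csv -Path $ReportPath -NoTypeInformation

    foreach ($u in $candidates) {
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Set Company to '$CompanyName'")) {
            try   { Set-ADUser -Identity $u -Company $CompanyName -ErrorAction Stop }
            catch { Write-Warning "Skipped $($u.SamAccountName): $($_.Exception.Message)" }
        }
    }
    Write-Verbose "Processed $($candidates.Count) users; before-state written to $ReportPath"
}

# Dry run on a small batch first, then the real change (placeholders):
# Repair-ADUserCompany -CompanyName 'Your Company Name' -SearchBase 'OU=Users,DC=example,DC=com' -Limit 5 -WhatIf
# Repair-ADUserCompany -CompanyName 'Your Company Name' -SearchBase 'OU=Users,DC=example,DC=com'
```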

LDAP query logged in users via IP

Is it possible to connect to an LDAP/Windows Active Directory server as an admin (using bind) and then run an IP based query to see what user is logged into a Windows PC based on a particular IP? The IP would not be a hardcoded value or attribute.
Basically I am wondering if I can ask Active Directory what user is logged in when supplied an IP address.
Active Directory stores user logon history data in the event logs on domain controllers.
The event ID for a user logon event is 4624.
These events contain data about the user, time, computer and type of user logon.
Using LDAP query, we cannot fetch the username from the IP address.
Instead we can use PowerShell to query the logon event data and fetch the username with IP address.
# Find DC list from Active Directory
$DCs = Get-ADDomainController -Filter *
# Define time for report (default is 1 day)
$startDate = (Get-Date).AddDays(-1)
# Store successful logon events from security logs with the specified dates and workstation/IP in an array
# (the array is accumulated with += so events from every DC are kept, not just the last one)
$slogonevents = @()
foreach ($DC in $DCs) {
    $slogonevents += Get-EventLog -LogName Security -ComputerName $DC.Hostname -After $startDate | Where-Object { $_.EventID -eq 4624 }
}
# Crawl through events; print all logon history with type, date/time, status, account name, computer and IP address based on user logon IP address
foreach ($e in $slogonevents) {
    # Logon Successful Events (replace "IPAddress" with the address you are looking for)
    if (($e.EventID -eq 4624) -and ($e.ReplacementStrings[18] -eq "IPAddress")) {
        Write-Host "Type: Remote Logon`tDate: " $e.TimeGenerated "`tStatus: Success`tUsername: " $e.ReplacementStrings[5] "`tWorkstation: " $e.ReplacementStrings[11] "`tIP Address: " $e.ReplacementStrings[18]
    }
}
Reference : Active Directory: How to Get User Login History using PowerShell - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)
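The script above pulls every Security event from each DC and then relies on positional ReplacementStrings indices, which differ between Windows versions. The added example below (not the answer's code) asks each DC server-side for only the 4624 events in the time window and reads the fields by name from the event XML. DC names and the IP address are placeholders; it assumes the ActiveDirectory module and remote event log access.

```powershell
# Added example: which account(s) logged on from a given source IP, from 4624 events.
# Assumes the ActiveDirectory module and remote Security-log read access on the DCs.
function Get-LogonsByIp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$IpAddress,
        [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName,
        [datetime]$StartTime = (Get-Date).AddDays(-1)
    )
    foreach ($dc in $DomainController) {
        # FilterHashtable is applied by the remote event log service, so only
        # matching 4624 records cross the wire instead of the whole Security log.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4624; StartTime = $StartTime
        } -ErrorAction SilentlyContinue

        foreach ($e in $events) {
            # Read EventData by field name: robust against index changes between OS builds.
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['IpAddress'] -ne $IpAddress) { continue }

            # LogonType: 2 interactive, 3 network, 10 RemoteInteractive (RDP), etc.
            [pscustomobject]@{
                Time        = $e.TimeCreated
                DC          = $dc
                User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType   = $data['LogonType']
                Workstation = $data['WorkstationName']
                IpAddress   = $data['IpAddress']
            }
        }
    }
}

# Usage (placeholder IP):
# Get-LogonsByIp -IpAddress '10.0.0.25' | Sort-Object Time -Descending | Format-Table
```

A 4624 on a domain controller records a logon to that DC (for example a network logon to a share or a service on it), so an interactive logon at a workstation shows up in the workstation's own Security log rather than on the DC. Forwarding workstation logs to a collector, or running the same function against the workstations, closes that gap.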

Azure AD extraction script

The company I work for and I are looking for a script to extract the following information from Azure AD.
Accountname
Username
Description
creation date
last login
Blocked yes or no
Date last password change
Password expiration date
Administrator yes or no
Furthermore:
NTFS groups
Computer SID (OS and version / assigned to which OU / Last time seen online)
And lastly
Password policy
We require our customers to provide this information when they are subject to a financial audit. Currently we have a working extraction script which gives a .csv export which we can import into a QlikView dashboard. With this dashboard we can look for possible security risks. We do not export passwords and do not want passwords of accounts.
I have been looking for such a script for a couple of weeks but can't seem to find one that gives us this result.
I hope someone can help.
This is not a good question, but since I needed almost the same information, I will show you how you can start solving your issue, and for others ending up on this question by searching.
Start by installing this https://www.powershellgallery.com/packages/AzureAD/2.0.2.4 to your powershell
Then you connect to your Azure AD.
$_adroles = @()
$_docpath = $env:userprofile + '\Documents\ADDirRole.csv'
Get-AzureADDirectoryRole | ForEach-Object {
    $_objectid = $_.ObjectId; $rolename = $_.DisplayName
    $_adroles += Get-AzureADDirectoryRoleMember -ObjectId $_objectid | Select-Object `
        @{name='RoleName';expression={$rolename}}, DisplayName, UserPrincipalName, UserType, LastDirSyncTime, DirSyncEnabled, Mail, AccountEnabled
}
$_adroles | Export-Csv $_docpath -NoTypeInformation
For more information see: https://blogs.technet.microsoft.com/chadcox/2017/06/30/powershell-useful-azure-ad-queries-using-the-azuread-module/
And the documentation is here: https://learn.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0#users
