I have a Powershell script that will import a csv file containing a list of computers and their respective owners, and then perform some queries on each. I am looking for a reliable way of maintaining this list so it's up-to-date and can be exported for Powershell consumption.
One idea is that all of our computers in AD have their own respective OUs, and I am looking to use a field (Department if there is one) that will then be populated with the IT Owner. For example, in the Computers OU, there will be child OUs: "Finance Servers"; "Marketing Servers", etc. We can't use Description as this is already used.
Any ideas as I can't see additional fields or custom fields to play around with for each computer object?
Thanks
My recommendation would be to use the "ManagedBy" Property, however if you prefer to look over the options for yourself you can always open up powershell and run
get-adcomputer -identity "SomeServerName" -properties *
that will show you all properties that are available on that object.
I have a piece of software that imports groups from certain OUs within AD. I have an OU that has four nested OUs within it and I only want to import from three of these. How do I exclude the one OU from importing?
There is the option within the software to use what's called a filter string, which I have been using to manually type in the filter to exclude this one OU from importing. The filter clearly isn't correct as the job imports from all of the OUs.
I want to exclude the UAT OU from importing so I tried the following filter:
(&(objectClass=Group)(!(ou:cn:=*_UAT)))
All groups within the UAT OU end in _UAT, which is why I tried the above filter. The job successfully ran but imported from all four OUs.
I want the import to only import AD groups from three of the four OUs I have nested within the Application OU.
There is no way to do this just in the query. There is no attribute called ou, which is why the filter you tried didn't work.
Starting in Windows Server 2012, there is an attribute called msDS-parentdistname, which has the distinguishedName of the OU, but it is a constructed attribute, meaning it's not actually stored; it's constructed at the time it is requested. That means you can't use it in a query.
There are two ways you can do this:
Change the search scope to "single level" so it does not search any nested OUs. You would have to search each of the three OUs separately this way.
Get all the results, and remove the unwanted results after the search. Check if the distinguishedName contains the name of the unwanted OU and, if so, discard it.
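The second option from the answer above (search everything, then discard results that live under the unwanted OU) worked through in Python as an added example that is not part of the original answer; the DNs, the Application and UAT OU names and the function names are constructed assumptions.

```python
# Added example (not from the answer above): post-filter search results by the
# OU they sit in, since "ou" is not an attribute and msDS-parentdistname is not
# searchable. The group DNs below are constructed sample data.

def parse_dn(dn):
    """Split a DN into lower-cased (type, value) RDN pairs, honouring backslash escapes."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep "\," and friends inside the value
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        typ, _, val = rdn.partition("=")
        pairs.append((typ.strip().lower(), val.strip().lower()))
    return pairs

def is_under(dn, container_dn):
    """True when dn lies anywhere below container_dn (any depth of nesting)."""
    parts, cont = parse_dn(dn), parse_dn(container_dn)
    return len(parts) > len(cont) and parts[-len(cont):] == cont

def exclude_ou(result_dns, unwanted_ou_dn):
    """Drop every result that lives inside unwanted_ou_dn; keep the rest."""
    return [dn for dn in result_dns if not is_under(dn, unwanted_ou_dn)]

# Constructed results of a subtree search under OU=Application.
SAMPLE_GROUPS = [
    "CN=Payroll,OU=Prod,OU=Application,DC=example,DC=com",
    "CN=Payroll_UAT,OU=UAT,OU=Application,DC=example,DC=com",
    "CN=Smith\\, Jane Team,OU=Dev,OU=Application,DC=example,DC=com",
    "CN=UAT Readers,OU=Prod,OU=Application,DC=example,DC=com",  # name says UAT, OU does not
]
UAT_OU = "OU=UAT,OU=Application,DC=example,DC=com"

if __name__ == "__main__":
    for dn in exclude_ou(SAMPLE_GROUPS, UAT_OU):
        print(dn)
```

Matching on the full OU DN rather than on the group name is what keeps "UAT Readers" in the result while dropping "Payroll_UAT".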
I am in an organization with an Active Directory with a very deep nested group structure. I would like to query the directory to recursively find user members of a group from a Linux machine. On a Windows machine,
dsget group "dn_of_group" -members -expand
does exactly what I want and does it very quickly. When I tried to get the same results via LDAP with
(memberOf:1.2.840.113556.1.4.1941:=dn_of_group)
the query takes almost a minute to run. Does dsget use LDAP under the hood or does it use some other means to query the directory? And if so, is there any way for me to also use that?
Edit:
Clarified that I need the members which are users.
The .NET Framework 3.5 System.DirectoryServices.AccountManagement namespace provides a method that searches all groups recursively and returns the groups in which the user is a member. The returned set may also include additional groups that the system would consider the user a member of for authorization purposes.
UserPrincipal.GetAuthorizationGroups()
The groups that are returned by this method may include groups from a different scope and store than the principal. For example, if the principal is an AD DS object that has a DN of "CN=SpecialGroups,DC=Fabrikam,DC=com", the returned set can contain groups that belong to the "CN=NormalGroups,DC=Fabrikam,DC=com".
In the other direction you've got:
GroupPrincipal.GetMembers(bool recursive)
See Remarks
Pardon my ignorance, I do not know much about AD (let alone querying AD or googling for that). I would like to get a list of all the users in a particular domain, their first name, last name and email ids. Would a network admin (or help desk in my case) be able to do that? My other option: I have the usernames in an Excel sheet, full name in another text file (amongst other data - say XXXyy, FirstName LastName - I would have to split, parse it to extract the name) and email in another file, and none of them are in order. There might be some missing data too :(
What would be the best way to go about it with Querying AD ?
Edit: Maybe I should be more specific. If I was seeing what my network admin would be doing to get me this info, what would he be doing?
Active Directory exposes a query interface via OLE DB and ADO. The provider is "ADsDSOObject", and the query syntax goes like this:
<LDAP://mydomain.com>;(objectClass=user);givenname,sn
Perversely, the URL schema name LDAP must be capitalized.
Excel does not have a built-in ADO client, unless you code in VBA.
UPDATE: wrote a simple JavaScript query script for you:
var conn = new ActiveXObject("ADODB.Connection");   // ADO connection
conn.Open("Provider=ADsDSOObject");                  // ADSI OLE DB provider for Active Directory
var rs = conn.Execute("<LDAP://your-domain.com>;(objectClass=user);sn,givenname"); // put your domain name here
// Note: objectClass=user also matches computer accounts; add (objectCategory=person) to restrict to people.
if(!rs.EOF)
{
    rs.MoveFirst();
    while(!rs.EOF)
    {
        // WScript.Echo appends its own line break, so no "\n" is needed
        WScript.Echo(rs.Fields.Item("givenname").Value + "," + rs.Fields.Item("sn").Value);
        rs.MoveNext();
    }
}
rs.Close();
conn.Close();
It queries the first and last name of all users in your domain. Place your domain name in the third line. Then save it as a .js file, and execute thusly:
cscript adquery.js >a.txt
And you'll end up with a text file called a.txt, with the names of your users, comma-separated. Import it into Excel or something.
In Excel, if you are willing to mess with macros, you can write a VBA function against ADO that performs the same query. Or use .NET's DirectorySearcher, recent versions of Excel let you consume .NET objects.
If you're using the .NET platform, I would suggest looking into the System.DirectoryServices namespace, which "provides easy access to Active Directory Domain Services from managed code."
MSDN also provides code samples for performing common tasks using System.DirectoryServices, available in both VB and C#. If you're familiar with one of these languages, you should hopefully be able to glean what you need (at least to get started, and then perhaps be able to ask other, more specific questions here on SO) from these examples.
Hope this helps!
I have been tasked with coming up with a solution where I am not sure if there is a solid answer:
How can I match username records from an application's database to users in our Active Directory?
I have two applications this needs to be done for - for the 1st application I only have firstname and lastname information. For the second application I have the application's username, which is similar to Active Directory's but not a definite match. I also have firstname lastname info.
Now, simply put I can just write a script that matches all the records in ActiveD that match the firstname lastname in the application DB, but that is fraught with errors.
Having no unique identifier to begin with might make this an impossible task, but before I start to task someone else with manually comparing the data after running the script, I thought I would ask the delightful StackOverflow crew to chew on it. There are always methods I don't think of, after all.
So any brilliant ideas out there to accomplish this task?
Thanks guys
Once you get them matched up automatically and the exceptions by hand, make a custom attribute in Active Directory where you can store the information to keep them matched up in the future.
You could store the Active Directory object GUID against the database record.
Well, the one thing that will be indeed unique in AD is the sAMAccountName for each user. If you find a way to associate your users in your two databases with a SAM Account Name, you should have no big trouble anymore to do an automatic sync check with AD.
That property is already available in AD, you don't need to add any additional artificial IDs, and it's much easier to read than a GUID.
Marc
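The approach the three answers above add up to (match automatically on first/last name, hand the exceptions to a person, then store the objectGUID or sAMAccountName of each confirmed match) as an added Python example that is not from any of the posters; all records, the placeholder GUIDs and the function names are constructed assumptions.

```python
# Added example (not from any answer above): match application records that only
# carry first/last name to AD users on a normalised name key, flag ambiguous and
# unmatched rows for manual review, and keep the objectGUID of each clean match.
import re
import unicodedata

def name_key(first, last):
    """Normalise a name: strip accents, case, punctuation and whitespace."""
    def norm(s):
        s = unicodedata.normalize("NFKD", s)                      # é -> e + combining accent
        s = "".join(c for c in s if not unicodedata.combining(c))
        return re.sub(r"[^a-z]", "", s.lower())                   # drop ' - . and spaces
    return norm(first) + "|" + norm(last)

def match_records(app_rows, ad_users):
    """Return (matched, ambiguous, unmatched):
    matched   {app_id: objectGUID}           exactly one AD hit -> store the GUID
    ambiguous {app_id: [sAMAccountName, ..]} several hits       -> resolve by hand
    unmatched [app_id]                       no hit             -> resolve by hand
    """
    index = {}
    for u in ad_users:
        index.setdefault(name_key(u["givenName"], u["sn"]), []).append(u)
    matched, ambiguous, unmatched = {}, {}, []
    for row in app_rows:
        hits = index.get(name_key(row["first"], row["last"]), [])
        if len(hits) == 1:
            matched[row["id"]] = hits[0]["objectGUID"]
        elif hits:
            ambiguous[row["id"]] = [u["sAMAccountName"] for u in hits]
        else:
            unmatched.append(row["id"])
    return matched, ambiguous, unmatched

# Constructed sample data; the objectGUID values are placeholders, not real GUIDs.
AD_USERS = [
    {"givenName": "José", "sn": "Núñez", "sAMAccountName": "jnunez", "objectGUID": "guid-1"},
    {"givenName": "Jane", "sn": "Smith", "sAMAccountName": "jsmith", "objectGUID": "guid-2"},
    {"givenName": "Jane", "sn": "Smith", "sAMAccountName": "jsmith2", "objectGUID": "guid-3"},
    {"givenName": "Mary", "sn": "O'Brien", "sAMAccountName": "mobrien", "objectGUID": "guid-4"},
]
APP_ROWS = [
    {"id": 1, "first": "jose", "last": "NUNEZ"},
    {"id": 2, "first": "Jane", "last": "Smith"},
    {"id": 3, "first": "Mary", "last": "OBrien"},
    {"id": 4, "first": "Bob", "last": "Nobody"},
]

if __name__ == "__main__":
    print(match_records(APP_ROWS, AD_USERS))
```

Only the single-hit rows get a GUID written back; the ambiguous and unmatched lists are the manual-review queue the first answer describes.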
I need to query Active Directory for a list of users whose password is about to expire. The obvious (and easy) way to do this is with:
dsquery user -stalepwd n
The problem is that I need to add additional filters to only look for users who are in certain security groups. This is hard to do with the "dsquery user" syntax that has the built-in -stalepwd option, so I've been using the "dsquery * -filter" option which allows you to use LDAP query syntax. Unfortunately, while it's relatively easy to apply the other filters with an LDAP query, I'm having trouble filtering users who have a password age greater than n.
Does anyone know the syntax (or if it is even possible) to filter for old passwords using the "dsquery * -filter" method instead of the "dsquery user -stalepwd" method?
You can write an LDAP Query that compares "stale" passwords by comparing the pwdLastSet attribute on the user object:
(&(objectClass=person)(objectClass=User)(pwdLastSet<=n))
Active Directory uses a very specific format for this time stamp. I believe it is a file-time, but I would double check on the web.
There are better tools than dsquery to use.
FindExpAcc from joeware will do the same as stalepwd and allow a filter through its -f switch.
The filter would then look like:
(&(objectCategory=user)(memberof=CN=User Group,OU=Test,DC=foo,dc=com))
Also check out adfind and admod tools from joeware which are more powerful than the command line query tools from Microsoft, but can be a little harder to learn.
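The pwdLastSet comparison from the first answer, worked through in Python as an added example that is not part of either answer: it computes the FILETIME cutoff for "dsquery * -filter" (pwdLastSet is a Windows FILETIME, 100-nanosecond ticks since 1601-01-01 UTC), adds the memberOf restriction from the second answer's filter, and excludes pwdLastSet=0, which means "must change at next logon" and would otherwise match every cutoff. The group DN is a constructed sample and the function names are my own.

```python
# Added example (not from the answers above): build the "dsquery * -filter" style
# LDAP filter for passwords older than n days within one group.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    """Aware datetime -> FILETIME integer (100-nanosecond ticks since 1601-01-01 UTC)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def from_filetime(ticks):
    """FILETIME integer -> aware UTC datetime (for reading pwdLastSet back out of results)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def escape_filter_value(value):
    """Escape the RFC 4515 special characters in an LDAP filter assertion value."""
    for ch, rep in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        value = value.replace(ch, rep)
    return value

def stale_password_filter(days, group_dn, now=None, nested=False):
    """Users in group_dn whose password was last set more than `days` ago.
    nested=True switches to the in-chain matching rule quoted in the dsget question
    above, so membership through nested groups counts too (slower on big directories).
    pwdLastSet=0 ("must change at next logon") is excluded explicitly.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = to_filetime(now - timedelta(days=days))
    attr = "memberOf:1.2.840.113556.1.4.1941:" if nested else "memberOf"
    return ("(&(objectCategory=person)(objectClass=user)"
            f"({attr}={escape_filter_value(group_dn)})"
            f"(pwdLastSet<={cutoff})(!(pwdLastSet=0)))")

if __name__ == "__main__":
    # Constructed group DN; pass the result to: dsquery * -filter "<filter>" -attr sAMAccountName pwdLastSet
    print(stale_password_filter(90, "CN=User Group,OU=Test,DC=foo,DC=com"))
```

The plain memberOf form only sees direct members, which is why the nested option exists; escaping the DN matters the moment a group name contains parentheses or an asterisk.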