How to change multiple users UPN suffix? - active-directory

I'm preparing for a move to office365 and since we have the mydomain.local domain I need to add an alternative UPN (same as my SMTP namespace) so mydomain.com. I added the alternate UPN to my domain and now I want to change multiple users UPN at once.
I select multiple users > right click > properties > account > UPN suffix and select the UPN from the drop-down. When that's done I click OK or Apply and I get following error for all selected user:
The specified directory service attribute or value does not exist.
When I change it from one user it works without a problem.
My question now is, can someone help me solve tell me why this error is showing or what way I can achieve this.
Thanks

You can try http://admodify.codeplex.com/.
There is an article showing an example of its uage here: http://blogs.technet.com/exchange/archive/2004/08/04/208045.aspx

Use the following powershell scripts. Change "contoso.local" to your actual domain name.
$localUsers = Get-ADUser -Filter {UserPrincipalName -like "contoso.local"} -Properties UserPrincipalName -ResultSetSize $null
$localUsers | foreach { $newUpn = $_.UserPrincipalName.Replace("contoso.local", "yourdomain.com"; $_ | Set-ADUser -UserPrincipalName $newUpn}

It is best to use a script to change bulk users rather than using the method you mentioned.
You can use either a PowerShell script (recommended) or a VBScript for this.
PowerShell script (using a CSV file):
http://gallery.technet.microsoft.com/Change-UPN-592177ea
PowerShell script (for all users in an OU searchbase):
http://community.spiceworks.com/scripts/show/1457-mass-change-upn-suffix
VBScript:
http://blogs.technet.com/b/heyscriptingguy/archive/2004/12/06/how-can-i-assign-a-new-upn-to-all-my-users.aspx?Redirected=true

Related

Powershell Get-ADUser sam -pr Mail, OtherMailbox, Manager. How to get Manager email if in OtherMailbox attribute?

I have an odd scenario. We had to move certain user mail attributes to otherMailbox to avoid AAD sync guest account create errors coming from affiliate. Now I have to do something like this to make sure an email is picked if mail is empty in AD. The below works fine.
Get-ADUser SamAccountName -pr mail, othermailbox | select #{N='Mail';E={if (!($_.mail)) {$_.otherMailbox}else{$_.mail}}}
Now the hard part. How would I get a user's manager's email in this case, if their mail was moved to OtherMailbox? Doing something like these next 2 lines, I can get one or the other. But how to do the IF ELSE like above in these cases?
(Get-ADUser $_.manager -Properties mail, othermailbox).otherMailbox
(Get-ADUser $_.manager -Properties mail, othermailbox).mail
It doesn't seem possible to do something like this without a foreach loop where a variable can be checked for which attribute exists or not? I'm ok with re-writing this to take care of. Just wondering if there's some other method I might be missing? Thx
Working now (foreach removed to shorten code example). Don't use select after $AD or $MGR Get-ADUser array or things get messy. Expression logic only works on BaseType Microsoft.ActiveDirectory.Management.ADAccount for $AD and $MGR variable types.
$AD = Get-ADUser $User.SamAccountName -Properties Company,employeeId,givenname,initials,sn,Mail,OtherMailbox,SamAccountName,Department,Title,telephoneNumber,mobile,Manager
$MGR = Get-ADUser $AD.Manager -Properties Mail, OtherMailbox
$AD | select #{Name="Org ID"; Expression={$OrgID}},
#{Name="Employee ID"; Expression={$AD.employeeId}},
#{Name="FirstName"; Expression={$AD.givenname}},
#{Name="MiddleName"; Expression={$AD.initials}},
#{Name="LastName"; Expression={$AD.sn}},
#{N='Email';E={if (!($AD.mail)) {$AD.otherMailbox}else{$AD.mail}}},
#{Name="Username"; Expression={$AD.samaccountname}},
#{Name="Manager Email Address"; Expression={if (!($MGR.mail)) {$MGR.otherMailbox}else{$MGR.mail}}} |
export-csv Path -NoTypeInformation -Append

Azure Policy ARM template - wildcard in resource name

I'm building a policy assignment that needs to exclude specific resource group according to their name. Resource groups starting with "Atlanta" should be excluded.
An array would not suffice. Is creating a parameter or variable with wildcard "Atlanta*" possible or how do I achieve this?
I don't know of a way to do this in the portal. I think your best option though not ideal is to use PowerShell/CLI to programmatically assign this policy to the RG's you wish. The logic inside your PowerShell/CLI can exclude the "Atlanta" RG's.
# Get a reference to the resource group that is the scope of the assignment
$rg = Get-AzResourceGroup -Name '<resourceGroupName>'
# Get a reference to the built-in policy definition to assign
$definition = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq 'Audit VMs that do not use managed disks' }
# Create the policy assignment with the built-in definition against your resource group
New-AzPolicyAssignment -Name 'audit-vm-manageddisks' -DisplayName 'Audit VMs without managed disks Assignment' -Scope $rg.ResourceId -PolicyDefinition $definition
https://learn.microsoft.com/en-us/azure/governance/policy/assign-policy-powershell

Powershell: Comparing a value between two arrays, and extracting a related value

so here is what I'm trying to accomplish.
I have a form for a new starter, New Starter Form.csv, that has the following headers and information:
firstname,lastname,teamname,startdate
Joe,Bloggs,Security Admin,01/01/18
I have a different csv called Team List.csv, that has the following headers and information:
teamlead,teamname,resgroup
A B,Marketing,RESMARKETING01G
C D,Product,RESPRODUCT01G
E F,Advertising,RESADVERTISING01G
G H,Security Admin,RESSECURITYADMIN01G
I want to import both CSV files into Powershell, run a comparisson that takes the team name from the New Starter Form, and checks if there are any matches in the Team List, and if so, add the relevant RES group to the new starter in AD.
Currently, I can import them, compare them, find a match, and find an index number for the record, but I'm struggling to the take this index number, and use it to get the relevant RES group. So far the code looks like this:
$teamlist = import-csv "\\location\Team List.csv"
$newstarter = import-csv "\\otherlocation\New Starter Form.csv"
[string]$teamname = Compare-Object -includeequal -excludedifferent -PassThru $newstarter.teamname $teamlist.teamname
$teamname
[array]::indexof($teamlist,$teamname)
And running that, provides us with this in the console, showing that we can indeed see the match, and that the matching record is the last (-1) one:
PS C:\WINDOWS\system32> $teamlist = import-csv "\\location\Team List.csv"
$newstarter = import-csv "\\otherlocation\New Starter Form.csv"
[string]$teamname = Compare-Object -includeequal -excludedifferent -PassThru $newstarter.teamname $teamlist.teamname
$teamname
[array]::indexof($teamlist,$teamname)
Security Administration
-1
I've not got a lot of experience with Powershell, and my coding knowledge is pretty limited overall, but I'm used to the concept that I can save the index value as a variable, and then I could call that variable back to do something like $teamlist.resgroup[VARIABLE HERE].
But if I try and declare a new variable before [array]::indexof($teamlist,$teamname), Powershell isn't happy.
Whilst I've not looked into it, I believe a possible alternative could be to add in a huge switch statement, but I may be looking at having 100+ teams overall, and I'd like to avoid inefficient code wherever I can. Am I missing something obvious though? Is there a better way (Or even just a functioning way would be great!) that this could work?
Any help you can provide would be greatly appreciated!
$teamlist = import-csv "\\location\Team List.csv"
$newstarter = import-csv "\\otherlocation\New Starter Form.csv"
# get a single new starter
$person = $newstarter | Where-Object { $_.firstname -eq 'Joe' -and $_.lastname -eq 'Bloggs' }
# get the new starters team
$team = $teamlist | Where-Object { $_.teamname -eq $person.teamname }
# get the new starters resource group
$resgroup = $team.resgroup
# use the resource group - this simply writes it to the console
Write-Host $resgroup
The code above will:
import your two csvs
grab a single new starter from your new starter csv, based on first &
last name
grab the team & resource group for that new starter from the team list
display the resgroup (this is where you will need to use to populate AD)

Office 365 Powershell - WinForm get-msoldomain as string

I'm playing with WinForms and powershell and am creating a form to create a new user on Office 365 as part of a suite of commonly used tools. For specifying email address I will have a text box for the alias then a dropdown box with available domains.
I'm pulling a list of domains using Get-MSOLDomain
This is my combobox form part.
$form1.Controls.Add($comboBox1)
$cbentries = Get-MsolDomain | select name
foreach ($en in $cbentries) { $comboBox1.Items.Add($en) }
The problem I'm having is that the output of the domains displays as #{Name=domain.com}
How can I get this to only display the domain name not the #{Name= part?
Thanks
You need to pass names only, expand the Name attribute:
$cbentries = Get-MsolDomain | select -expand name
You can also use the foreach-object cmdlet:
$cbentries = Get-MsolDomain | foreach {$_.name}

Get NT style domain\user given DN

I have the DN of a user in Active Directory, I want to get the "NT style" domain\user from this. The sAMAccountname AD property gives me the user part, but what about the domain?
Thanks
You can get it by taking the last part of the user DN (DC=domain,DC=local) and adding CN=Partitions,CN=Configuration, before.
Then do a subtree search for (&(nCName="DC=domain,DC=local")(nETBIOSName=*)) with CN=Partitions, CN=Configuration, DC=domain, DC=local as the starting point; the entry you get back will have the NETBIOS name of the domain in the nETBIOSName-attribute.
How about using --> System.Security.Principal.NTAccount.ToString()
See msdn info about it here: NTAccount.ToString()
This should return a string in the format of domain\user... is this what you are after?
The easiest way to do this conversion is through the DsCrackNames API. You specify the input format and output format and it does the conversion for you.
Here is the PowerShell code:
$hash = #{} //this contains the map of CN and nCNAME
$Filter = '(nETBIOSName=*)'
$RootOU = "CN=Partitions,CN=Configuration,DC=DOMAIN,DC=LOCAL" //Change this to your org's domain
$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.SearchScope = "subtree"
$Searcher.Filter = $Filter
$Searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($RootOU)")
$Searcher.FindAll()|sort | foreach { $hash[($_.Properties.ncname).Trim()] = ($_.Properties.cn).Trim() }
$hash.GetEnumerator() | sort -Property Value
If the user details are available in $userDetails, then the you can get the correct domain with this:
$hash[[regex]::Match($userDetails.DistinguishedName, 'DC=.*').Value]
and the final username would look like this:
$hash[[regex]::Match($userDetails.DistinguishedName, 'DC=.*').Value] + "\" + $userDetails.SamAccountName

Resources