#ldapfilter
Finding all groups without a manager in a specific OU in AD
Last week, I showed you how you can easily find the OU to use when looking for the members of a specific OU. Today, I’d like to show you how I use that information. The background was that we use AD groups to control access to network shares. In order for IT support to know who is authorized to approve requests for access to these shares, we use the Managed By tab, assigning the owner of the…
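The approach the post describes, as an added example (not the post's own code): it assumes the ActiveDirectory module and a placeholder OU distinguished name, and goes one step beyond the post by also reporting groups whose managedBy points to a disabled account, since those have no usable approver either.

```powershell
# Added example, not the original post's code. Assumes the ActiveDirectory
# module is loaded and that $SearchBase is replaced with the real OU.
Import-Module ActiveDirectory
$SearchBase = 'OU=Shares,DC=example,DC=com'   # placeholder OU
$Report     = 'groups-without-manager.csv'

# (!(managedBy=*)) matches groups whose managedBy attribute is not set at all.
$unmanaged = Get-ADGroup -SearchBase $SearchBase -LDAPFilter '(!(managedBy=*))' -Properties managedBy |
    Select-Object Name, DistinguishedName, @{n='Reason'; e={'No managedBy set'}}

# Beyond the post: a manager that is a disabled account (or no longer exists)
# cannot approve access requests, so report those groups as well.
$stale = Get-ADGroup -SearchBase $SearchBase -LDAPFilter '(managedBy=*)' -Properties managedBy |
    ForEach-Object {
        $mgr = Get-ADObject -Identity $_.managedBy -Properties userAccountControl -ErrorAction SilentlyContinue
        if ($null -eq $mgr) {
            $_ | Select-Object Name, DistinguishedName, @{n='Reason'; e={'managedBy target not found'}}
        }
        # userAccountControl bit 0x2 = ACCOUNTDISABLE; only user objects carry it
        elseif ($mgr.objectClass -eq 'user' -and ($mgr.userAccountControl -band 2)) {
            $_ | Select-Object Name, DistinguishedName, @{n='Reason'; e={'Manager account disabled'}}
        }
    }

# @() wrapping keeps the concatenation working when either side is a single object
@($unmanaged) + @($stale) | Sort-Object Name | Export-Csv -Path $Report -NoTypeInformation
```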
Active Directory PowerShell commands cheat sheet
Get the members of a group in descending order, recursively expanding all nested groups
Get-ADGroupMember -Recursive -Identity <groupname> | Select-Object -ExpandProperty SamAccountName | Sort-Object -Descending
Get information about a user from Active Directory and store it in a text file named info.txt
Get-ADUser -Identity <username format for organization> -Properties * > info.txt
Get information about users from Active Directory based on a PowerShell filter
Get-ADUser -Properties * -Filter "(City -eq 'New York')" | Select-Object -Last 10 -Property samAccountName, Modified, Enabled
Get information about users from Active Directory in a specific OU (-SearchBase requires a -Filter; Modified is not returned unless requested)
Get-ADUser -Filter * -SearchBase "OU=abc,DC=test,DC=com" -Properties Modified | Select-Object -Last 10 -Property samAccountName, Modified, Enabled
Get information about a user from Active Directory using LDAP filter syntax
Get-ADUser -LDAPFilter '(&(objectCategory=User)([email protected]))'
Find Unresolvable ForeignSecurityPrincipals in ActiveDirectory
Active Directory is a complex service. It is even more complex when dealing with multiple forests. I have had to manage many multi-forest domains over the years. People are always asking for reports on group membership for audit or access verification. There are some good tools to do that with, but there are issues with many of them when dealing with multi-forest environments. One of these problems is group membership in foreign domains.
When you add an object from a foreign domain into a group, AD creates an object called a ForeignSecurityPrincipal (FSP). The object is basically just a SID that can be used in the local domain, along with some information that helps AD construct properties about the FSP for tools to display. When the object functions correctly, most tools will perform as expected. You can generate your reports or run your scripts without any issues.
These objects help us get the job done, except when they do not. A problem that occurs many times is that you try to query a group with PowerShell or some tool and the tool returns unexpected results. If you dig into it, you will generally find that the tool is looking for a constructed property that cannot be built; AD returns an error, which causes the unexpected results. The properties of the FSPs are pulled from the foreign domain by AD and returned to the tool. If someone deleted the referenced object, the query is null and thus the property cannot be returned, leading to our error condition.
If you come across a multi-forest domain, you will frequently learn something you didn't know. One of these things is that FSPs with constructed properties will crash tools and scripts that always worked for you in the past. There is hope though. This simple script can ferret out those pesky and undesired orphaned objects. You can send the results to a script to delete them, or you can simply pipe the output out for review. I will say that I prefer group membership to be clean, and this script has helped me keep it that way.
<#
Get-DeletedFsps.ps1 -Domains @("prod.contoso.com", "nonprod.contoso.com")

Results:
CN=S-1-5-21-0000000000-0000000000-000000000-20229,CN=ForeignSecurityPrincipals,DC=prod,DC=contoso,DC=com
CN=S-1-5-21-0000000000-0000000000-000000000-87540,CN=ForeignSecurityPrincipals,DC=prod,DC=contoso,DC=com
CN=S-1-5-21-0000000000-0000000000-000000000-21712,CN=ForeignSecurityPrincipals,DC=nonprod,DC=contoso,DC=com
CN=S-1-5-21-0000000000-0000000000-000000000-87541,CN=ForeignSecurityPrincipals,DC=nonprod,DC=contoso,DC=com
#>
Param(
    [Parameter(Position=0, Mandatory=$true)]
    [Array]$Domains = @()
)

# Result set creation
$Unmapped = @()

# Cycle through domains
ForEach ($Domain In $Domains) {
    # Build the path to the FSP container, e.g. CN=ForeignSecurityPrincipals,DC=prod,DC=contoso,DC=com
    $Dn = "CN=ForeignSecurityPrincipals"
    ForEach ($DomainPart In $Domain.Split('.')) {
        $Dn += ",DC=$DomainPart"
    }

    # Obtain the list of FSPs
    $ForSecPri = Get-ADObject -SearchBase $Dn -Server $Domain -LDAPFilter "(objectClass=foreignSecurityPrincipal)"

    # Resolve each FSP's SID; if it cannot be mapped to an account, add it to the result set
    ForEach ($Object In $ForSecPri) {
        Try {
            # The FSP's Name is its SID string; Translate() throws when no account maps to it
            (New-Object System.Security.Principal.SecurityIdentifier($Object.Name)).Translate([System.Security.Principal.NTAccount]) | Out-Null
        }
        Catch [System.Security.Principal.IdentityNotMappedException] {
            $Unmapped += $Object.DistinguishedName
        }
    }
}

# Return the results for post processing
Return $Unmapped
PowerShell: Find all enabled user accounts
Some time ago, I was asked to provide a list of all enabled user accounts in Active Directory. My thoughts immediately went to PowerShell, assuming that there would be tools available to achieve that task. I knew that the Get-ADUser query, combined with a parameter, would likely be the ticket.
Using the -LDAPFilter parameter to only return results that had a userAccountControl value of 512, I…
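An added example (not the post's own code) that shows the caveat a practitioner would want when auditing enabled accounts: matching userAccountControl against the exact value 512 only finds accounts with no other flag set, while the LDAP bitwise matching rule tests the ACCOUNTDISABLE bit directly. It assumes the ActiveDirectory module and read access to the domain.

```powershell
# Added example, not the original post's code. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Bit 0x2 of userAccountControl is ACCOUNTDISABLE. The matching rule
# 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) tests that bit on its own,
# so accounts with extra flags (e.g. DONT_EXPIRE_PASSWORD = 0x10000, giving 66048)
# are still returned. (userAccountControl=512) only matches accounts that carry
# NORMAL_ACCOUNT and nothing else.
$enabledFilter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

$enabled = Get-ADUser -LDAPFilter $enabledFilter -Properties userAccountControl, PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, userAccountControl, PasswordNeverExpires

# The exact-value approach, for comparison
$exact512 = Get-ADUser -LDAPFilter '(userAccountControl=512)'

# Enabled accounts that the exact match would have left out of the audit
$missed = $enabled | Where-Object { $_.SamAccountName -notin $exact512.SamAccountName }

"Enabled accounts (bitwise):  $($enabled.Count)"
"Enabled accounts (UAC=512):  $($exact512.Count)"
"Missed by exact match:       $($missed.Count)"
$missed | Sort-Object SamAccountName | Format-Table -AutoSize
```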
Powershell: Exporting Active Directory Contacts
Some time ago, I needed to have a list of all Contacts registered in Active Directory. Knowing that there are a lot of them (numbering at least eighty), getting the data manually was not a viable alternative, particularly knowing that the same objective can be achieved through Powershell. I eventually came up with a solution. To make following it logically easier, I’m going to include commentary…