PowerShell: List everything in an OU in one line


To list all users in an OU, use the Get-ADUser cmdlet, as in the example below. (Replace the OU path, which is in LDAP format, with your own, and run "Import-Module ActiveDirectory" before you run it.)

Get-ADUser -Filter * -SearchBase "cn=Users,dc=company,dc=com" -Properties title, department | Select-Object name, title, department

Now what if you want everything (users, groups, contacts, etc.) from an OU? To get everything from an OU, use the Get-ADObject cmdlet. See the example below.

Get-ADObject -Filter * -SearchBase "cn=Users,dc=company,dc=com" -Properties description | Select-Object name, objectclass, description

Enjoy!!!

PowerShell: How to return multiple values from a Function?


If you would like to return multiple values from a function, simply populate a hashtable variable in the function and return that variable. See my example below. Feel free to use my example function, and enjoy.

 

Function Get-UserInfo($username)
{
    # Create a hashtable variable
    [hashtable]$Return = @{}

    Import-Module ActiveDirectory

    $ADUser = Get-ADUser -Identity $username -Properties Department, employeeNumber, l, Manager

    # Assign all return values to the hashtable
    $Return.Name = $ADUser.Name
    $Return.EmployeeNo = $ADUser.employeeNumber
    $Return.Location = $ADUser.l
    $Return.Department = $ADUser.Department
    # Manager holds a distinguished name; resolve it only when it is set
    if ($ADUser.Manager) { $Return.Manager = (Get-ADUser -Identity $ADUser.Manager).Name }

    # Return the hashtable
    Return $Return
}

# Example usage of the Get-UserInfo function
# to show how to return multiple values

$User = Get-UserInfo "JohnDoe"

"Name: " + $User.Name
"Manager: " + $User.Manager
"Location: " + $User.Location
"Department: " + $User.Department
"Employee Number: " + $User.EmployeeNo

PowerShell: Search User Accounts in Active Directory


The Active Directory module has many cmdlets for many AD-related tasks, BUT we don’t have a simple search cmdlet.

I had a requirement to check a list of users in AD to see if they exist or not. Get-ADUser doesn’t cut it for my requirement. If a user doesn’t exist, Get-ADUser errors out. So I wrote my own function. It can be used in a script, or you can pipe the user names (SAM Account Name) to it. This function searches Active Directory and returns the AD User object if it exists. Otherwise it returns a null value.

Download the script here: http://1drv.ms/1fSd9PH

Feel free to use it for your purposes.

# Function: Search-User
# Parameter: user's SAM Account Name
#
# Description: Search Active Directory with given
# SAM Account Name. Return the AD User object if
# user exists, or return null value
#
# Written by: Anand Venkatachalapathy
#
Function Search-User
{
    param([Parameter(ValueFromPipeline)] $User)

    BEGIN { Import-Module ActiveDirectory }

    PROCESS
    {
        # Look the account up with an LDAP filter instead of -Identity,
        # so a missing user yields no object rather than an error
        $filter = "(&(ObjectClass=User)(sAMAccountName=$User))"
        $userobject = Get-ADObject -LDAPFilter $filter

        if ($userobject -eq $null)
        {
            return $null
        }

        return (Get-ADUser $userobject)
    }
}

To use this function, call the function with a user’s SAM Account Name. E.g.,

$user = "JDoe"
$userobject = Search-User $user
If ($userobject -eq $null)
{ "$user doesn't exist in Active Directory" }
else
{ $userobject }
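
Search-User places the caller's text directly into the LDAP filter, so a name containing *, (, ) or \ changes what the filter matches. The following is an added example, not part of the original script: it escapes the value per RFC 4515 before building the filter and treats anything other than exactly one match as "not found". The names ConvertTo-LdapFilterValue and Search-UserSafe are hypothetical.

```powershell
# Added example: escape user-supplied text before it goes into an LDAP filter.
# ConvertTo-LdapFilterValue and Search-UserSafe are hypothetical names.

Function ConvertTo-LdapFilterValue
{
    param([Parameter(Mandatory)] [string] $Value)

    # RFC 4515: backslash, asterisk, parentheses and NUL are written as \XX (hex).
    # The backslash is replaced first so the escapes added afterwards stay intact.
    return $Value.Replace('\', '\5c').
                  Replace('*', '\2a').
                  Replace('(', '\28').
                  Replace(')', '\29').
                  Replace([string][char]0, '\00')
}

Function Search-UserSafe
{
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $User)

    BEGIN { Import-Module ActiveDirectory }

    PROCESS
    {
        $safe   = ConvertTo-LdapFilterValue $User
        $filter = "(sAMAccountName=$safe)"

        # Get-ADUser already limits the search to user objects
        $found = @(Get-ADUser -LDAPFilter $filter)

        # sAMAccountName is unique within a domain, so a single literal name
        # can only match one account; anything else is reported as "not found"
        if ($found.Count -ne 1) { return $null }
        return $found[0]
    }
}

# Constructed sample input: one ordinary name and one containing a wildcard character
"JDoe", "J*Doe" | ForEach-Object {
    $result = Search-UserSafe $_
    if ($null -eq $result) { "$_ doesn't exist in Active Directory" } else { $result }
}
```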

Active Directory: Bulk User Password Reset by PowerShell


If you need to reset the password for a large number of user accounts, the following PowerShell scripts are for you.

The first script requires a file with usernames listed one per line. Check the UserList.txt file location in the script, and set your own password in the ConvertTo-SecureString cmdlet. Then you are good to go.

#
# Script: ResetPwd.ps1
# Description: Reset the password for bulk number of users, and
# set the property to change password required at next logon
#
# Written by: Anand Venkatachalapathy
#

Import-Module ActiveDirectory

# Set the default password
$password = ConvertTo-SecureString -AsPlainText "AwesomeP@ssw0rd" -Force

# Get the list of accounts from the file
# List the user names one per line
$users = Get-Content -Path c:\MyScripts\UserList.txt

ForEach ($user in $users)
{
    # Set the default password for the current account
    Get-ADUser $user | Set-ADAccountPassword -NewPassword $password -Reset

    # If you need to set the property "Change password at next logon",
    # leave the next line alone. If not, comment out the next line
    Get-ADUser $user | Set-AdUser -ChangePasswordAtLogon $true

    Write-Host "Password has been reset for the user: $user"
}

# ------------- End -----------

The second script does bulk password changes for similarly named user accounts, e.g., TestUser001 to TestUser100. Set your own password and change the user account name in the filter.

#
# Script: ResetPwd.ps1
# Description: Reset the password for bulk number of users, and 
# set the property to change password required at next logon
#
# Written by: Anand Venkatachalapathy
#

Import-Module ActiveDirectory

# Set the default password
$password = ConvertTo-SecureString -AsPlainText "AwesomeP@ssw0rd" -Force

# Set the default password for all users named TestUserXX
# e.g., TestUser001 to TestUser100
Get-ADUser -Filter { SAMAccountName -like "*TestUser*"} `
| Set-ADAccountPassword -NewPassword $password -Reset
    
# If you need to set the property "Change password at next logon",
# leave the next line alone. If not, comment out the next line
Get-ADUser -Filter { SAMAccountName -like "*TestUser*"} `
| Set-AdUser -ChangePasswordAtLogon $true
    

# ------------- End -----------
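
Both scripts above give every account the same password, and that password sits in the script file in plain text. The following is an added example, not the author's script: it generates a different random password for each account listed in UserList.txt and returns the pairs as objects. The function name New-RandomPassword, the character pools and the 16-character length are assumptions.

```powershell
# Added example: a different random password per account instead of one shared value.
Import-Module ActiveDirectory

Function New-RandomPassword
{
    param([int] $Length = 16)   # assumed length

    # Assumed character pools, one per class, so complexity rules are met
    $pools = 'abcdefghijkmnpqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!#%+-=?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 4
    # Random index below $max from the OS CSPRNG (modulo bias is negligible at these sizes)
    $next  = { param([int] $max) $rng.GetBytes($buf); [int]([BitConverter]::ToUInt32($buf, 0) % $max) }

    # One character from each class, the rest from the combined set
    $chars = New-Object System.Collections.Generic.List[char]
    foreach ($p in $pools) { $chars.Add($p[(& $next $p.Length)]) }
    $all = -join $pools
    while ($chars.Count -lt $Length) { $chars.Add($all[(& $next $all.Length)]) }

    # Fisher-Yates shuffle so the class-guaranteed characters are not always first
    for ($i = $chars.Count - 1; $i -gt 0; $i--)
    {
        $j = & $next ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    $rng.Dispose()
    return -join $chars.ToArray()
}

# Same input file as the first script, skipping blank lines
$users = Get-Content -Path c:\MyScripts\UserList.txt | Where-Object { $_.Trim() }

$results = ForEach ($user in $users)
{
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -AsPlainText $plain -Force
    try
    {
        Set-ADAccountPassword -Identity $user -NewPassword $secure -Reset -ErrorAction Stop
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
        # Emit the pair only when both steps succeeded
        [pscustomobject]@{ User = $user; TemporaryPassword = $plain }
    }
    catch { Write-Warning "Reset failed for ${user}: $_" }
}
$results | Format-Table -AutoSize
```

The temporary passwords exist only in $results for the current session; hand them to the users over a separate channel rather than writing them to a file.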

LastLogonTimeStamp: How to parse the 18 digit number in PowerShell?


The following command generates these results:

PS H:\> Get-ADUser JohnD -Properties LastLogonTimeStamp | select Name,LastLogonTimeStamp | fl

Name               : John Doe
LastLogonTimeStamp : 130364862459391289

You may be wondering how to parse the 18-digit number in the LastLogonTimeStamp property value. LastLogonTimeStamp is expressed as a Windows file time.

A Windows file time is a 64-bit value that represents the number of 100-nanosecond intervals that have elapsed since 12:00 midnight, January 1, 1601 A.D. (C.E.) Coordinated Universal Time (UTC). Windows uses a file time to record when an application creates, accesses, or writes to a file.

To convert it to a human-readable date format, use the .NET method FromFileTime, which returns the value as a [DateTime].

e.g., 

$u = Get-ADUser JohnD -Properties LastLogonTimeStamp

[DateTime]::FromFileTime([Int64] $u.LastLogonTimeStamp)

Displayed output: 02/09/2014 22:10:45

I wrote the following script to list all of my domain computers with their OS and LastLogonTimeStamp value. This script also creates TAB-delimited output in a text file.

 

Import-Module ActiveDirectory

$computers = Get-ADComputer -Filter * -Properties name,operatingsystem,lastlogontimestamp -ResultPageSize 0
"Computer Name`tOperating System`tLast Logon Date/Time" | Out-File -FilePath .\DomainComputers.txt
foreach ($computer in $computers)
{
    # Build the tab-delimited line once, show it on screen, and append it to the file
    $line = $computer.name + "`t" + $computer.OperatingSystem + "`t" + [DateTime]::FromFileTime([Int64] $computer.lastlogontimestamp)
    $line
    $line | Out-File -FilePath .\DomainComputers.txt -Append
}
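
A computer that has never logged on has no lastLogonTimestamp, so the [Int64] cast in the script above yields 0 and the output shows a date in 1601; the attribute is also replicated only periodically and by default can lag the real logon by up to about 14 days. The following is an added example, not the author's script, that handles the empty value and reports accounts with no recent logon. The function names, the output file name and the 90-day threshold are assumptions.

```powershell
# Added example: report computer accounts with no recent logon.
# ConvertFrom-LastLogonTimestamp and Get-StaleComputer are hypothetical names.
Import-Module ActiveDirectory

Function ConvertFrom-LastLogonTimestamp
{
    param($Value)

    # Unset or 0 means "never logged on", not a date in 1601
    if (-not $Value -or [Int64]$Value -le 0) { return $null }

    # FromFileTimeUtc keeps the result in UTC; FromFileTime would shift it to local time
    return [DateTime]::FromFileTimeUtc([Int64]$Value)
}

Function Get-StaleComputer
{
    # Assumed threshold, chosen to be well above the replication lag of the attribute
    param([int] $StaleDays = 90)

    $cutoff = [DateTime]::UtcNow.AddDays(-$StaleDays)

    Get-ADComputer -Filter * -Properties OperatingSystem, lastLogonTimestamp | ForEach-Object {
        $last = ConvertFrom-LastLogonTimestamp $_.lastLogonTimestamp
        if ($null -eq $last -or $last -lt $cutoff)
        {
            [pscustomobject]@{
                Name            = $_.Name
                OperatingSystem = $_.OperatingSystem
                LastLogonUtc    = $last
                NeverLoggedOn   = ($null -eq $last)
            }
        }
    }
}

# TAB-delimited output, as in the script above
Get-StaleComputer -StaleDays 90 |
    Export-Csv -Path .\StaleComputers.txt -Delimiter "`t" -NoTypeInformation

# Conversion check with the value shown earlier on this page
ConvertFrom-LastLogonTimestamp 130364862459391289
```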

PowerShell 4.0: “Get-ADUser : One or more properties are invalid”


This applies to the Get-ADComputer cmdlet too. When I try to get all properties of an AD account with a command like Get-ADUser JohnDoe -Properties *, it gives the following error.

Get-ADUser : One or more properties are invalid.
Parameter name: msDS-AssignedAuthNPolicy

It used to work in older PowerShell versions (Windows 8 or Windows 7). Now all my scripts have stopped working.

Well, I believe it is a bug in the ActiveDirectory PowerShell module. But on the other hand, we should NOT be using -Properties * in a script. That would be bad scripting practice, and it obviously takes more time to process. The right way is to use it like -Properties <propertyname1>,<propertyname2>.

What if I don’t know the properties I want? What if I have to figure out the correct property name? Do NOT worry, there is a workaround. Pipe the Get-ADUser or Get-ADComputer output to the Get-ADObject cmdlet as shown below.

Get-ADUser JohnDoe | Get-ADObject -Properties *

Hopefully it will be fixed in the next updates, or MS doesn’t want us to use * in the Properties parameter. Enjoy.

Citrix/RDS: Publish Internet Explorer without Address Bar


Publishing IE for a web application without the address bar is easier than you think. Simply publish the following VBScript or PowerShell script to launch IE without the address bar and go to a specific intranet website.

Copy either one of the scripts into Notepad and save it as LaunchIE.vbs for VBScript OR LaunchIE.PS1 for PowerShell. Change the website address in the script. Run the script to make sure it works as you expect. Publish the script in Citrix or RDS.

Here is the VBScript Code. You can download this script from here: http://sdrv.ms/1cijdke


' Script: LaunchIE.vbs
' Purpose: Launch IE without Address bar with the given website
' Written by: Anand Venkatachalapathy


' Note: Replace the website address in the Navigate line below with your own

Dim objIE
Set objIE = WScript.CreateObject("InternetExplorer.Application")
objIE.Toolbar = false    'Turning off the tool/address bar
objIE.Navigate "http://anandthearchitect.com"
objIE.Visible = true

' End of Script

Here is the PowerShell Code. Download the script from here: http://sdrv.ms/1cijnYN

#    __                           __       __________
#   / /   ____ ___  ______  _____/ /_     /  _/ ____/
#  / /   / __ `/ / / / __ \/ ___/ __ \    / // __/
# / /___/ /_/ / /_/ / / / / /__/ / / /  _/ // /___
#/_____/\__,_/\__,_/_/ /_/\___/_/ /_/  /___/_____/
#
# Launch IE without Tool bar and Address bar
# Written by: Anand the Awesome Venkatachalapathy
#
# Replace your website on next line
$site = "http://anandthearchitect.com"

# Get IE Application object
$ie = New-Object -ComObject "InternetExplorer.Application"

# Hide Address Bar and Tool Bar
$ie.AddressBar = $false
$ie.ToolBar = $false

# Launch IE with the specified website address
$ie.Navigate($site)

# The COM object starts hidden; show the window (as the VBScript version does)
$ie.Visible = $true

#
#-*-*-*-*-*-*-*-*-*-*- The End *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*