======Microsoft - Active Directory - Scripting - PowerShell - Notes======
=====Get-ADUser -Filter not working inside foreach=====
Inside a foreach loop, the following Get-ADUser filter syntax does not work:
<code powershell>
Get-ADUser -Filter { SamAccountName -eq "$strAccountName" }
</code>
The -Filter parameter is a string: the script block is converted to text and the filter expression is parsed by the Active Directory module, not by PowerShell, so the quoted variable is not expanded. Use a string instead, so that PowerShell expands the variable before the module sees the filter:
<code powershell>
Get-ADUser -Filter "SamAccountName -eq '$strAccountName'"
</code>
Source: [[https://social.technet.microsoft.com/Forums/scriptcenter/en-US/64657770-326c-4ee6-a562-950745b3ed9f/getaduser-not-working-from-foreachobject?forum=winserverpowershell|Microsoft - Script Center - Forum - get-aduser not working from ForEach-Object]] \\
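The loop case worked through, as an added example that is not from the original page: a list of account names is looked up with the string form of -Filter. Because the name is embedded as text in a filter that the AD module parses, a quote character inside it would change the filter, so each name is checked against a conservative allowlist first (an assumption of this example, stricter than what AD itself allows in a sAMAccountName). The account names are constructed sample input.

```powershell
# Added example (not from the original page): look up a list of accounts in a loop
# with the string form of -Filter. $accountNames is constructed sample input.
$accountNames = @('jdoe', 'svc-backup', "o'brien")

foreach ($strAccountName in $accountNames) {
    # The value is embedded as text in a filter parsed by the AD module, so a quote
    # character in it would change the filter. Only accept a conservative character
    # set (assumption: stricter than the characters AD allows in sAMAccountName).
    if ($strAccountName -notmatch '^[A-Za-z0-9._-]+$') {
        Write-Warning "Skipping '$strAccountName': not a plain account name"
        continue
    }
    $objUser = Get-ADUser -Filter "SamAccountName -eq '$strAccountName'"
    if ($null -eq $objUser) {
        Write-Warning "No account named '$strAccountName'"
        continue
    }
    [PSCustomObject]@{
        SamAccountName    = $objUser.SamAccountName
        DistinguishedName = $objUser.DistinguishedName
        Enabled           = $objUser.Enabled
    }
}
```

When the exact sAMAccountName is already known, `Get-ADUser -Identity $strAccountName` avoids building a filter at all; it throws instead of returning nothing when the account does not exist, so wrap it in try/catch inside a loop.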
=====Snippets=====
The filters below test bits of the userAccountControl attribute with the LDAP bitwise-AND matching rule (1.2.840.113556.1.4.803): 65536 is DONT_EXPIRE_PASSWORD and 2 is ACCOUNTDISABLE.

Get accounts with password never expires ON:
<code powershell>
Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=65536)"
</code>
Get accounts with password never expires OFF:
<code powershell>
Get-ADUser -LDAPFilter "(!(userAccountControl:1.2.840.113556.1.4.803:=65536))"
</code>
Get the name of all disabled accounts with password never expires set to ON (exclude the Guest account):
<code powershell>
Get-ADUser -LDAPFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=65536)(userAccountControl:1.2.840.113556.1.4.803:=2)(!(cn=Guest)))" | Select-Object Name
</code>
Set password never expires to OFF for all disabled accounts that currently have it on (excluding the Guest account); add -WhatIf to Set-ADUser first to list the accounts that would be changed:
<code powershell>
Get-ADUser -LDAPFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=65536)(userAccountControl:1.2.840.113556.1.4.803:=2)(!(cn=Guest)))" | Set-ADUser -PasswordNeverExpires $false
</code>
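An added example, not from the original page, that makes the raw numbers in the LDAP filters above readable: it decodes a userAccountControl value into flag names and builds the same kind of bitwise-AND filter from flag names. The flag values are the documented userAccountControl flags; the function names and the sample value 66050 are constructed for this example.

```powershell
# Added example (not from the original page): decode the userAccountControl bit field
# and build the LDAP filters above from flag names instead of raw numbers.
# The flag values are the documented userAccountControl flags.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0000001
    ACCOUNTDISABLE                 = 0x0000002
    HOMEDIR_REQUIRED               = 0x0000008
    LOCKOUT                        = 0x0000010
    PASSWD_NOTREQD                 = 0x0000020
    PASSWD_CANT_CHANGE             = 0x0000040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0000080
    TEMP_DUPLICATE_ACCOUNT         = 0x0000100
    NORMAL_ACCOUNT                 = 0x0000200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0000800
    WORKSTATION_TRUST_ACCOUNT      = 0x0001000
    SERVER_TRUST_ACCOUNT           = 0x0002000
    DONT_EXPIRE_PASSWORD           = 0x0010000
    MNS_LOGON_ACCOUNT              = 0x0020000
    SMARTCARD_REQUIRED             = 0x0040000
    TRUSTED_FOR_DELEGATION         = 0x0080000
    NOT_DELEGATED                  = 0x0100000
    USE_DES_KEY_ONLY               = 0x0200000
    DONT_REQ_PREAUTH               = 0x0400000
    PASSWORD_EXPIRED               = 0x0800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
    PARTIAL_SECRETS_ACCOUNT        = 0x4000000
}

function ConvertFrom-UserAccountControl {
    # Names of every flag set in $Value: the same bitwise-AND test that the LDAP
    # matching rule 1.2.840.113556.1.4.803 performs on the server side.
    param([Parameter(Mandatory)][int]$Value)
    foreach ($entry in $UacFlags.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) { $entry.Key }
    }
}

function Get-UacLdapFilter {
    # LDAP filter requiring every flag in -Set to be on and every flag in -Clear to be off
    param([string[]]$Set = @(), [string[]]$Clear = @())
    foreach ($name in $Set + $Clear) {
        if (-not $UacFlags.Contains($name)) { throw "Unknown userAccountControl flag: $name" }
    }
    $parts = @()
    foreach ($name in $Set)   { $parts += "(userAccountControl:1.2.840.113556.1.4.803:=$($UacFlags[$name]))" }
    foreach ($name in $Clear) { $parts += "(!(userAccountControl:1.2.840.113556.1.4.803:=$($UacFlags[$name])))" }
    "(&$($parts -join ''))"
}

# Constructed sample value: NORMAL_ACCOUNT + ACCOUNTDISABLE + DONT_EXPIRE_PASSWORD
ConvertFrom-UserAccountControl -Value 66050

# Disabled accounts whose password never expires, with every flag decoded
Get-ADUser -LDAPFilter (Get-UacLdapFilter -Set 'DONT_EXPIRE_PASSWORD','ACCOUNTDISABLE') -Properties userAccountControl |
    Select-Object SamAccountName,
        @{Label='Flags'; Expression={ (ConvertFrom-UserAccountControl $_.userAccountControl) -join ',' }}
```

The sample value 66050 (512 + 2 + 65536) decodes to ACCOUNTDISABLE, NORMAL_ACCOUNT and DONT_EXPIRE_PASSWORD, and `Get-UacLdapFilter -Set 'DONT_EXPIRE_PASSWORD','ACCOUNTDISABLE'` produces the same filter as the snippet above apart from the Guest exclusion. Decoding the whole field is useful in a review because other flags in it, such as PASSWD_NOTREQD, DONT_REQ_PREAUTH or TRUSTED_FOR_DELEGATION, deserve the same attention as a non-expiring password.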
Get a list of users with lastLogon and lastLogonTimestamp. Note that lastLogon is not replicated, so the value comes from whichever domain controller answers the query; lastLogonTimestamp is replicated, but by default it is only updated when the stored value is more than 14 days old, so it is approximate:
<code powershell>
Get-ADUser -Filter * -Properties lastLogon,lastLogonTimeStamp |
    Select-Object Name,UserPrincipalName,
        @{Label="lastLogon";Expression={if($_.lastLogon){[datetime]::FromFileTime($_.lastLogon)}}},
        @{Label="lastLogonTimeStamp";Expression={if($_.lastLogonTimeStamp){[datetime]::FromFileTime($_.lastLogonTimeStamp)}}}
</code>
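Because lastLogon is per domain controller, a stale-account report has to ask every DC and keep the newest value. The following is an added example, not from the original page; the 90-day threshold and the variable names are assumptions of the example.

```powershell
# Added example (not from the original page): collect lastLogon from every domain
# controller, keep the newest value per account and flag accounts that have not
# logged on within $intStaleDays days (assumed threshold).
$intStaleDays = 90

$htLastLogon = @{}
foreach ($objDC in (Get-ADDomainController -Filter *)) {
    try {
        $objUsers = Get-ADUser -Server $objDC.HostName -Filter 'Enabled -eq $true' -Properties lastLogon -ErrorAction Stop
    } catch {
        # An unreachable DC must not silently shrink the result set
        Write-Warning "Could not query $($objDC.HostName): $_"
        continue
    }
    foreach ($objUser in $objUsers) {
        $intLogon = [int64]$objUser.lastLogon   # 0 when this DC has never seen a logon for the account
        $strName = $objUser.SamAccountName
        if (-not $htLastLogon.ContainsKey($strName) -or $htLastLogon[$strName] -lt $intLogon) {
            $htLastLogon[$strName] = $intLogon
        }
    }
}

$dtCutoff = (Get-Date).AddDays(-$intStaleDays)
$htLastLogon.GetEnumerator() | ForEach-Object {
    $dtLast = if ($_.Value -gt 0) { [datetime]::FromFileTime($_.Value) } else { $null }
    [PSCustomObject]@{
        SamAccountName = $_.Key
        LastLogon      = $dtLast          # $null: no DC has recorded a logon
        Stale          = ($null -eq $dtLast) -or ($dtLast -lt $dtCutoff)
    }
} | Where-Object Stale | Sort-Object LastLogon
```

Accounts that show no logon on any DC include service accounts that only ever authenticate with Kerberos tickets issued elsewhere and accounts created but never used; both belong in a review, which is why they are reported as stale rather than dropped.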
====Get list of admin accounts with enabled/expired status====
<code powershell>
$strGroups = "CN=Domain Admins,|CN=Enterprise Admins,|CN=Administrators,"
Get-ADUser -Filter * -Properties memberOf,Enabled,AccountExpirationDate |
    Where-Object {$_.memberOf -match $strGroups} |
    Select-Object Name,SamAccountName,Enabled,AccountExpirationDate |
    Sort-Object Name
</code>
This matches the memberOf attribute, which lists direct group memberships only: an account that is an administrator through a nested group (or through its primary group) is not listed.

Example output:
<code>
Name          SamAccountName Enabled AccountExpirationDate
----          -------------- ------- ---------------------
Administrator Administrator  True
</code>
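To cover nested membership as well, the privileged groups can be expanded recursively instead of matching memberOf. This is an added example, not from the original page; the group list and the extra PasswordLastSet column are assumptions of the example.

```powershell
# Added example (not from the original page): expand each privileged group
# recursively so that admins who are members through nested groups are reported too.
$strGroupNames = 'Domain Admins', 'Enterprise Admins', 'Administrators'   # assumed list

$objReport = foreach ($strGroup in $strGroupNames) {
    try {
        # -Recursive flattens nested groups; keep user objects only
        $objMembers = Get-ADGroupMember -Identity $strGroup -Recursive -ErrorAction Stop |
            Where-Object objectClass -eq 'user'
    } catch {
        Write-Warning "Could not expand '$strGroup': $_"
        continue
    }
    foreach ($objMember in $objMembers) {
        $objUser = Get-ADUser -Identity $objMember.distinguishedName -Properties AccountExpirationDate,PasswordLastSet
        [PSCustomObject]@{
            Group                 = $strGroup
            SamAccountName        = $objUser.SamAccountName
            Enabled               = $objUser.Enabled
            AccountExpirationDate = $objUser.AccountExpirationDate
            PasswordLastSet       = $objUser.PasswordLastSet
        }
    }
}

$objReport | Sort-Object SamAccountName,Group | Format-Table -AutoSize
```

Get-ADGroupMember -Recursive fails on members that are foreign security principals from a trusted domain, which is why each group is expanded inside try/catch, and Enterprise Admins only exists in the forest root domain, so the warning for that group is expected in a child domain.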
=====Get lists of Group Policies without links=====
<code powershell>
# Taken from https://social.technet.microsoft.com/Forums/windowsserver/en-US/de1431b6-190c-4779-8b44-b2c33b22fc15/powershell-determining-if-a-gpo-is-linked?forum=winserverpowershell
Function Get-AllGPO
{
    # One object per GPO with the names and paths of the containers (SOMs) it is
    # linked to, taken from the XML report; SOMName is empty for an unlinked GPO.
    $objGPOs = Get-GPO -All
    foreach ($objGPO in $objGPOs) {
        ([xml](Get-GPOReport -Guid $objGPO.Id -ReportType XML)).GPO |
            Select-Object Name,
                @{Label="SOMName";Expression={$_.LinksTo | ForEach-Object {$_.SOMName}}},
                @{Label="SOMPath";Expression={$_.LinksTo | ForEach-Object {$_.SOMPath}}}
    }
}
# Show all GPOs that have no links
Get-AllGPO | Where-Object {$null -eq $_.SOMName} | Select-Object Name
</code>
Example output:
<code>
Name
----
Set_WSUS_Default-Settings
</code>
Source: [[https://social.technet.microsoft.com/Forums/windowsserver/en-US/de1431b6-190c-4779-8b44-b2c33b22fc15/powershell-determining-if-a-gpo-is-linked?forum=winserverpowershell|Microsoft - Forums - Windows Server - PowerShell - Determining if a GPO is linked]]
=====Group Policy Inheritance=====
List of all OUs with their BlockedInheritance state:
<code powershell>
$strBaseOU = "DC=domain,DC=tld"
Get-ADOrganizationalUnit -SearchBase $strBaseOU -Filter * |
    Format-Table DistinguishedName,@{Name="Inheritance";Expression={(Get-GPInheritance -Target $_.DistinguishedName).GpoInheritanceBlocked}} -AutoSize
</code>
List only the OUs with Blocked Inheritance enabled:
<code powershell>
$strBaseOU = "DC=domain,DC=tld"
Get-ADOrganizationalUnit -SearchBase $strBaseOU -Filter * |
    Where-Object {(Get-GPInheritance -Target $_.DistinguishedName).GpoInheritanceBlocked -eq "Yes"} |
    Select-Object DistinguishedName
</code>
Source: [[https://rakhesh.com/powershell/get-a-list-of-ous-with-inheritance-blocked-gpos-not-applied/|rakhesh.com - Get a list of OUs with inheritance blocked & GPOs not applied]]
=====Export groups and group members=====
<code powershell>
$strDate = (Get-Date -Format u).Substring(0,10)   # yyyy-MM-dd
$strGroupsExportCsv       = "C:\Temp\$strDate - Groups.csv"
$strGroupMembersExportCsv = "C:\Temp\$strDate - Groupmembers.csv"

$objGroups = Get-ADGroup -Filter *
$objGroupsWithMembers = foreach ($objGroup in $objGroups) {
    # Get-ADGroupMember fails for groups above the AD Web Services member limit
    # (5000 by default) and for foreign security principals; report and continue
    try {
        $objMembers = $objGroup | Get-ADGroupMember -ErrorAction Stop
    } catch {
        Write-Warning "Could not enumerate '$($objGroup.Name)': $_"
        continue
    }
    foreach ($objMember in $objMembers) {
        [PSCustomObject]@{
            GroupName = $objGroup.Name
            Member    = $objMember.name
            MemberDN  = $objMember.distinguishedName
        }
    }
}

# Export
$objGroups | Sort-Object Name | Export-Csv -NoTypeInformation -Path $strGroupsExportCsv
$objGroupsWithMembers | Sort-Object GroupName,Member | Export-Csv -NoTypeInformation -Path $strGroupMembersExportCsv
</code>