Microsoft - Active Directory - Scripting - PowerShell - Notes

Get-ADUser -Filter not working inside foreach

When used inside a foreach loop, the following Get-ADUser -Filter syntax (script block with a variable inside) does not work:

Get-ADUser -Filter { SamAccountName -eq "$strAccountName" }

Use the following syntax instead:

Get-ADUser -Filter "SamAccountName -eq '$strAccountName'"

Source: Microsoft - Script Center - Forum - get-aduser not working from ForEach-Object

Snippets

Get accounts with password never expires ON:

Get-ADUser -LDAPFilter {(userAccountControl:1.2.840.113556.1.4.803:=65536)}

Get accounts with password never expires OFF:

Get-ADUser -LDAPFilter {(!(userAccountControl:1.2.840.113556.1.4.803:=65536))}

Get the name of all disabled accounts with password never expires set to ON (exclude the Guest account):

Get-ADUser -LDAPFilter {(&(userAccountControl:1.2.840.113556.1.4.803:=65536)(userAccountControl:1.2.840.113556.1.4.803:=2)(!CN=Guest))} | Select-Object Name

Set password never expires to OFF for all disabled accounts that currently have it on (excluding the Guest account):

Get-ADUser -LDAPFilter {(&(userAccountControl:1.2.840.113556.1.4.803:=65536)(userAccountControl:1.2.840.113556.1.4.803:=2)(!CN=Guest))} | Set-ADUser -PasswordNeverExpires $false
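Added example, not part of the original notes: the two userAccountControl snippets above are instances of one pattern (bitwise AND matching rule 1.2.840.113556.1.4.803 against a UAC bit). The function below builds that LDAP filter for any combination of required and excluded flags and decodes the raw userAccountControl value on the results into flag names. The flag table holds documented UAC bits; the function names are my own.

```powershell
# Added example (not from the original notes). Documented userAccountControl bits.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 2
    LOCKOUT              = 16
    PASSWD_NOTREQD       = 32
    NORMAL_ACCOUNT       = 512
    DONT_EXPIRE_PASSWORD = 65536
}

# Build an LDAP filter: every flag in -Require must be set, every flag in
# -Exclude must be clear, using the bitwise AND rule as the snippets above do.
function New-UacLdapFilter {
    param(
        [string[]]$Require = @(),
        [string[]]$Exclude = @()
    )
    foreach ($name in ($Require + $Exclude)) {
        if (-not $UacFlags.Contains($name)) { throw "Unknown UAC flag: $name" }
    }
    $clauses = @()
    $clauses += foreach ($name in $Require) {
        "(userAccountControl:1.2.840.113556.1.4.803:=$($UacFlags[$name]))"
    }
    $clauses += foreach ($name in $Exclude) {
        "(!(userAccountControl:1.2.840.113556.1.4.803:=$($UacFlags[$name])))"
    }
    "(&$(-join $clauses))"
}

# Decode a raw userAccountControl integer into the names of the bits that are set.
function ConvertFrom-Uac {
    param([int]$Value)
    ($UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }) -join ','
}

# Audit: enabled accounts whose password never expires, with the flags decoded.
# $filter is (&(userAccountControl:1.2.840.113556.1.4.803:=65536)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
$filter = New-UacLdapFilter -Require DONT_EXPIRE_PASSWORD -Exclude ACCOUNTDISABLE
Get-ADUser -LDAPFilter $filter -Properties userAccountControl |
    Select-Object Name, SamAccountName,
        @{Label = 'UacFlags'; Expression = { ConvertFrom-Uac $_.userAccountControl }}
```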

Get list of users with lastlogon and lastlogontimestamp:

Get-ADUser -Filter * -Properties lastLogon,lastLogonTimeStamp | `
Select-Object Name,UserPrincipalName,
@{Label="lastLogon";Expression={if($_.lastLogon){[datetime]::FromFileTime($_.lastLogon)}}},
@{Label="lastLogonTimeStamp";Expression={if($_.lastLogonTimeStamp){[datetime]::FromFileTime($_.lastLogonTimeStamp)}}}

Get list of admin accounts with enabled/expired status:

$strGroups = "CN=Domain Admins,|CN=Enterprise Admins,|CN=Administrators,"
 
Get-ADUser -Filter * -Properties memberof,Enabled,AccountExpirationDate | `
Where-Object {$_.memberof -match "$strGroups"} | `
Select-Object Name,SamAccountName,Enabled,AccountExpirationDate | `
Sort-Object Name

Example output:

Name                          SamAccountName                                      Enabled AccountExpirationDate
----                          --------------                                      ------- --------------------
Administrator                 Administrator                                       True

Determine which GPOs are linked and list the ones that have no link:

# Taken from https://social.technet.microsoft.com/Forums/windowsserver/en-US/de1431b6-190c-4779-8b44-b2c33b22fc15/powershell-determining-if-a-gpo-is-linked?forum=winserverpowershell
Function Get-AllGPO
{
	$objGPOs = Get-GPO -All
	foreach ($objGPO in $objGPOs) {
 
		([xml](Get-GPOReport $objGPO.Id -ReportType XML)).gpo | `
		Select-Object Name,
		@{Label="SOMName";Expression={$_.LinksTo | ForEach-Object {$_.SOMName}}},
		@{Label="SOMPath";Expression={$_.LinksTo | ForEach-Object {$_.SOMPath}}}
	}
}
 
# Show all GPOs that have no links
Get-AllGPO | Where-Object {$null -eq $_.SOMName} | Select-Object Name

Example output:

Name
----
Set_WSUS_Default-Settings

Source: Microsoft - Forums - Windows Server - PowerShell - Determining if a GPO is linked

Group Policy Inheritance

List of all OUs with their BlockedInheritance state:

$strBaseOU = "DC=domain,DC=tld"
 
Get-ADOrganizationalUnit -SearchBase "$strBaseOU" -Filter * | `
Format-Table DistinguishedName,@{Name="Inheritance";Expression={(Get-GPInheritance $_.DistinguishedName).GpoInheritanceBlocked}} -AutoSize

List only the OUs with Blocked Inheritance enabled:

$strBaseOU = "DC=domain,DC=tld"
 
Get-ADOrganizationalUnit -SearchBase "$strBaseOU" -Filter * | `
Where-Object {(Get-GPInheritance $_.DistinguishedName).GpoInheritanceBlocked -eq $true} | `
Select-Object DistinguishedName

Source: rakhesh.com - Get a list of OUs with inheritance blocked & GPOs not applied

Export groups and group members

$strGroupsExportCsv = "C:\Temp\$((Get-Date -Format u).SubString(0,10)) - Groups.csv"
$strGroupMembersExportCsv = "C:\Temp\$((Get-Date -Format u).SubString(0,10)) - Groupmembers.csv"
 
$objGroups = Get-ADGroup -Filter *
 
# One object per (group, member) pair, collected from the loop output instead of
# growing an array with +=. Note: Get-ADGroupMember fails on groups above the
# ADWS member limit (5000 by default) and on members from other domains.
$objGroupsWithMembers = foreach ($objGroup in $objGroups) {
    foreach ($objMember in ($objGroup | Get-ADGroupMember)) {
        [PSCustomObject]@{
            GroupName = $objGroup.Name
            Member    = $objMember.name
            MemberDN  = $objMember.distinguishedName
        }
    }
}
 
# Export
$objGroups | Sort-Object Name | Export-Csv -NoTypeInformation -Path $strGroupsExportCsv
$objGroupsWithMembers | Sort-Object GroupName,Member | Export-Csv -NoTypeInformation -Path $strGroupMembersExportCsv