ADModule – Jere's Techblog

Compare ActiveDirectory ACL

November 25, 2019

Here are some examples and a good description of the ActiveDirectory ACL:

https://blogs.technet.microsoft.com/ashleymcglone/2013/03/25/active-directory-ou-permissions-report-free-powershell-script-download/

Script example to compare ActiveDirectory OU ACL ( Security Groups )

by J.Kühnis 25.11.2019

Import-Module ActiveDirectory


$OU1 = Get-ACl -Path 'AD:\OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM' |  Select-Object -ExpandProperty Access | select IdentityReference

$OU2 = Get-ACl -Path 'AD:\OU=Marketing,OU=UserAccounts,DC=FABRIKAM,DC=COM' |  Select-Object -ExpandProperty Access | select IdentityReference

Compare-Object $OU1 $OU2 -IncludeEqual

1

2

3

4

5

6

7

8

9

10

by J.Kühnis 25.11.2019

Import-Module ActiveDirectory

$OU1 = Get-ACl -Path 'AD:\OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM' | Select-Object -ExpandProperty Access | select IdentityReference

$OU2 = Get-ACl -Path 'AD:\OU=Marketing,OU=UserAccounts,DC=FABRIKAM,DC=COM' | Select-Object -ExpandProperty Access | select IdentityReference

Compare-Object $OU1 $OU2 -IncludeEqual

ActiveDirectory, AD, Automation, Example, Powershell, Scripting

ADModule, PowerShell, Scripting, Windows

Leave a comment

Function Count Ad-GroupMember

November 12, 2019

Jeremias Kühnis

#by J.Kühnis 12.11.2019
Function Count-ADGroupMember {
    
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]$GroupName
    )


    #Get Data From AD-Group
    $groupname
    $groupdsn = (Get-ADGroup $groupname).DistinguishedName
    $group = [adsi]"LDAP://$groupdsn" 
    $groupmemebrs = $group.psbase.invoke("Members") | ForEach-Object { $_.GetType().InvokeMember("SamAccountName", 'GetProperty', $null, $_, $null) }
    $ADGroupMemberCount = $groupmemebrs.count
    return $ADGroupMemberCount
}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

#by J.Kühnis 12.11.2019

Function Count-ADGroupMember {

[CmdletBinding()]

Param(

[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]

[string]$GroupName

)

#Get Data From AD-Group

$groupname

$groupdsn = (Get-ADGroup $groupname).DistinguishedName

$group = [adsi]"LDAP://$groupdsn"

$groupmemebrs = $group.psbase.invoke("Members") | ForEach-Object { $_.GetType().InvokeMember("SamAccountName", 'GetProperty', $null, $_, $null) }

$ADGroupMemberCount = $groupmemebrs.count

return $ADGroupMemberCount

}

example:

Count-ADGroupMember -GroupName AnyGroupNameHere

1	Count-ADGroupMember -GroupName AnyGroupNameHere

ActiveDirectory, AD, Automation, Function, Microsoft, Powershell, Windows

ADModule, PowerShell, Scripting, Windows

Leave a comment

Query big ADObject / Containers

March 13, 2019

Jeremias Kühnis

The Powershell AD-Modules have certain restrictions when it comes to querying large objects, this can be bypassed by ADSI Query.

Here an example how to read them and how to iterate on users of a group:

#by J.Kühnis 13.03.2019
#example ADSI Query Powershell
$BigGroup = "someADGroupName"
$ADGroup1 = "someADGroup1"
$ADGroup2 = "someADGroup2"


$groupname = $BigGroup
$groupdsn = (Get-ADGroup $groupname).DistinguishedName
$group =&#91;adsi]”LDAP://$groupdsn” 
$groupmemebrs = $group.psbase.invoke("Members") | % {$_.GetType().InvokeMember("SamAccountName",'GetProperty',$null,$_,$null)}

$groupmemebrs | foreach {
    
    $usradgroups = GET-ADUser -Identity $_ –Properties MemberOf | Select-Object -ExpandProperty MemberOf | Get-ADGroup -Properties name | Select-Object name
    IF ($usradgroups.name -notContains $ADGroup1 -and $usradgroups.name -notContains $ADGroup2) {

        #User is not a Member of ADGroup1 &amp; ADGroup2

        }
        Else{
          #User is MemberOf ADGroup1 &amp; ADGroup2
        }
}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

#by J.Kühnis 13.03.2019

#example ADSI Query Powershell

$BigGroup = "someADGroupName"

$ADGroup1 = "someADGroup1"

$ADGroup2 = "someADGroup2"

$groupname = $BigGroup

$groupdsn = (Get-ADGroup $groupname).DistinguishedName

$group =[adsi]”LDAP://$groupdsn”

$groupmemebrs = $group.psbase.invoke("Members") | % {$_.GetType().InvokeMember("SamAccountName",'GetProperty',$null,$_,$null)}

$groupmemebrs | foreach {

$usradgroups = GET-ADUser -Identity $_ –Properties MemberOf | Select-Object -ExpandProperty MemberOf | Get-ADGroup -Properties name | Select-Object name

IF ($usradgroups.name -notContains $ADGroup1 -and $usradgroups.name -notContains $ADGroup2) {

#User is not a Member of ADGroup1 & ADGroup2

}

Else{

#User is MemberOf ADGroup1 & ADGroup2

}

Here also an example using a Class to just specify the object the way you like:

#by J.Kühnis 09.10.2019
#Set variables
$ADGROUP = "someAdGrp"

# Load AD-Module
IF (!(Get-Module -Name ActiveDirectory)) {
    Import-Module -Name ActiveDirectory
    IF (!(Get-Module -Name ActiveDirectory)) {
    start-sleep 10
    Write-Warning "No AD-Module Found"

        Exit
    }
}
$groupname = $ADGROUP
$groupdsn = (Get-ADGroup $groupname).DistinguishedName
$group =&#91;adsi]”LDAP://$groupdsn” 
$groupmemebrs = $group.psbase.invoke("Members") | % {$_.GetType().InvokeMember("SamAccountName",'GetProperty',$null,$_,$null)}

class User{
&#91;string]$Name
&#91;string]$SamAccountName
&#91;string]$UserPrincipalName
&#91;string]$Mail
&#91;string]$extensionAttribute7
&#91;string]$extensionAttribute9
}


$Userlist = @()
$groupmemebrs | ForEach-Object {
    $usrATTR = GET-ADUser -Identity $_ –Properties Name,SamAccountName,UserPrincipalName,mail,extensionAttribute9, extensionAttribute7
    
    $User = &#91;User]::new()
    $User.Name = $usrATTR.Name
    $User.SamAccountName = $usrATTR.SamAccountName
    $User.UserPrincipalName = $usrATTR.UserPrincipalName
    $User.Mail = $usrATTR.Mail
    $User.extensionAttribute1 = $usrATTR.extensionAttribute1
    $User.extensionAttribute2 = $usrATTR.extensionAttribute2

    $Userlist += $User
}
$Userlist | format-table

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

#by J.Kühnis 09.10.2019

#Set variables

$ADGROUP = "someAdGrp"

# Load AD-Module

IF (!(Get-Module -Name ActiveDirectory)) {

Import-Module -Name ActiveDirectory

IF (!(Get-Module -Name ActiveDirectory)) {

start-sleep 10

Write-Warning "No AD-Module Found"

Exit

}

$groupname = $ADGROUP

$groupdsn = (Get-ADGroup $groupname).DistinguishedName

$group =[adsi]”LDAP://$groupdsn”

$groupmemebrs = $group.psbase.invoke("Members") | % {$_.GetType().InvokeMember("SamAccountName",'GetProperty',$null,$_,$null)}

class User{

[string]$Name

[string]$SamAccountName

[string]$UserPrincipalName

[string]$Mail

[string]$extensionAttribute7

[string]$extensionAttribute9

}

$Userlist = @()

$groupmemebrs | ForEach-Object {

$usrATTR = GET-ADUser -Identity $_ –Properties Name,SamAccountName,UserPrincipalName,mail,extensionAttribute9, extensionAttribute7

$User = [User]::new()

$User.Name = $usrATTR.Name

$User.SamAccountName = $usrATTR.SamAccountName

$User.UserPrincipalName = $usrATTR.UserPrincipalName

$User.Mail = $usrATTR.Mail

$User.extensionAttribute1 = $usrATTR.extensionAttribute1

$User.extensionAttribute2 = $usrATTR.extensionAttribute2

$Userlist += $User

}

$Userlist | format-table

ActiveDirectory, AD, Automation, LDAP, Powershell, query

ADModule, PowerShell, Scripting, Windows

Leave a comment

Remove AD-Group on certain Users

November 13, 2018

Jeremias Kühnis

This script is very handy in dayli business, when you need to remove multiple users from an AD-Group.

In the userlist the users can be specified with the samAccountName.

Of course there is the possibility to fill “$UserList” variable with a list e.g. a CSV-File. In this case you can Use the function “Import-Csv” which is an out of the Box Powershell feature.

#13.11.2018 by Jeremias Kühnis
#Remove AD-Groupmemership

$ADGroup = "someAdGroupName"

$Userlist = @(
"SamAccountName1"
"SamAccountName2"
"SamAccountName3"
)

$Userlist | % {Remove-ADGroupMember -Identity $ADGroup -Members $_ -Confirm:$false}

1

2

3

4

5

6

7

8

9

10

11

12

#13.11.2018 by Jeremias Kühnis

#Remove AD-Groupmemership

$ADGroup = "someAdGroupName"

$Userlist = @(

"SamAccountName1"

"SamAccountName2"

"SamAccountName3"

)

$Userlist | % {Remove-ADGroupMember -Identity $ADGroup -Members $_ -Confirm:$false}

ActiveDirectory, Automation, Powershell, Windows

ADModule, PowerShell, Scripting, Uncategorized

Leave a comment

Compare ActiveDirectory ACL

Function Count Ad-GroupMember

Query big ADObject / Containers

Remove AD-Group on certain Users

Links

Community