PowerShell – Changing Departments for Multiple AD Users

by on September 25, 2020 at 16:18
Posted In: IT Blog

Hostile takeover? All employees of a department being reassigned? We won’t go into ‘how to disable way lots of employees because your upper management said ‘because we told you”. So, we’ll go into changing departments for the entire company.

There’s a few different ways to do this:

  1. Exporting to CSV, making absolutely sure who’s in the list.
  2. Or just changing everyone in one department, and replacing it with an entirely different department name.

Typically, you want option 1. This is fact checking, validation, all that stuff.

In that scenario you follow the same sort of methodolgy:

-Export all users that meet the criteria (in this case, everyone of a certain department) into a CSV file

-Take CSV file, inject into powershell and set new value

There is also a ‘once and done’ approach. Where you can simply replace the values in one string. I don’t suggest this for production environments, namely because there’s always a margin for error.

The ‘typical’ option

Export all users that fit a filter into a CSV file. In this example, I’m looking for all AD users with Department ‘Support’. Exporting to a CSV file. Export something unique, like the samAccountName.

Get-ADUser -Filter 'Department -like "Support"' -Properties * | select samaccountname | Export-CSV "C:\Path_to_csv\department_users.csv"

With this exported file “department_users.csv”, we use another piece of code to pick up the CSV file, run a for-loop to go through each user in that CSV file and update their department.

Import-Module Active Directory

$Set_Department = Import-Csv "C:\Path_to_csv\department_users.csv"  #Store CSV file into $Set_Department variable
$Department = "Operations Support" #New Department

foreach ($User in $Set_Department) {
    #For each name or account in the CSV file $Resetpassword, reset the password with the Set-ADAccountPassword string below
   $User.sAMAccountName

        Set-ADUser -Identity $User.sAMAccountName -Department $Department
        write-output $User
}
 Write-Host " Departments changed "
 $total = ($Set_Department).count
 $total
 Write-Host "AD User Departments have been updated..."

Just make sure your end CSV file has a format of only the SamAccountname (like below).

sAMAccountName
Zuzana.Burris
Zandra.Caig

The ‘Once-and-Done’ Option

Again, I don’t suggest this unless you feel absolutely comfortable with the results. If, however you’re in a hurry and need to change all attributes to the new updated attribute, this is the line of code for you.

Get-ADUser -Filter 'Department -like "Old Department Name"' | Set-ADUser -replace @{department="New Department Name"}

As always, you can retrofit this code to suit your needs.

You could also change other AD attributes with this sort of syntax as well, just be sure to change your code, and TEST first.

Showing the Results

Let’s see which AD Accounts by SamAccountName, Department and Title have a specific title. We’ll say anything with a title of “Support”. 

Get-ADUser -Filter 'Department -like "*Support*"' -Properties * | select samaccountname, department, title | out-gridview

Or you could search for all users that do NOT have a department specified

Get-ADUser -Filter * -Properties * | select samaccountname, Department,title | where department -eq $Null
└ Tags: , , , , ,
 Comment 

PowerShell – Change passwords on multiple AD accounts

by on September 25, 2020 at 10:59
Posted In: IT Blog

If you’re like me, you built a new AD for testing. And if you’re also like me, you imported a whole bunch of users into your AD. Some of those users likely had passwords that didn’t quite meet the domain criteria. If that happened, that means those users are disabled.

In past posts, I wrote about moving users into a different OU. Now, we’re going to change passwords for these users so we can enable them later.

For this, you’ll need a CSV in this format below. I took some liberties and retrieved a large amount of random passwords from manytools.org. There are many websites that can do this, I just like the format that manytools provided. I just pasted the passwords into the second column, the first column being the sAMAccountname of the user.

sAMAccountNamePassword
Zuzana.Burrisgz9DndwkBh8s
Zandra.Caig9eC3bcJ2SzA5

PowerShell code:

Import-Module Active Directory
$Resetpassword = Import-Csv "C:\path_to_username_password_file.csv"
 #Store CSV file into $Resetpassword variable

foreach ($User in $Resetpassword) {
    #For each name or account in the CSV file $Resetpassword, reset the password with the Set-ADAccountPassword string below
    $User.sAMAccountName
    $User.Password
        Set-ADAccountPassword -Identity $User.sAMAccountName -Reset -NewPassword (ConvertTo-SecureString $User.Password -AsPlainText -force)
}
 Write-Host " Passwords changed "
 $total = ($Resetpassword).count
 $total
 Write-Host "Accounts passwords have been reset..."

Showing the Results

Once we’ve set the passwords, we need a way of knowing when or if the passwords were last set for a user. Referring back to the Get-ADuser cmdlet, we can look at the -passwordlastset property.

Get-ADUser -filter * -properties passwordlastset | sort-object samaccountname | select-object samaccountname, passwordlastset, passwordneverexpires | Out-GridView
└ Tags: , , , , , ,
 Comment 

PowerShell – Move AD users via CSV file

by on September 25, 2020 at 10:26
Posted In: IT Blog

This is part of my ‘Finding all Disabled users in AD’ from an earlier post. The backstory is, I used some powershell to import about 1100 dummy users into a newly created AD.

Out of 1100 users, 300+ became disabled due to non-compliant passwords (too short, didn’t meet requirements). My end goal was to have all disabled users re-enabled, which meant I had to give them all proper passwords. In the meantime, I decided to create this script to move all disabled users into a separate OU.

The steps for this script are pretty simple:

  • 1. Create a list of all the disabled users (done in last post)
  • 2. Export list of disabled users, taking all the unique values (samAccountName) into .CSV Format (done in last post)
  • 3. Retrieving the list with powershell, and moving all the users in the CSV list into another AD OU container

This does of course require a list of users in CSV format, just SamAccountName since each user has as unique value.

like so:

SamAccountName
“Codie.Youthead”
“Bellina.Kobierski”
“Melitta.Marcum”
“Marietta.Caverhill”
Sample CSV file contents

Now the code:

import-module ActiveDirectory
#Store CSV into $Movelist variable
$MoveList = Import-Csv -Path "C:\Path_AD_users_to_move.csv"

#Specify target OU to move users in that CSV file
$TargetOU = "OU=Disabled-Users,OU=contoso,DC=contonso,DC=org"

#Import the data from CSV file and assign it to variable 
$Imported_csv = Import-Csv -Path "C:\C:\Path_AD_users_to_move.csv"

$Imported_csv | ForEach-Object {
     # Retrieve Distinguised Name of Users
     $UserDN  = (Get-ADUser -Identity $_.SamAccountName).distinguishedName
     Write-Host " Moving Accounts ..... "
     # Move user to target OU.
     Move-ADObject  -Identity $UserDN -TargetPath $TargetOU #-Whatif
     
 }
 Write-Host " Completed move " 
 $total = ($MoveList).count
 $total
 Write-Host "Accounts have been moved successfully..."

Showing the Results

Typically, Get-ADUser relies on the -DistinguishedName Property. Which really is quite long, and not entirely human readable. Sample code which works, but not in a very pretty manner:


Get-ADUser -Filter * -Properties * | select samaccountname,DistinguishedName|sort-object -descending DistinguishedName

Not really the best use of screen real estate

The distinguishename property by itself is a string, separated by a comma “,”. Which means, we can actually split the contents by still using one line of code within powershell. Like so:


Get-ADUser -filter * -Properties samaccountname,distinguishedname | select samaccountname, @{l='OU';e={$_.DistinguishedName.split(',')[1].split('=')[1]}}

Results show like so:

I can’t seem to get the sort-object code to sort by distinguishedname. If someone out there knows how, I’d be happy to include it in here.

 Comment 

PowerShell – Finding all Disabled users in AD

by on September 24, 2020 at 22:53
Posted In: IT Blog

Need to find all the disabled users in your AD? it’s odd that the built in AD Tools do not have this option. PowerShell to the rescue!

All these commands are documented in the Microsoft Get-ADUser cmdlet. I’ve added some additional types of output with out-gridview and CSV.

Finds all the disabled users in AD.

Get-ADUser -Filter {Enabled -eq $false}

Finds all and outputs to a gridview for editing (but you need excel)

Get-ADUser -Filter {Enabled -eq $false} | Out-GridView

Finds all disabled users and outputs to a CSV file. This exports ALL the readily available attributes.

Get-ADUser -Filter {Enabled -eq $false} | export-csv "C:\users\Administrator\Desktop\disabled_ADusers.csv"

Finds all the disabled users by specific property and selects the objects and outputs them

Get-ADUser -Filter {Enabled -eq $false} -properties SamAccountName,mail | Select-Object SamAccountName,mail | Out-GridView

Finds all the disabled users, looks a properties that aren’t readily available like email, export to a CSV file

For some reason, you can’t search by mail address outright or have it display, you have to select it, then show it with that select-object command

Get-ADUser -Filter {Enabled -eq $False} -Properties SamAccountName,mail | Select-object SamAccountName,mail| export-csv "C:\Path_to_CSV.csv"

Or you can use variables to clean up the code:

$SamAcc = "SamAccountName"
$Desc = "Description"
$mail = "mail"
$title = "title"
$CSVpath = "C:\Path_to_CSV.csv"

Get-ADUser -Filter {Enabled -eq $False} -Properties $SamAcc,$mail | Select-object $SamAcc,$mail| export-csv $CSVpath
└ Tags: , , , , , ,
 Comment 

PowerShell – Importing AD users from CSV

by on September 23, 2020 at 00:53
Posted In: IT Blog

What are the situations you’ll need lots of Dummy AD data? When you want to run some awesomely crafted PowerShell AD scripts, that’s where.

I was in a situation a few months ago where I needed replicate a VERY large set of AD data in order to pull some queries with Get-Aduser and Set-Aduser. I toyed with the idea of just creating them manually, or restoring them from production (this is a bad idea, don’t restore from production for a testing environment!). So I found a script that would import a great deal of AD data, and I also found a place online that can create a buttload of fake AD data for me.

The Setup:

  • A Running AD Domain controller
  • Powershell ISE
  • https://mockaroo.com CSV loaded with all sorts of dummy AD data

First, let’s hit mockaroo.com.

For this entry, I’m going to fill as many fields as possible that relate to a powershell script. For each field in powershell, we’ll create a matching one in Mockaroo, and we’ll name it consistently.

This is the set of data with parameters I’m using:

The fields I’m using in AD are (copied from above)

  • City
  • Company
  • Description
  • Department
  • Email
  • EmployeeID
  • GivenName
  • MobilePhone
  • Office
  • OfficePhone
  • Password
  • Path
  • Postalcode
  • State
  • Streetaddress
  • Surname
  • Title

I also need to place these created accounts into a specific OU. I had to do some editing in Excel, and placed the OU ADSI path into that Path attribute above.

Here’s my example with column and headers:

CityCompanyDepartmentEmailEmployeeIDGivenNameMobilePhoneOfficeOfficePhonePasswordPathPostalcodeStateStreetAddressSurNameTitle
IpabaSkybleHuman Resourcescyouthead0@google.es873-02-1259Codie+55 283 153 2678 592-719-1607MhyWOJIAE“OU=Contoso-Users,DC=Contoso,DC=com”35198-000 787 Arizona TrailYoutheadStructural Analysis Engineer

Generate the data you need, or create the information you require and save it into a CSV file (ideally in a Windows format).

Now, the powershell code:

01	# Import active directory module for running AD cmdlets
02	Import-Module activedirectory
03	 
04	#Store the data from ADUsers.csv in the $ADUsers variable
05	$ADUsers = Import-csv "C:\Users\Administrator\Desktop\2AD_users.csv"
06	 
07	#Loop through each row containing user details in the CSV file 
08	foreach ($User in $ADUsers)
09	{
10	#Read user data from each field in each row and assign the data to a variable as below
11	$City           =$User.City
12	$Company        =$User.Company
13	$Description    =$User.Description
14	$Department     =$User.Department
15	$Email          =$User.Email
16	$Employeeid     =$User.Employeeid
17	$GivenName      =$User.GivenName
18	$MobilePhone    =$User.MobilePhone
19	$Office         =$User.Office
20	$OfficePhone    =$User.OfficePhone
21	$Password       =$User.Password
22	$Path           =$User.Path
23	$Postalcode     =$User.Postalcode
24	$State          =$User.State
25	$Streetaddress  =$User.Streetaddress
26	$SurName        =$User.SurName
27	$Title          =$User.Title
28	$Username       =$GivenName+"."+$Surname
29	 
30	    #Check to see if the user already exists in AD
31	if (Get-ADUser -F {SamAccountName -eq $Username})
32	    {    #If user does exist, give a warning
33	         Write-Warning "A user account with username $Username already exist in AD."
34	    }
35	    else
36	    {
37	        #User does not exist then proceed to create the new user account
38	        #Account will be created in the OU provided by the $Path variable read from the CSV file
39	        New-ADUser `
40	            -City $City `
41	            -Company $Company `
42	            -Description $Description `
43	            -Department $Department `
44	            -Email $Email `
45	            -EmployeeID $EmployeeID `
46	            -GivenName $GivenName `
47	            -MobilePhone $MobilePhone `
48	            -Office $Office `
49	            -OfficePhone $OfficePhone `
50	            -AccountPassword (convertto-securestring $Password -AsPlainText -Force) `
51	            -Path $Path `
52	            -Postalcode $Postalcode `
53	            -State $State `
54	            -Streetaddress $Streetaddress `
55	            -SurName $SurName `
56	            -Title $Title `
57	            -SamAccountName $Username `
58	            -UserPrincipalName "$Username@dtab.org" `
59	            -Name "$GivenName $SurName" `
60	            -DisplayName "$GivenName $SurName" `
61	            -Enabled $true
62	    }
63	}

I had to reference the New-ADUser powershell commandlet. A great deal of the switches came from this article. As you can see, I’ve also alphabetized the fields to make sorting a little easier.Notes about this script:

Code Syntax explanation – lines 11 – 28

01	$City           =$User.City
02	$Company        =$User.Company
03	$Description    =$User.Description
04	$Department     =$User.Department
05	$Email          =$User.Email
06	$Employeeid     =$User.Employeeid
07	$GivenName      =$User.GivenName
08	$MobilePhone    =$User.MobilePhone
09	$Office         =$User.Office
10	$OfficePhone    =$User.OfficePhone
11	$Password       =$User.Password
12	$Path           =$User.Path
13	$Postalcode     =$User.Postalcode
14	$State          =$User.State
15	$Streetaddress  =$User.Streetaddress
16	$SurName        =$User.SurName
17	$Title          =$User.Title
18	$Username       =$GivenName+"."+$Surname

This code stores the CSV columns (headers) information for each user into $variables. I’ve kept the variable names the same as the CSV headers tokeep things simple. The last line, $username stores the firstname (period) lastname. Everyone will likely have a different standard for usernames, I just like this format since I don’t have to re-write code.

Code Syntax explanation – lines 31-33

1	if (Get-ADUser -F {SamAccountName -eq $Username})
2	    {    #If user does exist, give a warning
3	         Write-Warning "A user account with username $Username already exist in AD."

Some error checking code. Checking for duplicate information in the imported CSV file.

The variables used in this script are considered ‘more than necessary’. The bare basic amount needed (I think) are username, password, first and last name. Anything you add or take away, requires some editing of the code, and the CSV file.

Notes about this Script:

  • For some reason the New-ADUser command does not allow the -country variable, it seems to fail each time. This is not a deal breaker for me, but for you it might be something worth investigating.
  • When importing passwords, use 10 characters at a minimum. Mockaroo only shows a password “between 6 to 12 chars”. By trial and error, I found manytools.org where I could generate the passwords necessary in the format I wanted, and copy/pasted them into my user CSV.
  • Should you feel hesitant about running this script, add “-Whatif” on the end of the Add-ADUser cmdlet line
└ Tags: , , , , , ,
 Comment