Hi Guys,

I need someone's help with PowerShell. We are trying to gather the following info. In our AD we have OUs that have Department. Under the department we have a separate folder for the following: Computer, Groups, Mailing List, Users. We need to create a script that pulls the following so I can put the information into a spreadsheet for each Department. HELP super please.

Users:

Name, Alias, Phone, Title, Manager, Email

Computer:

Name, OS, Last Login

Mailing List:

Group Name Email, Member of

Groups:

Group Name, Email, Member of

9 Spice ups

OK … what do you have so far, and where is it breaking down?

3 Spice ups

We would love to help you with your current script. Please let us know what you have so far, but my first recommendation would be to check out:

Get-ADUser

Get-ADComputer

Get-DistributionGroupMember

Get-ADGroup

2 Spice ups

Please check out Lepide active directory query tool (available free) if it helps you to resolve your purpose.

Please post what you currently have - and we can go from there.

This is a peer to peer support group and while most of the regulars will go the extra mile - you need to add some effort on your part.

Let us see how far you have gotten. Thomas0311 has given you some starting points regarding the 4 key cmdlets you need.

2 Spice ups

Sorry I have been out. Here is what I have for the user part.

Get-ADUser -SearchBase "OU=IT,OU=Users,DC=com,DC=city" -Filter * -ResultSetSize 50000 | Select Displayname, department,telephoneNumber,title,mail,manager| export-csv \\pctest\c$\test.csv

What about that isn’t working for you?

Moderator’s note: Please use the Code button when posting code snippets to the community. This makes your code easier to read.

1 Spice up

AD doesn’t return all properties by default; you’ll need to specify them with the -Properties argument. You’re probably wanting something like this:

Get-ADUser -SearchBase "OU=IT,OU=Users,DC=com,DC=city" -Filter * -ResultSetSize 50000 -Properties Displayname, department, telephoneNumber, title, mail, manager | select Name, DisplayName, SamAccountName, Department, telephoneNumber, Title, Manager, mail | export-csv \\pctest\c$\test.csv

(EDIT: code button worked for me for five seconds; took the opportunity and fixed the code)

Ah, excellent. I thought it was just my script blocking :slight_smile:

I’ve posted in the help forum about this issue. Please go and spice up.

2 Spice ups

Omgosh thank you so much! I am so just learning PowerShell. I know a little how to PowerShell with Exchange but really don't know much how to pull info out of AD. Thank you all again.

Get-ADUser -SearchBase "OU=IT,OU=Users,DC=com,DC=city" -Filter * -ResultSetSize 50000 -Properties Displayname, lastlogon | select Name, DisplayName, SamAccountName,lastlogon | export-csv \\pctest\c$\test.csv

I am trying to get the users' last logon for that OU. Would this work? Also, how would I do it for the computers in the OU?

So I also found this, but I would like to run this by OU and have it formatted into columns. How the heck do I do that?

Import-Module ActiveDirectory
 
function Get-ADUsersLastLogon()
{
  $dcs = Get-ADDomainController -Filter {Name -like "*"}
  $users = Get-ADUser -Filter *
  $time = 0
  $exportFilePath = "c:\lastLogon.csv"
  $columns = "name,username,datetime"

  Out-File -filepath $exportFilePath -force -InputObject $columns

  foreach($user in $users)
  {
    foreach($dc in $dcs)
    { 
      $hostname = $dc.HostName
      $currentUser = Get-ADUser $user.SamAccountName | Get-ADObject -Server $hostname -Properties lastLogon

      if($currentUser.LastLogon -gt $time) 
      {
        $time = $currentUser.LastLogon
      }
    }

    $dt = [DateTime]::FromFileTime($time)
    $row = $user.Name+","+$user.SamAccountName+","+$dt

    Out-File -filepath $exportFilePath -append -noclobber -InputObject $row

    $time = 0
  }
}
 
Get-ADUsersLastLogon

Oh, you want to know the last logon time? That’s a whole different ball of wax, with multiple different attributes (some of which are downright useless). Check this out: Difference between lastlogon and lastlogontimestamp | Microsoft Learn

To that end, I’ve always used LastLogonTimestamp. That’s described in the linked forum post, but the short-short version is that LastLogonTimestamp is replicated, but only accurate to within about 15 minutes. I never care about greater accuracy than that, and don’t want to query every domain controller to get the right time, so it works for me.

For computers, if you’re looking for computers that haven’t been on the network for a while, check out PasswordLastSet. Computer accounts, just like user accounts, have passwords, and by default, they have to change them every 30 days. They handle this by themselves in the background, but what this means is that any computer that hasn’t changed their password in 60 days has not been seen by the domain for at least 30 days, probably longer, or they would have changed their password more recently.

This isn’t accurate I’m afraid. The LastLogonTimeStamp is only updated if the time the user logs in is GREATER than 14 days from the value of the LastLogonTimeStamp. From your link:

If your domain is at Windows Server 2003 functional level, there is a new attribute called lastLogonTimeStamp you can use. Like lastLogon, this attribute is Integer8 and represents the time when the user last logged onto the domain. Unlike lastLogon, this new attribute is replicated. However, it is only updated when the user logs on if the old value is more than 14 days in the past. That means the value can only be trusted if it is more than 14 days in the past, which is fine for finding old unused accounts. This behavior reduces the synchronization load while still giving administrators the information they need.

So it’s a great attribute to use if you’re looking for users who haven’t logged in in 30 days, but if you’re looking for a report of when they last logged in it’s awful. To get the true time, you have to query every Domain Controller for the lastLogon attribute and find the newest one. I did create a report for this, that’s quite fast too:

https://community.spiceworks.com/scripts/show/2618-last-logon-report-new-lastlogonreport-ps1

1 Spice up
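
Added example, not part of any post in this thread and not the linked report script: one way to get the true last logon for a single OU is to query each domain controller once for the whole OU and keep the newest `lastLogon` per account, with the replicated `lastLogonTimestamp` alongside for comparison. The function name `Get-OULastLogon` and the output path are assumptions; the OU is the one used earlier in the thread.

```powershell
# Added example (assumes the ActiveDirectory module from RSAT is installed).
Import-Module ActiveDirectory

function Get-OULastLogon {   # hypothetical name, not from the thread
    param([Parameter(Mandatory)][string]$SearchBase)

    $newest = @{}   # SamAccountName -> newest lastLogon (FILETIME) seen on any DC
    $users  = @{}   # SamAccountName -> user object, for Name and lastLogonTimestamp
    $query  = @{
        SearchBase  = $SearchBase
        Filter      = '*'
        Properties  = 'lastLogon', 'lastLogonTimestamp'
        ErrorAction = 'Stop'
    }

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # One query per DC for the whole OU, instead of one per user per DC.
            $found = Get-ADUser -Server $dc.HostName @query
        } catch {
            # An unreachable DC means the result may understate the true last logon.
            Write-Warning "Skipping $($dc.HostName): $($_.Exception.Message)"
            continue
        }
        foreach ($u in $found) {
            $key   = $u.SamAccountName
            $value = [long]$u.lastLogon   # not replicated; 0 if never logged on via this DC
            $users[$key] = $u
            if (-not $newest.ContainsKey($key) -or $value -gt $newest[$key]) {
                $newest[$key] = $value
            }
        }
    }

    foreach ($key in ($users.Keys | Sort-Object)) {
        $u = $users[$key]
        [pscustomobject]@{
            Name               = $u.Name
            SamAccountName     = $key
            LastLogon          = if ($newest[$key] -gt 0) { [DateTime]::FromFileTime($newest[$key]) }
            LastLogonTimestamp = if ($u.lastLogonTimestamp -gt 0) { [DateTime]::FromFileTime($u.lastLogonTimestamp) }
        }
    }
}

# OU taken from the thread; the output path is a constructed sample.
Get-OULastLogon -SearchBase 'OU=IT,OU=Users,DC=com,DC=city' |
    Export-Csv -Path 'C:\temp\lastlogon.csv' -NoTypeInformation
```

Accounts that have never logged on come out with empty date columns rather than a 1601 date, which keeps the spreadsheet sortable.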

Oh, mixed up days and hours again, my bad :wink:

Either way, greater accuracy than 14 days has never been a need of a report I’ve used it for, so LastLogonTimestamp has been just fine for my needs. If you need greater accuracy, then Martin’s script is what you’re looking for.

1 Spice up

Thank you all. I do love this script. I feel so dumb for asking this but where do I set the parameters? In the string or in the Parameter setting?

Param (
    [Parameter(ParameterSetName="obj")]
    [Parameter(ParameterSetName="html")]
    [Parameter(ParameterSetName="csv")]
    [string]$SearchBase,
    
    [Parameter(ParameterSetName="obj")]
    [Parameter(ParameterSetName="html")]
    [Parameter(ParameterSetName="csv")]
    [int]$Age,
    
    [Parameter(ParameterSetName="html")]
    [switch]$HTML,
    
    [Parameter(ParameterSetName="csv")]
    [switch]$CSV,
    
    [Parameter(ParameterSetName="html")]
    [Parameter(ParameterSetName="csv")]
    [string]$Path,
    
    [Parameter(ParameterSetName="obj")]
    [Parameter(ParameterSetName="html")]
    [Parameter(ParameterSetName="csv")]
    [string]$MaxThreads = 15
)

Those are command line arguments; assuming you named the script “New-LastLogonReport.ps1”, then you would set them when you call that script, like this;

.\New-LastLogonReport.ps1 -Age 30 -CSV -Path 'C:\temp\report.csv'

1 Spice up
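
Added example, not from any post in this thread: for the computer half of the original question (Name, OS, Last Login), this sketch applies the `PasswordLastSet` check described earlier, using that post's 60-day threshold. The function name `Get-OUComputerReport`, the computers OU distinguished name and the output path are assumptions, since the thread never gives them.

```powershell
# Added example (assumes the ActiveDirectory module from RSAT is installed).
Import-Module ActiveDirectory

function Get-OUComputerReport {   # hypothetical name, not from the thread
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [int]$StaleAfterDays = 60   # threshold taken from the PasswordLastSet post
    )
    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)

    Get-ADComputer -SearchBase $SearchBase -Filter * `
        -Properties OperatingSystem, PasswordLastSet, lastLogonTimestamp |
        ForEach-Object {
            [pscustomobject]@{
                Name               = $_.Name
                OperatingSystem    = $_.OperatingSystem
                # Replicated value; lags real activity, so use it for "old", not "exact".
                LastLogonTimestamp = if ($_.lastLogonTimestamp -gt 0) { [DateTime]::FromFileTime($_.lastLogonTimestamp) }
                PasswordLastSet    = $_.PasswordLastSet
                Enabled            = $_.Enabled
                # Never-set passwords (pre-staged accounts) are also flagged for review.
                Stale              = (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff)
            }
        } | Sort-Object PasswordLastSet
}

# Hypothetical OU path and constructed output path; substitute your own.
Get-OUComputerReport -SearchBase 'OU=IT,OU=Computers,DC=com,DC=city' |
    Export-Csv -Path 'C:\temp\computers.csv' -NoTypeInformation
```

Machines whose automatic machine-account password change has been disabled by policy will be flagged as stale even while active, which is why each row also carries `LastLogonTimestamp` as a second signal.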