Active Directory: Working with Users and Security Groups using PowerShell

Listing user’ group membership

To list the groups a user is a member of:

Or

The only difference between the two is that the latter includes the primary group. e.g. Domain Users.

List MemberOf given Security Group

To list all members of a the “Domain Admins” Security Group, inlcuding nested groups and return only the SamAccountName:

Something I regularly use this for is to email users who will be affected by a change pertaining to the given security group. Therefore, to return a list of email addresses:

Outlook, ofcourse will accept usernames or display names. If you want to export to a CSV file:

The last bit ; ii C:\Temp\MemberOf_DOMAIN-ADMINS.csv , simply opens the file. To find out what ii is an alias for: Get-Alias ii

 

Adding to groups

To add all users with ExtensionAttribute3 set to “user” to an AD Security Group named “DG-XenSSO-AD”.

To add all users who are a member of Security Group “DG-XenSSO-AD” to AD Security Group named “DG-XenSSO-LIVE”.
(Essentially copying from one group to another).

Copying a user’s Group Membership to another user

To copy the group membership of user A to user B:

 

Getting user information based on group membership

These two lines will pull the Name and Mail properties for all members of AD security group named “DG-XenPreLive” and optionally export to a CSV.

 

Getting user informaiton based on group membership with additional filters

This scriptlet does the same as the one above with the addition of filtering on ExtensionAttribute3 where its value = “user”.

 

Find Blank Values

Looks in the “ExtensionAttribute3” Attribute for empty records.

Find unique values

Looks in the “ExtensionAttribute3” Attribute and returns on unique values.

Count the number of items in each attribute

This returns the number of unique items in each of the 15 “ExtensionAttribute” Attributes.

 

Copy AD Attributes

This example copies the AD attribute ipPhone to ExtensionsAttribute6 for a single user who’s SamAccountName = “jsmith”:

To clear ipPhone, effectively moving:

To revert the change:

Clear ExtensionAttribute6

-Remove
-Add
-Replace
-Clear

These works with PowerShell v2 on Windows Server 2008 R2.

Please feel free to leave a comment...