Get-Mailbox filter group membership

I am trying to create a PowerShell script that reports on information for a set of mailboxes. How can I use the Get-Mailbox command and filter by the group membership of the AD account connected to the mailbox? I just want a list of mailboxes from accounts that are in the VoicemailEnabled group.
I know this isn't possible but to illustrate what I am trying to do:
$mailboxes = Get-Mailbox -OrganizationalUnit "ou=Rooms,dc=contoso,dc=com" -Filter "Memberofgroup -eq 'VoicemailEnabled'"
Any suggestions on how to do this?

Unless I'm misunderstanding, this cmdlet does it for you: Get-DistributionGroupMember
The above cmdlet doesn't have server-side filtering, because the members are actually only learned AFTER the group is returned. So that means you'd have to do something like:
Get-DistributionGroupMember group1 | where {$_.OrganizationalUnit -eq 'laptop.lab/Demo Users'}
Mike Crowley | MVP
My Blog --
Planet Technologies
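One way to get the list the question asks for, as an added example that is not code from the thread: enumerate the group in AD (a security group such as VoicemailEnabled need not be mail-enabled, so Get-DistributionGroupMember may not apply) and join the members to Get-Mailbox on DistinguishedName. It assumes an Exchange Management Shell session with the ActiveDirectory module loaded, Windows PowerShell 3.0 or later, and the group and OU names from the question as placeholders.

```powershell
# Added example, not from the original thread. Assumes the Exchange Management Shell
# plus the ActiveDirectory module; 'VoicemailEnabled' and the OU are placeholders.
Import-Module ActiveDirectory

function Get-MailboxInGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [string] $OrganizationalUnit        # optional scope, e.g. "ou=Rooms,dc=contoso,dc=com"
    )

    # -Recursive flattens nested groups. Get-ADGroupMember can also hand back computer
    # objects, so keep only user accounts before joining to mailboxes.
    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
               Where-Object { $_.objectClass -eq 'user' }

    # Index the members by DN so the join costs one lookup per mailbox instead of
    # one Get-Mailbox call per group member (hashtable keys are case-insensitive).
    $memberDns = @{}
    foreach ($m in $members) { $memberDns[$m.DistinguishedName] = $true }

    $mailboxParams = @{ ResultSize = 'Unlimited' }
    if ($OrganizationalUnit) { $mailboxParams['OrganizationalUnit'] = $OrganizationalUnit }

    # Get-Mailbox output carries the AD DistinguishedName, which is the join key.
    Get-Mailbox @mailboxParams |
        Where-Object { $memberDns.ContainsKey($_.DistinguishedName) }
}

Get-MailboxInGroup -GroupName 'VoicemailEnabled' -OrganizationalUnit 'ou=Rooms,dc=contoso,dc=com' |
    Select-Object Name, Alias, PrimarySmtpAddress, DistinguishedName |
    Export-Csv -Path .\VoicemailEnabledMailboxes.csv -NoTypeInformation
```

Get-ADGroupMember refuses groups larger than the AD Web Services MaxGroupOrMemberEntries limit (5000 by default); for very large groups read the group's member attribute with Get-ADGroup instead. Exchange 2010 and later also accept `-Filter "MemberOfGroup -eq '<group DN>'"` on Get-Mailbox, which matches server-side but covers direct membership only.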

Similar Messages

  • Group Membership under Settings/My Account is not updating

    We use an External table for User permissions/Groups to get updated in Group Membership.
We use our custom tool to create/update new/existing users with the permissions. Then our ETL picks up the changes from the OLTP tables and updates the User Permission table in our DWH hourly. Now let me explain the present situation. User ABC is an existing user and never used our Report Portal before; we updated user ABC with all the necessary groups to use the Report Portal, and out of curiosity she didn't wait until the hourly ETL run, and she didn't have the necessary permissions to run any reports in the Report Portal. But when she logs in after 1 hr/10 hr/1 day/2 days, the user still doesn't see the permissions getting updated in Group Membership. If we check the User Permission table in the DWH, it is updated with all the new roles, but it is never updated in 'My Account' in Answers. I think this is some kind of Presentation Cache issue, but I did click "Reload Files and Metadata" under Settings and "Close All Cursors" under Settings/Manage Sessions. You may also say it may be the caching on the Initialization Block for the User Permission table, but we did un-check 'Use Caching' right below the Row-wise initialization for the corresponding Initialization Block. We have 3 users with the same issue now. But when the user waits for a certain time (at least 1 hr), and logs in after the actual hourly ETL ran, they were able to get in and use the Report Portal without any issue. So I am kind of sure this is something to do with CACHING and I might be missing something on clearing this type of cache. Could someone please help me out on this? This is in PRD and we are not able to find a solution. Any help would be appreciated!
    -Dinesh

    Yes, we are using Initialization Blocks to update the User Groups. Our USER_PERMISSION table has Login, Company_ID, Roles, etc columns in it. The Initialization Block will query on this Table and the query has a where clause in it and the Where clause "where company_id=(select substr(':USER', 0, (instr(':USER', '.')) - 1) from dual) and upper(login)=upper((select substr(':USER', (instr(':USER', '.')) + 1) from dual))) and dw_delete_date is null" from which it will get the roles for each user. And YES, the Caching is turned off for this initialization block.
And I should try deleting the user folders, but my company has a very strict policy so I should do that in Dev, then QA and then in PRD. Hope this works, but I am still not convinced why this is happening. We cannot keep on deleting the user folders in future if this happens again.

  • How to pipe Get-MailboxStatistics and Get-Mailbox

Hi,
I have two commands but I need the following information in one report.
Ex:
Name
ForwardingAddress
DeliverToMailboxAndForward
Get-Mailbox -Filter {ForwardingAddress -ne $null} | ft Name,ForwardingAddress,DeliverToMailboxAndForward -AutoSize
How do I get that LastLogonTime into the above by combining the following command:
    get-mailboxstatistics
    select-object
    Lastlogontime,
    As

Hi,
Try this:
Get-Mailbox -ResultSize Unlimited | where {$_.ForwardingAddress -ne $null} | ft Name,ForwardingAddress,DeliverToMailboxAndForward
For Get-MailboxStatistics, first check all the object's members and properties by using the command below:
Get-MailboxStatistics <anyMailboxName> | Get-Member
If you see the ForwardingAddress and DeliverToMailboxAndForward properties, then you can pipe these two into Get-MailboxStatistics.
If so:
Get-Mailbox -ResultSize Unlimited | where {$_.ForwardingAddress -ne $null} | Get-MailboxStatistics | ft Name,ForwardingAddress,DeliverToMailboxAndForward,LastLogonTime
If not,
you can't pipe these two into Get-MailboxStatistics along with LastLogonTime.
Then
you have to use Get-MailboxStatistics -ResultSize Unlimited | ft Name,LastLogonTime
    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
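The forwarding settings live on the Get-Mailbox object and LastLogonTime on the Get-MailboxStatistics object, so the two have to be merged per mailbox rather than piped. The following is an added example, not code from the thread; it assumes an Exchange Management Shell session on Exchange 2010 SP1 or later (where ForwardingSmtpAddress exists alongside ForwardingAddress) and Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the original thread. Assumes an Exchange Management Shell
# session (Exchange 2010 SP1+ for ForwardingSmtpAddress) and PowerShell 3.0+.
function Get-ForwardedMailboxReport {
    param([string] $Path = '.\ForwardedMailboxes.csv')

    # ForwardingAddress points at an internal recipient; ForwardingSmtpAddress is an
    # arbitrary SMTP address and is the one worth reviewing, since it is how a mailbox
    # quietly copies mail outside the organisation. The server-side -Filter in the
    # question is faster when only ForwardingAddress matters; here both are wanted.
    $mailboxes = Get-Mailbox -ResultSize Unlimited |
                 Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress }

    $report = foreach ($mbx in $mailboxes) {
        # Get-MailboxStatistics carries LastLogonTime but none of the forwarding
        # settings, so the two objects are merged here. A mailbox that has never been
        # opened has no statistics entry and only emits a warning, hence the null check.
        $stats = Get-MailboxStatistics -Identity $mbx.Identity -WarningAction SilentlyContinue |
                 Select-Object -First 1

        [pscustomobject]@{
            Name                       = $mbx.Name
            PrimarySmtpAddress         = $mbx.PrimarySmtpAddress
            ForwardingAddress          = $mbx.ForwardingAddress
            ForwardingSmtpAddress      = $mbx.ForwardingSmtpAddress
            DeliverToMailboxAndForward = $mbx.DeliverToMailboxAndForward
            LastLogonTime              = if ($stats) { $stats.LastLogonTime } else { $null }
        }
    }

    $report | Sort-Object LastLogonTime | Export-Csv -Path $Path -NoTypeInformation
    $report
}

Get-ForwardedMailboxReport | Format-Table -AutoSize
```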

  • OBIEE only getting limited number of group membership records

    Hey everyone,
    I'm seeing some strange behavior with the group membership functionality of OBIEE. Right now we're on version 10.1.3.2 and we've implemented SSO and we setup a query against LDAP (AD) to get user group information similar to the way Venkat's blog demonstrates:
    http://oraclebizint.wordpress.com/2007/10/12/oracle-bi-ee-101332-and-oid-user-and-group-phase-2/
    At first glance, everything was working smoothly, however, on second glance, I noticed that on users who were part of lots of groups (i.e. 80 groups), not all of their membership information was getting into OBIEE. On my test user, who was part of only 10 groups, I ran a test in which I only gave access to the Answers module to a person from the 10th group. When I logged into OBIEE as my test user, I was able to access answers.
    On my second test user, who had 80 groups, I set access to answers for the 75th and 80th groups (both different tests). Neither test allowed this user to access answers. However, when I choose the 5th group returned, the user was quickly able to see and access answers.
    When I test out the call to the Oracle function in the Admin tool, I see all the groups returned there.
These strange results lead me to believe that there are only so many group membership records that OBIEE can receive. Is that true? Has anyone seen this before? Did I forget to set something appropriately?
    Thanks everyone for your help!
    -Joe

    Hey,
Sorry about the delay in getting back to you, I was slammed with some work right before the holiday. Anyway, below is the sample code and an example of its usage. Be sure to replace the <BASE DN>, <LDAP HOST>, <LDAP USER>, and <LDAP PASSWORD> with the appropriate values for your situation.
    Also, you'll need to create the "ARRAY" datatype like in Venkat's blog.
    Best of luck!
    -Joe
select * from table(getusergroup('Jbertram'));
create or replace FUNCTION GETUSERGROUP(Username in Varchar2) RETURN ARRAY PIPELINED AS
    -- Adjust as necessary.
    l_retval      pls_integer;
    l_session     dbms_ldap.session;
    l_attrs       dbms_ldap.string_collection;
    l_message     dbms_ldap.message;
    l_entry       dbms_ldap.message;
    l_attr_name   varchar2(256);
    l_ber_element dbms_ldap.ber_element;
    l_vals        dbms_ldap.string_collection;
    l_raw         dbms_ldap.binval_collection;
    l_ldap_base   varchar2(256) := '<BASE DN>';
    -- Username is concatenated into the filter unescaped; pass only sanitised values
    -- (or escape the RFC 4515 special characters) before calling this function.
    l_filter      varchar2(100) := '(&(cn='||Username||'))';
    l_ldap_host   varchar2(100) := '<LDAP HOST>';
    l_ldap_port   number := 389;   -- plain LDAP: the simple bind below sends the password in clear text
    l_ldap_user   varchar2(100) := '<LDAP USER>';
    l_ldap_passwd varchar2(100) := '<LDAP PASSWORD>';
    l_result      varchar2(100);
begin
    -- Choose to raise exceptions.
    dbms_ldap.use_exception := true;
    dbms_ldap.utf8_conversion := false;
    -- Connect to the LDAP server.
    l_session := dbms_ldap.init(hostname => l_ldap_host, portnum => l_ldap_port);
    l_retval := dbms_ldap.simple_bind_s(ld => l_session, dn => l_ldap_user, passwd => l_ldap_passwd);
    -- Request only the memberOf attribute.
    l_attrs(1) := 'memberOf';
    --l_attrs(2) := 'cn';
    l_retval := dbms_ldap.search_s(ld => l_session
                                  ,base => l_ldap_base
                                  ,scope => dbms_ldap.scope_subtree
                                  ,filter => l_filter
                                  ,attrs => l_attrs
                                  ,attronly => 0
                                  ,res => l_message);
    if dbms_ldap.count_entries(ld => l_session, msg => l_message) > 0
    then
        -- Get all the entries returned by our search.
        l_entry := dbms_ldap.first_entry(ld => l_session, msg => l_message);
        <<entry_loop>>
        while l_entry is not null
        loop
            -- Get all the attributes for this entry.
            dbms_output.put_line('---------------------------------------');
            l_attr_name := dbms_ldap.first_attribute(ld => l_session
                                                    ,ldapentry => l_entry
                                                    ,ber_elem => l_ber_element);
            <<attributes_loop>>
            while l_attr_name is not null
            loop
                -- Get all the values for this attribute.
                l_vals := dbms_ldap.get_values(ld => l_session, ldapentry => l_entry, attr => l_attr_name);
                <<values_loop>>
                for i in l_vals.first .. l_vals.last
                loop
                    -- Each memberOf value is a group DN such as CN=GroupName,OU=...;
                    -- keep the text between "CN=" and the first comma.
                    dbms_output.put_line(substr(l_vals(i),4,instr(l_vals(i),',')-4));
                    PIPE ROW(substr(l_vals(i),4,instr(l_vals(i),',')-4));
                end loop values_loop;
                l_attr_name := dbms_ldap.next_attribute(ld => l_session
                                                       ,ldapentry => l_entry
                                                       ,ber_elem => l_ber_element);
            end loop attributes_loop;
            l_entry := dbms_ldap.next_entry(ld => l_session, msg => l_entry);
        end loop entry_loop;
    end if;
    -- Disconnect from the LDAP server.
    l_retval := dbms_ldap.unbind_s(ld => l_session);
    --dbms_output.put_line('L_RETVAL: ' || l_retval);
    return;
end;

  • How to create LDAP filter-based rule to check Group membership in OAM

    Hi folks,
I'm having a hard time creating an authorization rule to verify LDAP group membership. I've followed the "Configure User Authorization" article from the Oracle website (http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2authz.htm#BABHBFEJI) and created an Authorization scheme with ldap_attribute_name as User Parameter and ruleExpression as Required Parameter. Then, inside my policy I created an Authorization Rule based on my Authz scheme with an Allow Access attribute filter-based Rule which looks like this:
    ldap://ldap_server:port/ou=People,o=Company,c=US??sub?(ldap_attribute_name=ldap_attribute_value)
    This works fine.
    Now, I've added another filter-based rule under the same Authz Rule/Allow Access:
    ldap://ldap_server:port/ou=Groups,o=Company,c=US?uniqueMember?sub?(&(objectClass=groupOfUniqueNames)(cn=ldap_group_name))
While the query looks somewhat correct and works as a command-line argument (slightly modified format), it does not work in OAM (meaning people without the required group membership can still log in).
    Can someone steer me to the right direction as to what do I need to do:
    1. Change/fix the ldap query
    2. Create new Authz scheme with uniqueMember userParameter; create new Authz rule based on new authz scheme; create new Allow Access filter rule with the ldap query I have
3. Do something else
    Any help is greatly appreciated.
    Thank you, Roman

    You can create two authorization rules
    First for user with attribute
    and second for group
    and then in authorization expression you can have AND of these two.
    Regarding your query...
First... If your requirement is to give access to all the members of a particular group then you don't require any LDAP filters.
All you have to do is, in the authorization rule -> Allow Access -> Select People (here you have to select a group, so click on the group tab; it's a little hard to see but it's there in light blue on the dark blue tab) -> select the group you want to give access to.
Second... If your requirement is such that you want to give access to a member of a group which has a certain attribute, let's say a group with status active (in this case you are not aware of the name of the group because the user can be a member of any group, but you want to give access only to the group with the specific attribute), then you have to write a custom authorization plugin.
If the option is the second, let me know; I can give you a solution which will work for a single domain without the effort of developing a major plugin.
    Hope this helps,
    Sagar

  • Getting list of all users and their group memberships from Active Directory

    Hi,
    I want to retrieve a list of all the users and their group memberships through JNDI from Active Directory. I am using the following code to achieve this:
    ==================
import javax.naming.*;
import java.util.Hashtable;
import javax.naming.directory.*;

public class GetUsersGroups {
    public static void main(String[] args) {
        String[] attributeNames = {"memberOf"};
        // create an initial directory context
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://172.19.1.32:389/");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
        env.put(Context.SECURITY_CREDENTIALS, "p8admin");
        try {
            // Create the initial directory context
            DirContext ctx = new InitialDirContext(env);
            // get all the users list and their group memberships
            NamingEnumeration<NameClassPair> contentsEnum = ctx.list("CN=Users,DC=filenetp8,DC=com");
            while (contentsEnum.hasMore()) {
                NameClassPair ncp = contentsEnum.next();
                String userName = ncp.getName(); // name relative to the listed container, e.g. "CN=Administrator"
                System.out.println("User: " + userName);
                try {
                    System.out.println("am here....1");
                    Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should be returned
                    System.out.println("am here....2");
                    Attribute groupsAttribute = attrs.get(attributeNames[0]); // memberOf
                    if (groupsAttribute != null) { // absent when the user is in no groups
                        System.out.println("-----" + groupsAttribute.size());
                        // memberOf is a multi valued attribute
                        for (int i = 0; i < groupsAttribute.size(); i++) {
                            // print out each group that user belongs to
                            System.out.println("MemberOf: " + groupsAttribute.get(i));
                        }
                    }
                } catch (NamingException ne) {
                    // ignore for now
                    System.err.println("Problem encountered....0000:" + ne);
                }
            }
            // get all the groups list
            ctx.close();
        } catch (NamingException e) {
            System.err.println("Problem encountered 1111:" + e);
        }
    }
}
    =================
    The following exception gets thrown at every user entry:
    User: CN=Administrator
    am here....1
    Problem encountered....0000:javax.naming.NamingException: [LDAP: error code 1 -
    000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0
    ]; remaining name 'CN=Administrator'
    I think it gets thrown at this line in the code:
    Attributes attrs = ctx.getAttributes(userName, attributeNames);
    Any idea how to overcome this and where am I wrong?
    Thanks in advance,
    Regards.

    In this sentence:
    Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should
    It seems Ok when I add "CN=Users,DC=filenetp8,DC=com" after userName, just as
    userName + ",CN=Users,DC=filenetp8,DC=com"
    But I still have some problem with it.
    Hope it will be useful for you.
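The error in the question comes from passing a name that is relative to the listed container into a context rooted at the server, which is what appending the container DN fixes. The same enumeration done from PowerShell with System.DirectoryServices, as an added example that is not from the thread, binds straight to the full container path and reads memberOf with paged results. It assumes a domain-joined host or explicit credentials; the server, container and account names are placeholders standing in for the ones in the question.

```powershell
# Added example, not from the original thread. Uses System.DirectoryServices, which
# needs no RSAT module; the LDAP path and credential are placeholders.
function Get-UserGroupMemberships {
    param(
        # Full path to the container, e.g. "LDAP://dc01.filenetp8.com/CN=Users,DC=filenetp8,DC=com"
        [Parameter(Mandatory)] [string] $LdapPath,
        [System.Management.Automation.PSCredential] $Credential   # omit to use the logged-on identity
    )

    if ($Credential) {
        $root = New-Object System.DirectoryServices.DirectoryEntry(
            $LdapPath, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    } else {
        $root = New-Object System.DirectoryServices.DirectoryEntry($LdapPath)
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = '(&(objectCategory=person)(objectClass=user))'
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500   # paged results sidestep the server's 1000-entry size limit
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName', 'memberOf'))

    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            # memberOf is multi-valued and simply absent for a user in no groups; @() turns
            # that into an empty array. It never lists the primary group (Domain Users by default).
            $groups = @($result.Properties['memberof'])
            [pscustomobject]@{
                SamAccountName    = [string]$result.Properties['samaccountname'][0]
                DistinguishedName = [string]$result.Properties['distinguishedname'][0]
                GroupCount        = $groups.Count
                MemberOf          = ($groups -join ';')
            }
        }
    } finally {
        $results.Dispose()
        $searcher.Dispose()
    }
}

Get-UserGroupMemberships -LdapPath 'LDAP://dc01.filenetp8.com/CN=Users,DC=filenetp8,DC=com' |
    Export-Csv -Path .\UserGroups.csv -NoTypeInformation
```

Pass `-Credential (Get-Credential)` to bind as a specific account; leaving the password out of the script avoids the hard-coded credential in the original listing.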

  • Get AD group membership doesn't work for global groups

    I want to pull the group membership for OBIEE directly from AD.
    This has been covered in many blogs and forums, no problem, I've found some user created functions - basically all of it uses
    DBMS_LDAP package methods
    with one exception that additionally to it also uses
    DBMS_LDAP_UTL.get_group_membership
    ALL THOSE functions work BUT I've verified it with the actual group membership from AD or adfind tool (http://www.joeware.net/freetools/tools/adfind/index.htm)
    The list returned by Oracle packages doesn't match, or to be exact only partially matches the factual AD list.
    I've done some research and found there are three types used for defining group's scope by AD:
    Domain Local, Global, or Universal
    (http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx)
    leaving the first one out of the scope as we don't use it
    - I've verified and found ALL missing ONES are defined as GLOBAL
All the Oracle functions I've found correctly pull only UNIVERSAL group memberships and none of the GLOBAL ones
    Microsoft documentation says that both of them (Universal and Global) have forest-wide visibility....
    and so AdFind can list both..
    so why Oracle limits the search to UNIVERSAL ones only?
Maybe it's a matter of initializing those DBMS_LDAP packages differently or passing slightly different parameters??
    I've really tried a lot of this code in different combinations but no joy
    Has anyone got some ideas?

    ...I try to block the usage of the command prompt only on this server.
    I have the same question as jrv: Why? It doesn't increase security. The command prompt is a program, not a security boundary.
    Disabling the command prompt does NOT increase security
    -- Bill Stewart [Bill_Stewart]

  • Get-aduser -filter -memberof group name issues

    I want to use powershell to return all users who are domain admins into a CSV
    Are these commands close to what I should be doing?
get-aduser -filter -memberof "domain admin"
get-adgroupmember -filter "-eq 'Domain Admin'"
Then I will be exporting to CSV with this working part of the script.
    -Properties * | Select-Object -Property Name,DisplayName,Title,EmailAddress,GivenName,sn,StreetAddress,Office,City,State,PostalCode,Country,OfficePhone,Company,HomePhone,mobile,Department | Sort-Object -Property Name | export-csv c:\UserPropertiesCSV.csv

    If you want more information than is being returned by Get-ADGroupMember, you can pipe the results into Get-ADUser.
    Get-ADGroupMember "Domain Admins" |
    Get-ADUser -properties Displayname, Title, EmailAddress, GivenName, sn, StreetAddress, Office, City, State, PostalCode, Country, OfficePhone, Company, HomePhone, Mobile, Department |
    Select-Object Name, DisplayName, Title, EmailAddress, GivenName, sn, StreetAddress, Office, City, State, PostalCode, Country, OfficePhone, Company, HomePhone, Mobile, Department |
    Export-CSV ".\results.csv"

  • AD Group Membership with User From Domain Outside of Forest

    Here's one to twist your brain around -
    I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
    I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
    Approach #1
    Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
    Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
    Approach #2
    Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
    Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
    adTHANKSvance
    Eric

    You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
    This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
    If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
    Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
    http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation exercise.
You'll need to obtain the user's SID (either from the cn or from the objectSID attribute) from the foreignSecurityPrincipal object. For example:
CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
objectSID=S-1-5-21-3771862615-1804478405-1612909269-2143
Then obtain the domain RID, e.g. S-1-5-21-3771862615-1804478405-1612909269
Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossRef objects that represent trusted domains or forests will have values for their trustParent attributes. A sample query would be something like:
//specify the LDAP search filter
String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
//Specify the Base for the search
String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";
For each crossRef object, you can then use the dnsRoot attribute to determine the DNS domain name of the forest/domain (if you want to later use DNS to search for the DNS name/IP address of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.
dnsRoot = contoso.com
ncName = dc=contoso,dc=com
Perform another bind to the ncName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RIDs with domain distinguished names and DNS names.
String ldapURL = "ldap://contoso.com:389";
Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
System.out.println("Domain SID: " + attrs.get("objectSID").get());
Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user". And then finally you should have the user object that represents the foreign security principal!
Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents the process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships, if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have "orphaned foreign security principals", where the original user object has been deleted!
BTW, if I was doing this purely on Windows, IIRC, you just use one API call, DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc.
    Good luck.
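The SID-to-domain navigation above, done from PowerShell on the Windows side, as an added example that is not code from the thread. It differs from the reply in one respect, stated plainly: instead of walking the crossRef objects in CN=Partitions it reads the trustedDomain objects under CN=System of the local domain (each carries the trusted domain's SID in securityIdentifier and its DNS name in trustPartner), and it uses an LSA lookup (Translate) for the "real user", which is the DsCrackNames-style shortcut the reply mentions. It assumes the ActiveDirectory module, Windows PowerShell 3.0 or later, a domain-joined host, and a placeholder group name.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory module on a
# domain-joined host; the group name is a placeholder.
Import-Module ActiveDirectory

function ConvertTo-Sid {
    param($Value)   # the AD module may return a SecurityIdentifier or a raw byte[]
    if ($Value -is [System.Security.Principal.SecurityIdentifier]) { return $Value }
    return New-Object System.Security.Principal.SecurityIdentifier($Value, 0)
}

function Get-TrustedDomainMap {
    # Map of domain SID -> DNS name for every trust the local domain has; trustedDomain
    # objects live under CN=System of the domain naming context.
    $map = @{}
    $domainNc = (Get-ADRootDSE).defaultNamingContext
    Get-ADObject -SearchBase "CN=System,$domainNc" -LDAPFilter '(objectClass=trustedDomain)' `
                 -Properties securityIdentifier, trustPartner |
        ForEach-Object { $map[(ConvertTo-Sid $_.securityIdentifier).Value] = $_.trustPartner }
    $map
}

function Resolve-ForeignGroupMember {
    param([Parameter(Mandatory)] [string] $GroupName)

    $trusted = Get-TrustedDomainMap
    $members = (Get-ADGroup -Identity $GroupName -Properties member).member

    foreach ($dn in $members) {
        if ($dn -notmatch ',CN=ForeignSecurityPrincipals,') { continue }

        # The FSP's CN is the member's SID; the domain SID is the SID minus its final RID.
        # AccountDomainSid is $null for well-known SIDs such as Authenticated Users (S-1-5-11).
        $sidString = ($dn -split ',')[0] -replace '^CN='
        $sid       = New-Object System.Security.Principal.SecurityIdentifier($sidString)
        $domainSid = $sid.AccountDomainSid

        # Translate() asks LSA, which follows the trust for us. It fails for an orphaned
        # FSP whose source account was deleted, so report that rather than throwing.
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = '<unresolved: orphaned FSP or trust unreachable>' }

        $domainName = '<not a known trust>'
        if ($domainSid -and $trusted.ContainsKey($domainSid.Value)) { $domainName = $trusted[$domainSid.Value] }

        [pscustomobject]@{
            MemberDn      = $dn
            Sid           = $sid.Value
            DomainSid     = if ($domainSid) { $domainSid.Value } else { $null }
            TrustedDomain = $domainName
            Account       = $account
        }
    }
}

Resolve-ForeignGroupMember -GroupName 'Remote Desktop Users' | Format-Table -AutoSize
```

Members that resolve to a trusted domain but fail Translate are the orphaned foreign security principals the reply warns about; they are worth removing from the group since they no longer correspond to an account.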

  • Report of Groups owned along with group memberships for each group, all in a single .csv file

    Hello all,
What I'm trying to do is generate a report of all groups owned by a specific user, along with the group memberships, and output it all to a single .csv file. In the .csv file, I would like to have the group names as the column headers, and underneath the group name, list all the members of the group down through the column. So for example, if User1 owns 3 groups, the output would look like:
    What I'm having trouble with is outputting the objects to the .csv using New-Object psobject, and I'm starting to wonder if there is an easier way to do this and my brain is just fried.
    Any ideas?

    OK so I can try and give some code here, but I'm asking more of a concept question about how PowerShell builds objects so I'm not sure it will help....
$User = "User1"
get-adgroup -filter {managedby -eq $user} -pr member | %{
    $_.name
    $_.member
}
    OK so this is a simple script that outputs a group name followed by the membership, all in a single column. What I would like is for the group names to each be the header of a column, and have the membership listed underneath. For example:
    Is this possible in PowerShell?
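It is possible, and the trick is that Export-Csv wants one object per row with one property per column, so the group lists have to be transposed first. The following is an added example, not code from the thread; it assumes the ActiveDirectory module and Windows PowerShell 3.0 or later, and resolves the owner to a distinguished name because managedBy stores a DN rather than a sAMAccountName (so the filter in the snippet above matches only if $User already holds the DN).

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory module and
# PowerShell 3.0+; 'User1' and the output path are placeholders.
Import-Module ActiveDirectory

function Get-OwnedGroupReport {
    param(
        [Parameter(Mandatory)] [string] $Owner,                   # sAMAccountName of the owner
        [string] $Path = '.\OwnedGroups.csv'
    )

    # managedBy holds the owner's DN, so resolve the account first.
    $ownerDn = (Get-ADUser -Identity $Owner).DistinguishedName
    $groups  = Get-ADGroup -Filter { managedBy -eq $ownerDn } -Properties member
    if (-not $groups) { return }

    # One list of member names per group; the group name becomes the column header.
    # FSPs and other objects without a sAMAccountName fall back to their DN.
    $columns = [ordered]@{}
    foreach ($g in $groups) {
        $names = foreach ($dn in $g.member) {
            $obj = Get-ADObject -Identity $dn -Properties sAMAccountName
            if ($obj.sAMAccountName) { $obj.sAMAccountName } else { $dn }
        }
        $columns[$g.Name] = @($names)
    }

    # CSV is row-oriented: pad every column to the length of the longest membership list.
    $rowCount = 0
    foreach ($list in $columns.Values) { if ($list.Count -gt $rowCount) { $rowCount = $list.Count } }

    $rows = for ($i = 0; $i -lt $rowCount; $i++) {
        $row = [ordered]@{}
        foreach ($name in $columns.Keys) {
            $row[$name] = if ($i -lt $columns[$name].Count) { $columns[$name][$i] } else { '' }
        }
        [pscustomobject]$row
    }

    $rows | Export-Csv -Path $Path -NoTypeInformation
    $rows
}

Get-OwnedGroupReport -Owner 'User1' | Format-Table -AutoSize
```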

  • Read group membership for a user object and populate every group with matching user from another domain

    I have LON\JSmith in LON domain and DEL\JimSmith in DEL domain
    I would like to extract group memberships of LON\JSmith in LON domain and append matching by email (i.e. DEL\JimSmith) user object in every group in LON domain.
    for instance
    LON\JSmith and DEL\JimSmith is the same person and has same email address [email protected]
    LON\JSmith belongs to 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey
    The outcome of the script should be
    LON\JSmith; DEL\JimSmith    should be in 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey.
How can I do it?
    Navgup

    Hi Navgup,
Please refer to the script below to query users in the other domain by specifying the parameter "-Server" in the cmdlet "Get-ADUser"; also note that I haven't tested the script below:
import-module activedirectory
get-adgroupmember "group" | foreach {
    $email = (get-aduser $_.samaccountname -properties *).EmailAddress  # get the user email
    Get-ADUser -filter {EmailAddress -eq $email} -properties * -server DomainB.company.com | select samaccountname, memberof  # filter user name and group with the email in the other domain
}
To get users across domains, please also refer to this blog:
    Adding/removing members from another forest or domain to groups in Active Directory:
    http://blogs.msdn.com/b/adpowershell/archive/2010/01/20/adding-removing-members-from-another-forest-or-domain-to-groups-in-active-directory.aspx?Redirected=true
    I hope this helps.

  • Group membership redirect with AD LDS

    I have my LDS instance synchronized with my AD environment. I am only synchronizing objectClass=user. I am creating userProxyFull objects on the LDS side. Authentication is working as I have tested authenticating with an AD user to LDS.
My application person would like to query group membership, that is the group membership that exists in AD. Is it possible to redirect group membership queries so that the group membership information from AD is provided to the application that is using the userProxyFull object in LDS?
    Thanks,
    Paul

    Hi,
Why do you need userProxy and AD LDS? Is it that the application can only support LDAP simple bind, or that you need a form of distinguishedName other than that in your AD, or that the application cannot reach your DCs?
    To do Authorization, if you have ruled out having the application query AD DCs, your options are:
    [1] have the application maintain an Authorization database and sync that from your AD or provisioning system if you really need it to follow AD group membership
[2] use adamsync to sync the groups as well as doing the userProxy transform, something like:
        <object-filter>(|(objectClass=user)(objectClass=group))</object-filter>
        <attributes>
        <include>objectSID</include>
        <include>member</include>
        <exclude></exclude>
        </attributes>
it would be best to spin up another AD LDS instance to try this against. You then need to test adding and removing users from the AD groups and check that those changes sync. This might work but unfortunately the more creative you get with object-filter in adamsync, the more surprising the results tend to be.
[3] a variation on [1], ldif export your group memberships from AD and import into AD LDS (distinguishedName re-writing may be required)
[4] have the application bind with the userProxy credentials to the rootDSE of the AD LDS instance and read tokenGroups to get a list of SIDs that you then need to resolve into groups (I mention this for completeness but it's possibly more complex application development than you would want to do...)
Other options are:
use a virtual directory tool
use a different sync tool e.g. FIM or Quest One Connect (disclaimer: I have never used the latter)
review the application to see if direct AD DC access is possible.
    Lee Flight

  • PowerShell: AD Group Membership

    Is it possible to generate group membership for all groups in AD, b member of that group?
    Thanks
    *alex

    One good thing about using DirectoryServices.DirectorySearcher in PowerShell is that the syntax is so similar to similar VBScript programs using ADODB. The first program in VBScript would be as follows:
    Option Explicit
    Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
    Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strName, strDN
    Dim strLine, arrMembers, strMember
    ' Setup ADO objects.
    Set adoCommand = CreateObject("ADODB.Command")
    Set adoConnection = CreateObject("ADODB.Connection")
    adoConnection.Provider = "ADsDSOObject"
    adoConnection.Open "Active Directory Provider"
    Set adoCommand.ActiveConnection = adoConnection
    ' Search entire Active Directory domain.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")
    strBase = "<LDAP://" & strDNSDomain & ">"
    ' Filter on group objects.
    strFilter = "(objectCategory=group)"
    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "distinguishedName,sAMAccountName,member"
    ' Construct the LDAP syntax query.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 200
    adoCommand.Properties("Timeout") = 30
    adoCommand.Properties("Cache Results") = False
    ' Run the query.
    Set adoRecordset = adoCommand.Execute
    ' Enumerate the resulting recordset.
    Do Until adoRecordset.EOF
        ' Retrieve values and display.
        strDN = adoRecordset.Fields("distinguishedName").Value
        strName = adoRecordset.Fields("sAMAccountName").Value
        strLine = """" & strDN & """,""" & strName & """"
        arrMembers = adoRecordset.Fields("member").Value
        If Not IsNull(arrMembers) Then
            For Each strMember In arrMembers
                strLine = strLine & ",""" & strMember & """"
            Next
        End If
        Wscript.Echo strLine
        ' Move to the next record in the recordset.
        adoRecordset.MoveNext
    Loop
    ' Clean up.
    adoRecordset.Close
    adoConnection.Close
    The second program, where sAMAccountNames are substituted for member DNs, would be as follows:
    Option Explicit
    Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
    Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strName, strDN
    Dim strLine, arrMembers, strMember, objMemberList
    ' Setup ADO objects.
    Set adoCommand = CreateObject("ADODB.Command")
    Set adoConnection = CreateObject("ADODB.Connection")
    adoConnection.Provider = "ADsDSOObject"
    adoConnection.Open "Active Directory Provider"
    Set adoCommand.ActiveConnection = adoConnection
    ' Search entire Active Directory domain.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")
    strBase = "<LDAP://" & strDNSDomain & ">"
    ' Retrieve all users, groups, and computers.
    strFilter = "(|(objectCategory=user)(objectCategory=group)(objectCategory=computer))"
    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "distinguishedName,sAMAccountName"
    ' Dictionary object (hash table).
    Set objMemberList = CreateObject("Scripting.Dictionary")
    objMemberList.CompareMode = vbTextCompare
    ' Construct the LDAP syntax query.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 200
    adoCommand.Properties("Timeout") = 30
    adoCommand.Properties("Cache Results") = False
    ' Run the query.
    Set adoRecordset = adoCommand.Execute
    ' Enumerate the recordset.
    Do Until adoRecordset.EOF
        ' Retrieve values and display.
        strDN = adoRecordset.Fields("distinguishedName").Value
        strName = adoRecordset.Fields("sAMAccountName").Value
        ' Skip contacts.
        If (strName <> "") Then
            objMemberList.Add strDN, strName
        End If
        ' Move to the next record in the recordset.
        adoRecordset.MoveNext
    Loop
    ' Recordset must be closed before it can be opened again.
    adoRecordset.Close
    ' Filter on all group objects.
    strFilter = "(objectCategory=group)"
    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "distinguishedName,sAMAccountName,member"
    ' Construct the LDAP syntax query.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    adoCommand.CommandText = strQuery
    ' Run the query.
    Set adoRecordset = adoCommand.Execute
    ' Enumerate the resulting recordset.
    Do Until adoRecordset.EOF
        ' Retrieve values and display.
        strDN = adoRecordset.Fields("distinguishedName").Value
        strName = adoRecordset.Fields("sAMAccountName").Value
        strLine = """" & strDN & """,""" & strName & """"
        arrMembers = adoRecordset.Fields("member").Value
        If Not IsNull(arrMembers) Then
            For Each strMember In arrMembers
                If (objMemberList.Exists(strMember) = True) Then
                    ' Substitute the sAMAccountname from dictionary object.
                    strLine = strLine & ",""" & objMemberList(strMember) & """"
                Else
                    ' Use the Distinguished Name.
                    strLine = strLine & ",""" & strMember & """"
                End If
            Next
        End If
        Wscript.Echo strLine
        ' Move to the next record in the recordset.
        adoRecordset.MoveNext
    Loop
    ' Clean up.
    adoRecordset.Close
    adoConnection.Close
    Richard Mueller - MVP Directory Services
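    The same two-pass approach (build a DN-to-sAMAccountName map, then walk every group's member attribute) written against System.DirectoryServices.DirectorySearcher, as an added example that is not part of Richard Mueller's post. It assumes a domain-joined machine with read access to the default naming context; the helper names New-AdSearcher and Get-FirstValue are this example's own.

```powershell
# Added example (not from the original post): PowerShell equivalent of the second
# VBScript program, using DirectorySearcher. Assumes a domain-joined machine with
# read access to the default naming context.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.Get("defaultNamingContext")
$domain   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainDn")

function New-AdSearcher {
    param([string]$Filter, [string[]]$Attributes)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain, $Filter, $Attributes)
    $searcher.PageSize    = 200        # paged results, like "Page Size" = 200 in the ADO version
    $searcher.SearchScope = 'Subtree'
    return $searcher
}

# First value of a result property; the property may be absent on some objects.
function Get-FirstValue($Result, [string]$Name) {
    $values = $Result.Properties[$Name]
    if ($values -and $values.Count -gt 0) { return [string]$values[0] }
    return $null
}

# Pass 1: distinguishedName -> sAMAccountName for users, groups and computers.
# A PowerShell hashtable has case-insensitive keys, like the Dictionary with vbTextCompare.
$memberList = @{}
$searcher = New-AdSearcher '(|(objectCategory=user)(objectCategory=group)(objectCategory=computer))' @('distinguishedName','sAMAccountName')
foreach ($r in $searcher.FindAll()) {
    $dn   = Get-FirstValue $r 'distinguishedname'
    $name = Get-FirstValue $r 'samaccountname'
    if ($name) { $memberList[$dn] = $name }   # contacts have no sAMAccountName and are skipped
}

# Pass 2: every group with its members, DNs replaced by sAMAccountName where known.
# Caveat: a group with more than 1500 members returns 'member' in ranges
# (member;range=0-1499); this example does not follow up those ranges.
$searcher = New-AdSearcher '(objectCategory=group)' @('distinguishedName','sAMAccountName','member')
foreach ($r in $searcher.FindAll()) {
    $dn   = Get-FirstValue $r 'distinguishedname'
    $name = Get-FirstValue $r 'samaccountname'
    $members = foreach ($m in $r.Properties['member']) {
        if ($memberList.ContainsKey($m)) { $memberList[$m] } else { [string]$m }
    }
    [pscustomobject]@{ DistinguishedName = $dn; Name = $name; Members = ($members -join ';') }
}
```

Pipe the output to Export-Csv to get a file comparable to the Wscript.Echo lines above.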

  • Get-Recipient or Get-Mailbox and "white spaces" after import user to TXT files.

    Hi Guys,
    This week I had a small task: moving mailboxes from an old SBS to a new Exchange user. I completed it with only small problems. Of course I decided to use PowerShell to make my life simple.
    Step 1.
    Get-Recipient | Select-Object name, Database | where database -Match "Mailbox Database" | FT -Property name | Out-File -FilePath c:\ex_users.txt
    or
    Get-Mailbox  | select name, servername | where ServerName -match Server1 | select Name | Out-File -FilePath c:\ex_users.txt -Encoding UTF8
    Unfortunately I had to spend some time cleaning the output files. After exporting the files I noticed that something was wrong with the text format.
    How can I avoid the "white spaces"?

    We always want to do our filtering as close to the left of a command as possible. Keeping this in mind, the first thing I looked for was to see if Get-Recipient had a filter parameter and it does.
    Get-Recipient -Filter {Database -eq 'CN=Mailbox Database,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomin,DC=com'} | Select-Object -ExpandProperty Name | Out-File -FilePath 'C:\outfile-filter.txt'
    This seemed somewhat cumbersome because it required a lengthy DistinguishedName (DN). By the way, to get the DN of a database, use a modified version of this code.
    Get-MailboxDatabase -Identity databasename | Select-Object DistinguishedName
    I decided we would try filtering with the Where-Object cmdlet much like you did in your example. Notice that I bumped it to the left so our filter ran prior to our select - something you should always do.
    Get-Recipient | Where-Object {$_.Database -match 'Mailbox Database'} | Select-Object -ExpandProperty Name | Out-File -FilePath 'C:\outfile-where.txt'
    Whichever way you do this, either the first or third code sample should help you write your data to a text file without the white space issue. I haven't looked at your second example but I suspect you could use some of this post to figure that one out yourself.
    Let us know and good luck.

  • Computer's group membership

    I am trying to find a way to list the groups a computer knows it is a member of. Normally a computer only picks up a group membership change after a reboot. You can purge the kerb tickets and it will sometimes pick up the new membership.
    I have a requirement to determine if a group membership has propagated to >300 servers for GPO filtering, but the only way I can find to validate this is by running a gpresult and checking the computer group memberships.
    I started by trying to run a gpresult remotely but that does not always return the computer group membership. Is there a WMI call that can pull this, or can a Kerberos ticket be disassembled to get the memberships?

    jrv,
    I understand how Active Directory and the various methods of GPO provisioning work.
    The systems in question (>300 production servers) have been added to a provisioning group. This group is used to filter application of a GPO. I need to validate that the systems have picked up the new group membership before moving forward with a multi-step implementation.
    When a gpresult is run the output displays the groups the system is a member of in order to determine GPO application. I am trying to get this data from remote systems programmatically, hence why I posted in this forum, since I am specifically asking if anyone knows of a WMI (or other) call that would return the computer group memberships.
    As I re-organize a GPO structure in dire need of cleanup I am going to have to do this validation multiple times over a large number of servers. Being able to automate this process would help quite a bit.
    "For computer accounts this requires a reboot." - See this article: http://setspn.blogspot.com/2010/10/updating-servers-security-group.html
