PowerShell Script Get the User's Active Directory Fully Qualified Login Name for Specific Locked Out Accounts
I have a script which displays locked out accounts. It works great.
I'd like to display the fully qualified Active Directory Login Name instead of the LastName, First Name:
Example: Davis, Susan
Want instead: Domain\Susan.Davis
I'd also like to include an additional filter to look for only Domain\Susan.Davis OR Domain\Robin.Givens
Here is my script:
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = "(&(objectClass=User)(lockoutTime>=1))"
$colProplist = "name","samaccountname"
foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i) | out-null}
$colResults = $objSearcher.FindAll()
foreach ($objResult in $colResults) {
$domainname = $objDomain.name
$samaccountname = $objResult.Properties.samaccountname
$user = [ADSI]"WinNT://$domainname/$samaccountname"
$ADS_UF_LOCKOUT = 0x00000010
if(($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT) {
$objResult.Properties.name
John
John
Sorry, I should have mentioned that the cmdlets I'm using are part of the Active Directory module. You'll need to install the RSAT (Win7+) to use them.
If you'd rather stick with your DirectorySearcher methods instead of moving to the AD module, you can adjust your output by using something like this instead:
if(($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT) {
"$domainname\$($objResult.Properties.samaccountname)"
$domainname might not be what you're expecting, just FYI.
As for filtering, you can add to the if statement and check for your known usernames only.
Don't retire TechNet! -
(Don't give up yet - 12,700+ strong and growing)
Similar Messages
-
Hi Experts,
I am trying to build a PowerShell Script to get the details Like Scope,Last Deployed date and Name for a Solution Deployed in the Farm.
Can anyone advise on this please.
RegardsGet-SPSolution|Select Name,Scope,LastOperationResult,LastOperationEndTime|Export-CSV "SPInstalledSolutions.csv" -NoTypeInformation
SPSolution properties
Get-SPSolution
This post is my own opinion and does not necessarily reflect the opinion or view of Slalom. -
We want to authenticate both a device (iPad) to our corporate WLAN, but after authenticating the device we would also like to authentiate the user in Active Directory if possible. Has anyone had any experience with this?
You need to make sure that the server sends the "GeoTrust DV SSL CA" intermediate certificate.
See:
* http://www.networking4all.com/en/support/tools/site+check/ (www.ucfs.net)
* https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO9557
* https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1422 -
Hi all, I have an Exchange 2013 SP1, I have installed a third-party SSL certificate and correctly on the server, but when I assign the POP and IMAP services, I see this error
The certificate with thumbprint XXXXXXXXX and subject '*. Xxxx.yyy' can not be used for POP SSL / TLS connections because the matter is not a fully qualified domain name (FQDN). Use the Set-POPSettings X509CertificateName command to set the FQDN of the service.
I tried to run this command and restart the POP and IMAP services
ImapSettings set-ca-server-1-X509CertificateName mail.xxxxx.yyy
POPSettings set-ca-server-1-X509CertificateName mail.xxxxx.yyy
But the POP and IMAP services, the certificate is not assigned.
You know as you can solve
regards
Microsoft Certified IT Professional Server AdministratorHi,
Before we go further, I’d like to confirm if you can use POP and IMAP properly.
If everything goes well, we can safely ignore it:
http://www.hsuconsulting.com/wildcard-ssl-certificate-exchange-2013-imap-and-pop-error/
If not, we can try the following commands :
Set-POPSettings -ExternalConnectionSetting {mail.domain.com:995:SSL}
Set-ImapSettings -ExternalConnectionSetting {mail.domain.com:993:SSL}
http://careexchange.in/how-to-enable-and-configure-pop-imap-in-exchange-2013/
Note: Microsoft is providing the above information as convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information
found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
If you have any question, please feel free to let me know.
Thanks,
Angela Shi
TechNet Community Support -
How to get the user's home directory in Unix if I know the username?
I have a problem to determine a user's home directory in Solaris system.
for example, I know the username as "smith", how can I know smith's
home directory (the absolute path string)? pls help me...if the user is the one running the program, you can always get the home directory using System.getProperties ("user.home");
If you are trying to get the properties of another user, you could try using setProperties to change the user name first, before getiting the home directory, but it probably won't work because of the security manager. You could read the /etc/passwd file and parse the path out, but once again, the user of the code would have to have appropriate permission. -
Get all users from Active Directory
Dear All,
I would like to retreive all USERS from the AD.
I finaly could connect to an AD server but I couldn't perform the search.
I got a javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0
--> Does it mean that my query is incorect.
I think I am missing something obvious. but what?
Can somebody please help me or point me to some working code sample.
Thanks in advance.
Karim.
//======== Test Code =============
String THIS_INIT_CONT_FAC="com.sun.jndi.ldap.LdapCtxFactory";
String THIS_PROV_URL=url;
String THIS_SEC_AUTH="simple";
String THIS_SEARCHBASE="CN=Users, CN=domain, CN=com";
String THIS_ATTRS[] = {"mail"};
try {
String THIS_FILTER="(objectClass=user)";
System.out.println("Testing LDAP Program");
System.out.println("************************************************************");
String THIS_SEC_PRIN="";
String THIS_SEC_CRED="";
System.out.println("Cont Fac : " + THIS_INIT_CONT_FAC);
System.out.println("LDAP Server : " + THIS_PROV_URL);
System.out.println("Auth Method : " + THIS_SEC_AUTH);
System.out.println("Search Base : " + THIS_SEARCHBASE);
System.out.println("Filter : " + THIS_FILTER);
System.out.println("Login : " + THIS_SEC_PRIN);
System.out.println("Credentials : " + THIS_SEC_CRED);
System.out.println("************************************************************");
Hashtable env=new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, THIS_INIT_CONT_FAC);
env.put(Context.PROVIDER_URL, THIS_PROV_URL);
env.put(Context.SECURITY_AUTHENTICATION, THIS_SEC_AUTH);
env.put(Context.SECURITY_PRINCIPAL, THIS_SEC_PRIN);
env.put(Context.SECURITY_CREDENTIALS, THIS_SEC_CRED);
DirContext ctx = new InitialDirContext(env);
System.out.println("LDAP TEST Login Successful!");
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
NamingEnumeration results = ctx.search(THIS_SEARCHBASE,THIS_FILTER, constraints);
int namecount=0;
System.out.println("LDAP TEST Results : " + results);
System.out.println("LDAP TEST Pre-Hit ! ");
} catch(AuthenticationException ae) {
ae.printStackTrace();
System.out.println("Incorrect Password or UserName");
return false;
} catch(Exception e) {
e.printStackTrace();
System.out.println("Error accessing LDAP");
return false;
// ============ OUTPUT =====================
Testing LDAP Program
Cont Fac : com.sun.jndi.ldap.LdapCtxFactory
LDAP Server : ldap://192.168.2.3:389/
Auth Method : simple
Search Base : CN=Users, CN=domain, CN=com
Filter : (objectClass=user)
Login :
Credentials :
LDAP TEST Login Successful!
javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0
If you want to list all the users then you don't need to perform a search. Just list them.
private void list(String contextName)
try
// get enumeration of NameValuePairs
NamingEnumeration contentsEnum = ctx.list(contextName);
while (contentsEnum.hasMore())
System.out.println(contentsEnum.next());
catch (NamingException e)
System.err.println("Problem listing context contents: " + e);
}You will want to call this using something like this:
list("CN=Users, CN=domain, CN=com");One caveat, there is a restriction on the number of results returned so this will still throw an LDAP exception if you have a lot of users.
Not sure how to get around that. Never needed to look. Don't expect it is hard though. -
Hi, Im trying to get the whole path in my server, so i tried that with this following code
Get-ChildItem $sourceFolder -Recurse | ?{$_.PsIsContainer} |Get-Acl
But then, it showed me somtehing like this :
Get-ChildItem : The specified path, file name, or both are too long. The fully qualified file name must be less than 260 characters, and the directory name must be less than 248 characters.
I tried to find the solver everywhere and mostly they propose to change the path name, which is impossible, since I am working with my company server, and those folder have already there before i start to work here, then the other ask me to use robocopy,
but all of the trick just dont work
is there any way to solve this problem? thanksThere is no simple solution to this. And it is not a limitation of powershell itself, but of the underlying NTFS file system.
If the problem is that a folder with a name longer than 248 exists anywhere within your directory structure, you are hooped.
If the problem is that some fully qualified path names exceed 260 characters, then, in those cases, the solution already given is to create a psdrive partway up the path from the drive letter or server/share root of the path. Unfortunately, the output produced
will be relative to that psdrive and not to what is specified as the $sourcefolder.
unless you already know where those problematic paths are, you might consider trying to trap those errors and have your script figure out where it needs to create psdrives. You might then be able to calculate the equivalent path for each file or folder and
output that. the programming effort would be simpler to just created a psdrive for each folder encountered, however I expect that would be very inefficient.
Al Dunbar -- remember to 'mark or propose as answer' or 'vote as helpful' as appropriate. -
What is the powershell command to get the user count in Active Directory
What is the powershell command to get the user count in Active Directory
Get-ADuser
REF: http://blogs.technet.com/b/heyscriptingguy/archive/2012/10/30/powertip-single-line-powershell-command-to-list-all-users-in-an-ou.aspx
This post is provided AS IS with no warranties or guarantees, and confers no rights.
~~~
Questo post non fornisce garanzie e non conferisce diritti -
Script to get the user details by running a view from powershell
Hi,
I have a use-case of getting the list of users, who got modified in last one week or so. There was no direct way of getting the results as office-365 doesn't have the option. As i posted in a forum they suggested to use view based for retrieving
the user details. I was able to get some user details through UI. When i asked for the option of getting it from powershell they suggested to post in this forum. Link on the question posted in forum is
community.office365.com/en-us/forums/148/p/212305/646170.aspx#646170 your help is appreciated. Thanks in AdvanceHi Sam,
My list of servers are exported from CMDB data base and filter criteria i have used is role,status and first few characters of the server name.
$CIlist = Import-Csv C:\Scripts\DiskSpace\Servers_CI.csv
$diskspace = @()
$CIlist | where {($_.Name -like '*XXXXXXXX*') -and ($_.Role -like '*XXXXXXXXXX*') -and ($_.Status -like '*XXXXXXXXXXXXXX*') } |
select Name | FT
# This part gives the list of servers.
# below script gives the hard disk details of servers from a list
$comp= Get-Content "C:\Scripts\DiskSpace\systems.txt"
$diskvalue = @()
foreach($pc in $comp)
if (test-connection -CN $pc -Count 1 -erroraction silentlycontinue)
$diskvalue += Get-WmiObject -Class Win32_logicaldisk -ComputerName $pc -Filter DriveType=3 |
Select SystemName , DeviceID , @{Name=”size(GB)”;Expression={“{0:N1}” -f($_.size/1gb)}}, @{Name=”freespace(GB)”;Expression={“{0:N1}” -f($_.freespace/1gb)}}
$diskvalue | Export-Csv C:\Scripts\DiskSpace\DiskReport.csv -NoTypeInformation
else
"$pc `t offline" | Out-file C:\Scripts\DiskSpace\offlinesystems.csv -encoding ASCII -append
Is there any option to pass the result of first part to second part without exporting to a csv ot txt. or club this both together ??
ToJo -
How to get the user created at and modified at properties for a site collection using powershell
Hi guys, I Know how to get the list of users of a site collection by Get-SPUser cmdlet but hte problem is that this cmdlet doesnt give me the user Created at and modifed at properties
can any one tell me how to get these values via powershell????
ps: ignore the 2013 screenshot.. i just want a way to get those values .. if you provide me solution in either 2010 or 2013 , i will crack the other..
plz guys help me ...Get the User Information list and then get the user from that list
$web = Get-SPWeb "siteUrl"
$userInfoList = $web.SiteUserInfoList
$userItem = $userInfoList.Items[0]; #0 here is just for demonstration. You take the user you want here or loop through all users.
$created = $userItem["Created"]
$modified = $userItem["Modified"] -
Saving the password of a user in active directory using java
Hello, i am trying to use java to build a class that creates a user in Active directory 2012.But the problem is that when the user is created the password is not being saved.
Can anybody help on this knowing that i tried to save in the fields userPassword and unicodePwd.
Thanks.DirContext ctx = new InitialDirContext(pr);
BasicAttributes entry = new BasicAttributes(true);
String entryDN = "cn=CharbelHad,ou=test users,dc=test,dc=dev";
Attribute cn = new BasicAttribute("cn", "ChHad");
Attribute street = (new BasicAttribute("streetAddress", "Ach"));
Attribute loginPreW2k = (new BasicAttribute("sAMAccountName", "[email protected]"));
Attribute login = (new BasicAttribute("userPrincipalName", "[email protected]"));
Attribute sn = (new BasicAttribute("sn", "Chl"));
Attribute pwd = new BasicAttribute("unicodePwd", "\"Ch@341\"".getBytes("UTF-8"));
Attribute userAccountControl = new BasicAttribute("userAccountControl", "512");
Attribute oc = new BasicAttribute("objectClass");
oc.add("top");
oc.add("person");
oc.add("organizationalPerson");
oc.add("user");
// build the entry
entry.put(cn);
entry.put(street);
entry.put(sn);
entry.put(userAccountControl);
entry.put(pwd);
entry.put(login);
entry.put(loginPreW2k);
entry.put(oc);
ctx.createSubcontext(entryDN, entry); -
How to get the user active stauts in jspdynpro
How to get the user active status in jspdynpro.
I want check weather a user is active or not (Collaboration Launch Pad functionality)
in jspdynpage.
Thank's in advance,
Mr.ChowdaryHi Eddy,
Here the scenario is to get the data of a field from the user defined table to pass the extracted values as a input to the XL reporter, which will be selected while generating the report.
It would be great if you provide any solution for this problem.
Thanks. -
What is the Point of Active Directory/LDAP Specification?
My college threw an interesting curve ball today and I couldn't give him a good enough answer. The question was simple 'What is the point of active directory'. Now I don't have a lot of exposure to active directory, but I thought I could easily answer. My argument was; If you have a group of objects its easy to look up attributes for those objects using active directory. For example, if you have a group in AD and you want to verify the users of that group you simply look up the member attribute of that group. However he argued, rightly so, that you can do that with a table in a database, why do that in AD. I couldn't give him a good enough answer and now I'm curious. Given the above example, why use AD over a database?
To me AD is a way to manage a set of resources, whatever they are, by mapping them to objects that have however many attributes. But we could do that in a database, whats the point of AD? Why do you use AD?I come from a primarily database centric background. Just like life experience, it casts a certain perspective on problems. Database people solve things with databases. Directory people solve things with directories. Everyone has their perspective. It's not really about who's right and who's wrong. It's about perspective because people are most likely to go with what's familiar when given a problem. It's easy to have this conversation in a educational environment but when you're on the job it's about turf, schedules and careers. My latest job (in which this debate comes up a lot) has been about directories which has been a very enlightening experience because I've been given a gift of perspective. I can put on the directory hat and look at it from another angle.
To get back to your professor's question. The answer is easy. LDAP (AD or other) is an application above a database. It has a data store behind it, in most cases we can just assume this is a database. So, in short, it's apples to oranges. But if we insist on comparing which makes the better juice, let's look at how we'd make a database like a directory. We could create a data model with an attributes table, an entries table and so on. We can deconstruct what LDAP data structures really are and implement each type as a table with FK/PK relationships and so on. It's sure to work because there are already so many products on the market doing this very thing. But think about the effort now. How are you going to add new users? A front-end? Stored procedures? Scripts? How are you going to keep someone from seeing things they shouldn't? You have to insert an object into all the right tables to ensure that your data is consistent and valid. In a pure database, you're trying to create ACLs on database rows. Now you're writing a full featured application with a lot of complexity. Given enough directory features, the database isn't going to be able to do everything without an external application.
What is the point of LDAP? It's got hierarchy, ACLs, group of unique names functionality and things that are a layer of abstraction above the data store. I love databases but if you start designing out a directory server from scratch you'll realize it's far beyond comparing a user.ldif to a row in a user table. They are similar in appearance but different types of software.
Edited by: milkfilk on Dec 16, 2008 11:48 AM
Edited by: milkfilk on Dec 16, 2008 11:54 AM -
Creating a windows user in Active Directory
I am trying to create a user in Active Directory that can log on as any other Windows user, but when I try to log into Windows, I get the following error message:
"The local policy of this system does not allow you to logon interactively".
Are there any attributes or objectclass settings that must be set for the user to allow interactive logons?
Thanks in advance!This has nothing to do with JNDI, the object class or attributes.
I assume that you are trying to logon locally to the domain controller with the new user that you have just created.
By default, the domain controller's policy only allows specific users or members of a group to logon locally at the domain domain controller's console.
Either edit the domain controller'sgroup policy and add your newly created user to the list of users permitted to logon locally, or add the user to a group which has already been granted permission to logon locally. -
Search a user in Active Directory by his name
Hi all,
Is there a way to search a user in an Active Directory with some attributes ? For example, I would like to find all the users whose firstName is "Guillaume".
I use a Provider connected to an Active Directory to authenticate and it works fine. I have also implemented an UUP to get the profile of a user in this AD.
But for the moment, the only way I can find a user by his name is to
* get all the users from the AD (userProviderControl.getUserNames("*", SIZE_MAX))
* Then for each username :
- get his profile with PropertyControl and ProfileWrapper (each user has a ldap propertyset filled by the UUP) ==> propertyControl.getProperty(profileWrapper, PROPERTYSET_LDAP, PROPERTY_LDAP_FIRSTNAME) )
* Browse all the user profiles retrieved and find the good one.
Is there an API to do what I want ?
I'm using Oracle WebLogic Portal 10.
Thanks for your help
Guillaume
Edited by: user10185882 on 3 nov. 2008 06:07A DistinguishedName is of the form e.g. "cn=username, ou=Users,dc=hostname,dc=com". In other words it contains attribute names and values for each name component. Evidently your DN doesn't do that.
Maybe you are looking for
-
Family Sharing and free apps - add to my own purchase history?
Hi, my wife has a collection of free iPhone apps on her Apple ID's purchase history. We have set up Family Sharing, and all is working well - we can share and install each other's apps. However, is there a way to add free apps she has previously down
-
Disk too slow and system overload error
I like many other users am having problems with the "disk too slow or system overload error (-10010)." It only seems to occur during playback attempts, seeing as I recorded with no problems yesterday, and only began happening today (granted, I have n
-
After system restore TM backup too large to fit on same drive
I just had to get a new hard drive at the Apple store and thus completed a system restore using time machine. My problem now is I am getting errors when TM goes to do a backup (it is saying there is not enough room on the drive). Is there a way to ge
-
Hi - I have created a Word document with hyperlinks within the document. I have then created a .pdf from the document. Is there anyway I can modify the existing links to open in a new window from the .pdf? Thanks! Jessica
-
What's with removing the reviewer's option to view in cloud?
We've come to count on sending files for shared review in the Acrobat.com cloud system. There's been an abrupt change in the automated file handling for shared reveiw that is creating confusion and aggrivating connectivity problems. Now, when I send