Find users in too many groups

Large Kerberos tokens (caused by too many groups listed in them) can be an issue in some environments (I’ve just had a similar trouble myself in an ADFS deployment). Luckily PowerShell is here to help. This quick script will list all users who are members of more than 75 groups:

$limit = 75
Get-QADUser -SizeLimit 0 -DontUseDefaultIncludedProperties |
  ForEach-Object {
    $groups = Get-QADGroup -ContainsIndirectMember $_.DN -SizeLimit $limit `
      -DontUseDefaultIncludedProperties -WarningAction SilentlyContinue
    if ($groups.Count -ge $limit) { $_ }
  }

Here’s a quick overview of what the script is doing:

1. I assign the limit (75) to a variable. This is just for my convenience of reuse. E.g. I could turn this line into param($limit = 75) – and save this as a parameterized script or turn it into a function.
2. I user Get-QADUser to retrieve all (-SizeLimit 0) user accounts from my current domain and I make sure to not retrieve any attributes along – so I save memory and improve performance (-DontUseDefaultIncludedProperties)
3. For each user in my domain, I retrieve the first 75 (-SizeLimit $limit) groups to which the user belongs directly or through nesting (-ContainsIndirectMember $_.DN). There’s obviously no need to retrieve all groups – we just need to know if the user reached the limit. Again, we do not need any attributes (-DontUseDefaultIncludedProperties). I also tell PowerShell to not warn me if there are more groups than the size limit I specified (-WarningAction SilentlyContinue).
4. Finally, if indeed we reached the limit, I output that user object.

You can obviously then just see the list on the screen or output it to CSV or HTML report.

Tags: AD, AD cmdlets, Active Directory, Examples, PowerShell, cmdlets, one-liner, oneliner
Add to: | Technorati | Digg | del.icio.us | Yahoo | BlinkList | Spurl | reddit | Furl |

Get a list of users’ email addresses

Here’s a one-liner to turn members of a group into a list of email addresses, separated by semicolon. I am using it every now and then when someone from our partners (which obviously do not have access to our address book) ask me for a list of folks to include in some discussions, or grant access to some resources, and so on.

Here’s the oneliner (for PowerShell v2):

(Get-QADGroupMember MyGroupName -Type user -Indirect |
    Select -expand Email) -join ';'

PowerShell v1 version has a slightly different syntax for join:

[string]::join(';',
  (Get-QADGroupMember MyGroupName -Type user -Indirect |
    Select -expand Email))

And here’s a quick explanation of what it does:

• I use Get-QADGroupMember to retrieve all members of the group. Note that -Indirect parameter gives me all members of nested groups, and -Type user makes sure that nested groups themselves get excluded.
• Then I am taking the collection of user objects and turn that into a collection of just one property of the objects (Email) using  Select -expand.
• Finally I am using join to turn that collection into a string and using semicolon as separator.

Hope this is useful.

List all empty OUs

Here’s a one-liner you can use to quickly find empty organizational units in your Active Directory:

Get-QADObject -Type organizationalUnit -DontUseDefaultIncludedProperties |
  where {
    -not ( Get-QADObject -SearchRoot $_.DN -DontUseDefaultIncludedProperties `
    -SearchScope OneLevel -SizeLimit 1 -WarningAction SilentlyContinue )
  }

A quick explanation of what I am doing here:

1. I am retrieving all organizationalUnit objects from my domain (and use the -DontUseDefaultIncludedProperties switch to save a few milliseconds )
2. Then for each of the OUs I am retrieving all AD objects that are in that OU by doing a Get-QADObject and limiting the search scope to the DN of the current OU.
3. Note that (like we did when looking for large groups) I am using the -SizeLimit parameter to see if I can get 1 item in the call (all I need is to learn whether there is anything in the OU – I don’t need the whole list) – which obviously makes the whole script magnitudes of time faster. I use -SearchScope
4. Based on Kirk’s recommendation I am using -SearchScope OneLevel to exclude the OU itself.
5. I am using -not operator so I get only the OUs for which this Get-QADObject evaluates to $null (nothing found) and thus -not $null evaluates to $true.

P.S. This is the code I was using initially, which I then corrected based on Kirk’s comments below:

$emptyOUs = Get-QADObject -Type organizationalUnit -DontUseDefaultIncludedProperties | where {(Get-QADObject -SearchRoot $_.DN -SizeLimit 2 -DontUseDefaultIncludedProperties).Count -lt 2}

Tags: AD, AD cmdlets, Active Directory, Examples, PowerShell, cmdlets, one-liner
Add to: | Technorati | Digg | del.icio.us | Yahoo | BlinkList | Spurl | reddit | Furl |

Skype for administrators

Call any user in Active Directory or Exchange right from your administrative console, with a single click dial into any conference call (with participant passcode dialed for you ) – all of that is possible with the latest extension for PowerGUI.

PowerGUI Skype PowerPack adds Call buttons for all user accounts and mailboxes, as well as people in your corporate organizational chart. In addition to this you can obviously call any of your Skype contacts or any conference call appointments listed in your Outlook.

Check out this 7-minute demo here (highly recommended to watch in HD and full screen):

As always, all the code behind any nodes and actions can be found in their properties, so you can learn how this actually works, modify the pack to suite your needs or extend it to add calling capabilities to whichever other systems you are managing!

This blog post by Shafqat Ahmed helped me a lot when I started working on the PowerPack. My scripts in the pack are basically enhancements built on top of his excellent post.

Download Skype PowerPack here and let us know what you think.

Tags: AD, Active Directory, Demo, Exchange, PowerGUI, PowerPack, PowerShell, Skype
Add to: | Technorati | Digg | del.icio.us | Yahoo | BlinkList | Spurl | reddit | Furl |

Adding Direct Reports action

Here’s my quick addition to Kamran’s “How to export data from Active Directory using the free PowerGUI tool“:

If you might need to find users managed by someone more than once, there are a couple of ways you can make this simpler for your self:

A. Download and install free Org Chart powerpack, or

B. Follow these instructions to add a Direct Reports button to PowerGUI admin console:

1. Start PowerGUI admin console and browse to Active Directory / Users.

2. In the right-hand pane, right-click the category to which you want to add the action and pick New / Script Action from the shortcut menu.

3. In the New Action dialog box, type in the action name (e.g. Direct Reports), and script:

$input | ForEach-Object {
    Get-QADUser -Manager $_
}

(The script is quite trivial: for each user account currently selected in the PowerGUI grid, we get the list of AD users which have this object specified as Manager).

3. On that same dialog box, click the Display Configuration button, and then in the Display results group, select the Display the results in a nested view option.

This tells PowerGUI that your action outputs objects to the grid (which it does – we need to see the reports selected user has!)

4. That’s it! Click OK on both dialog boxes, select the user account whose reports you need to see, and click your newly added Direct Reports action.

Big thanks to Kamran for posting his original tip and video.

Tags: AD, AD cmdlets, Active Directory, Blogosphere, PowerGUI, PowerShell, cmdlets
Add to: | Technorati | Digg | del.icio.us | Yahoo | BlinkList | Spurl | reddit | Furl |

Fastest way to retrieve AD objects

DontUseDefaultIncludedProperties is the AD cmdlets parameter you need when you want to get AD objects fast without extra properties you do not need. For example, I have just used it in my script to locate the largest groups in our Active Directory. Let’s talk about how effective it really is and how it works under the covers.

First, of all, let me prove that it is indeed very efficient. Here’s the same Get-QADUser run 100 times with and without the parameter:

[PS] C:\>Measure-Command { for ($i=0;$i -lt 100;$i++) { $a = Get-QADUser -SamAccountName dsotnikov -DontUseDefaultIncludedProperties } }

...
Seconds : 3
Milliseconds : 951
...


[PS] C:\>Measure-Command { for ($i=0;$i -lt 100;$i++) { $a = Get-QADUser -SamAccountName dsotnikov } }

...
Seconds : 7
Milliseconds : 526
...

That’s twice as fast with the parameter than it is without it!

Why? Because DontUseDefaultIncludedProperties makes the cmdlet only retrieve 2 attributes: distinguishedName и objectClass, whereas the cmdlet without it will go get quite a few other properties.

You can easily see which attributes got retrieved by running:
$a = Get-QADUser -SamAccountName dsotnikov -DontUseDefaultIncludedProperties
$a.Cache.AttributesInCache

The interesting thing is that the cmdlet is even smarter with subsequent use of the object. For most properties (to be specific, for all regular .NET properties of the object but not PowerShell dynamic NoteProperties), we will go and retrieve the property once you request it later on. E.g. this will actually work and give you the account description:

$a = Get-QADUser -SamAccountName dsotnikov -DontUseDefaultIncludedProperties
$a.Description

And this will retrieve a whole bunch of attributes:
Get-QADUser -SamAccountName dsotnikov -DontUseDefaultIncludedProperties | Format-List *

You can obviously keep using $a.Cache.AttributesInCache to check which ones we retrieve.

Pretty cool, isn’t it?

The only other thing I would note is the difference between:

Get-QADUser -SamAccountName dsotnikov -DontUseDefaultIncludedProperties

and

Get-QADUser dsotnikov -DontUseDefaultIncludedProperties

The former is way more efficient than the latter because the -SamAccountName parameter (or any other parameter besides the generic implied -Identity) lets us optimize the query specifically to search by that attribute rather than do the Ambiguous Name Resolution which we use otherwise. Be specific in your parameters and we will give you the fastest results!

Tags: AD, AD cmdlets, Active Directory, Examples, KB, Knowledge Base, PowerShell
Add to: | Technorati | Digg | del.icio.us | Yahoo | BlinkList | Spurl | reddit | Furl |

Find large AD groups

Here’s a quick script which I wrote yesterday for one of our professional services engineers. Basically they wanted to give customer a report for large groups, i.e. groups with more than certain number of user accounts including the ones in nested groups.

This turned out to be very straight-forward with QAD cmdlets.

The script is below:

function Get-LargeADGroup {
param($limit = 75)

 Get-QADGroup | Foreach-Object {
   $members = $_ |
           Get-QADGroupMember -Indirect -Type 'user' `
              -DontUseDefaultIncludedProperties `
              -SizeLimit ($limit+1) -WarningAction SilentlyContinue
   if ( ($members -ne $null) -and
        ($members.gettype().Name -eq 'Object[]') -and
        ($members.Count -ge $limit)) {
     $_
   }
 }
}

#Usage
Get-LargeADGroup -limit 75 | Select Name, DN | Export-Csv c:\largegroups.csv

One trick worth pointing out is the use of -SizeLimit to not retrieve all members of the group – after all I just need to know if there is more than certain number of them.

Hope this helps!

Active Directory and CSV files

Here’s a new quick tip from Darin on AD exports and imports from within PowerGUI:

As usual, short and to the point.

Using CSV and text files in PowerGUI when managing AD is quite common. For example, I have seen people adding script node like:

Get-Content '\\server\share\users.txt' | Get-QADUser

If users.txt has a bunch of usernames (one per line) this outputs actual user accounts to the PowerGUI grid, which you can then manage with all the actions (disable, reset passwords, and so on.)

Alternatively, some customers are just using

Import-Csv

in a node and then define some actions to perform various activities based on the fields in the grid.

Also, although Darin did not show that, you can create your own export to CSV and use something like

Select Name, samAccountName | Export-Csv

to pick specific columns to be exported.

And there’s whole update from CSV scenario… Man, I could go on and on with these!

Tags: AD, Active Directory, Demo, PowerGUI, PowerShell, Webcast, video
Add to: | Technorati | Digg | del.icio.us | Yahoo | BlinkList | Spurl | reddit | Furl |

What was that group again?

A simple one-liner can help. Just earlier today I could not remember the name of a particular distribution list but knew a couple of its members. The quick one-liner to help me out was:

Get-QADGroup -ContainsMember ('User A', 'User B')

And while we are on it, here’s an even better one-liner if you want to find a DL which has all direct reports of, say, your company’s VP:

Get-QADGroup -ContainsMember (Get-QADUser -Manager 'User C')

And obviously if such a DL does not exist, you should probably just go ahead and create it

New-QADGroup -Name 'Top Managers' -Member (Get-QADUser -Manager 'User C')

I love PowerShell.

Tags: AD, AD cmdlets, Active Directory, Examples, PowerShell, one-liner
Add to: | Technorati | Digg | del.icio.us | Yahoo | BlinkList | Spurl | reddit | Furl |

AD Recycle Bin management console

Windows Server 2008 R2 ships with a great new object undelete feature – Active Directory Recycle Bin. The only problem with this feature (apart from requiring 2008 R2 functional level ) is that PowerShell command-line is the only management interface shipped for the feature.

Well, not anymore. Check out the free GUI Kirk has put together with PowerGUI (make sure you click the HD button when watching this and make it full screen):

It keeps amazing me how great PowerGUI is when you need such GUIs on top of anything exposing PowerShell.

Read more about the PowerPack in Kirk’s blog.

Download the PowerPack here.