Need to correlate Container (samAccountNames) names to actual AD Users

This topic contains 11 replies, has 4 voices, and was last updated by Jeff Taylor 4 months, 2 weeks ago.

  • #65512
    Jeff Taylor
    Participant

    I have run a report against a Container (PowerBroker/Likewise) that contains other containers that are clearly based on AD samAccountNames, but since there are 24,000 of them, I want to pipe these names into a script that will find them in AD and return a select set of properties (full name, DN, whatever).

    My working one-liner:

    Get-ADObject -filter * -SearchBase  'CN=Users,CN=$LikewiseIdentityCell,OU=SERVERS,DC=domain,DC=company,DC=com' `
    -Properties * | select name | ??

    Is it possible to pipe the results and "correlate" against AD user objects in this same domain?

  • #65515
    Don Jones
    Keymaster

    If you do a Select -Expand Name, and the name is in fact a samAccountName, you should be able to pipe it to Get-ADUser. But that'll just get the user objects. I'm not sure what you mean by "correlate."

    • #65658
      Jeff Taylor
      Participant

      Don, this totally works, thanks!

      I've worked it up this far now:

      Get-ADObject -filter * -SearchBase  'CN=Users,CN=$LikewiseIdentityCell,OU=SERVERS,DC=Domain,DC=company,DC=com' `
      -Properties * | select -ExpandProperty name | Get-ADUser -Properties * |
      select DistinguishedName,samAccountName,memberOf |fl

      ..and my results:

      DistinguishedName : CN=Clucker Hutch,OU=Infra,OU=Users,OU=Online,DC=Domain,DC=Company,DC=com
      samAccountName    : CHutch
      memberOf          : {CN=ENGRS,OU=PROD,OU=Online,DC=Domain,DC=Company,DC=com, 
                          CN=ACS,OU=GROUPS,OU=PRODGROUPS,OU=Online,DC=Domain,DC=Company,DC=com, 
                          CN=ACS_U,OU=ACS_GROUPS,OU=PRODGROUPS,OU=Online,DC=Domain,DC=Company,DC=com, CN=Inf,OU=Sec,DC=Domain,DC=Company,DC=com...}

      ..but would like to EXPAND the memberOf groups, while not losing the DistinguishedName,samAccountName select in the process

  • #65682
    Peter Jurgens
    Participant

    No need to use get-adobject if you're just piping the results to get-aduser anyway. -filter and -searchbase are available on get-aduser as well and can be used in the same way as you've done. Also, DN and name are included by default in the output from get-aduser, so no need to use -properties *; in fact, this will significantly slow down the execution of the command. Instead, explicitly name properties that you want returned that aren't already included by default.

    Regarding the memberof attribute, since this is a multi-valued attribute it's returned as a collection. How do you want it looking in your output?

    • #65683
      Jeff Taylor
      Participant

      Peter,

      Let me try get-AdUser alone then (but the names came from the names of these containers that are based on usernames).

      The output I want is DistinguishedName, samAccountName, and all the groups they are memberOf, in a csv.

      TESTED: Need Get-ADobject first per my original one liner.

      I did, per your suggestion, optimize a bit here:

      Get-ADObject -filter * -SearchBase  'CN=Users,CN=$LikewiseIdentityCell,OU=SERVERS,DC=Domain,DC=company,DC=com' `
      -Properties * | select -ExpandProperty name | Get-ADUser -Properties memberOf |
      select DistinguishedName,samAccountName,memberOf |fl

      ..however, I still need the output of the memberOf's

  • #65710
    Ron
    Participant

    Getting reasonable output for MemberOf in a CSV is a bit of work and problematic if any of the groups are outside of the domain. If you are happy just getting the DNs, you can do this:

    select DistinguishedName,samAccountName,@{name="MemberOf"; Expression={$_.MemberOf -join "|"}}

    If you want names, you need to break the command up and create the MemberOf string by looking up the groups to get the group's samaccountname, and then join those into a string.
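
Added example (not part of Ron's post or the thread): one way to report group names instead of DNs, writing one CSV row per user/group pair so the multi-valued memberOf fits a flat file. `Expand-Membership`, its `-Resolve` parameter, the stub resolver and the sample objects are constructed for illustration; the default resolver assumes the ActiveDirectory module is loaded.

```powershell
function Expand-Membership {
    param(
        [Parameter(ValueFromPipeline)] $User,
        # The resolver is a parameter so the logic can be exercised without a domain controller.
        [scriptblock] $Resolve = { param($dn) (Get-ADGroup -Identity $dn -ErrorAction Stop).SamAccountName }
    )
    begin { $cache = @{} }   # group DN -> name; a group shared by many users is looked up once
    process {
        # Drop null entries; a user with no groups still gets one row so nobody falls out of the report.
        $groups = @($User.MemberOf | Where-Object { $_ })
        if ($groups.Count -eq 0) { $groups = @('') }
        foreach ($dn in $groups) {
            if ($dn -and -not $cache.ContainsKey($dn)) {
                # Groups outside the domain may not resolve; keep the DN rather than lose the row.
                try   { $cache[$dn] = & $Resolve $dn }
                catch { $cache[$dn] = $dn }
            }
            [pscustomobject]@{
                SamAccountName    = $User.SamAccountName
                DistinguishedName = $User.DistinguishedName
                Group             = $(if ($dn) { $cache[$dn] } else { '' })
            }
        }
    }
}

# Constructed sample objects standing in for the output of Get-ADUser -Properties memberOf.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'CHutch'; DistinguishedName = 'CN=Clucker Hutch,OU=Infra,DC=example,DC=com'
                       MemberOf = @('CN=ENGRS,OU=PROD,DC=example,DC=com', 'CN=Ext,DC=other,DC=example') }
    [pscustomobject]@{ SamAccountName = 'NoGroups'; DistinguishedName = 'CN=No Groups,OU=Infra,DC=example,DC=com'
                       MemberOf = @() }
)
# Hypothetical stub resolver: resolves DNs under example.com and throws for the foreign group.
$stub = { param($dn) if ($dn -like '*DC=example,DC=com') { ($dn -split ',')[0] -replace '^CN=' } else { throw 'not found' } }
$sample | Expand-Membership -Resolve $stub | ConvertTo-Csv -NoTypeInformation
```

Against a live domain, omit `-Resolve` and place `Expand-Membership` after `Get-ADUser -Properties memberOf` in the thread's pipeline, then finish with `Export-Csv`.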

    • #65755
      Jeff Taylor
      Participant

      Awesome Ron thank you. I think the SOX folks will be fine with this. Couple of followup questions.

      • Why does the memberOf property represent a bigger challenge to the select? Is it because of it being multi-valued?
      • Where can I study the theory behind this kind of named expression to pull out the DN as you did here?
      • I have all of Don's and Manning press books (but read very slowly) 🙂

  • #66298
    Jeff Taylor
    Participant

    I wanted more info from the get-ADuser portion of script and tried this:

    Get-ADObject -filter * -SearchBase  'CN=Users,CN=$LikewiseIdentityCell,OU=SERVERS,DC=DOMAIN,DC=Company,DC=com' `
    -Properties * | select -ExpandProperty name | Get-ADUser -Properties memberOf |
    select DistinguishedName,samAccountName,displayname,cn,whencreated,whenchanged,enabled,passwordlastset,`
        passwordneverexpires,lockedout,cannotchangepassword, `
        passwordnotrequired,@{name="MemberOf"; Expression={$_.MemberOf -join "|"}} |
        Export-Csv .\AllUsers_v2 -NoTypeInformation

    I get the previous (3) properties but not my added ones. How can I get all please?

    thank you

  • #66300
    Don Jones
    Keymaster

    CSV just isn't designed to hold multi-valued properties like that.

  • #66304
    Ron
    Participant

    You aren't retrieving those extra properties, only memberof plus the basic properties always returned.

    "Get-ADUser -Properties memberOf"

    Try this:

    > get-aduser "(yourID)" | fl *

    You should get about 10 properties by default. If you want more, you have to add them with the -properties parameter, just as we added MemberOf above. So, change that section to be more like this:

    "Get-ADUser -Properties memberOf,displayname,cn,whencreated,..."

    You can specify all "-properties *", but that will slow things down and chew up a lot of memory, bandwidth, etc in a large AD.

  • #66310
    Jeff Taylor
    Participant

    feeling dumb..I knew that and missed it. Sorry for the unnecessary ask. Working now and thanks again for the second set of eyeballs.

  • #65788
    Ron
    Participant

    The bulk of my PS knowledge came from the university of Google.

    Yes, attributes with multiple values do not fit well in a flat file format.
