Dowst.Dev

Check sAMAccountName Requirements

Function Check-sAMAccountName {
    [CmdletBinding()]
    [OutputType([string])]
    param(
        [parameter(Mandatory=$true)]
        [string]$ScriptParameters
    )
    # exclude the characters " * + , / : ; < = > ? @ [ \ ] |
    $excludedChars = 34,42,43,44,47,58,59,60,61,62,63,64,91,92,93,124
    $StringBuilder = New-Object System.Text.StringBuilder
    # split name into Char Array and check each character
    $sAMAccountName.ToCharArray() | ForEach-Object{
        try{
            # convert char to ascii decimal
            $ascii = [byte][char]$_
            # check if char is in the excluded range, if not add to string builder
            if($ascii -le 32 -or $excludedChars -contains $ascii){
                Write-Verbose "$_ - excluded character"
            } else {
                $StringBuilder.Append($_) | Out-Null
            }
        }
        catch{
            Write-Verbose "$_ - None ascii character"
        }
    }

    # create new name string after removing excluded charaters
    $newName = $StringBuilder.ToString()

    # check that name is less than 20 characters
    if($newName.Length -gt 20){
        $newName = $newName.Substring(0,20)
    }

    # Check that last character is not the period character, ".". Remove if found
    $newName = [regex]::Replace($newName,".$","")

    $newName
}

Details

This function will check a string to confirm that it meets the requirements for creating a sAMAccountName. The requirements are based on the Objects with sAMAccountName Attribute section of the Active Directory: Requirements For Creating Objects wiki article.

Example

PS C:\> Function Check-sAMAccountName {
>>     [CmdletBinding()]
>>     [OutputType([string])]
>>     param(
>>         [parameter(Mandatory=$true)]
>>         [string]$ScriptParameters
>>     )
>>     # exclude the characters " * + , / : ; < = > ? @ [ \ ] |
>>     $excludedChars = 34,42,43,44,47,58,59,60,61,62,63,64,91,92,93,124
>>     $StringBuilder = New-Object System.Text.StringBuilder
>>     # split name into Char Array and check each character
>>     $sAMAccountName.ToCharArray() | ForEach-Object{
>>         try{
>>             # convert char to ascii decimal
>>             $ascii = [byte][char]$_
>>             # check if char is in the excluded range, if not add to string builder
>>             if($ascii -le 32 -or $excludedChars -contains $ascii){
>>                 Write-Verbose "$_ - excluded character"
>>             } else {
>>                 $StringBuilder.Append($_) | Out-Null
>>             }
>>         }
>>         catch{
>>             Write-Verbose "$_ - None ascii character"
>>         }
>>     }
>>     # create new name string after removing excluded charaters
>>     $newName = $StringBuilder.ToString()
>>     # check that name is less than 20 characters
>>     if($newName.Length -gt 20){
>>         $newName = $newName.Substring(0,20)
>>     }
>>     # Check that last character is not the period character, ".". Remove if found
>>     $newName = [regex]::Replace($newName,".$","")
>>     $newName
>> }
>> 
>> $sAMAccountName = 'boberton . smithingtonworth"[].:;|=+*?<>/\,'
>> Check-sAMAccountName $sAMAccountName -verbose

VERBOSE:   - excluded character
VERBOSE:   - excluded character
VERBOSE: " - excluded character
VERBOSE: [ - excluded character
VERBOSE: ] - excluded character
VERBOSE: : - excluded character
VERBOSE: ; - excluded character
VERBOSE: | - excluded character
VERBOSE: = - excluded character
VERBOSE: + - excluded character
VERBOSE: * - excluded character
VERBOSE: ? - excluded character
VERBOSE: < - excluded character
VERBOSE: > - excluded character
VERBOSE: / - excluded character
VERBOSE: \ - excluded character
VERBOSE: , - excluded character
boberton.smithingto

User

Get AD Users by Last Logon Date

Get-ADUser -Filter * -SearchBase "CN=Users,DC=contoso,DC=com" -ResultPageSize 0 -Property CN, LastLogonTimestamp |
    Select-Object -Property CN, SamAccountName, @{ n = "LastLogonDate"; e = { [datetime]::FromFileTime( $_.lastLogonTimestamp ) } } |
    Sort-Object -Property LastLogonDate

Details

Gets the Active Directory users in a given OU and sorts them by Last Logon Date.

Example

PS C:\> Get-ADUser -Filter * -SearchBase "CN=Users,DC=contoso,DC=com" -ResultPageSize 0 -Property CN, LastLogonTimestamp |
>>     Select-Object -Property CN, SamAccountName, @{ n = "LastLogonDate"; e = { [datetime]::FromFileTime( $_.lastLogonTimestamp ) } } |
>>     Sort-Object -Property LastLogonDate


CN                                      SamAccountName                          LastLogonDate
--                                      --------------                          -------------
Buddy Guy                               bguy                                    11/28/2012 7:54:47 AM
Mike Dexter                             MDexter                                 11/28/2012 8:48:02 PM
Bill Gates                              BGates                                  4/9/2013 1:43:58 PM
Carl Sagan                              CSagan                                  2/6/2014 2:38:04 PM
Bill Bryson                             BBryson                                 12/11/2015 2:05:54 PM
Carl S. Robot                           crobot                                  2/16/2016 1:17:25 PM
Mike Ness                               mness                                   10/3/2018 3:42:13 PM
Administrator                           Administrator                           10/26/2018 1:19:51 PM

User

Get AD Users by Last Password Change Date

Get-ADUser -Filter * -SearchBase "CN=Users,DC=contoso,DC=com" -ResultPageSize 0 -Property CN, pwdLastSet |
    Select-Object -Property CN, SamAccountName, @{ n = "PwdLastSetDate"; e = { [datetime]::FromFileTime( $_.pwdLastSet ) } } |
    Sort-Object -Property PwdLastSetDate

Details

Gets the Active Directory users in a given OU and sorts them by Password Last Set Date.

Example

PS C:\> Get-ADUser -Filter * -SearchBase "CN=Users,DC=contoso,DC=com" -ResultPageSize 0 -Property CN, pwdLastSet |
>>     Select-Object -Property CN, SamAccountName, @{ n = "PwdLastSetDate"; e = { [datetime]::FromFileTime( $_.pwdLastSet ) } } |
>>     Sort-Object -Property PwdLastSetDate


CN                                      SamAccountName                          PwdLastSetDate
--                                      --------------                          --------------
Bill Bryson                             BBryson                                 11/27/2018 11:01:38 AM
Mike Dexter                             MDexter                                 11/28/2018 8:47:44 PM
Terry Pratchett                         TPratchett                              3/30/2019 5:32:14 PM
Bill Gates                              BGates                                  3/9/2019 1:43:33 PM
Carl Sagan                              CSagan                                  3/21/2019 5:19:45 PM
Carl S. Robot                           crobot                                  3/22/2019 6:37:02 AM
Mike Ness                               mness                                   4/3/2019 3:41:06 PM

User

Get FSMO Roles

# Get the Domain Level Roles
Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
# Get the Forest Level Roles
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster

Details

Return all the domain and forest level FSMO roles.

Example

PS C:\> Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
>> Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster

InfrastructureMaster                 RIDMaster                            PDCEmulator
--------------------                 ---------                            -----------
DC01.contoso.com                     DC01.contoso.com                     DC01.contoso.com


DomainNamingMaster                     SchemaMaster
------------------                     ------------
DC01.contoso.com                        DC01.contoso.com

Domain Controller | FSMO

Get the AD Groups for a User with 1 Level of Inheritance

# Get the direct group memberships
$UserGroups = Get-ADPrincipalGroupMembership $UserName | 
    Select distinguishedName, GroupCategory, GroupScope, name, objectClass, objectGUID, SamAccountName, SID, 
            @{l='Membership';e={'Direct'}}, @{l='Parent';e={$null}}
# Get the group membership 1 level down
foreach($group in $UserGroups){
    $UserGroups += Get-ADPrincipalGroupMembership -Identity $group.distinguishedName | 
        Select distinguishedName, GroupCategory, GroupScope, name, objectClass, objectGUID, SamAccountName, SID, 
                @{l='Membership';e={'Inherit'}}, @{l='Parent';e={$group.distinguishedName}}
    
}
# Display results
$UserGroups | FT name, GroupCategory, GroupScope, Membership, Parent -AutoSize

Details

Gets the Active Directory Groups a user is a member of and any other groups that they inherit from the direct membership, one level down.

Example

PS C:\> $UserName = 'bgates'
>> $UserGroups = Get-ADPrincipalGroupMembership $UserName |
>>     Select distinguishedName, GroupCategory, GroupScope, name, objectClass, objectGUID, SamAccountName, SID,
>>             @{l='Membership';e={'Direct'}}, @{l='Parent';e={$null}}
>> foreach($group in $UserGroups){
>>     $UserGroups += Get-ADPrincipalGroupMembership -Identity $group.distinguishedName |
>>         Select distinguishedName, GroupCategory, GroupScope, name, objectClass, objectGUID, SamAccountName, SID,
>>                 @{l='Membership';e={'Inherit'}}, @{l='Parent';e={$group.distinguishedName}}
>> }
>> $UserGroups | FT name, GroupCategory, GroupScope, Membership, Parent -AutoSize


name            GroupCategory  GroupScope Membership Parent
----            -------------  ---------- ---------- ------
Domain Users         Security      Global Direct
Tier 1               Security      Global Direct
Executives           Security      Global Direct
Users                Security DomainLocal Inherit    CN=Domain Users,CN=Users,DC=Contoso,DC=com
5-NotepadPP-App      Security      Global Inherit    CN=Domain Users,CN=Users,DC=Contoso,DC=com

groups | User

Search for AD User by Partial Name

Get-ADUser -Filter {Name -like '*joe*'}

Details

This snippet will allow you to search for an Active Directory user with all of part of their name.

Example

PS C:\> Get-ADUser -Filter {Name -like '*joe*'}

DistinguishedName : CN=Joe Smith2,OU=CS,OU=Departments,DC=contoso,DC=com
Enabled           : True
GivenName         : Joe
Name              : Joe Smith2
ObjectClass       : user
ObjectGUID        : 8d0518b0-1ac8-43eb-9cbe-7632ab0756cb
SamAccountName    : JSmith2
SID               : S-1-5-21-3626140723-2009596974-1128677527-1330
Surname           : Smith
UserPrincipalName : [email protected]

DistinguishedName : CN=Joe Smith4,OU=CS,OU=Departments,DC=contoso,DC=com
Enabled           : True
GivenName         : Joe
Name              : Joe Smith4
ObjectClass       : user
ObjectGUID        : 1af50eb1-035f-4f8d-9867-2bb903457b90
SamAccountName    : JSmith4
SID               : S-1-5-21-3626140723-2009596974-1128677527-1333
Surname           : Smith
UserPrincipalName : [email protected]

DistinguishedName : CN=Joe Smith,OU=CS,OU=Departments,DC=contoso,DC=com
Enabled           : True
GivenName         :
Name              : Joe Smith
ObjectClass       : user
ObjectGUID        : 7f56f7b5-df52-473a-b50a-3d0dab42114b
SamAccountName    : JSmith
SID               : S-1-5-21-3626140723-2009596974-1128677527-1326
Surname           :
UserPrincipalName : [email protected]

DistinguishedName : CN=Joe Smith3,OU=CS,OU=Departments,DC=contoso,DC=com
Enabled           : True
GivenName         : Joe
Name              : Joe Smith3
ObjectClass       : user
ObjectGUID        : 7520a5f9-0129-4e58-ba7a-c933a44009fa
SamAccountName    : JSmith3
SID               : S-1-5-21-3626140723-2009596974-1128677527-1331
Surname           : Smith
UserPrincipalName : [email protected]

DistinguishedName : CN=Joel Henry,OU=Service Delivery,OU=Std Users,DC=contoso,DC=com
Enabled           : True
GivenName         : Joel
Name              : Joel Henry
ObjectClass       : user
ObjectGUID        : 18d6de0c-c48a-4f29-838d-f6bfa0e0d35b
SamAccountName    : JHenry
SID               : S-1-5-21-3626140723-2009596974-1128677527-3697
Surname           : Henry
UserPrincipalName : [email protected]

DistinguishedName : CN=Joe Stewart,OU=Marketing,OU=Std Users,DC=contoso,DC=com
Enabled           : True
GivenName         : Joe
Name              : Joe Stewart
ObjectClass       : user
ObjectGUID        : e06e9982-be9d-4372-9d0e-c6fceab557a1
SamAccountName    : JStewart
SID               : S-1-5-21-3626140723-2009596974-1128677527-3372
Surname           : Stewart
UserPrincipalName : [email protected]

User

Search for AD User without AD module

# search based on SamAccountNamer
$strFilter = "(SAMAccountName=$username)"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"
# Add additional properties to return here
$colProplist = "name","SAMAccountName"
foreach ($i in $colPropList){
    $foo = $objSearcher.PropertiesToLoad.Add($i)
}
$colResults = $objSearcher.FindAll()
# formation output results
[System.Collections.Generic.List[PSObject]] $results = @()
foreach ($objResult in $colResults){
    $properties = @{}
    $objResult.Properties.GetEnumerator() | ForEach-Object{
        $properties.Add($_.Key,$_.Value[0])
    }
    $results.Add([pscustomobject]$properties)
}
$results

Details

This snippet will allow you to search for an Active Directory user without needing to install the Active Directory PowerShell module

Example

PS C:\> $username = "*svc*"
>> $strFilter = "(SAMAccountName=$username)"
>> $objDomain = New-Object System.DirectoryServices.DirectoryEntry
>> $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
>> $objSearcher.SearchRoot = $objDomain
>> $objSearcher.PageSize = 1000
>> $objSearcher.Filter = $strFilter
>> $objSearcher.SearchScope = "Subtree"
>> $colProplist = "name","SAMAccountName"
>> foreach ($i in $colPropList){
>>     $foo = $objSearcher.PropertiesToLoad.Add($i)
>> }
>> $colResults = $objSearcher.FindAll()
>> [System.Collections.Generic.List[PSObject]] $results = @()
>> foreach ($objResult in $colResults){
>>     $properties = @{}
>>     $objResult.Properties.GetEnumerator() | ForEach-Object{
>>         $properties.Add($_.Key,$_.Value[0])
>>     }
>>     $results.Add([pscustomobject]$properties)
>> }
>> $results

LDAP | User

Test AD User Credentials

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('domain')
$DS.ValidateCredentials($UserName, $Password)

Details

Attempts to authenticate against domain controller and return true or false if it was able to authenticate successfully.

Example

PS C:\> $user = 'user01'
>> $password = 'Password01'
>> Add-Type -AssemblyName System.DirectoryServices.AccountManagement
>> $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('domain')
>> $DS.ValidateCredentials($UserName, $Password)

True

Credentials | User

My personal collection of all things PowerShell and automation

Categories

Tags

Follow Me