Bulk Creating Active Directory groups

Stijn Vermoesen — Wed, 15 Jul 2009 11:04:43 +0000

One of my colleagues gave me a list of AD groups for the sharepoint environment he’s confguring. Instead of creating them manually I used the Quest ActiveRoles management shell.

import-csv ‘SecurityGroups.csv’ | foreach {
New-QADGroup -Parent $_.ParentContainer -Name $_.Name -sAM $_.Name -GroupScope $_.GroupScope -GroupType $_.GroupType
}

This script imports a .csv file to create the security groups. The .csv file contains the OU distinguished name, the group Name, the group type (security or distribution) and finally the scope (Domain Local, Global or Universal).

It looks like this:

Parentcontainer,Name,Grouptype,GroupScope
“OU=Sharepoint,DC=domain,DC=local”,SecurityGroup01,Security,DomainLocal

Posted in Active Directory, PowerShell, Quest Tagged: LDAP, PowerShell

ADFind Oneliners

Koen Vermoesen — Mon, 29 Jun 2009 12:51:37 +0000

I’m very fond of the powerful AdFind command line utility from joeware.net. Here’s a little list I’m keeping for my own reference:

Find the user behind a GUID:

adfind -binenc -gc -s subtree -b dc=test,dc=com -f "objectGUID={{GUID:????????-????-????-????-????????????}}" displayName

Likewise, you can use the same tool to find the e-mail address of a certain user:

adfind -gc -b dc=???,dc=??? -nodn -nolabel -f "sAMAccountName=??????" mail

The command above is actually part of script, so I used the “-nodn” and “-nolabel” parameters to have the tool only return the e-mail address. You obviously need to replace the question marks with something meaningful in the examples above.

List all distribution groups:

adfind -csv -nodn -f "(&(objectcategory=group)(mail=*))" displayname

List all contacts:

adfind -csv -nodn -f "(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=contact)) ))))" displayname

List all mailbox-enabled users:

adfind -csv -nodn -f "(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) ))))" displayname

Run a query against another domain:

adfind -h %servername% -u %domain%\%username% -up %password% -csv -nodn -f "displayname=John Doe" displayname

List all the members of a DL (and optionally use the resulting dn to retrieve some more readable information):

adfind -list -f "DisplayName=%displayname%" member
adfind -list -f "DisplayName=%displayname%" member | adfind -csv -nodn mailnickname displayname mail

Report on the usage of Extension Attributes:

adfind -csv -nodn -f "(|(ExtensionAttribute1=*)(ExtensionAttribute2=*)(ExtensionAttribute3=*)(ExtensionAttribute4=*)(ExtensionAttribute5=*)(ExtensionAttribute6=*)(ExtensionAttribute7=*)(ExtensionAttribute8=*)(ExtensionAttribute9=*)(ExtensionAttribute10=*)(ExtensionAttribute11=*)(ExtensionAttribute12=*)(ExtensionAttribute13=*)(ExtensionAttribute14=*)(ExtensionAttribute15=*))" displayname ExtensionAttribute1 ExtensionAttribute2 ExtensionAttribute3 ExtensionAttribute4 ExtensionAttribute5 ExtensionAttribute6 ExtensionAttribute7 ExtensionAttribute8 ExtensionAttribute9 ExtensionAttribute10 ExtensionAttribute11 ExtensionAttribute12 ExtensionAttribute13 ExtensionAttribute14 ExtensionAttribute15

Count the number of mailboxes on an exchange server:

adfind -c -f "msExchHomeServerName=/o=EMS/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=%servername%"

Imagine you’re working as a consultant/contractor for a large organisation and you want to know the end date of you contract:

adfind -tdcs -f "samaccountname=%UserName%" accountExpires

The “tdcs” parameter converts the time in a human readable format.

Somebody called you on your mobile phone and you want to know who:

adfind -list -f "telephoneNumber=*%extension%" displayname

More info

Posted in Active Directory, Scripting Tagged: ADFind, LDAP

Alfa BBT » LDAP

Bulk Creating Active Directory groups

ADFind Oneliners