Syed Jahanzaib – Personal Blog to Share Knowledge !

February 15, 2017

Personnel Notes on Active Directory


[Image: audit reporting in excel.PNG]

Recently our IT dept was going through the yearly audit and we had to provide the Active Directory details requested by the auditor team. I used a few commands that saved a lot of time in getting the desired/trimmed results, and since I mostly use my Ubuntu box to manage a large portion of my network, I made a few scripts around these commands to be executed from a Linux based PC.

I had to repeat the whole search every time by refreshing my memory/Google, and since this is a recurring task, I thought I would document all of these so that I can retrieve them when required.

I also linked these scripts with the Linux based WEBMIN, so they can be called from a GUI by support staff as well.


Most queries are executed from a Linux based system using WINEXE; if you are using Windows only then you may want to modify them as required. I am just showing a way of executing AD commands via PowerShell from *nix 🙂 . The most annoying thing was wrapping the commands in single/double quotes along with the other parameters to make a single-liner execution bomb.

Some of the following commands are wrapped for Linux based execution, and some are plain PowerShell commands; make sure to run the import-module activedirectory command before querying the AD instance.

Make sure to change the IP / credentials as required.


#Total number of user accounts in AD
(Get-ADUser -filter *).count

#Total number of user accounts in an OU / #Replace the 'SearchBase' word with your own OU path.
(Get-ADUser -filter * -searchbase "OU=Test, OU=MyCompany, DC=Domain, DC=Local").count

#Total number of enabled/disabled accounts in AD
# Compare Enabled with the boolean $true/$false, not the strings "True"/"False":
# any non-empty string converts to $true, so {$_.enabled -ne "False"} would also return every ENABLED account.
(Get-ADUser -filter * | Where {$_.enabled -eq $true}).count
(Get-ADUser -filter * | Where {$_.enabled -eq $false}).count

#Total number of user accounts in a Group
(Get-ADGroupMember -Identity "Administrators").count

 

Get user Password Expiration Date:

Shows the given user's password last set date and whether the password never expires.

Net user AD_USERNAME /domain

Display User name and upcoming Password expiration …

Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
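Added example (mine, not code from the original post): a PowerShell function that produces the audit counts from the sections above in one pass over Get-ADUser output. It compares Enabled as a boolean, converts the FileTime attributes (pwdLastSet, msDS-UserPasswordExpiryTimeComputed, lastLogonTimestamp) while handling their 0 / never-expires sentinel values, and widens the inactivity cutoff by the default 14-day lastLogonTimestamp replication lag. The sample objects are constructed stand-ins for real AD output and the function names are my own.

```powershell
# Against a real domain feed it with:
#   Get-ADUser -Filter * -Properties pwdLastSet,lastLogonTimestamp,'msDS-UserPasswordExpiryTimeComputed'
function ConvertFrom-AdFileTime {
    param($Value)
    # 0 means "never set" and Int64.MaxValue means "never expires"; FromFileTime would
    # return 1601-01-01 or throw for those, so report them as $null instead.
    if ($null -eq $Value -or $Value -eq 0 -or $Value -eq [Int64]::MaxValue) { return $null }
    return [DateTime]::FromFileTime([Int64]$Value)
}

function Get-AdAuditSummary {
    param(
        [Parameter(Mandatory)][object[]]$Users,
        [int]$InactiveDays = 60,
        # lastLogonTimestamp is replicated lazily (by default up to 14 days behind the real logon),
        # so widen the cutoff by that slack to avoid flagging users who logged in last week.
        [int]$ReplicationSlackDays = 14
    )
    $cutoff = (Get-Date).AddDays(-($InactiveDays + $ReplicationSlackDays))
    $rows = foreach ($u in $Users) {
        [pscustomobject]@{
            Name        = $u.Name
            Enabled     = [bool]$u.Enabled   # keep it a bool: ($true -eq "False") is $true in PowerShell
            PwdLastSet  = ConvertFrom-AdFileTime $u.pwdLastSet
            PwdExpires  = ConvertFrom-AdFileTime $u.'msDS-UserPasswordExpiryTimeComputed'
            LastLogonTS = ConvertFrom-AdFileTime $u.lastLogonTimestamp
        }
    }
    [pscustomobject]@{
        Total        = @($rows).Count
        Enabled      = @($rows | Where-Object { $_.Enabled -eq $true }).Count
        Disabled     = @($rows | Where-Object { $_.Enabled -eq $false }).Count
        PwdNeverSet  = @($rows | Where-Object { $null -eq $_.PwdLastSet }).Count
        PwdNoExpiry  = @($rows | Where-Object { $null -eq $_.PwdExpires }).Count
        StaleEnabled = @($rows | Where-Object { $_.Enabled -and ($null -eq $_.LastLogonTS -or $_.LastLogonTS -lt $cutoff) }).Count
        Rows         = $rows
    }
}

# Constructed sample data standing in for Get-ADUser objects (FileTime relative to today; negative = in the future)
$ft = { param([int]$DaysAgo) (Get-Date).AddDays(-$DaysAgo).ToFileTime() }
$sample = @(
    [pscustomobject]@{ Name='alice'; Enabled=$true;  pwdLastSet=(& $ft 20);  'msDS-UserPasswordExpiryTimeComputed'=(& $ft (-70)); lastLogonTimestamp=(& $ft 3)   }
    [pscustomobject]@{ Name='bob';   Enabled=$false; pwdLastSet=(& $ft 400); 'msDS-UserPasswordExpiryTimeComputed'=(& $ft 310);   lastLogonTimestamp=(& $ft 200) }
    [pscustomobject]@{ Name='svc';   Enabled=$true;  pwdLastSet=0;           'msDS-UserPasswordExpiryTimeComputed'=[Int64]::MaxValue; lastLogonTimestamp=$null }
)
Get-AdAuditSummary -Users $sample | Format-List Total,Enabled,Disabled,PwdNeverSet,PwdNoExpiry,StaleEnabled
```

With the sample, the enabled account that never logged on and has a never-expiring password (svc) is the one flagged stale, while the disabled account is not.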



Script for Linux to fetch the list of users not logged in for the past XX days & email it to the admin (worked on 2008)

Will not work with 2012/2016

#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/temp
#set -x
# This bash script queries a remote Windows DC via winexe + PowerShell for domain users
# who have not logged in during the last $DAYS days, and emails the report with the relevant details.
# Syed Jahanzaib / aacableAThotmailDOTcom
# http://aacableDOTwordpressDOTcom
# 20-feb-2017
COMPANY="ZAIB"
SRVNAME="XXXXX"
IP="10.0.0.1"
DOMAIN="XXX"
PASS="XXXXX"
ID="XXXX"
TEMP_HOLDER="/tmp/domain_inactive_users_list.txt"
> $TEMP_HOLDER

DATE=`date`
DAYS="30"

# GMAIL DETAILS to send EMAIL alert (placeholder password; never publish the real one)
GMAILID="agpmonitor@gmail.com"
GMAILPASS="XXXXX"
# Add recipient email address below
ADMINMAIL1="aacableAThotmailDOTcom"

MSG_SUB="$COMPANY - Domain users not logged in last $DAYS days Report @ $DATE"
MSG_BODY="$COMPANY - $SRVNAME - List of domain users not logged in last $DAYS days
@ $DATE

"
FOOTER="Automated Weekly Report Generated using Linux Powered Powershell !!
Sys. Admin
$COMPANY IS Dept."

echo "
$MSG_BODY
" > $TEMP_HOLDER

# Query the DC. The winexe argument is single-quoted so the PowerShell $variables pass through untouched;
# the bash $DAYS value therefore has to be spliced in by closing/reopening the quotes ('"$DAYS"'),
# otherwise PowerShell receives a literal, undefined $DAYS and the report lists every user.
# Only the properties actually reported are requested; -Properties * over every user is slow on a large domain.
# Note: a password given with -U is visible to other local users in the process list;
# winexe's -A (authentication file) option reads the credentials from a file instead.
USER_LIST=`winexe -U $DOMAIN/$ID%"$PASS" //$IP 'powershell.exe -inputformat none -command "$DaysInactive = '"$DAYS"'; $time = (Get-Date).Adddays(-($DaysInactive)); Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LockedOut,Created,LastLogonDate | select Name,UserPrincipalName,Enabled,LockedOut,Created,LastLogonDate"'`
echo "List of $COMPANY Domain users who have not logged in for the past $DAYS days ..."

echo "$USER_LIST" >> $TEMP_HOLDER

echo "----------------------------------------------
$FOOTER" >> $TEMP_HOLDER

cat $TEMP_HOLDER
sendemail -u "$MSG_SUB" -o tls=yes -s smtp.gmail.com:587 -t $ADMINMAIL1 -xu $GMAILID -xp $GMAILPASS -f $GMAILID -o message-file=$TEMP_HOLDER -o message-content-type=text


Command to get all Active Directory Users with particular information [April-2019]

Get-ADUser -Filter * -Properties * | select Name,UserPrincipalName,Created,Enabled,LastLogonDate |Out-File .\temp\zaib-ad-users-list.txt

24 September 2019 – PWC audit *** Zaib

Export all AD users with the particular fields required by the PWC audit. Handy cmd I made:

Get-ADUser -Filter * -Properties * | select Name,UserPrincipalName,Created,Enabled,LastLogonDate,@{n='pwdLastSet';e={[DateTime]::FromFileTime($_.pwdLastSet)}} |export-csv c:\temp\zaib-ad-users-list.csv

 


  • Command to Display Total Number Of Active Directory Users [Including disabled/enabled accounts as well]
(get-aduser -filter *).count
#OR
get-aduser -filter * | measure-object | select-object count
  • Command to Display Total Number Of Active Directory Users [Only ENABLED]
(get-aduser -filter * | where {$_.enabled -eq $true}).count
#OR
get-aduser -filter 'enabled -eq $true' | measure-object | select-object count
  • Command to Display Total Number Of Active Directory Users [Only DISABLED]
# compare with the boolean $false, not the string "False": a non-empty string converts to $true, so -ne "False" would count the ENABLED users
(get-aduser -filter * | where {$_.enabled -eq $false}).count
  • Command to Display All users along with every detail / information
Get-ADUser -Filter * -Properties *
  • Command to display only single user information as mentioned
Get-ADUser ZAIB-USER-NAME -Properties *
  • Command to display only specific information
Get-ADUser -Filter * -Properties * | select Name,UserPrincipalName,Enabled,LockedOut,Created,LastLogonDate
  • Show members of a SPECIFIC GROUP only
dsquery group -samid "Domain Admins" | dsget group -members | dsget user
  • Show specific user OU & MemberOf
$user = get-aduser USERNAME;
$memb = (GET-ADUSER -Identity USERNAME -Properties MemberOf | Select-Object MemberOf).MemberOf -replace "DC=DCNAME*" -replace "CN="
$uo = $user.distinguishedname.substring($user.distinguishedname.indexof(",") + 1,$user.distinguishedname.Length - $user.distinguishedname.indexof(",") - 1)
write-host "$($user.Name) = $($uo.split(',')[0])"
echo "Member of:" $memb
  • Command to get all users and show only following fields

UserPrincipalName,Created,Enabled,MemberOf

Get-ADUser -Filter * -Properties * | select UserPrincipalName,Created,Enabled,MemberOf |Format-Table -Property * -AutoSize | Out-String -Width 4096 | Out-File c:\1.txt
  • Query which groups a specific user belongs to (wrapped for winexe)
winexe -U DOMAIN/ID%PASS //10.0.0.1 'powershell.exe -command "import-module activedirectory; (GET-ADUSER -Identity zaib.user -Properties MemberOf |  Select-Object MemberOf).MemberOf"'
  • Get Members List of specific Group
# The "'"'...'"' quoting below is for pasting inside the winexe 'powershell.exe -command "..."' wrapper;
# in plain PowerShell simply write Get-ADGroupMember "Domain Admins"
Get-ADGroupMember "'"'Domain Admins'"' | Select name,distinguishedName | Format-Table -AutoSize
#OR
Get-ADGroupMember "'"'Limited Internet Facility Group'"' | Select sAMAccountName | Format-Table -AutoSize
  • Show All Users Created Dated Only using PowerShell
Get-ADUser -Filter * -Properties Created | Select-Object Name,Created | Sort-Object Created
  • Show Users created in Last 30 days
$When = (Get-Date).AddDays(-30)
Get-ADUser -Filter {whenCreated -ge $When} -Properties whenCreated | Select Name,whenCreated
  • Show Users created within a specific DATE RANGE
Get-ADUser -Filter * -Properties whenCreated,office | ? { $_.whenCreated -ge (get-date "January 1, 2017") -and $_.whenCreated -le (get-date "January 31, 2017")} | Select Samaccountname,whenCreated,office
  • Same DATE RANGE query, quoted for the winexe wrapper
Get-ADUser -Filter * -Properties whenCreated,office | ? { $_.whenCreated -ge (get-date "'"'January 1, 2017'"') -and $_.whenCreated -le (get-date "'"'January 31, 2017'"')} | Select Samaccountname,whenCreated,office
  • Show Users DELETED in specific DATA RANGE … [powershell commands]
[datetime]$StartTime = "1/1/2017"
[datetime]$EndTime = "1/15/2017"
Get-ADObject -Filter {(isdeleted -eq $true) -and (name -ne "Deleted Objects") -and (ObjectClass -eq "user")} -includeDeletedObjects -property whenChanged | Where-Object {$_.whenChanged -ge $StartTime -and $_.whenChanged -le $EndTime} |Select Name,whenChanged |Format-Table
  • SHOW DELETED USERS

Get-ADObject -Filter 'isDeleted -eq $True -and ObjectClass -like "user"' -IncludeDeletedObjects

  • REMOVE DELETED USERS FROM AD RECYCLE BIN

# Irreversible: objects purged from the Recycle Bin can no longer be restored with Restore-ADObject
Get-ADObject -Filter 'isDeleted -eq $True -and ObjectClass -like "user"' -IncludeDeletedObjects | Remove-ADObject

  • SHOW DISABLED USERS ONLY
# Method 1 using PS (Method 2 using dsquery is further below)
search-adaccount -UsersOnly -AccountDisabled | select samAccountName
  • Show users who have not logged in since 60 days
# Method 1 using PS. LastLogonTimeStamp is a FileTime, so convert it for the report;
# it is also replicated only about every 14 days, so it can lag the real last logon by that much.
import-module activedirectory; $DaysInactive = 60; $time = (Get-Date).Adddays(-($DaysInactive)); Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp | select Name,SamAccountName,@{n='LastLogonTS';e={[DateTime]::FromFileTime($_.LastLogonTimeStamp)}}
# Method 2 using dsquery (-inactive takes WEEKS, not days; 9 weeks is roughly 60 days)
dsquery user "dc=Your_Domain_Name" -inactive 9
  • Show DISABLED Users Only using DSQUERY
dsquery user -disabled | dsget user -display -email -dept -title
  • Show Only Specific User Details [ Method#2]
Net user ZAIB /domain

  • Export DHCP Backup using NETSH/EXPORT_DHCP

#NETSH METHOD

netsh dhcp server export c:\temp\DC01.AGP.LOCAL_DHCP_Backup_TXT_%date:~-10,2%-%date:~-7,2%-%date:~-4,4%---%time:~0,2%-%time:~3,2%.txt all

#POWERSHELL METHOD

Powershell.exe -ExecutionPolicy Bypass -File c:\temp\dhcp_export-powershell.ps1

 

  • Get DHCP info from server to acquire some customized report
# 10.0.0.1 IS DOMAIN
# 10.0.0.0 is our scope
netsh dhcp server scope 10.0.0.0 show clients 1
  • Dump DHCP SERVER DETAILS to a file for a specific purpose; I required the mobile devices list
# Dump DHCP
# 101.11.11.5 IS DOMAIN
# 101.11.14. IS MOBILE DEVICES IP SERIES, SO WE ARE CATCHING IT
# 101.11.11.36 IS GATEWAY
# 101.11.11.6 IS OTHER GATEWAY
# rem netsh dhcp server \\DCSERVERNAME dump > /tmp/dhcp_temp.txt
# rem cat /tmp/dhcp_temp.txt | grep 101.11.14. | awk '{ print $11,$12}' | sed -e 's/"101.11.11.6"//g' -e 's/"101.11.11.36"//g' -e 's/"//g' -e 's/ BOTH//g' | sed '/ \r/d' | sort
# rem cat /tmp/dhcp_temp.txt | grep 101.11.14. | awk '{ print $11,$12}' | sed -e 's/"101.11.11.6"//g' -e 's/"101.11.11.36"//g' -e 's/"//g' -e 's/ BOTH//g' | sed '/ \r/d' | sort | wc -l

24-Oct-2018

Extract users from a group with name/description only to a CSV file

Get-ADGroupMember -Identity "Full Internet Access Group" | Where-Object { $_.objectClass -eq 'user' } | Get-ADUser -Properties Description | Select UserPrincipalName,Description | Export-Csv .\temp\full2.csv -NoTypeInformation

(Get-ADGroupMember -Identity "Limited Internet Facility Group").count
(Get-ADGroupMember -Identity "Full Internet Access Group").count

Add/Replace AD attributes via PowerShell cmd


SET-ADUSER ali.akbar -replace @{userPrincipalName="test.user@xxx.com.pk"}
SET-ADUSER ali.akbar -replace @{mail="test.user@xxx.com.pk"}
SET-ADUSER ali.akbar -replace @{mailNickname="test.user"}
SET-ADUSER ali.akbar -replace @{targetAddress="test.user@xxx.com.pk"}
SET-ADUSER ali.akbar -replace @{proxyAddresses="SMTP:test.user@xxxxxx.onmicrosoft.com"}


Regards
Syed Jahanzaib

4 Comments »

  1. ::JAZAK ALLAH::

    Sir,

    Kindly send me IBM Lotusnotes Server 8.5 installation steps.


    Comment by ABBAS — January 19, 2013 @ 8:27 AM

    • Installing IBM Lotus Domino Server is fairly easy as compared to other email servers, just a couple of clicks of the NEXT button and you are done. There are various step-by-step guides and videos available on YouTube and Google. I will make one in my free time.


      Comment by Syed Jahanzaib / Pinochio~:) — January 19, 2013 @ 11:21 AM

  2. AssAlam o alikum sir, please tell us about AC Auditing in Server 2008 R2, how to configure Auditing.


    Comment by umer — August 3, 2013 @ 11:47 PM
