PowerShell script. Can anyone mention what it does?

Hi,

PowerShell script. Can anyone mention what it does?

Regards
Sharath
Get-QADObject -SearchRoot "OU=Countries,DC=Dev,DC=co,DC=uk" `
    -LdapFilter "(&(objectCategory=person)(mail=*)(memberOf=*))" -IncludedProperties mail | %{
  $Groups = [String]::Join(";", $($_.memberOf | %{ (Get-QADGroup $_).Name }))
	
  "$($_.Mail);$Groups"
} > "GroupMembership.txt"

bsharathAsked:
DanielSVCommented:
It gets some data from an AD server, and puts it into GroupMembership.txt.
0
bsharathAuthor Commented:
Hope it queries email addresses of all users in an OU and gets membership. Instead of email address, what is it I need to change to work for display name?
What should I change for the script to work with display name rather than email IDs?
0
Chris DentPowerShell DeveloperCommented:

You just need to change $_.Mail to $_.DisplayName.

Chris
Get-QADObject -SearchRoot "OU=Countries,DC=Dev,DC=co,DC=uk" `
    -LdapFilter "(&(objectCategory=person)(mail=*)(memberOf=*))" -IncludedProperties mail | %{
  $Groups = [String]::Join(";", $($_.memberOf | %{ (Get-QADGroup $_).Name }))

  "$($_.DisplayName);$Groups"
} > "GroupMembership.txt"


0

bsharathAuthor Commented:
Chris, even though the script queries for display name, can I get the email address in the txt file? As I have another script of yours that uses email address to update, please.

I want to use display name to get groups but the txt file has to have the email address;groupname
0
Chris DentPowerShell DeveloperCommented:

This script executes this query:

"(&(objectCategory=person)(mail=*)(memberOf=*))"

It does not use either the displayName or Email to get to that (although it does only request accounts that have mail set).

The only place Mail / DisplayName is used is in the output. If you want mail, drop back to the original version of the script.

Chris
0
bsharathAuthor Commented:
Chris, does the script check all the domains the groups might be in? As you know I have a root and a few child domains.
This script is like GOD to me... It was working fine, now it's not always working the same...
Sometimes I get this error:

Get-QADGroup : 0000202B: RefErr: DSID-0310063C, data 0, 1 access points
    ref 1: 'ENGGroup.co.uk'
At line:3 char:65
+   $Groups = [String]::Join(";", $($_.memberOf | %{ (Get-QADGroup <<<<  $_).Name }))
    + CategoryInfo          : NotSpecified: (:) [Get-QADGroup], DirectoryAccessException
    + FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.DirectoryAccessException,Quest.Act
   iveRoles.ArsPowerShellSnapIn.Powershell.Cmdlets.GetGroupCmdlet

When I query 1 OU I get the details right, as it picks the members from all domains, wherever the user is a member, and sometimes just the local domain groups.

please help
0
bsharathAuthor Commented:
For the same OU I ran with $_.Mail and did not get any root domain groups,
and with $_.DisplayName I got all I wanted even though I got the above error.
0
Chris DentPowerShell DeveloperCommented:

It doesn't make any difference whether you use $_.Mail or $_.DisplayName, it's just outputting fields from the user.

To get a complete picture of all groups a user is in you need two queries. One to search the user's domain, and one to search the Global Catalog.

Chris
0
bsharathAuthor Commented:
Any tweaking, Chris, to get this accurate data?

Just now I ran it 5 times on 1 specific OU and it gets different data each time.
Can you do some checks please
0
Chris DentPowerShell DeveloperCommented:
Try this.

You will need to feed it a Global Catalog server at the top.

I can't test or verify any of these. I have a single-domain forest so I can't possibly replicate your current scenario.

Chris
$GC = Connect-QADService "SomeGlobalCatalog.domain.com" -UseGlobalCatalog

Get-QADObject -SearchRoot "OU=Countries,DC=Dev,DC=co,DC=uk" `
    -LdapFilter "(&(objectCategory=person)(mail=*)(memberOf=*))" -IncludedProperties mail | %{

  # Get all groups from the current domain (accounts for Domain Local and Global)
  $Groups = Get-QADGroup -LdapFilter "(member=$($_.DN))" | Select-Object Name

  # Get all groups from the Global Catalog (accounts for Universal)
  $Groups += Get-QADGroup -LdapFilter "(member=$($_.DN))" -Connection $GC | Select-Object Name

  # Find unique group names and combine into a string
  $Groups = [String]::Join(";", $(($Groups | Select-Object Name -Unique) | %{ $_.Name }))

  "$($_.Mail);$Groups"
} > "GroupMembership.txt"


0
bsharathAuthor Commented:
Thanks Chris
Should this line be as this

SomeGlobalCatalog.domain.com
Servername.domain.local
0
Chris DentPowerShell DeveloperCommented:

Yep, just pick a running Global Catalog from that forest for it to use.

Chris
0
bsharathAuthor Commented:
Chris i get this repeatedly
Exception calling "Join" with "2" argument(s): "Value cannot be null.
Parameter name: value"
At line:8 char:25
+ $Groups = [String]::Join <<<< (";", $(($Groups | Select-Object Name -Unique) | %{ $_.Name }))
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException
0
Chris DentPowerShell DeveloperCommented:

Try this.

Chris
$GC = Connect-QADService "Servername.domain.local" -UseGlobalCatalog

Get-QADObject -SearchRoot "OU=Countries,DC=Dev,DC=co,DC=uk" `
    -LdapFilter "(&(objectCategory=person)(mail=*)(memberOf=*))" -IncludedProperties mail | %{

  # Get all groups from the current domain (accounts for Domain Local and Global)
  $DomainGroups = Get-QADGroup -LdapFilter "(member=$($_.DN))" | %{ $_.Name }

  # Get all groups from the Global Catalog (accounts for Universal)
  $GCGroups = Get-QADGroup -LdapFilter "(member=$($_.DN))" -Connection $GC | %{ $_.Name }

  $Groups = $DomainGroups + $GCGroups | Select-Object -Unique

  # Find unique group names and combine into a string
  $Groups = [String]::Join(";", $Groups)

  "$($_.Mail);$Groups"
} > "GroupMembership.txt"


0
bsharathAuthor Commented:
Get the same error
Exception calling "Join" with "2" argument(s): "Value cannot be null.
Parameter name: value"
At line:9 char:25
+ $Groups = [String]::Join <<<< (";", $Groups)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException
0
Chris DentPowerShell DeveloperCommented:

That means that some users are coming back with no Domain Groups and no GC Groups.

You may have to set a Search Root as below. Find this value and fix it up please:

-SearchBase "DC=RootDomain,DC=com"

Chris
$GC = Connect-QADService "Servername.domain.local" -UseGlobalCatalog

Get-QADObject -SearchRoot "OU=Countries,DC=Dev,DC=co,DC=uk" `
    -LdapFilter "(&(objectCategory=person)(mail=*)(memberOf=*))" -IncludedProperties mail | %{

  # Get all groups from the current domain (accounts for Domain Local and Global)
  $DomainGroups = Get-QADGroup -LdapFilter "(member=$($_.DN))" | %{ $_.Name }

  # Get all groups from the Global Catalog (accounts for Universal)
  $GCGroups = Get-QADGroup -LdapFilter "(member=$($_.DN))" -SearchBase "DC=RootDomain,DC=com" -Connection $GC | %{ $_.Name }

  $Groups = $DomainGroups + $GCGroups | Select-Object -Unique

  # Find unique group names and combine into a string
  $Groups = [String]::Join(";", $Groups)

  "$($_.Mail);$Groups"
} > "GroupMembership.txt"


0
bsharathAuthor Commented:
Chris, where should this line come into?
-SearchBase "DC=RootDomain,DC=com"
Just the root domain DC path, right?
0
Chris DentPowerShell DeveloperCommented:

Yep.

Just the root domain components, not the server name. It's selecting from the Global Catalog server you provide, you just need to tell it that it must use the forest root as the search base.

Chris
0
bsharathAuthor Commented:
I get this
Get-QADGroup : A parameter cannot be found that matches parameter name 'SearchBase'.
At line:6 char:69
+ $GCGroups = Get-QADGroup -LdapFilter "(member=$($_.DN))" -SearchBase <<<<  "DC=group,DC=co,DC=uk" -Connection $G
C | %{ $_.Name }
    + CategoryInfo          : InvalidArgument: (:) [Get-QADGroup], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Quest.ActiveRoles.ArsPowerShellSnapIn.Powershell.Cmdlets.GetGroup

The below is the edited code I have:
$GC = Connect-QADService "ina.dev.group.co.uk" -UseGlobalCatalog
Get-QADObject -SearchRoot "OU=Migrated-19-04-2010,DC=Dev,DC=Group,DC=co,DC=uk" `
-LdapFilter "(&(objectCategory=person)(mail=*)(memberOf=*))" -IncludedProperties mail | %{
# Get all groups from the current domain (accounts for Domain Local and Global)
$DomainGroups = Get-QADGroup -LdapFilter "(member=$($_.DN))" | %{ $_.Name }
# Get all groups from the Global Catalog (accounts for Universal)
$GCGroups = Get-QADGroup -LdapFilter "(member=$($_.DN))" -SearchBase "DC=isoftgroup,DC=co,DC=uk" -Connection $GC | %{ $_.Name }
$Groups = $DomainGroups + $GCGroups | Select-Object -Unique
# Find unique group names and combine into a string
$Groups = [String]::Join(";", $Groups)
"$($_.Mail);$Groups"
} > "GroupMembership.txt"


0
Chris DentPowerShell DeveloperCommented:

SearchRoot instead of SearchBase. Sorry.

Chris
0
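The script as it stands after the SearchRoot correction above, as an added example that is not part of the original thread: it keeps the thread's Quest cmdlets and placeholder server and DN values, and additionally escapes the user DN before placing it in the LDAP filter and wraps each result in @() so an empty result never reaches the join as null. The function name ConvertTo-LdapFilterValue is hypothetical.

```powershell
# Added example, not code from the thread. Requires the Quest ActiveRoles snap-in.
# "Servername.domain.local" and the DNs are the thread's placeholders.

# Hypothetical helper: escape a value for use inside an LDAP filter (RFC 4515).
# A DN such as "CN=Smith\, John (Ops),..." would otherwise break the filter
# or change what it matches. Backslash must be escaped first.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' `
           -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

$GC = Connect-QADService "Servername.domain.local" -UseGlobalCatalog

Get-QADObject -SearchRoot "OU=Countries,DC=Dev,DC=co,DC=uk" `
    -LdapFilter "(&(objectCategory=person)(mail=*)(memberOf=*))" -IncludedProperties mail | %{

  $Filter = "(member=$(ConvertTo-LdapFilterValue $_.DN))"

  # Groups from the current domain (Domain Local and Global).
  # @() forces an array even for zero or one result, so "+" below
  # concatenates arrays rather than two strings.
  $DomainGroups = @(Get-QADGroup -LdapFilter $Filter | %{ $_.Name })

  # Groups from the Global Catalog (Universal), searched from the forest root
  $GCGroups = @(Get-QADGroup -LdapFilter $Filter -SearchRoot "DC=RootDomain,DC=com" `
      -Connection $GC | %{ $_.Name })

  $Groups = @($DomainGroups + $GCGroups | Select-Object -Unique)

  # -join returns an empty string for an empty array instead of throwing
  "$($_.Mail);$($Groups -join ';')"
} > "GroupMembership.txt"
```

The same escaping applies wherever a value read from a file or from the directory is interpolated into -LdapFilter.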
bsharathAuthor Commented:
Thanks a lot Chris works perfect
Any help on the other posts... :-)
0
Chris DentPowerShell DeveloperCommented:

Thank goodness for that ;)

Chris
0
bsharathAuthor Commented:
Back to you again for this code that updates. For some specific child domain it does not update into the group.
Can we search all domains, no matter which out of the 4?

$RootDomain = Connect-QADService "group.co.uk" -Credential $(Get-Credential)
$ChildDomain = Connect-QADService "dev.group.co.uk" -Credential $(Get-Credential)
Get-Content "GroupMembership.txt" | %{
$Data = $_.Split(";")

$Object = Get-QADObject -LdapFilter "(mail=$($Data[0]))" -Connection $ChildDomain

for ($i = 1; $i -lt $Data.Count; $i++)
{
Add-QADGroupMember $Data[$i] -Member $($Object.DN) -Connection $RootDomain } }


0
Chris DentPowerShell DeveloperCommented:

You mean when the group is in a child domain?

Chris
0
bsharathAuthor Commented:
Yes one of the child Domain
>Root
>>Child1
>> Child2
>>Child3
in Child2 the group is available but the script fails to add into it
I get this
Add-QADGroupMember : Cannot resolve directory object for the given identity: 'Sice - iIPP'.
0
Chris DentPowerShell DeveloperCommented:

We're only looking for Groups in the Root Domain, that's where you said they were :-p

This modification is far more difficult, you want the script to figure out which connection it should use and which domain the group is in.

Chris
0
bsharathAuthor Commented:
Ya, I remember now.
But when I was reviewing I saw that the groups are in different domains and containers as well.
The same way the other script got the groups from all domains, can this script be changed to add the contacts to any group anywhere?
0
Chris DentPowerShell DeveloperCommented:
Not easily, it has to figure out where the group is, then bind to that group using the connection for the group's domain. Only after that has been done can it make changes to the group's membership.

It's not a change I can implement tonight.

Chris
0
bsharathAuthor Commented:
Ok Chris... I shall post a new Q. Please have a look tomorrow. Will post the new Q link here.
Thanks GN
0
bsharathAuthor Commented:
Chris posted a related post. Please have a look...
http://www.experts-exchange.com/Programming/Languages/Q_25966218.html
0