Solved

Help with Get-ADUser PowerShell Command querying for TsAllowLogon

Posted on 2013-01-29
12
2,460 Views
Last Modified: 2013-01-30
Greetings!

I'm trying to query users from an AD OU specifically looking for attribute TsAllowLogon.  My attempts at running a command in PowerShell have been unsuccessful.  Any help were I'm messing up this command would be greatly appreciated.  Usually it just generates an empty CSV file.

Get-ADUser -ResultSetSize $null -SearchBase $ou -SearchScope SubTree -LdapFilter "(TsAllowLogon=$False)" | Select-Object Name,samAccountName | Export-Csv -NoTypeInformation $("C:\results\" + $name + "TsAllowLogonFalse.csv")

Open in new window

0
Comment
Question by:tonydotigr
  • 5
  • 5
  • 2
12 Comments
 
LVL 39

Expert Comment

by:footech
ID: 38832399
I don't know about the ldapfilter syntax, but this return the right users for me.
Get-ADuser -filter {msTSAllowLogon -eq $true}

Open in new window

0
 
LVL 5

Expert Comment

by:coraxal
ID: 38832499
This will get you users with the msTSAllowLogon not set
Get-ADuser -Properties msTSAllowLogon -Filter { mstsallowlogon -notlike "*" } -SearchBase $ou -SearchScope SubTree -ResultSetSize $null |
Select-Object Name,samAccountName |
Export-Csv -NoTypeInformation $("C:\results\" + $name + "TsAllowLogonFalse.csv")

Open in new window

And this will get you users with the msTSAllowLogon set to $false
Get-ADuser -Properties msTSAllowLogon -Filter { mstsallowlogon -eq $false } -SearchBase $ou -SearchScope SubTree -ResultSetSize $null |
Select-Object Name,samAccountName |
Export-Csv -NoTypeInformation $("C:\results\" + $name + "TsAllowLogonFalse.csv")

Open in new window

Obviously you can combine the filter if you want to get both user types exported
-Filter { mstsallowlogon -notlike "*" -or mstsallowlogon -eq $false }

Open in new window

0
 

Author Comment

by:tonydotigr
ID: 38832507
The command runs, but does not return an results with "$true" or "$false"...
0
 

Author Comment

by:tonydotigr
ID: 38832526
mstsallowlogon -eq $false

Open in new window

does not return results either way (even with true)
mstsallowlogon -notlike "*" 

Open in new window

seems to return all records

Hmmmm
0
 
LVL 39

Expert Comment

by:footech
ID: 38832548
I found the right syntax for the LDAPfilter is
Get-ADUser -ldapfilter "(msTSAllowLogon=FALSE)"
In this case "FALSE" (or "TRUE") is case-sensitive.  So changing your supplied command to
Get-ADUser -ResultSetSize $null -SearchBase $ou -SearchScope SubTree -LdapFilter "(msTsAllowLogon=FALSE)" | Select-Object Name,samAccountName | Export-Csv -NoTypeInformation $("C:\results\" + $name + "TsAllowLogonFalse.csv")

Open in new window

works for me.
0
 
LVL 5

Expert Comment

by:coraxal
ID: 38832551
Can you edit this line
Select-Object Name,samAccountName

to this:

Select-Object Name,samAccountName,msTSAllowLogon

Open in new window

Run the command again, and take a look at the value of msTSAllowLogon. Works for me.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:tonydotigr
ID: 38832707
Footech:
The command you supplies runs but nothing is returned...


Coraxal:
Nothing is return when I look at the msTsAllowLogon parameter.  I'm guessing there should be?
0
 
LVL 39

Expert Comment

by:footech
ID: 38832755
If that's true, then the problem must be with your environment or I'm misunderstanding what you want.  Do any of your users have the attribute set to FALSE?  If the attribute is not set, then accordingly the file should be blank.

What exactly are you trying to check?  Whether the attribute is set to FALSE, whether it is set at all, or what?
0
 

Author Comment

by:tonydotigr
ID: 38832773
Trying to see what users have the option selected (Remote Desktop Service Profile > Deny this user permissions to log on to Remote Desktop Session Host server).  

Results come back blank when set to either TRUE or FALSE.
0
 
LVL 39

Expert Comment

by:footech
ID: 38832977
OK, we're talking about a different attribute here.  From what I recall, that doesn't exist as an actual attribute of a user in AD, but is pulled from some other source.  You can access it through the userParameters attribute which is basically a blob of information that includes the TerminalServicesHomeDirectory and TerminalServicesProfilePath.  I'm not certain how I'd access it using straight PowerShell (I know it involves using the adsi accelerator).  From what I understand, the Quest cmdlets include the functionality to change this ( http://ss64.com/ps/set-qaduser.html ), but I don't use them so I can't give you specific guidance.  If I have time I'll look into the straight PS method.
0
 

Author Comment

by:tonydotigr
ID: 38833056
Thanks footech... really appreciate it!!
0
 
LVL 39

Accepted Solution

by:
footech earned 420 total points
ID: 38833548
This will return all users in an OU that have the box checked for "Deny this user permissions to log on to Remote Desktop Session Host server".  It will output their name and sAMAccountName into a single .CSV.
Import-Module ActiveDirectory
$out = @()
$searchOU = "OU=Users,OU=whatever,DC=domain,DC=com"
(Get-ADuser -filter * -searchbase $searchOU -properties DistinguishedName) | ForEach `
  {
    $userDN = $_ | Select -expandProperty DistinguishedName
    $user = [adsi]"LDAP://$userDN"
    If (($user.psbase.invokeget("AllowLogon")) -eq "0" )
    {
      $Properties = @{
        Name = "$($_.Name)"
        sAMAccountName = "$($_.sAMAccountName)"
      }
      $custom = New-Object PSObject -property $Properties
      $out += $custom
    }
  }
$out | Select Name,sAMAccountName | Export-Csv -NoTypeInformation "C:\results\TsAllowLogonFalse.csv"

Open in new window

0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hi all.   The other day I had to change the passwords for a bunch of users on the fly. Because they were so many, I decided to do it in an automated way and I would like to share it with you all.   If you are not doing it directly in a Domain Co…
The article will show you how you can maintain a simple logfile of all Startup and Shutdown events on Windows servers and desktops with PowerShell. The script can be easily adapted into doing more like gracefully silencing/updating your monitoring s…
In this video I am going to show you how to back up and restore Office 365 mailboxes using CodeTwo Backup for Office 365. Learn more about the tool used in this video here: http://www.codetwo.com/backup-for-office-365/ (http://www.codetwo.com/ba…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now