tonydotigr
asked on
Help with Get-ADUser PowerShell Command querying for TsAllowLogon
Greetings!
I'm trying to query users from an AD OU specifically looking for attribute TsAllowLogon. My attempts at running a command in PowerShell have been unsuccessful. Any help were I'm messing up this command would be greatly appreciated. Usually it just generates an empty CSV file.
I'm trying to query users from an AD OU specifically looking for attribute TsAllowLogon. My attempts at running a command in PowerShell have been unsuccessful. Any help were I'm messing up this command would be greatly appreciated. Usually it just generates an empty CSV file.
Get-ADUser -ResultSetSize $null -SearchBase $ou -SearchScope SubTree -LdapFilter "(TsAllowLogon=$False)" | Select-Object Name,samAccountName | Export-Csv -NoTypeInformation $("C:\results\" + $name + "TsAllowLogonFalse.csv")
This will get you users with the msTSAllowLogon not set
Get-ADuser -Properties msTSAllowLogon -Filter { mstsallowlogon -notlike "*" } -SearchBase $ou -SearchScope SubTree -ResultSetSize $null |
Select-Object Name,samAccountName |
Export-Csv -NoTypeInformation $("C:\results\" + $name + "TsAllowLogonFalse.csv")
And this will get you users with the msTSAllowLogon set to $falseGet-ADuser -Properties msTSAllowLogon -Filter { mstsallowlogon -eq $false } -SearchBase $ou -SearchScope SubTree -ResultSetSize $null |
Select-Object Name,samAccountName |
Export-Csv -NoTypeInformation $("C:\results\" + $name + "TsAllowLogonFalse.csv")
Obviously you can combine the filter if you want to get both user types exported-Filter { mstsallowlogon -notlike "*" -or mstsallowlogon -eq $false }
ASKER
The command runs, but does not return an results with "$true" or "$false"...
ASKER
mstsallowlogon -eq $false
does not return results either way (even with true)mstsallowlogon -notlike "*"
seems to return all recordsHmmmm
I found the right syntax for the LDAPfilter is
Get-ADUser -ldapfilter "(msTSAllowLogon=FALSE)"
In this case "FALSE" (or "TRUE") is case-sensitive. So changing your supplied command to
Get-ADUser -ldapfilter "(msTSAllowLogon=FALSE)"
In this case "FALSE" (or "TRUE") is case-sensitive. So changing your supplied command to
Get-ADUser -ResultSetSize $null -SearchBase $ou -SearchScope SubTree -LdapFilter "(msTsAllowLogon=FALSE)" | Select-Object Name,samAccountName | Export-Csv -NoTypeInformation $("C:\results\" + $name + "TsAllowLogonFalse.csv")
works for me.
Can you edit this line
Select-Object Name,samAccountName
to this:
Select-Object Name,samAccountName,msTSAllowLogon
Run the command again, and take a look at the value of msTSAllowLogon. Works for me.
ASKER
Footech:
The command you supplies runs but nothing is returned...
Coraxal:
Nothing is return when I look at the msTsAllowLogon parameter. I'm guessing there should be?
The command you supplies runs but nothing is returned...
Coraxal:
Nothing is return when I look at the msTsAllowLogon parameter. I'm guessing there should be?
If that's true, then the problem must be with your environment or I'm misunderstanding what you want. Do any of your users have the attribute set to FALSE? If the attribute is not set, then accordingly the file should be blank.
What exactly are you trying to check? Whether the attribute is set to FALSE, whether it is set at all, or what?
What exactly are you trying to check? Whether the attribute is set to FALSE, whether it is set at all, or what?
ASKER
Trying to see what users have the option selected (Remote Desktop Service Profile > Deny this user permissions to log on to Remote Desktop Session Host server).
Results come back blank when set to either TRUE or FALSE.
Results come back blank when set to either TRUE or FALSE.
OK, we're talking about a different attribute here. From what I recall, that doesn't exist as an actual attribute of a user in AD, but is pulled from some other source. You can access it through the userParameters attribute which is basically a blob of information that includes the TerminalServicesHomeDirect ory and TerminalServicesProfilePat h. I'm not certain how I'd access it using straight PowerShell (I know it involves using the adsi accelerator). From what I understand, the Quest cmdlets include the functionality to change this ( http://ss64.com/ps/set-qaduser.html ), but I don't use them so I can't give you specific guidance. If I have time I'll look into the straight PS method.
ASKER
Thanks footech... really appreciate it!!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Open in new window