A little while ago, I was asked about when a specific user last logged in with their active directory (AD) user account. While looking up that information was easily done, finding out how to look up the information was a mite more challenging. There are a number of ways of achieving it; including command line and Powershell commands. My preferred way of doing it is using the Attribute Editor in Active Directory Users and Computers (ADUC). Here’s how:
Tag: Active Directory
Some time ago, I was asked to provide a list of everyone with access to a specific system. After communicating with the client, it transpired that they were particularly interested in knowing who were the members of a set of Active Directory groups. While this can be done manually, I wanted to try my hand at building a PowerShell-script that returned the information the client was asking for, and which I could reuse at some later point, as such requests pop up with some regularity.
Five years ago, I showed you how to export a list of members of an Active Directory group, using a command line query. One issue I’ve run into using this query, is that I get their user name, not their actual name, which tends to make the resulting list hard to parse. As I had a need to export a relatively large number of group members names as part of a recent ticket, I needed a solution that gave me what I wanted straight out of the box.
Some time ago, I needed to have a list of all Contacts registered in Active Directory. Knowing that there are a lot of them (numbering at least eighty), getting the data manually was not a viable alternative, particularly knowing that the same objective can be achieved through Powershell. I eventually came up with a solution. To make following it logically easier, I’m going to include commentary on each step:
A couple of months ago, a customer sent us a ticket, complaining that a mail group was incomplete. Specifically, his manager was not listed among the recipients. The mail group in question contained all managers, and membership was gained through dedicated active directory (AD) organisational units (OUs), one for the manager of each business unit (BU). I checked the Exchange address book in Outlook, and sure enough; the manager group for his BU was not listed among the recipients.
A month or so ago, I was asked to find a specific attribute (objectGUID, in case you wondered) of a group in Active Directory, for use in some third-party system. Thinking that this would be easily accomplished, I opened my Active Directory Users and Computers-window, and found the group in question. I opened the properties, but found the Attribute Editor tab sorely missing:
Some time ago, I was working on a request to limit access to a folder to members of four AD groups. Following the established practice at my employer, I created the group to grant access to the folder, and the one to control who has access. I made the latter a member of the former, and went to add the members. Two of the AD groups that were to have access were added, no problem. The other two were not. Not only that, I couldn’t even find them when searching for them,
Last week I covered how you can use the
DSQuery command to export members of a given AD Group. This week, on a related note, I will cover how to use the same basic command to export all computer accounts in Active Directoy.
A while back, my boss came to me, asking me if I could get him an export of the users that are members of two groups in Active Directory. For the purposes of this blog post, let’s call them “OfflineUsers” and “Software Access”. As it turns out, this is pretty easy to do. Here’s how:
When working in a corporate environment with Active Directory, you may, from time to time, encounter computers that users cannot log on to, as they receive an error message saying: