Basically it is a very simple script, but I will quickly go through it. Of course you need to define the UNC path to the file share or folder. Then you will loop through all the existing directories with a Foreach. At each folder you will get the permissions with Get-ACL. Then you need another Foreach to get through all the granted permissions which are inherited or directly set. Then you will add each line to your report and finally export it as a CSV file for further processing. That’s it!

$FolderPath = dir -Directory -Path "\\fileserver\fileshare"
$Report = @()
Foreach ($Folder in $FolderPath) {
$Acl = Get-Acl -Path $Folder.FullName
foreach ($Access in $acl.Access)
{
$Properties = [ordered]@{'FolderName'=$Folder.FullName;'AD
Group or
User'=$Access.IdentityReference;'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}
$Report += New-Object -TypeName PSObject -Property $Properties
}
}
$Report | Export-Csv -path "C:\scripts\FolderPermissions.csv"

You can extend this script by sending the report as email message directly via PowerShell, look here. You can also create a scheduled task / cronjob for this script to Generate ACL Report FileShare periodically.

The post Generate ACL Report of File Share with PowerShell to CSV appeared first on HackBuddies.

This can be fulfilled easily by using a very short but effective PowerShell Inactive Computers script. Simply define the Organizational Unit (OU) you want to use as a SearchBase, specfiy the days of inactivity and that’s it!
The script will automatically subtract the amount of inactive days from the current date/time and will search the defined OU with the Get-ADComputer command. It will use the attribute LastLogonTimeStamp which you can also check in the Attribute Editor of the GUI.

$TargetOU = "OU=<SubUnit>,OU=<MainUnit>,DC=<domainName>,DC=com"
$DaysInactive = 90
$time = (Get-Date).Adddays(-($DaysInactive))
Get-ADComputer -SearchBase $TargetOU -Filter {LastLogonTimeStamp -lt $time} | Select-Object Name

Of course you could improve this simple PowerShell Inactive Computers script by adapting the output to a CSV file. Or by selecting more attributes. I would recommend you to create a scheduled task for the script and extend it by sending a HTML email/report, so you do not forget to clean up your inactive clients.

You can check out all options of the Get-ADComputer command at Microsoft Docs

The post Get Inactive Computers In Active Directory From Specific Organizational Unit With PowerShell appeared first on HackBuddies.

Feel free to adapt the script or write some interesting ideas how to extend it in the comments 🙂

# Define date, output file and OU
$DateTime = Get-Date -f "yyyy-MM-dd_hh-mm" 
$OutputFile = "C:\scripts\" + $DateTime + "-ADGroupsAndMembers.csv"
$TargetOU = "OU=<SubUnit>,OU=<MainUnit>,DC=<domainName>,DC=com"

# Check OU and set filter for Global Security Groups
$Groups = Get-ADGroup -SearchBase $TargetOU -filter {GroupCategory -eq "Security" -and GroupScope -ne "DomainLocal"}

$Table = @()

$Record = @{
"Group Name" = ""
"Name" = ""
"Username" = ""
}

Foreach ($Group in $Groups) {
    $Arrayofmembers = Get-ADGroupMember -identity $Group -recursive | Select-Object name,samaccountname
        foreach ($Member in $Arrayofmembers) {
            $Record."Group Name" = $Group
            $Record."Name" = $Member.name
            $Record."UserName" = $Member.samaccountname
            $objRecord = New-Object PSObject -property $Record
            $Table += $objrecord
     }
}

$Table | Sort-Object Name | Export-Csv $OutputFile -NoTypeInformation -Encoding UTF8

The post Export Active Directory Groups and their Members from a specific Organizational Unit as CSV with PowerShell appeared first on HackBuddies.

# Specify path to the text file with the computer account names.
$computers = Get-Content \\PathToScript\ComputersToDelete.txt

# Specify path to the OU where computers will be moved.
$TargetOU = "OU=Users,OU=<SubUnit>,OU=<MainUnit>,DC=<domainName>,DC=com"

# Move Computers to the new OU
ForEach($computer in $computers){
    Get-ADComputer $computer | Move-ADObject -TargetPath $TargetOU
}

The post Move Computers From .TXT File To Different OU In Active Directory With PowerShell appeared first on HackBuddies.

An inquiry, which occurs very often in daily business: “What permissions does a specific user have?” What about sending a HTML Email with AD User Groups to the requestor?
In most cases the Active Directory groups represent file access, system access and many more. So, exporting these groups would be a good way. Due to the fact that I did not want to start up my PowerShell for a CSV export which is then manually sent to the user every time, the following idea came up:

What about writing a PowerShell script, which just asks for the username and the email address of the superior who wants to see and check the permissions? After feeding the script with these two inputs, the Active Directory groups are queried and automatically sent to the superior in a HTML-formatted email. Very simple and time-saving!
After that I had the idea to extend the script with the “Description” field of the Active Directory groups. Thus, not just the group name but also the corresponding description gets exported and sent.

PowerShell Script

$UserName = (Read-Host "Username")
$EmailSuperior = (Read-Host "Email address of superior")

$style = "<style>BODY{font-family: Arial; font-size: 10pt;}"
$style = $style + "TABLE{border: 1px solid black; border-collapse: collapse;}"
$style = $style + "TH{border: 1px solid black; background: #dddddd; padding: 5px; }"
$style = $style + "TD{border: 1px solid black; padding: 5px; }"
$style = $style + "</style>"

# Get group memberships from reference user, sort them alphabetically and export to TXT file
# Define parameters for mailing and send mail to IT-responsible person to review permissions
$Permissions = Get-ADPrincipalGroupMembership -Identity $UserName| Get-ADGroup -Properties * | Select name, description | Sort-Object -Property name | ConvertTo-Html -Head $style
$SmtpServer = 'smtp.yourdomain.com'
$SmtpPort = 587
$FromSender = 'admin@yourdomain.com'
$Subject = 'User permission check: ' + $UserName

# Email Body Set Here, Note You can use HTML, including Images.
$Body ="
Hello,<br>
<br>
The permissions of user <B>$UserName</B> are set as below. Please check and review them.<br>
<hr>
<br>
<B>Permissions:</B><br>
$Permissions
<br>
"

Send-MailMessage -SmtpServer $SmtpServer -Port $SmtpPort -From $FromSender -To $EmailSuperior -Bcc $FromSender -Subject $Subject -Encoding "UTF8" -Body $Body -BodyAsHtml

This script will generate the following email message. Please note that I removed the original permissions and username and replaced it with placeholders 🙂

So that’s how you are sending HTML Email with AD User Groups. Please check up details regarding the Send-MailMessage command directly at Microsoft Docs

Let me know your thoughts in the comment section. Of course you can use this HTML email part in other scripts too, for example to send inactive computer list to the responsible person like here

Output of the Script

Hello,

The permissions of user <USERNAME> are set as below. Please check and review them.

Permissions:

The post Sending HTML Email with AD User Groups appeared first on HackBuddies.

Recently I wanted to connect to a machine with my admin user but then I realized that this user had been locked out in Active Directory. The counter for bad passwords is relatively high and gets resetted frequently, like every 15 minutes. So what could cause this issue? There must be some wrong configuration. I started to investigate. Analyze User Lockout AD

Imagine a setup with multiple Domain Controllers. Firstly, you have to find out which DC causes the lockout. Microsoft offers an amazing toolbox called “Account Lockout and Management Tools”. They are available at the following URL:
https://www.microsoft.com/en-us/download/details.aspx?id=18465

LockoutStatus.exe

Simply start the LockoutStatus.exe with a Domain Admin or at least with sufficient permissions and enter the target admin user who had been locked out. The tool will determine all Domain Controllers and show you a list of “Last Bad Password”, “Bad Password Counter” , “Last Password Change Date” and so on. Now you should know the involved Domain Controller.

Check Event Log on DC to analyze User Lockout AD

Secondly, you will connect via Remote Desktop Connection (RDP) to the mentioned Domain Controller and start the Event Viewer there. Navigate to System -> Security:

Now filter the current log for the event ID: 4625

After that you should be able to see the corresponding log entries. Search for the affected user to get the right entry. The important part here is the Caller Machine Name. This name will tell you the server which is causing the bad logins. Another crucial detail is the value of the logon type. With this value you can localize the cause. The possible values are listed here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

Finally, it should be relatively easy to solve. The possible sources of the bad logins are for example:

• Scheduled tasks
• Services
• Stored credentials
• File share access
• …

Thus, you can check now the local client of the user in order to find the root cause, for example in Credential Manager and delete the stored credentials, re-map the network drive or adapt the scheduled task. Analyze User Lockout AD

The post Analyze why an user gets locked out in Active Directory appeared first on HackBuddies.

By default all users are allowed to use Outlook Web Access, also called OWA. It is possible to disable access to OWA and the users can still access their mailbox via email clients like Outlook or Thunderbird.

Manually checking the status or disabling it can be very time-consuming. So we will simply use the Exchange Management Shell to do so.

If you want to see all users where Outlook Web Access is disabled, use this command:

Get-CASMailbox -ResultSize Unlimited | where{$_.OWAEnabled -like "False"}

Of course it is also possible to enable it with nearly the same command, but with the Set-CASMailbox command like that:

Get-CASMailbox -ResultSize Unlimited | where{$_.OWAEnabled -like "False"} | Set-CASMailbox -OWAEnabled $true

Filtering for one specific user works with the “Identity” parameter:

Set-CasMailbox -Identity "Test User" -OWAEnabled $false


Another convenient and very useful way to use this command is by filtering for an organizational unit (OU).

$NAFinance = Get-Mailbox -OrganizationalUnit "OU=myBranch,OU=myCountry,DC=mydomain,DC=com" -Filter {RecipientTypeDetails -eq 'UserMailbox'} -ResultSize Unlimited; $NAFinance | foreach  {Set-CasMailbox  $_.Identity -OWAEnabled $false}

The post Find users where Outlook Web Access (OWA) is disabled with Exchange Management Shell appeared first on HackBuddies.

Imagine you need to inform an user about something which had already been automated in a PowerShell script. You do not want to start a manual task (e.g. sending an email) every time the script is executed. Especially if you need it multiple times per day. So I decided to extend the script with the email-sending function. Just a few lines of code are necessary and you can adapt it to your needs. Mail Subject and Mail Body can be modified and even attachments can be added. Sending Email with PowerShell

To show you the possibilities, the following script reads the assigned groups of an Active Directory user and exports them to a .txt file. Then, the email data gets specified and afterwards the email will be sent to the recipient.

$Permissions = Get-ADPrincipalGroupMembership -Identity $Username | Select name | Sort-Object name | Out-File -FilePath C:\temp\AssignedGroups.txt
$SmtpServer = 'myServer.myDomain.com'
$SmtpPort = 587
$FromSender = 'mySender@myDomain.com'
$Recipient = 'myRecipient@myDomain.com'
$Subject = 'Assigned groups from : ' + $UserName
$PermissionsFilePath = "C:\temp\AssignedGroups.txt"
$Body = Get-Content -Path $PermissionsFilePath | Out-String 
Send-MailMessage -SmtpServer $SmtpServer -Port $SmtpPort -From $FromSender -To $Recipient -Subject $Subject -Body $Body -Attachments $PermissionsFilePath

I would definitely recommend you to check out the Microsoft Docs about the Send-MailMessage command in order to properly adapt it to your needs and requirements. You can also combine that script with other ones. For example, you can export Active Directory Groups and their members from a specific organizational unit as CSV and send an automated email message within a scheduled task – there are no limitations.
Sending Email with PowerShell

The post Sending an email within a PowerShell script appeared first on HackBuddies.

It will happen again and again. Your customers or colleagues will ask you to export specific user data from Active Directory. The easiest way to do this is with the command “Get-ADUser”. Simply select the specific objects like DisplayName, Username,.. and export the result to a CSV file with the specified encoding and delimiter.

Import-Module ActiveDirectory
Get-ADUser -Filter * -properties * | select-object DisplayName,sAMAccountName,telephoneNumber,mobile,mail,Department,Description | export-csv c:\temp\UserDataExport.csv -Encoding utf8 -notype -Delimiter ";"

Most of the time not all users are necessary, so there are more options to filter of course.

Export only specific Organizational Unit (OU)

You can filter for an Organizational Unit by using the -SearchBase option:

Import-Module ActiveDirectory
Get-ADUser -SearchBase "OU=Users,OU=<SubUnit>,OU=<MainUnit>,DC=<domainName>,DC=com" -Filter * -properties * | select-object DisplayName,sAMAccountName,telephoneNumber,mobile,mail,Department,Description | export-csv c:\temp\UserDataExport.csv -Encoding utf8 -notype -Delimiter ";"

Export group members

Another useful command is to export the members of a security group:

Import-Module ActiveDirectory
Get-ADGroupMember -Identity '<GroupName>' | Select-Object name, samaccountname | export-csv c:\temp\exportGroupMembers.csv -Encoding utf8 -NoType -Delimiter ";"

The post Export user data from Active Directory appeared first on HackBuddies.

Last time I had the situation that an employee switched from one department to another, thus all security groups need to get updated. If this is the case, you can simply copy the Active Directory groups from another user of the new department.
Although this is just a very simple one-liner, it is still a very useful command and can save a lot of time.

Import-Module ActiveDirectory
Get-ADUser -Identity <copyFromUser> -Properties memberof | Select-Object -ExpandProperty memberof | Add-ADGroupMember -Members <updateThisUser>

The post Copy Active Directory groups from one user to another appeared first on HackBuddies.