attributes from distribution groups

  • Question

  • Hello.

    I was given the task of verifying AD users' extensionAttribute value. Each user is part of a group based on their region.

    The first thing that comes to mind is to use Get-ADGroup, then pipe that to Get-ADGroupMember, then select the property "extensionAttribute1" of the object to get the value.

    I have two issues:

    1) All of the domains are NOT reachable even when I use the -ignoredefaultlocation, but when I use "get-distributiongroup" the groups in each domain region are accessible. However, I can't pull the extensionAttribute. The distribution groups have customattributes instead. Trying to think of a good way to interrelate these from a coding perspective.

    2) I have to check all of the region groups. So I have a text file in the c: drive and am using get-content to put the groups into an array ($groups for example). I then pipe that into a get-adgroupmembers that I in turn put into another array called $users1. For some reason when I put that in a foreach loop: foreach($user in $users1) I get a cannot find object error.


    admin

    Tuesday, May 8, 2012 4:36 AM

Answers

  • With Get-ADUser it is straightforward - just specify your GC Server and port 3268, like this:

    Get-ADUser -Filter {name -eq 'Dummy1'} -Properties extensionattribute1 -Server 'MyGCServer:3268'


    A quick test on how this works is to query for a non-GC attribute, such as AccountExpires:

    Get-ADUser -Filter {name -eq 'Dummy1'} -Properties AccountExpires -Server 'MyGCServer:3268'

    The above won't give you the attribute value, the following does:

    Get-ADUser -Filter {name -eq 'Dummy1'} -Properties AccountExpires -Server 'MyGCServer:389'
    

    Of course in this case the server and the port 389 are optional, since they are the default.

    What you want to achieve will probably be something like this:

    $attributes = 'extensionattribute1','extensionattribute2'   # ... add further attributes as needed
    
    $select_attributes = @{Property=$attributes+'name'}
    
    Get-ADGroupMember 'MyGroup' | Get-ADUser -Properties $attributes -Server 'MyGCServer:3268' | Select @select_attributes


    • Proposed as answer by Richard MuellerMVP Wednesday, May 9, 2012 10:28 PM
    • Marked as answer by IamMred Saturday, May 12, 2012 12:49 AM
    Tuesday, May 8, 2012 8:04 PM
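
An added example, not part of the original answer: it applies the answer's pattern (group members piped to Get-ADUser against the global catalog on port 3268) to a list of groups read from a text file and emits one object per member, so the result can be filtered or exported. `MyGCServer`, both file paths and the "empty extensionAttribute1" check are assumptions made for illustration.

```powershell
Import-Module ActiveDirectory

$GcServer   = 'MyGCServer:3268'                      # placeholder GC host, port 3268 as in the answer
$GroupFile  = 'C:\groups.txt'                        # hypothetical file: one group name per line
$ReportFile = 'C:\extensionattribute-report.csv'     # hypothetical output path
$Attributes = 'extensionAttribute1', 'extensionAttribute2'

$report = foreach ($groupName in Get-Content -Path $GroupFile) {
    $groupName = $groupName.Trim()
    if (-not $groupName) { continue }                # skip blank lines in the list

    try {
        # Group members are lightweight principals; keep only user objects
        $members = Get-ADGroupMember -Identity $groupName -ErrorAction Stop |
                   Where-Object { $_.objectClass -eq 'user' }
    }
    catch {
        # Record the failed lookup instead of aborting the whole run
        [pscustomobject]@{
            Group               = $groupName
            SamAccountName      = $null
            ExtensionAttribute1 = $null
            ExtensionAttribute2 = $null
            Status              = "group lookup failed: $($_.Exception.Message)"
        }
        continue
    }

    foreach ($member in $members) {
        # Re-read the full user object from the GC to get the extension attributes
        $user = $member | Get-ADUser -Properties $Attributes -Server $GcServer
        [pscustomobject]@{
            Group               = $groupName
            SamAccountName      = $user.SamAccountName
            ExtensionAttribute1 = $user.extensionAttribute1
            ExtensionAttribute2 = $user.extensionAttribute2
            Status              = if ([string]::IsNullOrWhiteSpace($user.extensionAttribute1)) {
                                      'extensionAttribute1 empty'
                                  } else { 'ok' }
        }
    }
}

# Objects, not formatted text, so the same data can be exported and reviewed
$report | Export-Csv -Path $ReportFile -NoTypeInformation
$report | Where-Object Status -ne 'ok' | Format-Table -AutoSize
```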

All replies

  • Rethink this and ask your question again.

    The members of a group are not complete objects.  A group does not reflect the attributes of its users.

    Try this to see how it works.

    get-adgroup 'domain users' |Get-adgroupmember

    Then do this:

    get-adgroup 'domain users' |Get-adgroupmember|get-aduser -Properties *

    Look at the difference in the number of properties.


    ¯\_(ツ)_/¯

    Tuesday, May 8, 2012 4:50 AM
  • Just some additional points.

    • Seems like you're working in a multi-domain environment.  Querying an entire forest is a bit trickier than doing a single domain.  Make sure you're querying the global catalog for the desired result.  Normally you should also double check if the attributes are replicated to the GC, in this case not necessary because the extension attributes are replicated by Exchange default.

    • Use port 3268 to query the GC.

    • Yes extensionattributes in AD = CustomAttributes in Exchange.  You have to use the right names for the two sets of cmdlets (AD vs Exchange).



    Tuesday, May 8, 2012 5:31 AM
  • Hi Joe,

    Can you give me an example using gc? 


    admin

    Tuesday, May 8, 2012 4:52 PM
  • Ok guys this is what I did and it worked out pretty good. Thank you for all of your input, it helped me greatly.

    foreach ($adgamgrps in $adgroupsams) {
    $groupmem1 += (Get-adgroup $adgamgrps | Get-adgroupmember | Get-ADUser -Properties * |  ft -Auto samaccountname, extensionattribute2,@{Label="Special groups";Expression={$adgamgrps}})
    }
    $groupmem1

    #where $adgroupsams is a variable containing all of the group names extracted from a list in a text file AND $groupmem1 is an array containing all of the group members pulled from all of the retention groups.

    Now I need to be able to put this in an SQL database table. This is another challenge altogether. Can any of you fine gentlemen give me a resource and a guide on how I can do this?

     


    admin

    Tuesday, May 15, 2012 2:51 PM
  • #1 SQL Server can read and load from Active Directory directly.
    #2 Dump to CSV and use sql loader to upload.
    #3 Use SQLPS to execute script and SQL support to upload.


    ¯\_(ツ)_/¯

    Tuesday, May 15, 2012 3:07 PM
  • Good job but I'm a bit surprised that you said your code worked in your multi-domain environment.  Your code doesn't seem to use Global Catalog and either you're running the code once in each domain or something I did not follow......

    Anyway, for the data upload, I use System.Data.Datatable with System.Data.SQLClient.SqlDataAdapter, it's a bit of work but pays off if you need a permanent process for this.  If it's only a one time thing then just do what Jrv said or any way you want.

    If you have zero experience in this, here are some readings for starters:

    Using Powershell To Access SQL Data
    SQL Integration in Your Powershell Scripts
    Sample Code to Get OLEDB Data

    Anyway this should be in a new thread.

    Good Luck


    Tuesday, May 15, 2012 8:31 PM