Re: Powershell question - property to determine group vs user, using Quest Get-QADUser

2012-10-05 Thread Michael Leone 
On Fri, Oct 5, 2012 at 2:14 PM, Michael Leone  wrote:
> On Fri, Oct 5, 2012 at 12:15 PM, Steven Peck  wrote:
>> So...
>>
>> $TheUsers = Get-QADGroupMember $GroupName -type 'user'
>> At this moment you have the user objects and their properties so let's try
>
> Yes, but that's not all I want. I *do* want to see any groups that are
> members of $GroupName, but not any disabled users who are members of
> $GroupName ... The above would filter out the group names.

I found the "ClassName" property will help me out. This IF will
include all non-disabled users, and all groups

IF ( ($Employee.ClassName -eq $null) -or (($Employee.AccountIsDisabled
-eq $false) -and ($Employee.ClassName -eq "user")))

Apparently, groups have a null ClassName, and users have a ClassName
of "user". Maybe there's a better way to differentiate, but this seems
to be working.

Thanks for the nudges in the right direction, everyone.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: Powershell question - property to determine group vs user, using Quest Get-QADUser

2012-10-05 Thread Michael Leone 
On Fri, Oct 5, 2012 at 12:15 PM, Steven Peck  wrote:
> So...
>
> $TheUsers = Get-QADGroupMember $GroupName -type 'user'
> At this moment you have the user objects and their properties so let's try

Yes, but that's not all I want. I *do* want to see any groups that are
members of $GroupName, but not any disabled users who are members of
$GroupName ... The above would filter out the group names.

Out of the list of all members of $GroupName, I want to list out only
groups (nested groups) and users who are not disabled. The problem
with using an IF statement that looks at the "AccountIsDisabled"
property is that a group name will not have that property, and so the
IF statement fails, and the nested group is not included in the
output.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: Powershell question - property to determine group vs user, using Quest Get-QADUser

2012-10-05 Thread Steven Peck 
So...

$TheUsers = Get-QADGroupMember $GroupName -type 'user'
At this moment you have the user objects and their properties so let's try

$TheUsers | Get-Member

Looking at the Properties field there is a "AccountIsDisabled" property..
yay.  Lot's of other properties as well which is nice since you have
already paid the price for lookup.

$TheUsers = Get-QADGroupMember $GroupName -type 'user'
foreach ($user in $TheUsers) { if ($user.AccountIsdisabled -eq $false) {
Write-Output $user.name } }

That should work without the extra Get-QADUser lookup which will speed the
script up.
Steven Peck
http://www.blkmtn.org


On Fri, Oct 5, 2012 at 8:52 AM, Steven Peck  wrote:

>
> This will get only user type objects
> Get-QADGroupMember $GroupName -type 'user'
>
> This will get only user type objects AND users from any nested groups.
> Get-QADGroupMember $GroupName -type 'user' -indirect
>
> So if the rest of your script currently works that should be the only
> change you have to make to that part.
>
> I will point out that your use of the "Select Name" is destroying the
> object data in the pipeline.  It looks like you might be able to avoid that
> extra "$Employee = Get-QADUser $User.Name" user look up call.  I'd have to
> play with it more but I am trying to actually have an answer to a PoSH
> question before MBS gets in with the solution for once so I could be
> wrong.  :)
>
> Steven Peck
> http://www.blkmtn.org
>
>
>
> On Fri, Oct 5, 2012 at 8:36 AM, Michael Leone  wrote:
>
>> I'm confused about something. I am writing a Powershell script, using
>> the Quest AD CMDLETs. I have a list of groups that I need to retrieve
>> the membership list for. But I don't want any group members that are
>> themselves groups (i.e., no nested groups); I only want users. And I
>> am not sure how best to accomplish this. At the moment, my script
>> loops thought my list of groups, and I get the list of names who are
>> members:
>>
>> $TheUsers = Get-QADGroupMember $GroupName | Select Name | Sort -property
>> Name
>>
>> I then loop through the returned user list and output individual user
>> accounts that are not disabled into a spreadsheet.
>>
>> ForEach ($User in $TheUsers)
>> {
>> $Employee = Get-QADUser $User.Name
>> $DisabledUser = $Employee.AccountIsDisabled
>> IF ( $DisabledUser -eq $false )
>> {
>> $Cells.Item($CurrentRow, $CurrentCol) =
>> $GroupCounter
>>
>> (I don't want to make the pipelining too complicated, in case the
>> other guys need to maintain this script in my absence)
>>
>> And so forth. But what I don't know is how to determine that $Employee
>> is a person and not a group. I'm sure it's simple and pretty much
>> staring me in the face, but I'm not seeing it. Groups have no
>> "AccountIsDisabled" property, apparently, so any groups who are
>> members of the group I am searching are not falling through into the
>> section that formats the spreadsheet.
>>
>> SO: when I do a "Get-QADUser ", what property should I be
>> looking at  to determine that "" is actually a group? Then I
>> can modify my IF statement appropriately.
>>
>> Thanks, and sorry for being such a n00b at this ...
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~   ~
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to listmana...@lyris.sunbeltsoftware.com
>> with the body: unsubscribe ntsysadmin
>>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: Powershell question - property to determine group vs user, using Quest Get-QADUser

2012-10-05 Thread Rob Bonfiglio 
I think this should work for you:
$TheUsers = Get-QADGroupMember $GroupName | where {$_.type -eq 'user'} |
Select Name | Sort Name

On Fri, Oct 5, 2012 at 11:36 AM, Michael Leone  wrote:

> I'm confused about something. I am writing a Powershell script, using
> the Quest AD CMDLETs. I have a list of groups that I need to retrieve
> the membership list for. But I don't want any group members that are
> themselves groups (i.e., no nested groups); I only want users. And I
> am not sure how best to accomplish this. At the moment, my script
> loops thought my list of groups, and I get the list of names who are
> members:
>
> $TheUsers = Get-QADGroupMember $GroupName | Select Name | Sort -property
> Name
>
> I then loop through the returned user list and output individual user
> accounts that are not disabled into a spreadsheet.
>
> ForEach ($User in $TheUsers)
> {
> $Employee = Get-QADUser $User.Name
> $DisabledUser = $Employee.AccountIsDisabled
> IF ( $DisabledUser -eq $false )
> {
> $Cells.Item($CurrentRow, $CurrentCol) =
> $GroupCounter
>
> (I don't want to make the pipelining too complicated, in case the
> other guys need to maintain this script in my absence)
>
> And so forth. But what I don't know is how to determine that $Employee
> is a person and not a group. I'm sure it's simple and pretty much
> staring me in the face, but I'm not seeing it. Groups have no
> "AccountIsDisabled" property, apparently, so any groups who are
> members of the group I am searching are not falling through into the
> section that formats the spreadsheet.
>
> SO: when I do a "Get-QADUser ", what property should I be
> looking at  to determine that "" is actually a group? Then I
> can modify my IF statement appropriately.
>
> Thanks, and sorry for being such a n00b at this ...
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: Powershell question - property to determine group vs user, using Quest Get-QADUser

2012-10-05 Thread Steven Peck 
This will get only user type objects
Get-QADGroupMember $GroupName -type 'user'

This will get only user type objects AND users from any nested groups.
Get-QADGroupMember $GroupName -type 'user' -indirect

So if the rest of your script currently works that should be the only
change you have to make to that part.

I will point out that your use of the "Select Name" is destroying the
object data in the pipeline.  It looks like you might be able to avoid that
extra "$Employee = Get-QADUser $User.Name" user look up call.  I'd have to
play with it more but I am trying to actually have an answer to a PoSH
question before MBS gets in with the solution for once so I could be
wrong.  :)

Steven Peck
http://www.blkmtn.org



On Fri, Oct 5, 2012 at 8:36 AM, Michael Leone  wrote:

> I'm confused about something. I am writing a Powershell script, using
> the Quest AD CMDLETs. I have a list of groups that I need to retrieve
> the membership list for. But I don't want any group members that are
> themselves groups (i.e., no nested groups); I only want users. And I
> am not sure how best to accomplish this. At the moment, my script
> loops thought my list of groups, and I get the list of names who are
> members:
>
> $TheUsers = Get-QADGroupMember $GroupName | Select Name | Sort -property
> Name
>
> I then loop through the returned user list and output individual user
> accounts that are not disabled into a spreadsheet.
>
> ForEach ($User in $TheUsers)
> {
> $Employee = Get-QADUser $User.Name
> $DisabledUser = $Employee.AccountIsDisabled
> IF ( $DisabledUser -eq $false )
> {
> $Cells.Item($CurrentRow, $CurrentCol) =
> $GroupCounter
>
> (I don't want to make the pipelining too complicated, in case the
> other guys need to maintain this script in my absence)
>
> And so forth. But what I don't know is how to determine that $Employee
> is a person and not a group. I'm sure it's simple and pretty much
> staring me in the face, but I'm not seeing it. Groups have no
> "AccountIsDisabled" property, apparently, so any groups who are
> members of the group I am searching are not falling through into the
> section that formats the spreadsheet.
>
> SO: when I do a "Get-QADUser ", what property should I be
> looking at  to determine that "" is actually a group? Then I
> can modify my IF statement appropriately.
>
> Thanks, and sorry for being such a n00b at this ...
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Powershell question - property to determine group vs user, using Quest Get-QADUser

2012-10-05 Thread Michael Leone 
I'm confused about something. I am writing a Powershell script, using
the Quest AD CMDLETs. I have a list of groups that I need to retrieve
the membership list for. But I don't want any group members that are
themselves groups (i.e., no nested groups); I only want users. And I
am not sure how best to accomplish this. At the moment, my script
loops thought my list of groups, and I get the list of names who are
members:

$TheUsers = Get-QADGroupMember $GroupName | Select Name | Sort -property Name

I then loop through the returned user list and output individual user
accounts that are not disabled into a spreadsheet.

ForEach ($User in $TheUsers)
{
$Employee = Get-QADUser $User.Name
$DisabledUser = $Employee.AccountIsDisabled
IF ( $DisabledUser -eq $false )
{
$Cells.Item($CurrentRow, $CurrentCol) = $GroupCounter

(I don't want to make the pipelining too complicated, in case the
other guys need to maintain this script in my absence)

And so forth. But what I don't know is how to determine that $Employee
is a person and not a group. I'm sure it's simple and pretty much
staring me in the face, but I'm not seeing it. Groups have no
"AccountIsDisabled" property, apparently, so any groups who are
members of the group I am searching are not falling through into the
section that formats the spreadsheet.

SO: when I do a "Get-QADUser ", what property should I be
looking at  to determine that "" is actually a group? Then I
can modify my IF statement appropriately.

Thanks, and sorry for being such a n00b at this ...

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin