First, they ARE parentheses. ☺
Sure, you can programmatically install RSAT. But I don’t recommend it, and it
takes several minutes. Certainly not an optimal user experience.
As Webster suggests, the proper way to do this is with an LDAP query, and use
either ADSI or System.DirectoryServices to get it done.
This is a more complex example than you need, but it contains all the key
pieces:
###
### $anr, $domainRoot and $domainMode are assumed to be set earlier in the script
###
### userAccountControl bit tests (1.2.840.113556.1.4.803 = bitwise AND):
###   512 = NORMAL_ACCOUNT, 2 = ACCOUNTDISABLE,
###   65536 = DONT_EXPIRE_PASSWORD, 32 = PASSWD_NOTREQD
### NOT terms are written in the RFC 4515 form (!(...))
###
$ldapFilter = "(&" +
    "(objectCategory=Person)" +
    "(userAccountControl:1.2.840.113556.1.4.803:=512)" +
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
    "(!(userAccountControl:1.2.840.113556.1.4.803:=65536))" +
    "(!(userAccountControl:1.2.840.113556.1.4.803:=32))"
if( $anr )
{
    ###
    ### using an ANR subquery allows us to reduce the result set from the LDAP query
    ###
    $ldapFilter += "(anr=$anr)"
}
$ldapFilter += ")"
###
### build the LDAP search
###
$directorySearcher = New-Object System.DirectoryServices.DirectorySearcher
$directorySearcher.PageSize = 1000
$directorySearcher.SearchRoot = $domainRoot
$directorySearcher.SearchScope = "subtree"
$directorySearcher.Filter = $ldapFilter
###
### load the properties we want
###
$directorySearcher.PropertiesToLoad.Add( "displayName" ) | Out-Null
$directorySearcher.PropertiesToLoad.Add( "mail" ) | Out-Null
$directorySearcher.PropertiesToLoad.Add( "pwdLastSet" ) | Out-Null
$directorySearcher.PropertiesToLoad.Add( "sAMAccountName" ) | Out-Null
$directorySearcher.PropertiesToLoad.Add( "userAccountControl" ) | Out-Null
if( $domainMode -ge 3 )
{
    ### this attribute is only valid on Windows2008Domain and above
    $directorySearcher.PropertiesToLoad.Add( "msDS-PSOApplied" ) | Out-Null
}
$users = $directorySearcher.FindAll()
foreach( $user in $users )
{
    ### ….
}
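Added example, not part of the original message: the same DirectorySearcher approach narrowed to the logon-script case raised in this thread (reading the current user's attributes without RSAT), with RFC 4515 escaping applied to any value placed into the filter, which is equally relevant to a value such as $anr above. The function names and the default attribute list are assumptions made for illustration.

```powershell
# Added example: function names and the default attribute list are illustrative assumptions.

# Escape the RFC 4515 special characters ( \ * ( ) NUL ) so a value cannot alter the filter.
function ConvertTo-LdapFilterValue {
    param( [Parameter(Mandatory)][string] $Value )
    [regex]::Replace( $Value, '[\\*()\x00]', { param($m) '\{0:x2}' -f [int][char]$m.Value } )
}

# Read selected attributes of one account through ADSI; no RSAT / Get-ADUser needed.
# With no SearchRoot set, DirectorySearcher binds to the current domain as the calling user.
function Get-LogonUserAttribute {
    param(
        [string]   $SamAccountName = $env:USERNAME,
        [string[]] $Property = @( 'displayName', 'mail', 'telephoneNumber', 'title' )
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchScope = 'Subtree'
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))' -f
        ( ConvertTo-LdapFilterValue $SamAccountName )
    foreach( $p in $Property ) { $searcher.PropertiesToLoad.Add( $p ) | Out-Null }

    try
    {
        $result = $searcher.FindOne()
        if( $null -eq $result ) { return $null }      # no matching account

        $out = [ordered] @{}
        foreach( $p in $Property )
        {
            # Keys in the result's Properties collection are stored in lower case.
            $values = $result.Properties[ $p.ToLowerInvariant() ]
            $out[ $p ] = if( $null -ne $values -and $values.Count -gt 0 ) { $values[0] } else { $null }
        }
        [pscustomobject] $out
    }
    finally
    {
        $searcher.Dispose()
    }
}

# Constructed input containing filter metacharacters, to show the escaping.
ConvertTo-LdapFilterValue 'jrankin*)(mail=*'

# Logon-script usage on a domain-joined client:
$me = Get-LogonUserAttribute
if( $me ) { $me.mail }
```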
From: [email protected] On Behalf Of Webster
Sent: Monday, June 27, 2016 12:10 PM
To: [email protected]
Subject: RE: [NTSysADM] RE: PowerShell weaknesses
Can you get the same info using an LDAP query that MBS can give you the syntax
for?
Webster
From: [email protected] On Behalf Of James Rankin
Sent: Monday, June 27, 2016 10:58 AM
To: [email protected]
Subject: RE: [NTSysADM] RE: PowerShell weaknesses
Actually might be worth extending this debate slightly…
I’m trying to build Outlook signature files on the fly using AD attributes. So
I basically need to grab certain AD attributes and set them as variables. This
is not a problem.
However, as I am doing this at user first logon, I need to query the AD
attributes in the context of the user. Get-ADUser is the cmdlet I’m using, but
this is unavailable on my Windows 10 clients unless I install the RSAT. So…
Is there a way to programmatically install the RSAT feature on Windows 10 with
the AD PowerShell stuff enabled? I’d rather not have to go back and create a
new image.
I found Enable-WindowsOptionalFeature but don’t seem to be able to crack the
right syntax for it…
Cheers,
JR
From: [email protected] On Behalf Of Charles F Sullivan
Sent: 27 June 2016 16:29
To: [email protected]
Subject: RE: [NTSysADM] RE: PowerShell weaknesses
I was going to suggest:
Get-ADUser -identity jrankin -Properties mail
That will get you the defaults plus Mail.
I mention this because I find it easier to remember, though of course it’s a
matter of preference.
From: [email protected] On Behalf Of James Rankin
Sent: Monday, June 27, 2016 10:41 AM
To: [email protected]
Subject: [NTSysADM] RE: PowerShell weaknesses
Doh!
Put it in brackets would be the thing I’m missing
(Get-ADUser -filter jrankin -Properties mail).mail
Never mind…. ☺
From: James Rankin
Sent: 27 June 2016 15:39
To: [email protected]
Subject: PowerShell weaknesses
How can I use Get-ADUser to query a single attribute for a specific user? If I
use something like
Get-ADUser -filter jrankin -Properties mail
To query the email address in AD, I don’t just get that attribute returned, I
get a bunch of default stuff too…
DistinguishedName : CN=James Rankin,OU=Desktop1,OU=Standard Users,OU=User Accounts,DC=JRR,DC=test,DC=local
Enabled : True
GivenName : James
mail : [email protected]
Name : James Rankin
ObjectClass : user
ObjectGUID : 694d15e1-d550-483a-8f21-cb7415f05342
SamAccountName : jrankin
SID : S-1-5-21-2950944927-1203068717-1704750700-1114
Surname : Rankin
UserPrincipalName : [email protected]
Am I missing something blatantly obvious here?
Cheers,
James Rankin
EUC Solutions Architect | 07809 668579 | [email protected]
One Trinity Green, Eldon Street, South Shields, Tyne & Wear, NE33 1SA
Tel: 0191 481 3446