Salamander Active Directory – Feature focus – Working with Office 365

As we are seeing more and more schools moving towards Office 365, I thought I’d share what Salamander Active Directory can do for you.

Getting users into Office 365
Salamander AD has always been able to provision your users and groups into your local Active Directory and this doesn’t change with a school using Office 365.

We recommend that you use DirSync to push your users into Office 365, but we can manage them once they are there.

Licensing
By leveraging the Office 365 PowerShell cmdlets, Salamander Active Directory can license your users based on their status in your MIS.

Obviously, it can assign different licenses to students and staff, but it could also assign different licenses or service plans to 6th Form, or to Teaching Staff etc.

Location and other settings
The capabilities of Salamander aren’t restricted to licensing. We regularly set the location for users, and set mailbox settings en masse. If you need something done to a lot of users in Office 365, Salamander Active Directory can probably do it for you.

Calendars
For customers using SIMS, Facility CMIS or iSAMS, we can also push your pupils’ and staff timetables into Office 365 mailboxes, as we can in a local Exchange environment.

Have a look at my post on Exchange Calendar with Salamander

Already a customer?
As with all the features for Salamander Active Directory, these are available to any Salamander Active Directory customer, new or existing.

SalamanderSoft and Office 365
As Authorised Education Resellers for Office 365, we can offer you advice and support whether you’re looking to move to Office 365 or are already there.

Drop me an email for more information, or just to have a chat: jon@salamandersoft.co.uk

Finding old, inactive users and computers in on-premise Active Directory using Powershell

One of the questions I get asked frequently is “How can I work out how many of my users or computers are inactive or old?”

Well, there are a number of ways to do this, but I’ve found that the easiest and certainly the quickest has been to use PowerShell.

Now, I’ll say right at the outset that all I’m doing here is showing you the quickest way I’ve found to get a list of inactive or disabled users, nothing more.

I know there is much, much more that we can do with it, and get really clever with the scripting. I know, I’ve done it, but for the most part, the people who ask me literally want a list of users, nothing more.

So that’s all I’m going to do.

What am I looking for?
Active Directory stores a whole lot more information than you expect inside the objects for users and computers. A couple of these attributes are useful in determining how long an account has been dormant or inactive.

These might include ‘lastLogonTimeStamp’ or looking at the ‘userAccountControl’ to see what their status is. There’s a load more you can look at too, but you don’t need to. You can get the basic details you need from a single cmdlet.

So, how do I get this information out using PowerShell?

NOTE: The following assumes that you are in PowerShell, have added the Active Directory modules and have relevant AD Permissions.

There are a number of solutions for this, most of which use the Get-ADUser or Get-ADObject cmdlets. There are many articles around on how to do this, but for the most part, it is much easier to use the cmdlet ‘Search-ADAccount’.

Search-ADAccount can be used with a number of switches, but the most common ones are:

-PasswordExpired
-PasswordNeverExpires
-AccountDisabled
-AccountExpired
-AccountInactive

Today, we’ll briefly look at -AccountInactive and -AccountDisabled.

Disabled Accounts
We all disable accounts regularly, but remembering which accounts have been disabled can often be a challenge. We can address this simply by using the -AccountDisabled switch.

#Return all ADAccounts which are disabled
Search-ADAccount -AccountDisabled

This will quite simply list all the current AD accounts (users and computers) which are disabled.

You can filter this to just users or computers using one of the two parameters below:

-UsersOnly
-ComputersOnly

You may want to export this data to a csv file that you can use later. This can easily be done using Export-Csv.

#Use Search-ADAccount to export a list of all the users which are disabled
Search-ADAccount -AccountDisabled -UsersOnly | Export-Csv "c:\export.csv"

Inactive Accounts
As with the disabled accounts, it is very straightforward to identify those accounts which are inactive using -AccountInactive.

#Return all AD Accounts which are inactive
Search-ADAccount -AccountInactive

You can also filter them using the -UsersOnly / -ComputersOnly parameters.

Filtering Inactive Accounts after a certain time
With the -AccountInactive switch you can also quickly find those users that have been inactive for a period of time, such as 90 days, using the -TimeSpan parameter.

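#Return all AD accounts inactive for 30 days or more (-TimeSpan written in d.hh:mm:ss form so the value is unambiguously days)
Search-ADAccount -AccountInactive -TimeSpan 30.00:00:00

Again, you can export this to a csv or similar using Export-Csv as above.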

What’s next
There’s a lot more you can do with these disabled or inactive accounts, and we’ve barely touched on this cmdlet itself.

This may not be the best way for you, but if you just need a really quick overview of your disabled or inactive accounts, then this is probably the quickest and easiest way to get it.
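
The switches above combined into one review report, as an added example that is not part of the original post: it lists enabled user accounts that have been inactive for 90 days or more and exports them to csv. The 90-day threshold, the output path C:\Reports\inactive-users.csv (the folder must already exist) and the column names are assumptions chosen for illustration.

```powershell
# Added example (not from the original post): enabled users inactive for $Days days or more.
# Assumes the ActiveDirectory module is installed and the account running it can read AD.
Import-Module ActiveDirectory

$Days       = 90                                  # assumed threshold; adjust to your policy
$ReportPath = 'C:\Reports\inactive-users.csv'     # hypothetical path; folder must exist

# New-TimeSpan builds a real [TimeSpan], so the value is unambiguously in days.
$threshold = New-TimeSpan -Days $Days

$report = @(
    Search-ADAccount -AccountInactive -TimeSpan $threshold -UsersOnly |
        Where-Object { $_.Enabled } |             # disabled accounts are listed by -AccountDisabled
        ForEach-Object {
            # Search-ADAccount returns a small property set; fetch the extras by DN.
            $user = Get-ADUser -Identity $_.DistinguishedName -Properties whenCreated, PasswordLastSet
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Name            = $_.Name
                LastLogonDate   = $_.LastLogonDate
                NeverLoggedOn   = ($null -eq $_.LastLogonDate)
                PasswordLastSet = $user.PasswordLastSet
                WhenCreated     = $user.whenCreated
                # Parent container: split on the first comma that is not escaped with a backslash.
                ParentContainer = ($_.DistinguishedName -split '(?<!\\),', 2)[1]
            }
        } |
        Sort-Object LastLogonDate
)

$report | Export-Csv -Path $ReportPath -NoTypeInformation
'{0} enabled user accounts inactive for {1}+ days written to {2}' -f $report.Count, $Days, $ReportPath
```

LastLogonDate is derived from lastLogonTimestamp, which by default can lag a real logon by up to about 14 days, so treat the output as a list of candidates to review rather than a definitive list.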

Active Directory Advanced Mode

As a domain or enterprise administrator, you’d like to think that opening Active Directory Users and Computers (ADUC) will give you all the access you could ever need.

Well, you’d be wrong. Some of the features you may need are hidden away in ‘Advanced Features’.

These include:

  • Access to the ‘object’, ‘security’ and ‘Attribute Editor’ tabs
  • The revealing of some hidden containers (including Lost and Found and System)

Enabling ‘Advanced Features’
The Advanced Features option is easy to find, as it’s a check box under the ‘View’ menu.

Do I need it?
The answer here is possibly, but once you’ve used it, you’ll want it on everywhere you look. The features I use the most in Active Directory are the Attribute Editor and the Object tab.

Here’s why:

Object Tab
The Object tab is great for looking at when a user was created/modified or using the ‘Protect object from accidental deletion’ check box.

Attribute Editor
As someone who works with Active Directory every day, I use the Attribute Editor more than most. Firstly, it’s great for finding out what attributes are really called, and what’s really in them.

I also use it extensively to store data that I need in Active Directory, but I don’t want to put in a field that anyone can see.


Working with Active Directory in Powershell – Finding and exporting user information

Most of us work primarily with Active Directory Users and Computers, and for the most part this works fine. Sometimes, though, it’s easier to do the things we need to do with PowerShell.

In this post, I’ll cover the basics of using PowerShell with Active Directory to get user information.

Connecting to Active Directory
If you are working on a server with an Active Directory role (Domain Controller etc.) you will already have all the tools you need. You can either open the Active Directory Module for PowerShell from the Start menu,

or you can open PowerShell and import the Active Directory module:

Import-Module ActiveDirectory

If you are working on a machine which is not a Server with an AD role, you will need to be on a machine which is a member of the domain you want to query and has the ‘Remote Server Administration Tools’ or ‘RSAT’ installed.

For more information on installing RSAT, see this post on TechNet

Once you have RSAT installed, ensure you have the Active Directory Module for PowerShell installed.


Testing the Connection to Active Directory
Once you have PowerShell open, you can easily check that you can communicate with Active Directory using the command

Get-ADDomain

This will simply connect to Active Directory and output some basic details about the domain.

The Get-ADUser Cmdlet
The only cmdlet we’ll use here is ‘Get-ADUser’.

As with every PowerShell cmdlet, you can use Get-Help to get detailed information on the parameters you can use.

Get-Help Get-ADUser

You can also use -Examples to get some sample code

Get-Help Get-ADUser -Examples

Finding Users
Firstly, we can use the Get-ADUser cmdlet to retrieve all the users in the Domain:

Get-ADUser -Filter *

This will retrieve every user in Active Directory and output them as a list.

However, this isn’t very useful, as it most likely won’t contain the attributes you need.

By default, only a small set of attributes are retrieved. You can specify the attributes to be retrieved using:

-Properties *

This will add every property for a user, but you can then use the ‘select’ option to display only the attributes you want.

| select <attributeName>, <attributeName2>
Get-ADUser -Filter * -Properties * | select sAMAccountName, givenName, surname

You can select as many attributes as you want, but if you add more than 4, the way the information is displayed will change from a tabular format to one line per attribute.

Exporting the retrieved information
You’re probably querying Active Directory in order to do something with the information, and for that you may want the data exported into a usable format. You can export to a csv file by adding

| Export-Csv "C:\pathtoexportto\filename.csv" -noType
Get-ADUser -Filter * | select sAMAccountName, givenName, surname | Export-Csv "C:\pathtoexportto\filename.csv" -noType


Filtering which OUs to query
So far we have only queried the full domain. To choose where the base of the query should be, you can add the parameter -SearchBase

-SearchBase "OU=nameofou,DC=domain,DC=local"
Get-ADUser -Filter * -SearchBase "OU=Staff,OU=Users,OU=Salamander-Sims,DC=salamandertest,DC=co,DC=uk" | select sAMAccountName


Find a specific user
If you want to select a specific user, you can use the parameter -Identity followed by the account name

Get-ADUser -Identity myusername


Adding filters based on attributes

You can also filter users on their attributes with the -Filter parameter

Get-ADUser -Filter {givenName -eq "Ben"}
Get-ADUser -Filter {(givenName -eq "John") -and (sn -eq "Smith")}

You can also use the -like operator when filtering. Here we query for any user who has an email address.

Get-ADUser -Filter {mail -like "*"}