Tont
Oct 1, 2004
Fear me, for I am Tont
I'm going to abuse the hell out of this thread in the months to come! Well, not really, I can usually find the help I need by using the resources you listed in the OP. But I'm having a hell of a time figuring this one out.

I need to get a list of all users in a domain that have the 'Log On To...' option defined in Active Directory. And, if possible, get a list of all of the machines each user is allowed to log on to. Then, preferably with a different script, I need to change everyone back to allowing all users to log onto all computers.

I think I'm having such a hard time finding help because when you search for anything with Log On To in the search you get a whole lot of listings for logon scripts and non-relevant logon related information.

Any help would be greatly appreciated.

Tont
Oct 1, 2004
Fear me, for I am Tont

adaz posted:

We don't use logon to around here and, as you said, searching for it is a bitch. I do what I always do when trying to find an obscure LDAP/AD setting - I set it up on an AD object and bind to the object in PowerShell:

code:
$User = [adsi]"LDAP://cn=test,ou=users,ou=blah,dc=local,dc=com"
Then I did a $User | GM to see all the properties that were set on the object... and what is this?

$User.UserWorkstations - that's promising. I check out the MSDN article on it (http://msdn.microsoft.com/en-us/library/ms680868%28v=VS.85%29.aspx) and lo and behold this is exactly what we want. So now all we have to do is create a LDAP search syntax for you. LDAP Search Syntax Is the Best (tm). I usually start here:
http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx

I saved you some time and effort and here is the appropriate code:

code:
$root = [ADSI] "LDAP://your.domain"
$searcher = New-Object System.DirectoryServices.DirectorySearcher $root
$searcher.filter = "(&(objectClass=user)(userworkstations=*))"
$users = $searcher.FindAll()
This will return all the users in your domain who have the userWorkstations attribute set. You can then iterate through them and do whatever you need:

code:
# Walk the search results and clear userWorkstations on each account
for($i=0;$i -lt $users.count;$i++) {
  $User = [adsi]"$($users[$i].path.tostring())" # had to add the ToString part, kept crashing my PowerShell. Weird.
  # PutEx with ADS_PROPERTY_CLEAR (1) removes every value of the attribute; the value argument is ignored for a clear
  $User.PutEx(1, "userWorkstations", 0)
  $User.SetInfo()
}

Thank you so much for this. I didn't get it to work like this, but it gave me all the information I needed to start digging a little more.

A lot of the examples I ended up finding online were using commands like get-qaduser and connect-qadservice. I found out these were from a free snapin by Quest. http://www.quest.com/powershell/activeroles-server.aspx Download and run it. Then you need to add it by using the following command.
code:
Add-PSSnapin Quest.ActiveRoles.ADManagement
One of my main problems at first was simply getting powershell to reference the right child domain. Even when I ran powershell on a domain controller in the correct domain it would still only reference the parent. So I had to run this command.
code:
connect-qadservice child.domain.com
Then I started using the get-qaduser command and the userWorkstations properties that you found for me and eventually ended up with this command.
code:
get-qaduser -dontusedefaultincludedproperties -includedproperties 'UserWorkstations' -objectattributes @{'UserWorkstations'='*'} | format-list Name,userWorkstations
That gave me a list of all users with the variable I was looking for. The -dontusedefaultincludedproperties was just to save processing time. The -includedproperties 'userWorkstations' command is because the default get-qaduser result list doesn't include userWorkstations. The -objectattributes @{'userWorkstations'='*'} switch makes it only return objects that have something defined in userWorkstations.

From there it was a simple task of assigning a variable to that search result and then piping it into the command to empty the userworkstations object.
code:
$fixitlist = get-qaduser -DontUseDefaultIncludedProperties -includedproperties 'userWorkstations' -objectattributes @{'UserWorkstations'='*'}
$fixitlist | set-qaduser -objectattributes @{userworkstations=''}
That did it for me. It changed all of my special snowflakes back to where I wanted them.

Thank you so much.

edit: my code snippets were breaking tables, so I removed them. Makes it a little harder to read.

Tont fucked around with this message at 00:21 on Apr 3, 2010
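The thread lists the affected accounts and then blanks the attribute, but the OP also wanted the per-user list of machines, and clearing "Log On To..." in bulk widens where every one of those accounts can log on. The script below is an added example written for this page, not code from the thread or from Quest; it uses the plain ADSI DirectorySearcher approach from adaz's post (no snapin needed), splits the comma-separated userWorkstations value into one entry per machine, and writes a CSV backup before clearing anything so the restrictions can be restored. It assumes PowerShell 3 or later, an account with rights to read and write userWorkstations, and a placeholder search base of LDAP://DC=child,DC=domain,DC=com that you replace with your own domain or OU.

```powershell
# Added example (not from the thread). Assumes PowerShell 3+ and rights to modify userWorkstations.
# The default search base below is a placeholder; point it at your child domain or a specific OU.

function Get-LogonWorkstationRestrictions {
    param(
        # LDAP path of the domain or OU to search (placeholder value, replace it)
        [string]$SearchBase = "LDAP://DC=child,DC=domain,DC=com"
    )
    $root = [ADSI]$SearchBase
    $searcher = New-Object System.DirectoryServices.DirectorySearcher $root
    # Same idea as adaz's filter: user objects with any value in userWorkstations.
    # objectCategory=person keeps computer accounts (also objectClass=user) out of the list.
    $searcher.Filter = "(&(objectClass=user)(objectCategory=person)(userWorkstations=*))"
    $searcher.PageSize = 1000   # paged search so a large domain is not truncated at the server's size limit
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@("samAccountName", "distinguishedName", "userWorkstations"))

    foreach ($result in $searcher.FindAll()) {
        $raw = [string]$result.Properties["userworkstations"][0]
        [PSCustomObject]@{
            SamAccountName    = [string]$result.Properties["samaccountname"][0]
            DistinguishedName = [string]$result.Properties["distinguishedname"][0]
            # userWorkstations is a single comma-separated string; split it into one machine name per entry
            Workstations      = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            Path              = $result.Path
        }
    }
}

function Clear-LogonWorkstationRestriction {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Restriction,
        # Where the pre-change values are saved; clearing removes a logon control, so keep a record
        [string]$BackupCsv = ".\userWorkstations-backup.csv"
    )
    begin {
        $backup = New-Object System.Collections.Generic.List[object]
    }
    process {
        $backup.Add([PSCustomObject]@{
            SamAccountName    = $Restriction.SamAccountName
            DistinguishedName = $Restriction.DistinguishedName
            UserWorkstations  = ($Restriction.Workstations -join ',')
        })
        # -WhatIf prints what would be cleared without touching the directory
        if ($PSCmdlet.ShouldProcess($Restriction.DistinguishedName, "Clear userWorkstations")) {
            $user = [ADSI]$Restriction.Path
            # ADS_PROPERTY_CLEAR = 1 removes the attribute; the value argument is ignored for a clear
            $user.PutEx(1, "userWorkstations", 0)
            $user.SetInfo()
        }
    }
    end {
        $backup | Export-Csv -Path $BackupCsv -NoTypeInformation
    }
}

# Usage:
#   Get-LogonWorkstationRestrictions | Format-Table SamAccountName, Workstations -AutoSize
#   Get-LogonWorkstationRestrictions | Clear-LogonWorkstationRestriction -WhatIf
#   Get-LogonWorkstationRestrictions | Clear-LogonWorkstationRestriction
```

Run the first line to get the audit report (who is restricted, and to which machines), the -WhatIf line to preview the change, and only then the last line. The CSV written by Clear-LogonWorkstationRestriction holds the original comma-separated value for each account, so a restriction cleared by mistake can be put back with a single PutEx on that account's path.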
