nested groups
I have the following .ps1 that does what I want for user members but does not read users in a nested group, can you help me please?
import-module activedirectory
Get-ADGroupMember -identity "CGI VPN Password Policy" | Set-ADUser -PasswordNeverExpires:$FALSE
Get-ADGroupMember -identity "CGI VPN Password Policy" | Set-ADUser -CannotChangePassword:$FALSE
February 18th, 2015 7:33am
Try using -Recursive.
You can also set multiple attributes at one time by using -Replace.
Set-ADUser -Replace @{PasswordNeverExpires=$false;CannotChangePassword=$false}
-
Marked as answer by
jamicon
20 hours 14 minutes ago
February 18th, 2015 8:26am
or where do I insert -Recursive?
and thanks for the tip
like this?
import-module activedirectory
Get-ADGroupMember -identity "CGI VPN Password Policy" -Recursive | Set-ADUser -Replace @{PasswordNeverExpires=$false;CannotChangePassword=$false}
-
Edited by
jamicon
21 hours 11 minutes ago
February 18th, 2015 9:06am
Correct. Hopefully that will give you what you want.
-
Marked as answer by
jamicon
19 hours 21 minutes ago
February 18th, 2015 9:45am
Hi,
Try it like this:
Get-ADGroupMember -Identity 'CGI VPN Password Policy' -Recursive |
Set-ADUser -CannotChangePassword:$false -PasswordNeverExpires:$false -WhatIf
Remove the -WhatIf to actually make the change.
February 18th, 2015 9:48am
I've used this example in one of my scripts to return all the nested groups. This may help.
Get-ADGroupMember -Identity <GroupName> | Where-Object {($_.objectClass) -eq "group"} | Get-ADGroupMember -Recursive | Select-Object -Unique
-
Edited by
tommymaynard
20 hours 26 minutes ago
-
Marked as answer by
jamicon
20 hours 18 minutes ago
-
Unmarked as answer by
jamicon
20 hours 16 minutes ago
-
Marked as answer by
jamicon
19 hours 21 minutes ago
February 18th, 2015 9:48am
Correct. Hopefully that will give you what you want.
Just a heads up:
Set-ADUser : The specified directory service attribute or value does not exist
Parameter name: CannotChangePassword
February 18th, 2015 9:48am
thanks everyone!!
February 18th, 2015 10:16am
just some feedback.
When I ran my original with -recursive the cannotchangepassword works but when I tried it with the @ suggested script it errored and did not work on cannotchangepassword.
how weird is that.
February 18th, 2015 10:23am
just some feedback.
When I ran my original with -recursive the cannotchangepassword works but when I tried it with the @ suggested script it errored and did not work on cannotchangepassword.
how weird is that.
When you use -replace you have to give it the proper name of the AD attribute, in the case of "cannot change password" the attribute (actually named useraccountcontrol) cannot be modified directly (for this flag at least) as it is a permission on the user object. I usually like using -replace but it's not a great choice in this instance.
-
Marked as answer by
jamicon
19 hours 21 minutes ago
February 18th, 2015 11:02am
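The approach the thread settles on, pulled together as an added example (not code from any of the posters): expand nested membership with -Recursive, keep only user objects, set both flags through Set-ADUser's named parameters rather than -Replace, and read the values back to confirm. The function name Set-GroupPasswordFlags is hypothetical; the group name is the one from the question.

```powershell
Import-Module ActiveDirectory

function Set-GroupPasswordFlags {
    # Hypothetical helper name. SupportsShouldProcess provides -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$GroupName
    )

    # -Recursive flattens nested groups and returns only leaf members,
    # which can include computer accounts, so keep user objects only.
    $users = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties PasswordNeverExpires, CannotChangePassword

    foreach ($user in $users) {
        # Only touch accounts that still have one of the two flags set.
        $needsChange = $user.PasswordNeverExpires -or $user.CannotChangePassword

        if ($needsChange -and
            $PSCmdlet.ShouldProcess($user.SamAccountName,
                'Clear PasswordNeverExpires and CannotChangePassword')) {
            # Named parameters, not -Replace: as the thread found, -Replace
            # expects directory attribute names and rejects CannotChangePassword.
            Set-ADUser -Identity $user -PasswordNeverExpires $false -CannotChangePassword $false
        }

        # Re-read the account so the output shows the state actually stored.
        Get-ADUser -Identity $user -Properties PasswordNeverExpires, CannotChangePassword |
            Select-Object SamAccountName, PasswordNeverExpires, CannotChangePassword
    }
}

# Dry run first; remove -WhatIf to apply the change.
Set-GroupPasswordFlags -GroupName 'CGI VPN Password Policy' -WhatIf
```

With -WhatIf the table shows the current values for every nested user, which doubles as an audit of which accounts still have non-expiring or locked passwords.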