PowerShell

Unable to retrieve full list of AD users with PowerShell

This topic is resolved

  • Author
    Posts
    • #1556835
      IQ
      Participant
      • Topics: 3
      • Replies: 12
      Post count: 2
      Member Points: 476
      Rank: Level 2

      Hi,

      I am using the following Get-ADUser cmdlet to retrieve the list of all AD users and output these to a file, but this list is retrieving only 5 or 6 users, even though the number of active AD users is around 10,000. Where could I be going wrong? Please advise.

      0
    • #1556836
      Leos Marek
      Moderator
      • Topics: 20
      • Replies: 232
      Post count: 250
      Member Points: 14,482
      Rank: Level 4

      Hi,

      You specified -SearchBase to a specific OU named Service accounts. Do you have 10000 service accounts? How many accounts do you see in that OU if you check via the ADUC console?

      L

      0
    • #1556854
      Alan Gunn
      Participant
      • Topics: 0
      • Replies: 2
      Member Points: 41
      Rank: Level 1

      Hi!

      You appear to be searching for service accounts with “PasswordNeverExpires” set to false.

      Could it be that your service accounts are all set to not have expiring passwords?

      Try changing the first line to this to see all users with non-expiring passwords.

      0
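      As an added example (not code posted by anyone in this thread), the following snippet counts what each scope and filter returns, so you can see whether the -SearchBase OU or the PasswordNeverExpires filter is what narrows the result to 5 or 6 accounts. The OU distinguished name and the CSV path are assumptions; adjust them to your domain.

```powershell
# Added example: diagnose why a Get-ADUser query returns far fewer users than expected.
# Assumed values: the OU DN and the output path are placeholders for your environment.
Import-Module ActiveDirectory

$serviceOU = 'OU=Service accounts,DC=example,DC=com'   # assumption: your OU's DN

# 1. Everything in the OU, regardless of password settings (Subtree includes child OUs).
$allInOU = Get-ADUser -Filter * -SearchBase $serviceOU -SearchScope Subtree
"Accounts in OU (any password setting): $(@($allInOU).Count)"

# 2. Same OU, split by the PasswordNeverExpires flag. If almost all accounts land in the
#    'never expires' group, a filter on 'PasswordNeverExpires -eq $false' will return only a handful.
$expiring    = Get-ADUser -Filter { PasswordNeverExpires -eq $false } -SearchBase $serviceOU -SearchScope Subtree
$nonExpiring = Get-ADUser -Filter { PasswordNeverExpires -eq $true  } -SearchBase $serviceOU -SearchScope Subtree
"Accounts in OU with expiring passwords:     $(@($expiring).Count)"
"Accounts in OU with non-expiring passwords: $(@($nonExpiring).Count)"

# 3. Whole domain (no -SearchBase), enabled users only, with the attributes needed for a report.
#    Querying once and keeping the result in a variable avoids re-running the same large query.
$enabledDomain = Get-ADUser -Filter { Enabled -eq $true } -Properties PasswordNeverExpires, PasswordLastSet
"Enabled users in the whole domain: $(@($enabledDomain).Count)"
$enabledDomain | Group-Object PasswordNeverExpires | Select-Object Name, Count

# 4. Write the domain-wide list to a file once the counts look right.
$enabledDomain |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordLastSet |
    Export-Csv -Path .\ADUser.csv -NoTypeInformation   # assumption: output path
```

Compare the four counts: if step 1 already shows only a few accounts, the OU is simply small; if step 1 is large but step 2's "expiring" count is small, the PasswordNeverExpires filter is what is hiding the rest.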
    • #1556856
      Paul Fijma
      Participant
      • Topics: 0
      • Replies: 3
      Post count: 3
      Member Points: 153
      Rank: Level 2

      Hi,

      I have no AD to test against, but I would suggest breaking it up a little. If you are testing your script against large environments… don’t test by running the script 50 times with small changes. (1. it takes too long, 2. it fills some specific AD controller security logs really fast.)
      That’s why testing should be done against a test domain.

      How I would do it is something like:

      With the memory filled you can easily do the following (be aware that filling the memory can mean a lot of data… but that also makes my point 😉):

      $myusers  <enter>

      and watch the list (over and over, without asking the AD over and over). You can use
      $myusers | GM   <enter>  to find out more about the object.

      A sample I used gets two specific OUs of users and adds them together in a report…:

      This script gets a list my support team wanted, to call people, bla bla bla…
      I’ve no access to an AD at the moment… so testing is a little awkward for me. But I hope that the way I used it might help a little in getting what you want, and that this helps a little. If not… let me know 🙂

      0
      • #1556857
        IQ
        Participant
        • Topics: 3
        • Replies: 12
        Post count: 2
        Member Points: 476
        Rank: Level 2

        Thanks everyone for your suggestions. Looks like the requirements have changed for what we are trying to do here. I value your suggestions and your time to reply back.

        Let me post what we are trying to do again.

        I am using the following script to get a list of all AD users.

        Using the users in the ADUser.csv file (which is obtained using the above code), we would like to use the following pseudo code:

        I need some help in building the pseudo code shown above. I am also going through tutorials and material that help me translate this pseudo code into real code, but since PowerShell scripting is new to me, I am finding it a bit difficult. Any help will be highly appreciated.

        0
        • #1556870
          Leos Marek
          Moderator
          • Topics: 20
          • Replies: 232
          Post count: 250
          Member Points: 14,482
          Rank: Level 4

          Not sure I understand the logic there. Why do you need to export the users to the CSV file and then run another script to notify them about the passwords? Isn’t it better to do it with a single script? (which David already provided; if you need to change the search logic, just change it).

          1+
        • #1556880
          IQ
          Participant
          • Topics: 3
          • Replies: 12
          Post count: 2
          Member Points: 476
          Rank: Level 2

          Hi Leos,

          We are having some trouble connecting to our mail server, so we would like to first develop this pseudo code and later integrate it with the email server.

          What is the best way to do this? Basically, put all accounts matching the given criteria in a file and then loop through that file?

          0
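          An added example, not the script David or anyone else in the thread posted, that follows Leos's single-script suggestion while still producing the ADUser.csv file IQ describes: query AD once, keep the result in a variable, compute each account's expiry date, write the CSV, then loop over the file to build the notification list. The expiry date comes from the constructed attribute msDS-UserPasswordExpiryTimeComputed, which already accounts for fine-grained password policies. The 14-day threshold, the sender address and the SMTP server name are assumptions, and the Send-MailMessage call is left commented out since the mail server is not reachable yet.

```powershell
# Added example: build a "password expires soon" list from AD in one pass, write it to
# ADUser.csv, then loop over the file to produce notifications.
# Assumptions: warning threshold, sender address, SMTP server and file path are placeholders.
Import-Module ActiveDirectory

$warnDays = 14                      # assumption: notify when 14 days or fewer remain
$csvPath  = '.\ADUser.csv'          # assumption: output/input file
$today    = Get-Date

# One query for everything we need; the result stays in $users for further inspection.
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties PasswordLastSet, EmailAddress, 'msDS-UserPasswordExpiryTimeComputed'

$report = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 (or no value) means "must change password at next logon": no date to compute yet.
    # Int64.MaxValue means the password never expires; skipped as a safety net.
    if (-not $raw -or $raw -ge [Int64]::MaxValue) { continue }
    $expires  = [datetime]::FromFileTime($raw)
    $daysLeft = [int][math]::Floor(($expires - $today).TotalDays)
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        EmailAddress    = $u.EmailAddress
        PasswordLastSet = $u.PasswordLastSet
        ExpiresOn       = $expires
        DaysLeft        = $daysLeft
    }
}

# Stage 1 of the pseudo code: the file with all accounts matching the criteria.
$report | Export-Csv -Path $csvPath -NoTypeInformation
"Wrote $(@($report).Count) accounts to $csvPath"

# Stage 2: loop over the file. Everything read from CSV is a string, hence the [int] casts.
$toNotify = Import-Csv -Path $csvPath | Where-Object {
    [int]$_.DaysLeft -le $warnDays -and [int]$_.DaysLeft -ge 0 -and $_.EmailAddress
}

foreach ($row in $toNotify) {
    $body = "Your password expires in $($row.DaysLeft) day(s), on $($row.ExpiresOn)."
    # Once the mail server is reachable, replace the Write-Output with the real send:
    # Send-MailMessage -To $row.EmailAddress -From 'helpdesk@example.com' `
    #     -Subject 'Your password is about to expire' -Body $body -SmtpServer 'smtp.example.com'
    Write-Output "Would notify $($row.SamAccountName) <$($row.EmailAddress)>: $body"
}
```

Accounts whose password has already expired (negative DaysLeft) are excluded from the mail loop on purpose; they need a different message, and the CSV still lists them for the help desk.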
      • #1556869
        Leos Marek
        Moderator
        • Topics: 20
        • Replies: 232
        Post count: 250
        Member Points: 14,482
        Rank: Level 4

        Paul,

        Why should such a query fill the logs of a DC? 🙂

        1+
    • #1556875
      Paul Fijma
      Participant
      • Topics: 0
      • Replies: 3
      Post count: 3
      Member Points: 153
      Rank: Level 2

      Hi Leos,

      I had that issue in a government setting, a loooooooong time ago (2003 AD controller).
      As far as I know it is based on (a combination of) best practices: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits
      I didn’t configure those machines, just used Delphi to replace the user manager (as it was crap then). During my development I did numerous read requests (to find certain account names, status etc.). As I remember, I could relate the (harmless read) actions to the logging that filled up that machine.

      Now for the practical part:
      I have tried to do requests that fill up a log (on a freshly installed DC with 3 new user accounts), but wasn’t able to (at least I could not find a log with numbers growing because of my requests). Maybe just because I am doing it on a local DC (not accessing it from a remote machine), maybe I need to configure something more… or it is not logged at all (as your response might suggest). If so, then the only reason not to do the same requests over and over is just load based.

      I have kept it as “safe” as possible in my environments by not testing all queries against all possible records. I prefer no tests on production; running tested code on a small environment only shows me that the functionality does what it says… in larger environments you might run into weird problems, especially with using PowerShell and variables (requesting all records from a database (or AD) into a local variable… it takes some time and then the machine you use suddenly has no memory left).

      I need to research a little more into what is logged and what is not.
      https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4662
      …Active Directory logs this event when a user accesses an AD object. …
      …this is the only event that reports accesses defined for auditing that do not qualify as property changes. …

      0
      • #1556909
        Leos Marek
        Moderator
        • Topics: 20
        • Replies: 232
        Post count: 250
        Member Points: 14,482
        Rank: Level 4

        Hi Paul,

        The last link you posted is correct. It is called the Audit Directory Service Access option in GPO. I have not tried it yesterday, but without this audit turned on, a query to AD will do nothing in the seclog. I can try later today to turn this on and let you know what happens.

        However, if you already have this setting on, you already get a ton of logs generated just by normal usage of the environment.

        According to CIS you should not have the “Shutdown server if it can’t record the audit message” setting on. This can lead to DoS attacks. Important logs should be forwarded somewhere and backed up.

        Cheers

        L

        0
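        As an added example (not from Leos or Paul), the following snippet checks on a domain controller whether Directory Service Access auditing is in effect, how many 4662 events it has produced recently and which accounts generated them, and whether the "shut down if unable to log security audits" setting Leos refers to is off. It assumes you run it elevated on a DC; the one-hour window is an assumption.

```powershell
# Added example: inspect directory-access auditing on a DC.
# Assumptions: run elevated on a domain controller; look-back window of one hour.

# 1. Effective audit setting for the subcategory behind "Audit Directory Service Access".
auditpol.exe /get /subcategory:"Directory Service Access"

# 2. Count 4662 (object access) events from the last hour, grouped by the accessing account.
#    Each event's EventData is parsed from its XML to get the subject and object type.
$since  = (Get-Date).AddHours(-1)     # assumption: window
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $since } `
    -ErrorAction SilentlyContinue

$parsed = foreach ($e in $events) {
    $x    = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Subject    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        ObjectType = $data.ObjectType
        AccessMask = $data.AccessMask
    }
}

"4662 events since ${since}: $(@($parsed).Count)"
$parsed | Group-Object Subject | Sort-Object Count -Descending |
    Select-Object @{ n = 'Subject'; e = { $_.Name } }, Count

# 3. Security log size and retention mode: a burst of audit events should roll the log over,
#    not stop the server. LogMode 'Circular' overwrites oldest events when the log is full.
Get-WinEvent -ListLog Security | Select-Object LogName, MaximumSizeInBytes, RecordCount, LogMode

# 4. CrashOnAuditFail is the registry value behind "Audit: Shut down system immediately if
#    unable to log security audits". 0 = disabled (the CIS recommendation Leos cites),
#    1 = enabled, 2 = the system has already halted once because the log filled up.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name CrashOnAuditFail -ErrorAction SilentlyContinue
"CrashOnAuditFail: $(if ($null -ne $lsa) { $lsa.CrashOnAuditFail } else { 'not set (defaults to 0)' })"
```

Run step 2 before and after a large Get-ADUser query from a remote machine: if the subcategory is not audited, the count stays flat, which is the behaviour Leos describes; if it is audited, the query's service account shows up at the top of the grouped list and the log growth in step 3 tells you whether the size and retention settings can absorb it.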
© 4sysops 2006 - 2020