I have a server with its own local Groups. These groups hold AD users. I use them to apply permissions for the user in a web app. I need to generate a list of all the users in the group.
This is the script I'm trying to use:
dsquery group -samid "MyGroup" | dsget group "MyGroup" -members >c:\List.txt
I've tried many generations of this code and all I get are errors. At least this one creates a text file before it errors (with nothing in it).
So what am I doing wrong (I confess I'm new to this command line tool).
EDIT: the error I'm getting is "dsget failed:Value for 'Target object for this command' has incorrect format."
Thanks in advance.
I too am a newbie.
But I beleive you want is:
dsquery group -name "MyGroup" | dsget group -members > c:\List.txt
Where you replace "MyGroup" with the name of the group you are looking for. If looking for multiple groups which begin the same way, surround MyGroup with asterisks instead of quotation marks.
Related
What would be the syntax for LDAP for the below scenario:
Where sAMAccountName = GRA-* without $. I want the records which are highlighted in green.
This is my current LADP Filter for your reference:
(&(objectClass=user)sAMAccountName=GRA-*))
Anyone, Please help with the correct syntax.
Your filter can work, but you're missing a ( in front of sAMAccountName:
(&(objectClass=user)(sAMAccountName=GRA-*))
But you may be able to do better. If those ones that end in $ are computer objects (which always have sAMAccountNames that end in $, but also have an objectClass of user), then you can make sure you only get user objects by including (objectCategory=person):
(&(objectClass=user)(objectCategory=person)(sAMAccountName=GRA-*))
If, for whatever reason, those $ objects are actually user accounts, then you can exclude them with (!sAMAccountName=*$):
(&(objectClass=user)(objectCategory=person)(sAMAccountName=GRA-*)(!sAMAccountName=*$))
This is my first foray into AWS CONFIG and I'm use the advanced query editor to first generate a full list of resources used by the account and I wanted to group by a certain field
SELECT
accountId,
resouceId,
resouceType,
arn,
awsRegion
GROUP BY
resourceType
but the error I'm getting is
"when a GROUP BY clause is present, selected fields(accountId,
resouceId, resouceType, arn, awsRegion) must appear in the GROUP BY
field list"
I read this to mean, you need to put in all these fields in the group by which does not make sense to me at all, but I tried it anyway. The it said theres a limit of 3 groups.
Am I missing something? The example query on their docs page doesnt seem so different other than having a conditional where clause.
Sample Data output without the "group by":
1- account#1, resourceId#1, AWS::KMS::KEY, arn:aws:kms:us-east-2:unique_id_data, us-east-2
2- account#1, resourceId#2, AWS::CodeBuild::Project, arn:aws:codebuild:us-east-2:unique_id_data, us-east-2
3- account#1, resourceId#3, AWS::KMS::KEY, arn:aws:kms:us-east-2:unique_id_data, us-east-2
4- account#1, resourceId#4, AWS::IAM::POLICY, arn:aws:IAM:unique_id_data, us-east-2
etc etc
But when I try and group the records by AWS::KMS::KEY or another grouping, it provides no output and just gives me the error.
We have some security groups that are mail enabled. Because of that , I need a query within ADUC that will give me a list of all my mail-enabled security groups and distribution mail groups.
I am able to getting distribution mail groups LDAP query like below.
(&(&(&(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))))
Wrapped for legibility (put it back in a single line for use in Active Directory Users and Computers):
(&
(objectClass=group)
(|
(&
(groupType:1.2.840.113556.1.4.803:=2147483648)
(mail=*)
)
(!
(groupType:1.2.840.113556.1.4.803:=2147483648)
)
)
)
In English:
The objectClass is "group", AND
the groupType is "security" AND mail is set, OR
the groupType is NOT "security".
But I assume something simple like the following would also work - after all, you are looking for groups that have an email address. The group type is completely irrelevant.
(&
(objectClass=group)
(mail=*)
)
I need to make a query for a dataset provided by a public project. I created my own project and added their dataset to my project. There is a table named: domain_public. When I make query to this table I get this error:
Query Failed
Error: Not found: Dataset my-project-name:domain_public was not found in location US
Job ID: my-project-name:US.bquijob_xxxx
I am from non-US country. What is the issue and how to fix it please?
EDIT 1:
I change the processing location to asia-northeast1 (I am based in Singapore) but the same error:
Error: Not found: Dataset censys-my-projectname:domain_public was not found in location asia-northeast1
Here is a view of my project and the public project censys-io:
Please advise.
EDIT 2:
The query I used to type is based on censys tutorial is:
#standardsql
SELECT domain, alexa_rank
FROM domain_public.current
WHERE p443.https.tls.cipher_suite = 'some_cipher_suite_goes_here';
When I changed the FROM clause to:
FROM `censys-io.domain_public.current`
And the last line to:
WHERE p443.https.tls.cipher_suite.name = 'some_cipher_suite_goes_here';
It worked. Shall I understand that I should always include the projectname.dataset.table (if I'm using the correct terms) and point the typo the Censys? Or is this special case to this project for some reason?
BigQuery can't find your data
How to fix it
Make sure your FROM location contains 3 parts
A project (e.g. bigquery-public-data)
A database (e.g. hacker_news)
A table (e.g. stories)
Like so
`bigquery-public-data.hacker_news.stories`
*note the backticks
Examples
Wrong
SELECT *
FROM `stories`
Wrong
SELECT *
FROM `hacker_news.stories`
Correct
SELECT *
FROM `bigquery-public-data.hacker_news.stories`
In Web UI - click Show Options button and than select your location for "Processing Location"!
Specify the location in which the query will execute. Queries that run in a specific location may only reference data in that location. For data in US/EU, you may choose Unspecified to run the query in the location where the data resides. For data in other locations, you must specify the query location explicitly.
Update
As it stated above - Queries that run in a specific location may only reference data in that location
Assuming that censys-io.domain_public dataset has its data in US - you need to specify US for Processing Location
The problem turned out to be due to wrong table name in the FROM clause.
The right FROM clause should be:
FROM `censys-io.domain_public.current`
While I was typing:
FROM domain_public.current
So the project name is required in the FROM and `` are required because of - in the project name.
Make sure your FROM location contains 3 parts as #stevec mentioned
A project (e.g. bigquery-public-data)
A database (e.g. hacker_news)
A table (e.g. stories)
But in my case, I was using the LegacySql within the Google script editor, so in that case you need to state that to false, for example:
var projectId = 'xxxxxxx';
var request = {
query: 'select * from project.database.table',
useLegacySql: false
};
var queryResults = BigQuery.Jobs.query(request, projectId);
check exact case [upper or lower] and spelling of table or view name.
copy it from table definition and your problem will be solved.
i was using FPL009_Year_Categorization instead of FPL009_Year_categorization
using c as C and getting the error "not found in location asia-south1"
I copied with exact case and problem is resolved.
On your Big Query console, go to the Data Explorer on the left pane, click the small three dots, then select query option from the list. This step confirms you choose the correct project and dataset. Then you can edit the query on the query pane on the right.
may be dataset name changed in create dataset option. it should be US or default location
enter image description here
I've been asked to pull a report containing User's name, username, enabled/disabled, and the last login time from our Windows server 2008 domain. I'm using the script below and it's working, but the problem is it's pulling built-in security accounts and some system accounts, and I need just users. Does anyone know if this filtering is possible? The script I'm using is below. Thanks in advance!
$ADUserParams=#{
'Server' = 'servername.domain.local'
'Searchbase' = 'DC=domain,DC=local'
'Searchscope'= 'Subtree'
'Filter' = '*'
'Properties' = '*'
}
$SelectParams=#{
'Property' = 'CN', 'SAMAccountname', 'DisplayName', 'enabled', 'lastlogondate',
}
get-aduser #ADUserParams | select-object #SelectParams | export-csv "c:\temp\users.csv"
At the very least you'll want to modify your filter to something like:
'(&(|(objectclass=person)(objectclass=inetorgperson))(!(objectclass=computer)))'.
That will still leave Administrator, Guest and and domain/realm trusts you've got, but otherwise it's pretty clean.
'(&(sAMAccountType=805306368)(!(isCriticalSystemObject=TRUE)))' is even cleaner, and may be exactly what you need. This uses sAMAccountType, but I pulled from existing AD users rather than build that value from scratch.
Also there is no Enabled attribute. The closest you can get is userAccountControl. lastLogonDate is actually lastLogonTimestamp.
part of your requirements for the report are to show all users in AD, this would include system and built-in accounts. That being said, ff you can exclude the OUs or containers that contain the built-in/system accounts you don't want in the report that would be easiest. It looks like your trying to audit the whole AD DS and should use exclusions otherwise only include the OU that contains the User Accounts as long as it is only possible to not have User accounts anywhere else.
It really depends on what you can use to separate your built-ins and system accounts.
The easiest way would be to add a SearchBase to your $ADUserParams:
$ADUserParams=#{
'Server' = 'servername.domain.local'
...
'SearchBase' = 'OU=Lemmings,DC=contoso,DC=com'
}
If there's one OU that you need to filter out, try adding a Where-Object:
get-aduser #ADUserParams | ?{$_.DistinguishedName -notlike '*ou=Beancounters,*'} | select-object #SelectParams | export-csv c:\temp\users.csv"
The ?{ } bit is an alias for the Where-Object command. $_ represents the objects passed along the pipe.
This is all assuming that these accounts are cleanly separated by OU, however. I know this isn't true in my environment.
You might have to play around for a while before finding something that will separate your users cleanly. It might help to store your initial query as a variable, $users = Get-ADUser #ADUserParams, and see what you can pick apart:
$users | ?{$_.SomeProperty -eq 'SomeValue'}
Try running $users[0] to get an idea of what properties there might be to help you filter through these users. If you need to wrap your head around things like -eq and -like, take a look here.
If all the accounts you're wanting to filter contain a character like $, you could filter the output like so:
$users | ?{$_.SamAccountName -notlike "*$*"}