Tuesday, 31 May 2016

Find AD Users who never logged on using PowerShell

We can use the Active Directory PowerShell cmdlet Get-ADUser to query users from AD. To get a list of AD users who have never logged in, even once, we check whether the AD attribute lastlogontimestamp has a value.

The below command lists all users who never logged on.
Get-ADUser -Filter {(lastlogontimestamp -notlike "*")} | Select Name,DistinguishedName
If you want to list only enabled AD users, you can add one more check to the above filter.
Get-ADUser -Filter {(lastlogontimestamp -notlike "*") -and (enabled -eq $true)} | Select Name,DistinguishedName
If you are familiar with LDAP filters, you can also find never-logged-in users by using an LDAP filter.
Get-ADUser -LDAPFilter '(&(!(lastlogontimestamp=*))(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))' |
 Select Name,DistinguishedName
In most cases, we want to find AD users who were created a certain number of days or months ago and have not yet logged in. To achieve this, we need to filter users by creation time.

The below PowerShell command lists all AD users who were created more than 30 days ago and have still not logged in.
$days = 30
$createdtime = (Get-Date).Adddays(-($days))
Get-ADUser -Filter {(lastlogontimestamp -notlike "*") -and (enabled -eq $true) -and (whencreated -lt $createdtime)} | 
Select Name,DistinguishedName

Export Never Logged On AD Users to CSV file:

We can export users to a CSV file using the Export-CSV cmdlet. The following command exports all never-logged-in users who were created more than 30 days ago to a CSV file.
$createdtime = (Get-Date).Adddays(-(30))
Get-ADUser -Filter {(lastlogontimestamp -notlike "*") -and (enabled -eq $true) -and (whencreated -lt $createdtime)} | 
Select Name,DistinguishedName |
Export-CSV "C:\NeverLoggedOnUsers.csv" -NoTypeInformation -Encoding UTF8
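
Enabled accounts that were never used may still hold their initial password, so it helps to rank them before cleanup. The following is an added example, not code from the original post: the function Get-NeverLoggedOnRisk and the sample objects are constructed for illustration, and the property names are the ones Get-ADUser returns when requested with -Properties.

```powershell
# Added example: rank never-logged-on accounts by age and weak password flags.
function Get-NeverLoggedOnRisk {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $MinAgeDays = 30
    )
    begin { $now = Get-Date; $cutoff = $now.AddDays(-$MinAgeDays) }
    process {
        # Skip accounts that have logged on, are disabled, or are newer than the cutoff.
        if ($User.lastLogonTimestamp -or -not $User.Enabled -or $User.whenCreated -ge $cutoff) { return }

        $flags = @()
        if ($User.PasswordNotRequired)  { $flags += 'PasswordNotRequired' }
        if ($User.PasswordNeverExpires) { $flags += 'PasswordNeverExpires' }

        [pscustomobject]@{
            Name              = $User.Name
            DistinguishedName = $User.DistinguishedName
            AgeDays           = [int][math]::Floor(($now - $User.whenCreated).TotalDays)
            Flags             = $flags -join ','
        }
    }
}

# Constructed sample objects (not real accounts) so the function can be tried offline.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Name = 'svc-test'; DistinguishedName = 'CN=svc-test,OU=Example,DC=example,DC=com'
        Enabled = $true; whenCreated = $now.AddDays(-90); lastLogonTimestamp = $null
        PasswordNeverExpires = $true; PasswordNotRequired = $false }
    [pscustomobject]@{ Name = 'new.hire'; DistinguishedName = 'CN=new.hire,OU=Example,DC=example,DC=com'
        Enabled = $true; whenCreated = $now.AddDays(-5); lastLogonTimestamp = $null
        PasswordNeverExpires = $false; PasswordNotRequired = $false }
    [pscustomobject]@{ Name = 'active.user'; DistinguishedName = 'CN=active.user,OU=Example,DC=example,DC=com'
        Enabled = $true; whenCreated = $now.AddDays(-400); lastLogonTimestamp = 131000000000000000
        PasswordNeverExpires = $false; PasswordNotRequired = $false }
)

# Only svc-test is reported: old enough, enabled, never logged on.
$sample | Get-NeverLoggedOnRisk | Sort-Object AgeDays -Descending | Format-Table -AutoSize

# Against a live domain, feed the same function from Get-ADUser:
# Get-ADUser -Filter {(lastlogontimestamp -notlike "*") -and (enabled -eq $true)} `
#   -Properties whenCreated,lastLogonTimestamp,PasswordNeverExpires,PasswordNotRequired |
#   Get-NeverLoggedOnRisk
```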

Monday, 30 May 2016

Create Distribution Group in Office 365 using PowerShell

In this article, I am going to write PowerShell commands to create Distribution Groups and add members to a Distribution Group in an Office 365 environment. We can use the Exchange Online PowerShell cmdlet New-DistributionGroup to create a new distribution list.

Before proceeding, first connect to an Exchange Online PowerShell session by using the following commands.
$365Logon = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $365Logon -Authentication Basic -AllowRedirection
Import-PSSession $Session
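The commands above use Basic authentication, which Microsoft has since retired for Exchange Online; current tenants connect with Connect-ExchangeOnline from the ExchangeOnlineManagement module instead.
After connecting to the Exchange Online service, run the following command to create a Distribution Group.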

Syntax:
New-DistributionGroup -Name <DG name> -DisplayName <DG display name> -Alias <Alias>
Example:
New-DistributionGroup -Name "DG-Sales" -DisplayName "DG-Sales" -Alias "DG-Sales"

Add members to Distribution List:

We can use the cmdlet Add-DistributionGroupMember to add a member to a distribution group in Office 365.
Add-DistributionGroupMember "DG-Sales" -Member Morgan

Add members to multiple Distribution groups:

$Groups = "DG 01","DG 02","DG 03"
$Groups | ForEach-Object {
Add-DistributionGroupMember -Identity $_ -Member "Morgan" }

Import Distribution Group members from a CSV File:

You can use the below PowerShell commands to add members to a Distribution List by importing them from a CSV file. Consider the CSV file members.csv, which includes the column member that holds the member identity in each row.
Import-CSV "C:\members.csv" | ForEach-Object {
Add-DistributionGroupMember -Identity "DG-Sales" -Member $_.member
}

Sunday, 15 May 2016

Get SharePoint lists with more than 5000 items using CSOM

In this article, I am going to write C# code to retrieve SharePoint lists with more than 5000 items using the Client Object Model (CSOM). The magic limit of 5000 is the default list view threshold in SharePoint Online. To find the total number of items in a list, we don't need to iterate over all its items; instead, we can read the ItemCount property of the List object in the SharePoint client object model.

Get all Lists with ItemCount:

Use the below C# code to get all SharePoint lists with their total item count.
// Requires: using System; using System.Net; using Microsoft.SharePoint.Client;
public static void GetAllListsWithItemCount(ICredentials credentials)
{
    string siteUrl = "https://Tenant.sharepoint.com/sites/contosobeta";
    using (var ctx = new ClientContext(siteUrl))
    {
        // Pass in your own credentials (for SharePoint Online, e.g. SharePointOnlineCredentials)
        ctx.Credentials = credentials;
        Web site = ctx.Web;
        // Request only Title and ItemCount for each list
        ctx.Load(site, a => a.Lists.Include(l => l.Title, l => l.ItemCount));
        ctx.ExecuteQuery();

        foreach (var list in site.Lists)
        {
            Console.WriteLine(list.Title + " : " + list.ItemCount);
        }
    }
}

Get Lists with more than 5000 items:

The above code returns all the lists with their item count. To get only the lists with more than 5000 items, we need to filter the lists by the ItemCount property in the LINQ query.
// Requires: using System; using System.Linq; using System.Net; using Microsoft.SharePoint.Client;
public static void GetListsWithMoreThan5000Items(ICredentials credentials)
{
    string siteUrl = "https://Tenant.sharepoint.com/sites/contosobeta";
    using (var ctx = new ClientContext(siteUrl))
    {
        // Pass in your own credentials (for SharePoint Online, e.g. SharePointOnlineCredentials)
        ctx.Credentials = credentials;
        Web site = ctx.Web;
        // Filter on ItemCount and request only Title and ItemCount
        ctx.Load(site, a => a.Lists.Where(l => l.ItemCount > 5000),
            a => a.Lists.Include(l => l.Title, l => l.ItemCount));
        ctx.ExecuteQuery();

        foreach (var list in site.Lists)
        {
            Console.WriteLine(list.Title + " : " + list.ItemCount);
        }
    }
}

Get Document Libraries with more than 5000 items:

You can also get only document libraries by filtering the List object on the BaseType property.
// Requires: using System; using System.Linq; using System.Net; using Microsoft.SharePoint.Client;
public static void GetLibrariesWithMoreThan5000Items(ICredentials credentials)
{
    string siteUrl = "https://Tenant.sharepoint.com/sites/contosobeta";
    using (var ctx = new ClientContext(siteUrl))
    {
        // Pass in your own credentials (for SharePoint Online, e.g. SharePointOnlineCredentials)
        ctx.Credentials = credentials;
        Web site = ctx.Web;
        // Visible document libraries only, above the 5000-item threshold
        ctx.Load(site, a => a.Lists.Where(l => l.BaseType == BaseType.DocumentLibrary &&
                 l.ItemCount > 5000 && !l.Hidden),
            a => a.Lists.Include(l => l.Title, l => l.ItemCount));
        ctx.ExecuteQuery();

        foreach (var library in site.Lists)
        {
            Console.WriteLine(library.Title + " : " + library.ItemCount);
        }
    }
}

Tuesday, 3 May 2016

How to grant permission for specific attributes in AD

As an Active Directory admin, we may sometimes need to allow or deny permissions for only specific attributes on an AD user object or container (OU) object. In this post, I am going to write the steps to assign or remove permissions on Active Directory attributes.

Note: To perform this action, you must be a member of the Domain Admins group, or the Enterprise Admins group in AD, or you must have been delegated the appropriate authority.

Follow the below steps to set permission for individual AD attributes:

  • Open the Active Directory Users and Computers console (Start -> Control Panel -> Administrative Tools -> Active Directory Users and Computers).
  • Click on the View menu and select Advanced Features.
  • Right-click the object (user or OU) for which you want to assign or remove permissions, and then click Properties.
  • On the Security tab, click Advanced to view all the available permissions.
  • Click the Add button, find the user or group account to which you want to grant access, and click OK.
  • In the "Permission for object name" dialog, go to the "Properties" tab, select the required properties and the desired permissions from the list, and save the changes.
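
To verify what the Properties tab actually granted, the per-attribute entries can be read back from the object's ACL. This is an added example, not part of the original post; it assumes the ActiveDirectory module is available on a domain-joined machine, and the DN in $TargetDN is a placeholder.

```powershell
# Added example: list per-attribute (property-specific) ACEs on an AD object.
Import-Module ActiveDirectory

# Placeholder DN: replace with the user or OU you edited on the Security tab.
$TargetDN = 'OU=Example,DC=example,DC=com'

$rootDse = Get-ADRootDSE
$guidToName = @{}

# Map schemaIDGUID -> attribute name, so ACE GUIDs become readable.
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=attributeSchema)(schemaIDGUID=*))' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidToName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

# Property sets (e.g. "Personal Information") are stored as extended rights.
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidToName[[guid]$_.rightsGuid] = $_.displayName }

# Keep only ACEs that grant or deny read/write on one specific property or property set.
$propertyRights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

(Get-Acl -Path "AD:\$TargetDN").Access |
    Where-Object {
        ($_.ActiveDirectoryRights -band $propertyRights) -and
        $_.ObjectType -ne [guid]::Empty
    } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited,
        @{ Name = 'Property'; Expression = {
            if ($guidToName.ContainsKey($_.ObjectType)) { $guidToName[$_.ObjectType] }
            else { $_.ObjectType }   # unknown GUID: show it raw
        } } |
    Sort-Object IdentityReference, Property |
    Format-Table -AutoSize
```

Entries with IsInherited set to False were set directly on this object; inherited ones come from a parent container and must be reviewed there.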