Tag Archives: active directory

Using my Citrix Edgesight Powershell module with Active directory OU’s.

I received a request on twitter late last night and it was an interesting one. The person in question wanted to use my current edgesight module to import users from active directory into the static Citrix Edgesight groups, but instead of group membership in Active Directory, they wanted to use Active Directory Organisational Units.

All the information on how to use the module is included in the previous post, so I wont re-invent the wheel. Have a read of the previous post for any caveats or pre-emptive misunderstandings.

Below are two code snippets to use OU membership with either the Quest or Microsoft cmdlets for active directory, just modify the OU Path below, I’ve tried to include a long example to ensure there’s no confusion.

 Quest Active directory Snap-in:

[sourcecode language="Powershell"]
#Quest Active directory module
import-module "C:citrix.edgesight.cmdlets.psm1"
add-pssnapin Quest.ActiveRoles.ADManagement
$ADOU=’domain.domain.com/Country/Users/advanced/Helpdesk’
$esgroupid=20

#clear the group before import
clear-esgroupmembers -groupid $esgroupid

#get users from group, then import them into edgesight
foreach ($user in get-QADUser -SearchRoot $ADOU -SizeLimit 0){
$prid = get-ESUserPrid $user.logonname
if ($prid -NE $null){
Add-ESGroupMember -groupid $ESgroupid -prid $prid
}
}#end For
[/sourcecode]

Microsoft Active directory module:

 

[sourcecode language="Powershell"]
#Microsoft active directory module
import-module "C:citrix.edgesight.cmdlets.psm1"
import-module activedirectory
$ADOU="OU=helpdesk,OU=advanced,OU=Users,OU=Country,DC=domain,DC=domain,DC=com"
$esgroupid=20

#clear the group before import
clear-esgroupmembers -groupid $esgroupid

#get users from group, then import them into edgesight
foreach ($user in get-ADUser -filter * -searchbase $ADOU){
$prid = get-ESUserPrid $user.samaccountname
if ($prid -NE $null){
Add-ESGroupMember -groupid $ESgroupid -prid $prid
}
}#end For
[/sourcecode]

Move objects in active directory which have been inactive for x days.

This is just a quick script I was asked for assistance with recently. The person in question wanted to move all computers and users to defined ou’s when they were inactive for 90 days.

The script is fairly self explanatory but quite scary if you get it wrong, for that reason I’ve included the -whatif parameter to show you what will happen if you overzealously just copy and paste the code. Once you are happy it works, remove the whatif parameters.

This script relies on the powershell module for active directory, you can see if its installed as below:

I’m also aware this code is quite inefficient by searching twice, but it was the cleanest appearance I could muster to ensure the end user understands what is happening.

[sourcecode language="Powershell"]

#Load the required Snapins
if (!(import-module "activedirectory" -ea 0)) {
Write-Host "Loading active directory module." -ForegroundColor Yellow
import-module "activedirectory" -ea Stop
}#endif

#users
foreach ($user in search-adaccount -UsersOnly -AccountInactive -TimeSpan 90.00:00:00){
move-adobject -identity $user.DistinguishedName -targetpath "OU=Old Users,DC=some,DC=domain,dc=net" -whatif
}

#computers
foreach ($computer in search-adaccount -Computersonly -AccountInactive -TimeSpan 90.00:00:00){
move-adobject -identity $computer.DistinguishedName -targetpath "OU=Old Computers,DC=some,DC=domain,dc=net" -whatif
}
[/sourcecode]

Importing Users to Citrix Edgesight User Groups from Active Directory.

I’ve blogged about Edgesight reporting previously, but in this case I needed to populate Edgesight groups from active directory and keep them up to date. This functionality is (rather strangely) not available in Edgesight and for this reason I decided to create a Powershell module to allow for automation of user group population from active directory.

Edgesight doesn’t seem to have any API’s or command line interfaces to hook into. For this reason my scripts are based on connecting to the Edgesight database and retrieving the information with SQL statements. This presented a really fun challenge for me as I’m an SQL novice. I learned quite a bit in a short period of time by writing this powershell module.

With the following module you can run scheduled tasks to connect to your edgesight database and add / amend your user groups with ease.

First, some caveats, warnings and limitations of Edgesight you should be aware of:

  • My SQL statements have been tested fully internally and work flawlessly, that being said Always backup your database before you attempt to use these modules.
  • Each Edgesight group has a unique GUID assigned when it is created, for this reason you must manually create the Edgesight groups before attempting to import users.
  • Each user has a unique identifier in Edgesight called a PRID, if Edgesight has not seen a user before, the PRID will not exist. As such, you cannot import a user who has not logged into the environment before.

Continue reading

List Members (and email addresses) of an Active Directory group.

Recently i was asked to list a: all members of an active directory group, and b: pull their primary email address, leaving me with an end report of username and primary email address.

I used dsget to pull the user information from the group, below is the command i used:

dsget group “cn=Groupname,ou=DLs,ou=Exchange Recipients,dc=ie,dc=domain,dc=company,dc=com” -members >> 1.txt

the above command enumerates the “groupname” group in an ou called dls, in an ou called exchange recipients in the domain ie.domain.company.com. if your ou or domain structure is different trim out (or add) what you need.  The -members at the end of the file will dump only the usernames in FQDN format.

Once the script is run check the current directory for a textfile called 1.txt.  This text file will contain the usernames you need in FQDN format like below:

“CN=Tom Thumb (IE),ou=Dublin,dc=ie,dc=domain,dc=company,dc=com”
“CN=Mike Hunt (IE),ou=Dublin,dc=ie,dc=domain,dc=company,dc=com”

In order to get the email address’es i decided not to try and read from the file, instead i just ran the same command again and piped the results to another dsget query.

dsget group “cn=Groupname,ou=DLs,ou=Exchange Recipients,dc=ie,dc=domain,dc=company,dc=com” -members | dsget user -email >> 2.txt

The above will pull the results we saw in 1.txt, but instead it passes it straight into another query (dsget user -email) and sends those results to a text file. 2.txt should contain the users primary email address:

tom.thumb@company.com
mike.hunt@company.ie

Now simply copy the contents on both text files into neighboring columns in excel and you have your report :)

Update: 13/08/2012

An old friend of mine Rob reminded me that this post existed and wondered how to do it with powershell. Luckily This is much, much easier to do with Windows Powershell!

On a server with the active directory module for powershell installed (normally a domain controller), run the following commands: (replace the group name with your own one).

 

[sourcecode language="PowerShell"]

#######Change the below values#######
$groupname = "My Group Name"
$exportfile = c:tempreport.csv
#####################################

if (!(get-module -ListAvailable | where {$_.name -eq "ActiveDirectory1"} -ea 0)){
write-warning "The ActiveDirectory PowerShell module is Not Installed!"
break}
else{
write-host "Importing Active directory module";import-module activedirectory -ea 0
Get-ADGroupmember $groupname | %{get-aduser $_.samaccountname -properties cn,samaccountname,emailaddress | select cn,samaccountname,emailaddress | export-csv -notypeinformation $exportfile}
}
[/sourcecode]

how do i create custom .adm / group policy files?

 

Update: With thanks to some great help and troubleshooting from Steven we have resolved the line 46 “Categor” error. In order for the adm to parse the ending y in this file an additional two blank lines or “carriage returns” are necessary at the base of the adm file. The download file has been updated, Thanks again Steven.

A .adm file, is a group policy file that specifies policies outside of Microsoft’s default options. Basically they are policies you can put in place that Microsoft in their infinite wisdom forgot to put in before launch.

I had a situation recently where we have external users coming into our network, and using our CAG’s to access the the citrix environment. Once in there they needed access to an internal webpage that we published with internet explorer. The problem therein lied that these users could browse the local lan for resources with the address bar and many other wonderful utilities Microsoft put into internet explorer but failed to lock down efficiently.

All i really cared about (and for the interest of this post) was locking down the address bar in Internet Explorer 6.1. Nowhere could i find an option to do this, and i was getting nowhere fast. Searching internet explorer did bring back a few “helpful” articles on technet that i just couldnt understand, and i did find a piece of software that used to do it for free, until microsoft bought the company, stole its code for server 2008 and stopped people using or downloading the application. nice one microsoft…

I have attached the policy settings and ADM files for reference on how to lock down internet explorer 6 completely, hopefully i will save somebody else 7 hours of their time.

Continue reading