I needed to get a list of operating systems ‘in-use‘ in my active directory this week. bear in mind this will pull information from all enables computer accounts in AD, so if you are ‘not good‘ at tidying out old machines and servers you might get a lot of garbage in your output!
Update Jan 2023: Feel free to use this Bulk-Create-AD-Users-Script (Just remeber to change the domain details in the “Global Variables’ Sections to give you 10o0 users, with sensible names addreeses etc.
Having a test network, is great for both learning, and testing. I’ve got some major migrations coming up in the next few months, so I’m in the process of running up some new test servers. I usually run a quick .vbs file like this;
[box]
Set objRootDSE = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://cn=Users," & _
objRootDSE.Get("defaultNamingContext"))
For i = 1 To 1000
Set objLeaf = objContainer.Create("User", "cn=UserNo" & i)
objLeaf.Put "sAMAccountName", "UserNo" & i
objLeaf.SetInfo
Next
WScript.Echo "1000 Users created."
[/box]
Save that as createusers.vbs and run it on your domain controller and it will churn out 1000 users (named UserNo1 – UserNo1000). They will be disabled, with no passwords, but that can be rectified with a few mouse clicks.
But I want something a little more realistic, so I found a random name generator, and decided to have a script to create 1000 users that were a little more ‘lifelike’.
Solution
1. Download this zip file, and extract it to your desktop. To run the script you will need to set your Execution Policy with the following command;
[box]
Set-ExecutionPolicy Unrestricted[/box]
2. You will need to change a couple of lines in the newusers.ps1 file open it with notepad and change the domain details to match yours;
I had to do this a few weeks ago, so I documented it. I had a list of usernames in a CSV file and I needed to bulk-add them to a security group.
Bulk Add Group Users Solution
Firstly you will need the usernames (sAMAccountNames) in .csv format like so, (Note: As a header Im using User-Name.) I’ve saved the file to C:\Temp on my server.
I needed to work out how to bulk disable some domain users from a .CSV file this week, so I thought I’d write it up.
Disable Domain Users in Bulk from CSV
Well firstly, you need to have your users in a CSV file. For the live job I just exported all the SamAccountNames to a CSV, but here for testing I just loaded a few in manually;
WARNING: Do not do this, if you are carrying out a Hybrid migration to Office 365!
I’ve been doing an On-Prem to Office 365 migration recently. It was a little unusual because the ‘on-prem’ Exchange was not in the clients domain. So rather than migrate all the mail to their domain, and them migrate it to Office 365 we chose to use a third party migration solution ODME (Quest On Demand Migration for Exchange).
So using their tool I could migrate the ‘DATA’ and then the plan is to use the Quest CPUU (Client Profile Update Utility) to repoint all the clients Outlook profiles to Office 365.
Thats fine but how to keep the mail ‘up to date’ in both locations while they are being migrated. I thought (incorrectly) that the Quest ODME would do this, but forwarding from on-prem Exchange deployments is not supported.
This is what I wanted to do;
Then I could migrate everyone, then move the mail flow to Office 365, by simply changing the DNS (MX) Records.
Solution
I’ve covered forwarding of mail before in this previous article (you might want to have a read though that one fist).
*Note: I’m using the ‘onmicrosoft.com‘ tennant email as it is already publicly routable, and lets me still have my live mail feed pointed to the on-prem Exchange.
Now assuming you have all your on-prem usernames and their Office 365 email address sin a CSV file like so,
And you have saved the CSV file as C:\Temp\Office-365-Users.csv, use the following script.
I do this a lot, (usually prior to big migrations), most organisations have no mechanism for removing old users and computers from Active Directory, some don’t even disable the accounts.
Note: This will output the users to a csv file, and requires you to have a C:\Temp directory.
Find Users Who Have Not Logged On In ‘x‘ Days
I’m going to use the value of 90 days (remember some staff might be on long term sick/maternity so check with HR!) Execute the following three commands;
I had to do this today and realised, it’s been so long since I did it last, I’d forgotten how to do it. Before we go forward, please be clear, I’m talking about MAIL CONTACTS, these are Active Directory Objects that have an Email address, but DO NOT have a mailbox in your Exchange Organisation, and DO NOT have an Active Directory User. I point this out because you can have MAIL USERS that have an Active Directory User Object and have an External Email address (i.e. a Gmail or Hotmail address) associated with the MAIL USER object.
Traditionally mail contacts are used for listing outside mail addresses in your global address list, (like mail users do) but are also used to forward mail to as well.
Solution
I was exporting from Exchange 2010, from the EMC run the following command;
You can see my exported CSV list in, DisplayName, Name, PrimarySmtpAddress format. You will need to do some work with it in Excel to get it in > Name, Firstname, Lastname, ExternalEmailAddress format.
Once you have you CSV file ready, import it into the Target Exchange Server with the following command;
1. Make sure the user you will be performing the migration as, is in the right security groups, (Organizational Management and Recipient Management).
2. On the Legacy Exchange server download the PF-Migration-Scripts-v2 Then extract them to the servers C: drive.
3. Launch the Exchange Management Shell > Change to the script directory > Then create a folder name to folder size mapping file by running the Export-PublicFolderStatistics.ps1 script, supply the name of the file you want to create. (Here I use PublicFoldersStats.csv). Then supply the name of the server, (the legacy one, with the source public folders on it).
[box]
cd c:\Scripts
./Export-PublicFolderStatistics.ps1 PublicFoldersStats.csvMail-Server
[/box]
4. Create a Public Folder to Mailbox mapping file, by running the PublicFolderToMailboxMapGenerator.ps1 script, supply it with the maximum mailbox size (in bytes) Note: The Maximum size is 25GB. You will also need to supply the import file you created in step 3 (PublicFoldersStats.csv). Finally supply the name of the output file you wish to generate i.e. Folder2Mailbox.csv.
[box]
./PublicFolderToMailboxMapGenerator.ps1
[/box]
5. Open the last CSV file you created (Folder2Mailbox.csv) and take note of the TargetMailbox name. By default the first one is called Mailbox1, I’m changing it to Public-Folder-Mailbox and saving the change. Note: You may get more than one! If so take note of them all, or rename them accordingly.
6. Now copy the ‘Scripts’ Directory from your legacy 2010 Exchange server, to the new 2013 / 2016 Server.
7. Whilst still on the new Exchange 2013 / 2016 Server, you need to open a command shell, navigate to the scripts directory and then run the Create-PublicFolderMailboxesForMigration.ps1 script. Reply ‘A’ to run all the scripts, then supply the name of the mapping csv you created above, (Folder2Mailbox.csv). Supply the estimated concurrent users to this mailbox, and enter ‘Y’ to proceed. Now the public folder mailbox will be created.
(Note: Public folders are now in a Mailbox, NOT their own Mailbox database, as in older versions of Exchange).
[box]
cd c:\Scripts
./Create-PublicFolderMailboxesForMigration.ps1
[/box]
8. Next we need to create a ‘batch task’ much the same as when we migrate multiple mailboxes. This first command creates the task, and the second one sets it running. (Change the values in red to match your own).
Update: 05/08/16: Make sure you have a ‘mailbox database’ mounted on the source Exchange server before proceeding, or you may see the following problem.
It might say Queued for quite a while, don’t worry!
Check Public Folder Migration Progress Option 2 From EAC
Open the Exchange Admin Center website and logon. Navigate to recipients > Migration > View Details
10. If you were looking at the progress you will see its stops just before 100%, this is because you need to “Lock” the source public folder and let the migration complete. WARNING this will involve downtime, so warn your users, or do this next step out of hours.
To MAKE SURE you are ready, check either the progress report like so;
Or, re-run the progress command above and look for 95% completion and ‘Automatically suspending job’
DOWNTIME FROM THIS POINT ONWARDS
11. Go to the legacy Exchange 2010 server and ‘lock’ the source public folders for migration, and restart the service.
12. Now access to the legacy Public Folder Database is shut down, but before replication to the new Public Folder Mailbox can be completed you need to return to the new Exchange 2013 / 2016 server and run the following commands;
This can take a little time, I would wait least a couple of hours before proceeding (depending on your network topology, if you have a slow network or the Exchange 2010 server is on another network segment it may take longer).
Now to check the migration worked with a test user, and (provide everything is OK, unlock the Public Folders.
Log on as that user, (Outlook 2010 SP3 or Later.) Make sure the public folders are correct, you can expand them, the permissions are correct and you can create and delete entries.
It’s All Gone Wrong!
Don’t panic! You can remove the migration request with the following command;
Note: As per feedback (from Tobias Gebler) Test mail flow to your public folders, you may need to manually “Mail Enable” them before they function properly, In some cases you need to disable then re-enable them before they work properly.
14. Remember in Outlook Web App 2013 / 2016, public folders are not visible until you add them!
Note: If, (post Migration to Exchange 2016). Your users cannot access the public folders, see the following article.
“I seem to get a lot of spam”, and “I get a lot more spam than I used to” are right up there with “My computer is running slow”. It’s a problem that, eats up users time and fills your mail stores with junk, and time/disk space costs money.
SEM is tiny! In a world where a graphics driver is now over 100MB the entire install suite is less than 11MB. This is going into my test network so testing its ability to limit spam is NOT the point of this exercise, I’m looking at the ease of installation, configuration, and administration.
SEM Pre-Requisites
1. Exchange 2000, 2003, 2007, 2010, or 2013.
2. Windows Server 2000, 2003, 2003 R2, 2008, 2008 R2, or 2012.
3. .Net framework version 2.0 (SP1).
4. MDAC (Microsoft Data Access Components) version 2.7.
5. Internet Information Services.
Solution
Before You Start
1. If you have already installed the Microsoft Anti Spam agents you might want to remove them, (not that you have to). If you don’t know you can run the following command;
[box]
Get-TransportAgent[/box]
If you just have the four below then you DO NOT have the extra agents installed.
2. If yours looks like the one below, then YOU DO have them installed.
3. As stated you don’t have to remove them but if you want to simply execute the following two commands;
[box]
cd "Program FilesMicrosoftExchange ServerV15Scripts"
./Uninstall-AmtispamAgents.ps1
[/box]
4. Answer each question, then run;
[box]
services.msc[/box]
5. Restart the Microsoft Exchange Transport service.
7. The installer is pretty straight forward > Next > Accept the EULA > Next > Enter your details > Next > Accept or change the install location > Next.
8. The product will install.
9. At this point it’s downloading definitions form the internet, and it will take a while.
10. When complete it needs to setup a user that the services will run under. Just supply a password > Next.
Note: This user (by default) is added to the local administrators group, and the Exchange Organization Management group.
11. Finish.
12. The management console installs on TCP port 5000, so if you need to access it through a firewall you will need to open that port.
13. Toolbars Tab: From here, I’ll jump straight to the configuration section, this drops you straight onto the Plugins tab. From here you can change the logo that will be displayed with the toolbar (this is NOT visible with Outlook 2013). You can also change the URL it points to and adding rights to users.
14. Toolbar Tab > Outlook Toolbar: On a client running Outlook > Download Outlook Toolbar > Run the installer.
Note: The installer is a .exe file, I would have preferred a .msi file, so I could deploy this out (on mass), to domain clients via GPO.
17. Now when you launch Outlook you can see the plugin loading.
18. You will now have an extra toolbar with the following options.
BE AWARE: You install the OWA toolbar ONCE on the Exchange CAS server.
19. Toolbars > Outlook Web Application: Install OWA toolbar.
20. Yes.
21. Now when your clients access OWA, you have the toolbar.
22. Latest news: Essentially this is just an RSS feed from the manufacturer to keep you abreast of software updates etc. If you have some RSS aggregation software you can add this same feed.
23. Mailbox Tab > Mailboxes: Here it will list all the mailboxes, by default the ‘Default policy’ will be applied and virus filtering will NOT be enabled (this is an add on license). you can also access statistics for this particular mailbox, and view quarantined emails. The User filter settings are for applying an exception for this one mailbox (I’ll cover this later). If you can’t locate a particular user there is also a search function.
24. Mailbox Tab > Usergroups: Usergroups are used to apply policies, any new group requires you to maintain membership manually. But if your Active Directory is well designed, you can select your SPAMfighter groups based on your OU structure.
SEM – SPAMfighter – Configuring and Working with Policies
This is pretty intuitive, and the default policy comes preconfigured and already applied, though with all filtering systems it will probably take you a little while to get it streamlined to your requirements. The policies section has four main tabs;
Filter Settings: What tools you are going to use to look for spam. Accept Actions: What it will do if it finds nothing. Block Actions: What it will do if it finds something. User Filter settings: Exceptions to the filters for one or more users. Mailboxes: Puts you straight back to the mailbox section you saw earlier.
25. Out of the box there are five filters enabled.
26. But there are four further filters that you can add to the policies.
SPAMfighter – Filters
27. VIRUSfighter Antivirus Filter for SPAMfighter Exchange Module: Remember this is an ‘Add on’ so it would only apply to mailboxes that have this enabled. It’s on its most conservative setting, and will replace the infected email with safe content.
28. SPAMfighter Sender Filter > Whitelist:Simply add either a particular email address you want to allow or add in an entire domain.
29. If your lists get a little unwieldy you can import or export them, and chose weather to overwrite them or append the imported list to your existing list.
30. And where there is a Whitelist there is a Blacklist, it’s configured exactly the same.
31. Automatic Whitelist: This is a brilliant feature! It dynamically adds the addresses our users send to to the Whitelist, and maintains the cache for 10 days (which you can alter). I’m surprised this is disabled by default.
Note: This will be enabled by default in the next release.
32. SPAMfighter Content Filter > Whitelist phrases: Gives you the power to automatically Whitelist emails based on a phrase they contain i.e. Your corporate email disclaimer or default signature.
33. SPAMfighter Content Filter > Blacklist phrases: As the warning says be careful with this section, this is the sort of thing that is handy for blocking “We attempted to deliver your parcel but were unable to” emails that urge you to click an attached zip file full of infected spyware nastiness.
34. SPAMfighter Content Filter > Whitelist Attachments: Here you can upload an attachments (like your company logo from your email signatures) and the system will whitelist and allow through emails containing them.
35. SPAMfighter Content Filter > Blacklist Attachments: Thankfully this is disabled by default, the list of file extensions is quite long, and contains some commonly used file extensions, You will need to do some planning and testing with this one if you want to enable it.
36. SPAMfighter Community Filter: This will filter mail based on mails that have already been blocked by other SPAMfighter users, it uses a scoring/weighting system. You simply set a threshold the higher you set it the more mail will be stopped, this will require some fine tuning.
37. SPAMfighter Language Filter:This is enabled by default, but no languages are selected (which is sensible). If you are never expecting any emails in Chinese you can block them here.
SPAMfighter Filters that you can Manually Add to the Policy.
38. SPAMfighter IP-address Filter: Pretty much does what it says on the tin! Though blocking spammers by IP address is a little hard to manage, and it’s pretty easy to spoof an IP address anyway, which is probably when this is not on the default policy.
39. SPAMfighter Sender Policy Framework Filter: Personally I think you would be crazy to turn this on! If you don’t know what an SPF record is then read the following article.
40. SPAMfighter DNSBL Filter: A DNSBL is a dynamic DNS list of known spammers, if you are familiar with RBL block lists this is similar.
41. SPAMfighter Combined Spam Score Filter: All the other filters check the mail and give it a score, if the score is higher than a certain threshold this this filter will aggregate all those scores and block the mail.
SPAMfighter – Policies > Accept Actions
42. If the mail makes it through all the filters, then this section decides what happens with it.
43. And that is adding information to the mail header that says the mail was scanned and accepted.
SPAMfighter – Policies > Block Actions
44. If the mail gets blocked by any of the filters, this section decides how that is handled.
Note: You can add other actions from the drop-down list below if this does not do what you require.
45. Just as for the accept policy action, this modifies the email header, though this one says the mail was blocked.
46. SPAMfighter Move To Folder Policy Action > Mailboxes : The second default policy action takes that filtered email and places it within a folder called SPAMfighter within the users mailbox.
Note: You can redirect that mail to another mailbox if that is your preference.
47. The system for Public Folders (if you use them) is identical.
48. Contacts: As is says contacts do not have a mailbox, but you can redirect filters contact mail to a specific mailbox should you wish.
49. User Filter Settings: This section can create an exception for one particular user, it simply creates another policy that you can apply to that user.
50. You can create new policies and apply then to particular users or usergroups, and make the system as granular as you like.
51. Statistics: On my test network I didn’t have any throughput on which to pull some meaningful statistics.
52. Statistics > Notifications: You can have daily/weekly/monthly reports emailed to you.
53. If you decide to purchase, the licenses are priced per mailbox. Prices start at £14.50 each (or £29.00 with the Antivirus) And go down to £2.45 (or £4.90 with Antivirus) depending on the amount you buy. They are available for 1, 2, and 3 year periods. For an up to date price list go here.
Related Articles, References, Credits, or External Links
File > Save As > Save the file as Users-Last-Logon.ps1 > Change the file type to ‘All Files’ >Save it in C:WindowsSystem32.
2. Open PowerShell, and execute the following commands;
[box]
cd c:WindowsSystem32
./Users-Last-Logon.ps1
[/box]
3. Navigate to c:WindowsSystem32 and locate the Users-Last-Logon.csv file.
4. Open the file in Excel, and you can sort the ‘Last Logon’ column, to get the users in the correct order.
Update 24/05/13
Email form reader ‘Simon’
I read your article “PowerShell – List All Domain Users and Their Last Logon Time” and it helped me out a lot. Thank your very much for this.
May i suggest to add a filter option on the script, in order to get more results. Currently the script limits the result to 1000. In my Environment there are more users than that.
I added $objstalesearcher.PageSize=4000 to the script, and i got all the users from my bomain.
Again, thank you very much for the script you provided. saved me tons of time !
Related Articles, References, Credits, or External Links