This script creates a new ad user based on the following:
Script to Get Lockedout events from the security eventlog from the PDC
|
1 2 |
$DomainController = Get-ADDomainController -Service PrimaryDC -Discover Get-WinEvent -ComputerName $DomainController -FilterHashtable @{logname='security';ID=4740} |
To Copy the users from a ADgroup to another ADgroup or duplicate the contents of a group, us the commandlet Add-ADGroupMember.
You cannot pipe the contents of Get-ADGroupMember to this commandlet as it does not accept pipeline imput. You can check this in the help of the command.
|
1 2 3 4 5 6 7 8 9 |
PS C:\> get-help Add-ADGroupMember -Parameter members .... You cannot pass objects through the pipeline to this parameter. Required? true Position? 2 Default value Accept pipeline input? false Accept wildcard characters? false |
For this to work correctly you must place the content in a variable with Get-ADGroupMember and use this in Add-ADGroupMember.
These two command are:
|
1 2 3 |
PS C:\>$members = Get-ADGroupMember "SourceGroupName" PS C:\> foreach ($i in $members){Add-ADGroupMember -Identity "DestinationGroupName -Members $i} |
On the internet I found a nice looking script for creating a useraccount in the AD.
I have not tested this script so use at your own risk.
To view which user or group has access to a folder structure you must check this per folder.
Fortunately powershell has (ofcourse) the option to recursive check a folder structure and display the result in a nice textfile. The oneliner for this is:
|
1 |
Get-ChildItem -Recurse | where-object {($_.PsIsContainer)} | get-acl | format-list path,accesstostring > c:\permissions.txt |
You can use the get-acl command to display the effective permissions on a folder. This commandlet does not have the option to recursive go trough the entire folderstructure. Get-Childitem has this option and when you pipe it trough get-acl you get the list you want.
The where-object {($_.PsIsContainer)} is used to only display folders and not files.
Here are the commands for a workflow to create a new AD group and add a user to the group.
Nothing fancy but saves you the time to find the command next time.. 🙂
|
1 2 3 |
New-ADGroup -GroupCategory Security -GroupScope Global -Name "Name of the group" -PassThru -path "OU=Security Groups,OU=Groups,OU=company,DC=company,DC=nl" Add-ADGroupMember -Identity "Name of the group" -members UserToAdd get-aduser UserToCheck -Properties memberof |
If you want to get a list of all the AD groups a user is member of you can use
|
1 |
Get-ADUser <username> -Properties memberof |
This will give you a overview of the groups the user is a member of. It is however not easy to read. To get a list use Get-ADPrincipalGroupMembership. This will give you a list with one groupname per line.
|
1 |
Get-ADPrincipalGroupMembership <username> | select name |
Result:
|
1 2 3 4 5 |
name ---- Domain Users Administrators Domain Admins |
To view the hierarchical structure:
|
1 |
(get-aduser <username> -properties memberof).memberof |
result:
|
1 2 |
CN=Domain Admins,CN=Users,DC=metterwoon,DC=nl CN=Administrators,CN=Builtin,DC=metterwoon,DC=nl |
Note that the last result does not display the domain users
The lastlogon time is kept on every domain controller in the AD. So, if you want to find out what the last logon time and dat of u user is, you have to check all the domain controllers.
When you check all the properties of a user using:
|
1 |
Get-ADUser avanboerum -Properties * |
You get a lot of information. The most important are:
lastLogon : 130709985039216673
LastLogonDate : 12-3-2015 09:08:56
lastLogonTimestamp : 130706213360820511
The LastLogonDate is the one that is kept on the domain controller and is not replicated to other domain controllers.
The LastLogonTimestamp is the one you need. This is however a format we cannot read but we can convert it to a normal readable value.
First we need to put this into a variable so we can extract the value later.
|
1 |
$lastltime = Get-ADUser avanboerum -properties lastlogontimestamp |Select-Object lastlogontimestamp |
Next we use the [datetime]::FromFileTime. This converts the unreadable number to a normal format. We do this while using only the value of the variable.
|
1 |
[datetime]::FromFileTime(($lastltime.lastlogontimestamp)) |
And voila, the correct format is displayed
donderdag 12 maart 2015 09:08:56
A neat script to choose the users OU in the AD, select the user and lets you choose what to do. Reset a password or unlock the users account.
The script uses the out-gridview with -passtru command to ask for your input.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
#define where the users are located in the AD $OUsearchbase = 'OU=Users,DC=company,DC=nl','OU=Users2,DC=company,DC=nl','OU=Users3,DC=company,DC=nl' #Select the right OU and User $user = Get-ADUser -Filter * -Properties LockedOut -SearchBase ( $OUsearchbase | Out-GridView -PassThru -Title "Select the location of the user" ) | Select-Object name,samaccountname,LockedOut,enabled | Out-GridView -PassThru -Title "Select the user" #Prompt for what action you would like to take $title = "Choose Action" $message = "What do you want to do to the user?" $ResetPassword = New-Object System.Management.Automation.Host.ChoiceDescription "Reset Password", ` "Reset the users password" $UnlockAccount = New-Object System.Management.Automation.Host.ChoiceDescription "Unlock account", ` "Unlock a locked user account" $options = [System.Management.Automation.Host.ChoiceDescription[]]($ResetPassword, $UnlockAccount) $result = $host.ui.PromptForChoice($title, $message, $options, 0) #take an action based on the selection switch ($result) { 0 {Set-ADAccountPassword -Identity $user.samaccountname -NewPassword (Read-Host -AsSecureString "Enter new password")} 1 {Unlock-ADAccount -Identity $user.samaccountname} } |
Get to the Microsoft Virtual Academy and follow the course: “Using PowerShell for Active Directory” with Jason Helmick and Ashley McGlone (GoateePFE)
The blog of this session and the session itself are online available.
Great blog with lots of code on Powershell and active directory.
Some topics that are being addressed are:
Friday-give-away: You can find locked-out accounts on AD with Powershell in one realy simple line:
|
1 |
Search-ADAccount -LockedOut |
Use this script to automate and send an email to the HR department with a HTML file of the users in the AD.
You can specify different blocks of users based on the company name (internal and external users like contractors) and users with special rights like administrators of helpdesk staff.
Schedule this powershell script on a domain controller or a management workstation.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 |
$a = "<style>" $a = $a + "BODY{background-color:white;}" $a = $a + "TABLE{border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}" $a = $a + "TH{border-width: 1px;padding: 2px;border-style: solid;border-color: black;background-color:lightblue}" $a = $a + "TD{border-width: 1px;padding: 2px;border-style: solid;border-color: black;}" $a = $a + "</style>" $Properties = @( 'DisplayName', 'SamAccountName', 'Department', 'Title', 'Enabled', 'Company', 'LastLogonDate' ) $displayProperties = @( 'DisplayName', 'Department', 'Title', 'Company', 'LastLogonDate' ) #set viriables $ADSearchBase = "dc=Company,dc=nl" $fullCompanyname = "Company ltd" $datum = get-date $outputfilename = "c:\scripts\NetwerkAccounts.html" $SpecialRights1 = "CN=Special users and groups,DC=Company,DC=nl" $DomainAdminsgroup = "CN=Domain Admins,CN=Users,DC=Company,DC=nl" $Reportsfolder = "\\filserver\share\Check-$(get-date -f yyyy-MM)" $RecepientMail = "HR@company.nl" $Sendermail = "IT@company.nl" $SMTPServer = "mailserver.company.nl" $Subjectmail = "Monthly userlist of active networkaccounts" $Mailbody = "Hello HR,<br /> <br /> Make your persionalised message to HR. <br /> Regards, The IT department" # Get an overview of all enabled users from this company (regarding to the Company field in the AD) Get-ADUser -filter * -SearchBase "$ADSearchBase" -Properties $Properties | select $properties | Sort-Object department | where {$_.Title -ne $null -and $_.enabled -eq "true" -and $_.Company -eq "$fullCompanyname"} | Select-object $displayproperties | ConvertTo-HTML -head $a -Body "<H2> $fullCompanyname employees with logon per $datum</H2> " | Out-File $outputfilename # Get an overview of all enabled users from outside this company (Company field in the AD is different from the Company name) Get-ADUser -filter * -SearchBase "$ADSearchBase -Properties $Properties | select $properties | Sort-Object company | where {$_.Title -ne $null -and $_.enabled -eq "true" -and $_.Company -ne "$fullCompanyname" -and $_.Company -ne $null} | Select-object $displayproperties | ConvertTo-HTML -head $a -Body "<H2> Contractors per $datum</H2> " | Out-File $outputfilename -Append # Get an overview of all enabled users from this company, member of a specific group. Get-AdUser -f {Memberof -eq $SpecialRights1} -Properties $Properties | select $properties | where {$_.enabled -eq "true" -and $_.Company -ne $null} | Select-object $displayproperties | ConvertTo-HTML -head $a -Body "<H2> Special users per $datum</H2> " | Out-File $outputfilename -Append # Get an overview of all enabled users from this company, member of the domain admins group. Get-AdUser -f {Memberof -eq "$DomainAdminsgroup"} -Properties $Properties | select $properties | where {$_.enabled -eq "true" -and $_.Company -ne $null} | Select-object $displayproperties | ConvertTo-HTML -head $a -Body "<H2> Users with Admin Rights per $datum</H2> " | Out-File $outputfilename -Append # outputs the results mkdir $Reportsfolder Copy-Item $outputfilename $Reportsfolder Send-MailMessage -To "<$RecepientMail> " -Attachments $outputfilename -From "<$Sendermail>" -BodyAsHtml -SmtpServer "$SMTPServer" -Subject "$Subjectmail" -Body "$Mailbody" " |
(updated version as a function. Some error handling will follow later)
Powershell Function for cleaning up an AD user and exchange account. This can be used for example when a user leaves the company.
The information, files and mail from the user is placed in an archive folder on the network. After this has been done the user is cleaned from the network.
use as: .Archive-MWUser.ps1 -Mwusername avanboerum
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 |
function Archive-MWUser { <# .Synopsis Clean up an user from Active directory and Exchange .DESCRIPTION Script to process the users documents and email. Archives them to a location on the network and disables the users network account. .PARAMETER MWUsername Login name from the company user that will be archived. .EXAMPLE Archive-MWUser -MWUserName avanboerum #> [CmdletBinding()] Param( [Parameter( Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True, HelpMessage='What username would you like to target?')] $MWUsername ) Begin { $archivefolder = "\\TARGETSERVER\Archief`$\$MWUsername" $sourcehomefolder = "\\SOURCESERVER\h`$\users\$MWUsername" $sourceprofilefolder = "\\SOURCESERVER\h`$\profiles\$MWUsername.v2" $DisabledOU = "OU=Disabled Users,OU=Company,DC=company,DC=NL" $ExchSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://CASSERVER/PowerShell/ -Authentication Kerberos Import-PSSession $ExchSession } Process { #Test if Users Archive folder already exists $folderexists = Test-Path $archivefolder if ($folderexists -eq $true) {Read-Host "Folder $folder is already present. Press any key to continue or ctrl-c to quit"} else {New-Item $archivefolder -ItemType directory} #Saves user information Get-ADUser $MWUsername -Properties memberof | Select-Object -ExpandProperty memberof | Out-File $archivefolder\memberships.txt Get-ADUser $MWUsername -Properties * | Out-File $archivefolder\UserFullInfo.txt #Archive users Exchange mailbox and archive New-MailboxExportRequest -Mailbox $MWUsername -FilePath "$archivefolder\$MWUsername.pst" ;while ((Get-MailboxExportRequest -mailbox $MWUsername | ? {$_.Status -eq “Queued” -or $_.Status -eq “InProgress”})) { sleep 15 } New-MailboxExportRequest -Mailbox $MWUsername -FilePath "$archivefolder\$MWUsername-archive.pst" -isarchive ;while ((Get-MailboxExportRequest -mailbox $MWUsername | ? {$_.Status -eq “Queued” -or $_.Status -eq “InProgress”})) { sleep 15 } Disable-Mailbox -Identity $MWUsername -Confirm #Move homefolder to archive location $folderexists = Test-Path $archivefolder\home if ($folderexists -eq $true) {Write-Host "Folder $archivefolder\home is present"} else {New-Item $archivefolder\home -ItemType directory} Move-Item $sourcehomefolder -Destination $archivefolder\home -Force #Move profilefolder to archive location $folderexists = Test-Path $archivefolder\profile if ($folderexists -eq $true) {Write-Host 'Folder $archivefolder\profile is present'} else {New-Item $archivefolder\profile -ItemType directory} Move-Item $sourceprofilefolder -Destination $archivefolder\profile -Force #Cleanup group membership. Disables the users account for logon. Disable-ADAccount -Identity $MWUsername -Confirm Get-ADUser $MWUsername | Move-ADObject -TargetPath $DisabledOU #tricky command, must test before use..... get-adgroup -Filter * | Remove-ADGroupMember -Members $mwusername } } |
Recently I found a nice script from Matt Schmit. This script give you the choice to reset a users password, unlock a account and has some nice error checking and a good structure.
Powershell unlock and reset AD account
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 |
<# Author: Matt Schmitt Date: 12/4/12 Version: 2.0 From: USA Email: ithink2020@gmail.com Website: http://about.me/schmittmatt Twitter: @MatthewASchmitt Description A tool checking for Locked Accounts in AD, checking if a user is locked out, unlocking the user's account and for resetting a user's password. UPDATED 12/11/12 Added some Error Handling Check if server is available. If not, skip sever and do not try to exicute code on it. Changed the way I handled the $servers array. This is so I can remove a server if it is unavailable. Check if supplied user is in AD. If not, Ask the admin to re-enter username Added Comment blocks for each section. UPDATED 12/10/12 Added the use of functions to clean up repeated code. Cleaned up Password reset code to use a foreach that looks at the $servers array. Added some needed Comments UPDATED 12/4/12 Cleaned up Checking LockedOut Status code - replaced with foreach statement that looks at $Servers array Cleaned up Unlock code - replaced with foreach statement that looks at $Servers array Cleaned up Get pwdlastset date - rewrote to use the method I was using for other lookups for AD properties. #> #Imports Active Directory Module Import-Module -ModuleInfo ActiveDirectory Write-Host -object "" Write-Host -object "PowerShell AD Password Tool" Write-Host -object "" Write-Host -object "This tool displays the Exparation Date of a user's Password and thier Lockedout" Write-Host -object "Status. It will then allow you to unlock and/or reset the password." Write-Host -object "" Write-Host -object "" ########################### ## FUNCTIONS ## ########################### ################################# ### unlockAndCheck function ### ################################# #This fuction unlocks defined user account on the DCs defined in the $servers array, then checks the #local DC to make sure it did get unlocked. function unlockAndCheck { foreach ($server in $servers) { Try { Write-Host -object "Unlocking account on $server" Unlock-ADAccount -Identity $user -server $server }catch{ } } #Get Lockedout status and set it to $Lock $Lock = (Get-ADUser -Filter {samAccountName -eq $user } -Properties * | Select-Object -expand lockedout) Write-Host -object "" #Depending on Status, tell user if the account is locked or not. switch ($Lock) { "False" { Write-Host -object "$user is unlocked." } "True" { Write-Host -Object "$user is LOCKED Out." } } } ############################ ### resetPass function ### ############################ #This function resets the password for the defined user on the DCs define in the $server array. function resetPass { $newpass = (Read-Host -AsSecureString "Enter user's New Password") foreach ($server in $servers) { Write-Host -Object "Resetting Password on $server" Set-ADAccountPassword -Server $server -Identity $user -NewPassword $newpass } Write-Host -Object "" Write-Host -Object "Password for $user has been reset." Write-Host -Object "" } ########################### ## End FUNCTIONS ## ########################### ########################### ## Define DCs to use ## ########################### <# For our company we have several DCs across the globe. Since the DCs at each site update each other farely quickly, I'm only going to define one DC per site. This will save time in checking the lockedOUt status, unlocking the user and resetting the password. ---> IMPORTANT: Update $servers array list as DCs change!!! #> #Creating Empty $servers Array $servers = New-Object System.Collections.ArrayList #Creating Empty $unavailable Array $unavailable = New-Object System.Collections.ArrayList #Assign Domain Controllers to $servers Array $servers.add("DC01.your.domain.com") | out-null $servers.add("DC02.your.domain.com") | out-null # NOTE: can can add more, just add them idividually like I did above. ################################################## ## Check for Any Locked User Accounts in AD ## ################################################## #Counts how many locked account there are on the local DC and sets it to $count $count = Search-ADAccount –LockedOut | where { $_.Name -ne "Administrator" -and $_.Name -ne "Guest" } | Measure-Object | Select-Object -expand Count #If there are locked accounts (other than Administrator and Guest), then this will display who is locked out. If ( $count -gt 0 ) { Write-Host "Current Locked Out Accounts on your LOCAL Domain Controller:" Search-ADAccount –LockedOut | where { $_.Name -ne "Administrator" -and $_.Name -ne "Guest" } | Select-Object Name, @{Expression={$_.SamAccountName};Label="Username"},@{Expression={$_.physicalDeliveryOfficeName};Label="Office Location"},@{Expression={$_.TelephoneNumber};Label="Phone Number"},@{Expression={$_.LastLogonDate};Label="Last Logon Date"} | Format-Table -AutoSize }else{ # Write-Host "There are no locked out accounts on your local Domain Controller." } Write-Host -Object "" ###################################### ## Ask for Username and Validate ## ###################################### #Asks for the username $user = Read-Host "Enter username of the employee you would like to check or [ Ctrl+c ] to exit" [int]$Checker1 = 0 # ERROR CHECKING Do { # Try to retrieve info for given user, catch error if unalbe to retrieve Try { # Attempt to retrieve info about user and suppress output Get-ADUser -Identity $user | Out-Null # If successful, set Checker to 1 to exi do loop. $Checker1 = 1 }catch{ # If Attempt to retrieve info fails, run code in this catch block #Username entered was not found. Have user try again. cls Write-Host -Object "" Write-Host -Object "" Write-Host -Object "Username not found! - Please try again." -BackgroundColor Red -ForegroundColor White Write-Host -Object "" $user = Read-Host "Enter username of the employee you would like to check or [ Ctrl+c ] to exit" } # If Checker1 is equal to zero, then redo Do loop. }While ($Checker1 -eq 0) ############################################################# ## Get and display user's Display Name and Phone Number ## ############################################################# #Once a valid user is entered, proceed with remaining code cls Write-Host -object "" Write-Host "" # Gets Display name of entered user $Name = (Get-ADUser -Filter {samAccountName -eq $user } -Properties * | Select-Object -expand DisplayName) # Gets Phone number of entered user $phone = (Get-ADUser -Filter {samAccountName -eq $user } -Properties * | Select-Object -expand telephoneNumber) # Displays the Display Name and Phone number of user - I use this to verify I have the correct user and # to have the phone number available, if I need to contact the user. Write-Host -Object "$Name's phone number is: $phone" Write-Host -Object "" Write-Host -Object "" #################################### ## Get and Check Password Age ## #################################### # Get today's date [datetime]$today = (get-date) #Get pwdlastset date from AD and set it to $passdate2 $passdate2 = [datetime]::fromfiletime((Get-ADUser -Filter {samAccountName -eq $user } -Properties * | Select-Object -expand pwdlastset)) #calculate Password age in days $PwdAge = ($today - $passdate2).Days #check if password is over 90 days old If ($PwdAge -gt 90){ # If password is over 90 days old, let admin know it is expired and show password age Write-Host -Object "Password for $user is EXPIRED!" Write-Host -Object "Password for $user is $PwdAge days old." }else{ # If password is under 90, just display age Write-Host -Object "Password for $user is $PwdAge days old." } Write-Host -Object "" Write-Host -Object "" ######################################################## ## user Lockedout status on each available server ## ######################################################## #Get Check server availablity, then check user Lockedout status on each available server foreach ($object in $servers) { # ERROR CHECKING Try{ # Check to see if server is available via a ping ping $object -n 1 | Out-Null # If server is available, complete code: switch (Get-ADUser -server $object -Filter {samAccountName -eq $user } -Properties * | Select-Object -expand lockedout) { "False" {"$object `t `t Not Locked"} "True" {"$object `t `t LOCKED"} } }catch{ # If server is not available, alert admin that it will be skipped. Write-host -Object "$object `t `t NOT Found - Skipping" -ForegroundColor white -BackgroundColor red # Add unavailible server to $unavailible array $unavailable.add($object) | out-null } } ################################ ## $servers Array Cleanup ## ################################ <# For each server that is unavailible, remove from $servers array The reason for this is so the unlockAndCheck & the resetPass function do not try to exicute thier code on the servers that are not available. A little bit of error handling. #> foreach ($server in $unavailable){ $servers.Remove($server) } ############################################## ## Ask Admin what they would like to do ## ############################################## Write-Host -Object "" Write-Host -Object "" $option = Read-Host "Would you like to (1) Unlock user, (2) Reset user's password, ` (3) Unlock and reset user's password or (4) Exit?" ################################ ## Carryout Selected Task ## ################################ cls [int]$checker2 = 0 While ($checker2 -eq 0) { switch ($option){ "1" { #Call unlockAndCheck Function unlockAndCheck Write-Host -Object "" Write-Host -Object "Press any key to Exit." $checker2 += 5 $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") } "2" { #call resetPass function resetPass Write-Host -Object "" Write-Host -Object "Press any key to Exit." $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") $checker2 += 5 } "3" { #call resetPass function resetPass #Call unlockAndCheck Function unlockAndCheck Write-Host -Object "" Write-Host -Object "Press any key to Exit." $checker2 += 5 $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") } "4" { #exit code $checker2 += 5 } default { Write-Host -Object "" Write-Host -Object "" Write-Host -Object "You have entered an incorrect number." -BackgroundColor Red -ForegroundColor White Write-Host -Object "" $option = Read-Host "Would you like to (1) Unlock user, (2) Reset user's password, (3) Unlock and reset user's password or (4) Exit?" } } } |
When you want to manually logoff disconnected users from a Remote Desktop server, you can first query the server for those disconnected sessions and then logoff those sessions.
Logoff disconnected users on RDS server with powershell:
|
1 2 3 4 5 |
$FQDNOfBroker = "Broker001.company.nl" Import-Module RemoteDesktop $selected = Get-RDUserSession -ConnectionBroker $FQDNOfBroker | Select-Object sessionId,hostserver, username,sessionstate |Out-GridView -PassThru -Title "Select the user to logoff" Invoke-RDUserLogoff -HostServer $selected.HostServer -UnifiedSessionID $selected.SessionId -Force |
Or if the list is to long you can query the disconnected sessions:
|
1 2 3 4 5 |
$FQDNOfBroker = "Broker001.company.nl" Import-Module RemoteDesktop $selected = Get-RDUserSession -ConnectionBroker $FQDNOfBroker | where Sessionstate -eq 'STATE_DISCONNECTED' | Select-Object sessionId,hostserver, username,sessionstate |Out-GridView -PassThru -Title "Select the user to logoff" Invoke-RDUserLogoff -HostServer $selected.HostServer -UnifiedSessionID $selected.SessionId -Force |
This script queries the RDS broken for sessions and displays a nice (gridview) form. In this form you can select a user to logoff.
