user

Get Inactive Users Report for the past 60 days in a multi domain environment

I had a request recently to provide an inactive user report for the past 60 days. Basically, find out which accounts have not logged in for the past 60 days so action can be taken against them.

The request was for a multi domain forest which queries every domain controller and gets the latest lastlogon value by comparing value from each. I wrote a script and wanted to share as other might find it handy too.

<#
.SYNOPSIS
  Get the last logon report of users that have not logged for the past XX (Default 60) days from multiple domain controllers.
.DESCRIPTION
  Get details of users that have not logged on or are inactive for the past 60 days across the domain and get the latest value from multiple domain controllers
.INPUTS
  None. Script captures Forest and Domain details when run in the environment. 
.OUTPUTS
  Generated output CSV file will be in the created in the same path from where the script was executed.
.NOTES
  Version:        2.0
  Author:         Mohammed Wasay
  Email:          hello@mowasay.com
  Web:            www.mowasay.com
  Creation Date:  02/14/2020
.EXAMPLE
  Get-LastLogonReport.ps1 
#>

#Get Logged on user details
$cuser = $env:USERDOMAIN + "\" + $env:USERNAME
Write-Host -ForegroundColor Gray "Running script as: $cuser authenticated on $env:LOGONSERVER"

#Get the Forest Domain
$forest = (Get-ADForest).RootDomain

#Get all the Domains in the Forest
$domains = (Get-ADForest).Domains

#Time format for report naming
$timer = (Get-Date -Format MM-dd-yyyy)

Write-Host -ForegroundColor Magenta "Your Forest is: $forest"

#Loop through each domain
foreach ($domain in $domains) {
  Write-Host -ForegroundColor Yellow "Working on Domain: $domain"

  #Get all the domain controllers in the domain
  $dcs = Get-ADDomainController -Filter * -Server $domain

  #Storing all the users in an array for comparison later
  $users = @()

  foreach ($dc in $dcs.Hostname) {
    Write-Host -ForegroundColor Cyan "Working on Domain Controller: $dc"
 
    #Days Inactive - Modify the value to the number of days (1,30,45,60,90,120)
    $DaysInactive = "60"
    $time = (Get-Date).Adddays( - ($DaysInactive))

    #Get all AD Users with lastLogonTimestamp less than our time
    $users += Get-ADUser -Filter { lastlogondate -le $time } -Properties * -Server $dc | `
      Select-Object Enabled, `
    @{Name = "Domain"; Expression = { $domain } }, `
      samAccountName, `
      displayName, `
      lastlogondate, `
      lastlogon, `
    @{Name = 'DC'; Expression = { $dc } }, `
      whenCreated, `
      description, `
      distinguishedName, `
      department, `
      company, `
      office 
  }
  Write-Host -ForegroundColor Yellow "Sorting for most recent lastlogons"
   
  #Get the last logon from each server for every filtered user and used the last entry available
  $LatestLogOn = @()
  $users | Group-Object -Property samAccountName | ForEach-Object { 
          
    $LatestLogOn += ($_.Group | Sort-Object -Property lastlogon -Descending)[0] 
              
    $users.Clear() 
  }
  
  #Export the results to a single file per forest/multidomain
  $LatestLogOn | Select-Object Enabled, `
    Domain, `
    samAccountName, `
    displayName, `
  @{Name = 'lastlogondatetime'; Expression = { [datetime]::FromFileTime($_.lastlogon) -replace '12/31/1600 7:00:00 PM', 'Never' -replace '1/1/1601 12:00:00 AM', 'Never' } }, `
    lastlogon, `
    DC, `
    whenCreated, `
    description, `
    distinguishedName, `
    department, `
    company, `
    office `
  | Sort-Object lastlogondatetime -Descending | Export-Csv ./$forest-InactiveUserReport-$timer.csv -NoTypeInformation -Append

  #Uncomment below if exported results need to be multiple files seperated per domain
  #Export the results to a seperate file per domain
  <#
  $LatestLogOn | Select-Object Enabled, `
    Domain, `
    samAccountName, `
    displayName, `
  @{Name = 'lastlogondatetime'; Expression = { [datetime]::FromFileTime($_.lastlogon) -replace '12/31/1600 7:00:00 PM', 'Never' -replace '1/1/1601 12:00:00 AM', 'Never' } }, `
    lastlogon, `
    DC, `
    whenCreated, `
    description, `
    distinguishedName, `
    department, `
    company, `
    office `
  | Sort-Object lastlogondatetime -Descending | Export-Csv ./$domain-InactiveUserReport-$timer.csv -NoTypeInformation -Append
  #>
    
  Write-Host -ForegroundColor Green "Report for $domain generated!"
}
Write-Host -ForegroundColor Green "------======= Done! =======------"

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

.SYNOPSIS

Get the last logon report of users that have not logged for the past XX (Default 60) days from multiple domain controllers.

.DESCRIPTION

Get details of users that have not logged on or are inactive for the past 60 days across the domain and get the latest value from multiple domain controllers

.INPUTS

None. Script captures Forest and Domain details when run in the environment.

.OUTPUTS

Generated output CSV file will be in the created in the same path from where the script was executed.

.NOTES

Version: 2.0

Author: Mohammed Wasay

Email: [email protected]

Web: www.mowasay.com

Creation Date: 02/14/2020

.EXAMPLE

Get-LastLogonReport.ps1

#Get Logged on user details

$cuser = $env:USERDOMAIN + "\" + $env:USERNAME

Write-Host -ForegroundColor Gray "Running script as: $cuser authenticated on $env:LOGONSERVER"

#Get the Forest Domain

$forest = (Get-ADForest).RootDomain

#Get all the Domains in the Forest

$domains = (Get-ADForest).Domains

#Time format for report naming

$timer = (Get-Date -Format MM-dd-yyyy)

Write-Host -ForegroundColor Magenta "Your Forest is: $forest"

#Loop through each domain

foreach ($domain in $domains) {

Write-Host -ForegroundColor Yellow "Working on Domain: $domain"

#Get all the domain controllers in the domain

$dcs = Get-ADDomainController -Filter * -Server $domain

#Storing all the users in an array for comparison later

$users = @()

foreach ($dc in $dcs.Hostname) {

Write-Host -ForegroundColor Cyan "Working on Domain Controller: $dc"

#Days Inactive - Modify the value to the number of days (1,30,45,60,90,120)

$DaysInactive = "60"

$time = (Get-Date).Adddays( - ($DaysInactive))

#Get all AD Users with lastLogonTimestamp less than our time

$users += Get-ADUser -Filter { lastlogondate -le $time } -Properties * -Server $dc | `

Select-Object Enabled, `

@{Name = "Domain"; Expression = { $domain } }, `

samAccountName, `

displayName, `

lastlogondate, `

lastlogon, `

@{Name = 'DC'; Expression = { $dc } }, `

whenCreated, `

description, `

distinguishedName, `

department, `

company, `

office

}

Write-Host -ForegroundColor Yellow "Sorting for most recent lastlogons"

#Get the last logon from each server for every filtered user and used the last entry available

$LatestLogOn = @()

$users | Group-Object -Property samAccountName | ForEach-Object {

$LatestLogOn += ($_.Group | Sort-Object -Property lastlogon -Descending)[0]

$users.Clear()

}

#Export the results to a single file per forest/multidomain

$LatestLogOn | Select-Object Enabled, `

Domain, `

samAccountName, `

displayName, `

@{Name = 'lastlogondatetime'; Expression = { [datetime]::FromFileTime($_.lastlogon) -replace '12/31/1600 7:00:00 PM', 'Never' -replace '1/1/1601 12:00:00 AM', 'Never' } }, `

lastlogon, `

DC, `

whenCreated, `

description, `

distinguishedName, `

department, `

company, `

office `

| Sort-Object lastlogondatetime -Descending | Export-Csv ./$forest-InactiveUserReport-$timer.csv -NoTypeInformation -Append

#Uncomment below if exported results need to be multiple files seperated per domain

#Export the results to a seperate file per domain

$LatestLogOn | Select-Object Enabled, `

Domain, `

samAccountName, `

displayName, `

@{Name = 'lastlogondatetime'; Expression = { [datetime]::FromFileTime($_.lastlogon) -replace '12/31/1600 7:00:00 PM', 'Never' -replace '1/1/1601 12:00:00 AM', 'Never' } }, `

lastlogon, `

DC, `

whenCreated, `

description, `

distinguishedName, `

department, `

company, `

office `

| Sort-Object lastlogondatetime -Descending | Export-Csv ./$domain-InactiveUserReport-$timer.csv -NoTypeInformation -Append

Write-Host -ForegroundColor Green "Report for $domain generated!"

}

Write-Host -ForegroundColor Green "------======= Done! =======------"

Provisioning a New Office 365 User and Mailbox from Exchange Hybrid via PowerShell

Posted on September 18, 2017 by mo wasay Office 365 PowerShell

Working with many Office365 clients, I receive queries on how to go about provisioning users and mailboxes for an Exchange hybrid deployment.

To begin with, let’s assume a couple things.

We have a Windows 2012 R2 member server with Azure AD Connect (AAD Connect) version 1.1.105.00 (or newer) and the Azure AD Module for PowerShell installed; and
We have an Exchange 2013 CU11 (or newer) server configured for hybrid with an active O365 tenant.

Now that we’ve established a baseline, there are a couple of options to perform the task of provisioning an AD user, creating a mailbox, and assigning an Office 365 license.

The first option would be to create an AD user, create an on premise mailbox, migrate the mailbox to Office 365, and assign a license; or
The second option would be to create an AD user, create a remote (or Office 365) mailbox, and assign a license.

In this post, I will cover the second option simply because it includes fewer steps and attempts to avoid confusion around where the mailbox should be created.

Do not create an AD user and then go to the Office 365 portal to create a new user and associated mailbox. This method will not properly create a synchronized O365 user and mailbox.

STEP 1: CREATE USER & MAILBOX

From the Exchange server, first create the AD user with remote mailbox using one command via Exchange Management Shell (EMS or Exchange PowerShell)…

New-RemoteMailbox -UserPrincipalName "usertest@domain.com" -Alias "UserTest" -Name "UserTest" -FirstName "User" -LastName "Test" -DisplayName "User Test" -OnPremisesOrganizationalUnit "Office 365 Users" -Password (ConvertTo-SecureString "EnterPasswordHere" -AsPlainText -Force) -ResetPasswordOnNextLogon $true

New-RemoteMailbox -UserPrincipalName "[email protected]" -Alias "UserTest" -Name "UserTest" -FirstName "User" -LastName "Test" -DisplayName "User Test" -OnPremisesOrganizationalUnit "Office 365 Users" -Password (ConvertTo-SecureString "EnterPasswordHere" -AsPlainText -Force) -ResetPasswordOnNextLogon $true

In the command above, I created the AD user in an OU named “Office 365 Users”, set the password to “EnterPasswordHere”, and will require the user to change their password at next logon. However, I did not assign an SMTP address or remote routing address assuming that the email address policies are configured to be applied as new mailboxes are created.

STEP 2: SYNCHRONIZE USER

Once the AD user and mailbox are created, the AD object must to be synchronized to O365 in order to add the user with associated mailbox in the tenant. With the new version of AAD Connect, the scheduled sync time occurs every 30 minutes. In my case, I’m not that patient and will manually force a sync to O365.

From the server with AAD Connect installed, via an elevated PowerShell console, run the following command to perform the sync to O365…

Start-ADSyncSyncCycle -PolicyType Delta

1	Start-ADSyncSyncCycle -PolicyType Delta

This task will synchronize all changes made to AD since the user and mailbox were created.

STEP 3: ASSIGN LICENSE

In the final step, I assign an O365 license to the newly created and synchronized user. The following commands can be run from any machine that has both Microsoft Online Services Sign-in Assistant for IT Professionals RTW and Windows Azure Active Directory Module for Windows PowerShell installed. In my case, they are installed on each server, as well as my admin workstation.

Connect to O365 via PowerShell from an elevated PowerShell console; or using Azure AD Module for PowerShell console.

Confirm the new user does not have an O365 license assigned.

#Connect to Office365
Import-Module MSOnline
Connect-MsolService
$O365Cred = Get-Credential
$O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
Import-PSSession $O365Session

Get-MsolUser -UnlicensedUsersOnly

#Connect to Office365

Import-Module MSOnline

Connect-MsolService

$O365Cred = Get-Credential

$O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection

Import-PSSession $O365Session

Get-MsolUser -UnlicensedUsersOnly

This command returns unlicensed O365 users in which the “isLicensed” parameter is “False”.

The next command returns the “AccountSkuId“, or subscription license(s), of my tenant that I will use to assign to the new user.

Get-MsolAccountSku

1	Get-MsolAccountSku

The AccountSkuId will look something similar to “tenantname:ENTERPRISEPACK“; where “ENTERPRISEPACK” represents my Office 365 Enterprise E3 subscription. Other subscriptions will have different representations.

Before I can assign any licenses to my new user, the user must be assigned a location (or country code). Since I’m am located in the United States, I use “US” as the two letter country code for the user, using this command…

Set-MsolUser -UserPrincipalName usertest@domain.com -UsageLocation US

1	Set-MsolUser -UserPrincipalName usertest@domain.com -UsageLocation US

Now that I’ve set a location for the new user, I can assign a license from my associated O365 subscription, using this command…

Set-MsolUserLicense -UserPrincipalName usertest@domain.com -AddLicenses tenantname:ENTERPRISEPACK

1	Set-MsolUserLicense -UserPrincipalName usertest@domain.com -AddLicenses tenantname:ENTERPRISEPACK

Finally, the user can access their assigned mailbox in Exchange Online.

Adding a security group to the Local Administrator Group in AD

Posted on June 6, 2017 by mo wasay Windows

Having a local administrator of your workstations can come in handy. Sometimes you might need to logon locally to troubleshoot or rejoin a computer to your domain. You can create a group policy that creates a local admin users and sets the local password.

Admins make a common mistake when they want to add a security group the Local Administrator group for a particular set of machines or domain wide. The mistake they make is creating a restricted access group vs. just adding to the existing Administrators Group. The result it that it wipes out any existing Local Administrator permissions or memberships.

This can be accomplished with a Simple GPO.

I will cover both methods for clarification. First I will cover the correct way to add. The Second Method is how to add a restricted group.

Correct Way

CREATE THE SECURITY GROUP

Open Active Directory Users and Computers
Select your Security Group OU
Right Click and select New > Group
Give the Group a name, I used “AUTOMATION”

CREATE THE GPO

Launch Group Policy Management Console.
Right click the OU that you want the GPO to apply to.
Select “Create a GPO…”
This will Launch Group Policy Editor.
Navigate to: Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups
Right Click in the blank area and select New > Local Group > Administrators (Built-in)
Action: Update (This is the most important part).
Add the needed security group. I have added my AUTOMATION Security Group.
Click Apply.
Click OK.
Apply the GPO to the root of the domain OR the appropriate OU.

Incorrect Way (This is how you would create a Restricted Access Group)

Reason this is incorrect: This will wipe out any existing memberships of the Local Administrator Group.

If you want certain members to be local administrators of computers, you can do it through Group Policy. The idea here is to create a Local Admin security group and then a GPO that adds that security group to the local Administrators group of the computer.

CREATE THE SECURITY GROUP

Open Active Directory Users and Computers
Select your Security Group OU
Right Click and select New > Group
Give the Group a name, I used “SG – Local Admins”

CREATE THE GPO

Open Group Policy Management Console.
Right click the OU that contains the systems you want to set the local admin on
Select “Create a GPO in this domain, and Link it here…”
Name the GPO. I used “Set Local Administrators”
Right Click the GPO and select Edit.
Set the following:
1. Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
2. Right Click and select “Add Group…”
3. Select browse and add the Administrators group
4. Select OK
5. Double click Administrators
6. Select Add for “Members of this group:”
7. Browse and find your security group. I added “SG – Local Admins”

That should be it. Now you can set which users of the domain are local administrators of their computers.

Set password never to expire for users in a particular domain (Bulk mode)

Posted on January 3, 2017 by mo wasay Office 365

Let me start by saying that I don’t recommend doing this at all.

Password Never Expires is bad security practice, but there are situations that might require it.

I had a similar request on how this could be done.

Setting it for multiple users:

#Connect of Office365
Import-Module MSOnline
$O365Cred = Get-Credential
$O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
Import-PSSession $O365Session
Connect-MsolService –Credential $O365Cred 

#Get a List of user that belong to the second domain
$SDusers = Get-MsolUser -All -DomainName "yourseconddomain.com"

#Setting the password never to expire
ForEach($SDuser in $SDusers)
{
    Set-MsolUser -UserPrincipalName $SDuser -PasswordNeverExpires $true
}

#Connect of Office365

Import-Module MSOnline

$O365Cred = Get-Credential

$O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection

Import-PSSession $O365Session

Connect-MsolService –Credential $O365Cred

#Get a List of user that belong to the second domain

$SDusers = Get-MsolUser -All -DomainName "yourseconddomain.com"

#Setting the password never to expire

ForEach($SDuser in $SDusers)

{

Set-MsolUser -UserPrincipalName $SDuser -PasswordNeverExpires $true

}

Setting it for a single user:

Get-MSOLUser -UserPrincipalName user@domain.com | Select PasswordNeverExpires

1	Get-MSOLUser -UserPrincipalName user@domain.com \| Select PasswordNeverExpires

Convert resource mailbox to a user mailbox

Posted on November 3, 2016 by mo wasay Office 365

Based on my audit for a client I found that a user mailbox was at sometime converted to a resource mailbox. There is no convert button/ link to switch it back. I still don’t know how, or why this would have happened.

Anyways, for someone who may come across this weird issue, here is the fix for it.

Set-Mailbox user@domain.com -Type Regular

1	Set-Mailbox user@domain.com -Type Regular

This will convert it from a shared mailbox, or a resource mailbox to a user mailbox.

Cannot migrate user from Exchange 2010 to Exchange Online

Posted on August 19, 2015 by mo wasay Office 365

So I came across this error while migrating some accounts from On-Premise Exchange 2010 Server to Exchange Online.

Error: The subscription for the migration user [email protected] couldn’t be loaded. The following error was encountered: A subscription wasn’t found for this user.

In short, there is an address conflict between the user properties of the exchange server and the synced object on Office365. Lets go back to the basics to get this fixed.

Environment: Exchange 2010 in Hybrid Mode with Exchange Online. Migrating accounts using a staged migration approach. The problematic user in Exchange Online is properly licensed.

Setup for Staged Migration.

Exchange Online: Stop the problematic migration batch and delete it
Exchange 2010: Even though the user account may show that it is a Remote mailbox or just a User Mailbox. Right click and hit Disable. (This will remove the exchange properties for the user.)

Exchange 2010: Search your Exchange database and find the user’s on-premise mailbox. This is easier if you have just 1 or 2 databases. In an enterprise environment this may be a task by itself. Open EMS and type the following:

PowerShell

Get-MailboxStatistics -Database <your exchange database name>

1

Get-MailboxStatistics -Database <your exchange database name>

If the result set it too long, you may want to save the contents to a file.

PowerShell

Get-MailboxStatistics -Database yourexchangedatabase > C:\my_exchange_users.txt

1

Get-MailboxStatistics -Database yourexchangedatabase > C:\my_exchange_users.txt

Open the file and search for the user you disabled in step 2

Now you need to delete the problematic user in Exchange Online. Open up PowerShell ISE and type the following:

Import-Module MSOnline
$O365Cred = Get-Credential
$O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
Import-PSSession $O365Session
Connect-MsolService –Credential $O365Cred

Import-Module MSOnline

$O365Cred = Get-Credential

$O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection

Import-PSSession $O365Session

Connect-MsolService –Credential $O365Cred

After supplying the Global Admin credentials and successfully logging in, do the following:

Remove-MsolUser -UserPrincipalName user@domain.com
Remove-MsolUser -UserPrincipalName user@domain.com -RemoveFromRecycleBin

1 2	Remove-MsolUser -UserPrincipalName user@domain.com Remove-MsolUser -UserPrincipalName user@domain.com -RemoveFromRecycleBin

Now the object is not in Exchange 2010 and Exchange Online
Attach the user back to Exchange 2010. Open up EMS and type the following:

PowerShell

Connect-Mailbox -Identity "John Doe" -Database "YourExchangeDatabase" -User "John Doe"

1

Connect-Mailbox -Identity "John Doe" -Database "YourExchangeDatabase" -User "John Doe"
The mailbox should show up in Exchange 2010. Make sure that the SMTP address includes: [email protected] address.
In a few minutes DirSync will sync the object back to Exchange Online (This depends on your DirSync time interval)
When the user shows up – make sure you assign the user a license in Exchange Online.
Start a new migration batch for the user.
Migration will go through as expected.

user

Get Inactive Users Report for the past 60 days in a multi domain environment

Provisioning a New Office 365 User and Mailbox from Exchange Hybrid via PowerShell

STEP 1: CREATE USER & MAILBOX

STEP 2: SYNCHRONIZE USER

STEP 3: ASSIGN LICENSE

Set password never to expire for users in a particular domain (Bulk mode)

Setting it for multiple users:

Setting it for a single user:

Convert resource mailbox to a user mailbox

Cannot migrate user from Exchange 2010 to Exchange Online

Categories

Archives

Meta

user

STEP 1: CREATE USER & MAILBOX

STEP 2: SYNCHRONIZE USER

STEP 3: ASSIGN LICENSE

Correct Way

CREATE THE SECURITY GROUP

CREATE THE GPO

Incorrect Way (This is how you would create a Restricted Access Group)

CREATE THE SECURITY GROUP

CREATE THE GPO

Setting it for multiple users:

Setting it for a single user:

Categories

Archives

Tags

Meta