Enumerating a user's group memberships is a common task. Unlike in other scripting languages, with PowerShell it's a one-line action.
First download/install Quest AD Tools, and add them:
I use a semicolon to combine two PowerShell commands:
$sUser = get-qaduser -samaccountname <username>; $sUser.MemberOf
Get the sAMAccountName (logon name) from full names:
Get-Content c:\users.txt | get-qaduser | select displayName,sAMAccountName | export-csv c:\output.csv -noType
users.txt contains the users' full names.
First download and install ActiveRoles Management Shell for Active Directory.
get-qadgroupmember "group name"
Bring in some formatting by piping the output to 'select' (Select-Object):
get-qadgroupmember "group name" | select logonname, displayname
When an Active Directory account locks out often, the credentials are probably saved on a computer somewhere in the environment. This post is about how to trace the machine name, so you can update or delete those credentials and solve the lockouts.
First download Account Lockout and Management Tools from Microsoft.
Start LockoutStatus.exe, go to File -> Select Target, and enter the username of the account that has lockout issues.
LockoutStatus enumerates the domain controllers:
Right click the DC where the user was locked out, and Open Event Viewer:
Filter on: Event source (security), Category (Account Management), User (NT Authority\System) and Time (get it from LockoutStatus.exe).
... and you have the name of the computer the account was locked out from:
You've got the machine name!
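The same lookup can be scripted instead of clicking through Event Viewer. The function below is an added example, not code from the original post: it assumes domain controllers running Windows Server 2008 or later, where a lockout is recorded as Security event ID 4740 (the post does not name an event ID), and the function name, user, host names and sample event are constructed for illustration.

```powershell
# Added example, not from the original post. Assumes DCs running Windows Server 2008+,
# where a lockout is logged as Security event 4740 (the post does not name an event ID).
function Get-LockoutSource {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml,
        [string] $UserName    # optional: only report this sAMAccountName
    )
    process {
        $evt = ([xml]$EventXml).Event
        if ($evt.System['EventID'].InnerText -ne '4740') { return }

        # Flatten <Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($UserName -and $data['TargetUserName'] -ne $UserName) { return }

        [pscustomobject]@{
            User             = $data['TargetUserName']
            # In event 4740 the TargetDomainName field holds the caller computer name.
            CallerComputer   = $data['TargetDomainName']
            DomainController = $evt.System.Computer
            TimeUtc          = $evt.System.TimeCreated.SystemTime
        }
    }
}

# Constructed sample event (hypothetical names), trimmed to the fields used above.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2024-01-15T08:42:17.000Z" />
    <Computer>DC01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WKS-0142</Data>
    <Data Name="SubjectUserName">DC01$</Data>
  </EventData>
</Event>
'@

$sample | Get-LockoutSource -UserName 'jdoe'

# Live use against a DC (replace <DC> with a domain controller name):
# Get-WinEvent -ComputerName <DC> -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
#     ForEach-Object { $_.ToXml() } | Get-LockoutSource -UserName 'jdoe'
```

Reading the Security log on a domain controller requires rights to that log, and the event is only present if account management auditing is enabled there.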