Powered by Ed Buford and Coffee


Finding AD Groups with PowerShell

How to List AD Groups by type using PowerShell

The AD group type is a bit of a mystery to me. I'm not sure why Microsoft has chosen to make things the way they have, and I have to keep reminding myself they have been building Active Directory a lot longer than they have been building PowerShell.
Today one of my team asked me to see if I could pull Domain Local groups out of AD using PowerShell. I was sure this was going to be as easy as it sounds. Turns out it isn't straightforward.

Since there isn’t a Get-ADGroupType PowerShell command I went looking at the Attributes and here’s what I found:


Even more confusing, when you open that attribute you get something even more interesting:



So I started searching around MSDN and I came up with this chart:

Group Type                        Value
Global distribution group         2
Domain local distribution group   4
Universal distribution group      8
Global security group             -2147483646
Domain local security group       -2147483644
Universal security group          -2147483640

Now that I have the value I'm looking for, I can pull it out of AD. In order to do that I need to log into a Domain Controller or a domain computer with RSAT loaded. Then I can import the ActiveDirectory module:

Import-module ActiveDirectory

Then I can get the Group Type by using the command below:

Get-ADGroup -Filter * -Properties GroupType | where {$_.GroupType -eq "-2147483644"} | FL name

If I want to change the Group Type that I'm searching for, I just change the number from the list above. Make sure to include the negative sign on the ones that have it listed.
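Here is an added example (mine, not from the original post) that explains where those odd numbers come from: GroupType is a bitmask, and the negative values are just the "security enabled" high bit showing up in a signed 32-bit integer. It also builds the filter server-side instead of pulling every group and filtering in the pipeline. It assumes the ActiveDirectory module from RSAT is available; ConvertTo-GroupTypeName and Get-ADGroupByType are names I made up for this example, not built-in cmdlets.

```powershell
# Added example, not the original post's code. Assumes RSAT / ActiveDirectory module.
Import-Module ActiveDirectory

# GroupType is a set of bit flags. The high bit (0x80000000) marks a security
# group; AD stores the value as a signed Int32, so setting that bit makes the
# number negative, which is why the security rows in the chart are negative.
$GroupTypeFlags = @{
    BuiltinLocal    = 0x00000001
    Global          = 0x00000002
    DomainLocal     = 0x00000004
    Universal       = 0x00000008
    SecurityEnabled = 0x80000000
}

function ConvertTo-GroupTypeName {
    param([Parameter(Mandatory)][int]$GroupType)
    # Work on the unsigned bit pattern so the sign bit tests like any other flag
    $bits = [uint32]($GroupType -band 0xFFFFFFFF)
    $scope = if     ($bits -band $GroupTypeFlags.Global)       { 'Global' }
             elseif ($bits -band $GroupTypeFlags.DomainLocal)  { 'DomainLocal' }
             elseif ($bits -band $GroupTypeFlags.Universal)    { 'Universal' }
             elseif ($bits -band $GroupTypeFlags.BuiltinLocal) { 'BuiltinLocal' }
             else                                              { 'Unknown' }
    $kind = if ($bits -band $GroupTypeFlags.SecurityEnabled) { 'Security' } else { 'Distribution' }
    "$scope $kind"
}

function Get-ADGroupByType {
    param(
        [Parameter(Mandatory)][ValidateSet('Global','DomainLocal','Universal')][string]$Scope,
        [Parameter(Mandatory)][ValidateSet('Security','Distribution')][string]$Kind
    )
    $value = $GroupTypeFlags[$Scope]
    if ($Kind -eq 'Security') { $value = $value -bor $GroupTypeFlags.SecurityEnabled }
    # Reinterpret the unsigned pattern as the signed Int32 that AD actually stores
    $value = [BitConverter]::ToInt32([BitConverter]::GetBytes([uint32]$value), 0)
    # Filter on the server side; the value is embedded as a literal in the filter
    Get-ADGroup -Filter "GroupType -eq $value" -Properties GroupType |
        Select-Object Name, GroupType, @{ n = 'Type'; e = { ConvertTo-GroupTypeName $_.GroupType } }
}

# Same result as the one-liner in the post, without pulling every group first:
# Get-ADGroupByType -Scope DomainLocal -Kind Security
# Decode any value you see in the attribute editor:
# ConvertTo-GroupTypeName -GroupType -2147483644
```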


Office 365 has wrong email address Part 2

In the post Office 365 has wrong email address Part 1 I covered the issue of not being able to set the Email Address of a user who is being managed by Active Directory On-Prem. If you don't have a Hybrid Exchange server to set email attributes you will need to do that manually. If any of this confuses you please jump back to Part 1 and make sure you get what's happening.

There are a number of scenarios of what you're going to see when you dig into the ProxyAddresses attribute of a user. You may see an X.500 record, or you may see something like the UPN that you don't want to have. For my test domain it would look like this highlighted address:


You can see by the way it is formatted that the address is the user's UPN (User Principal Name), as it includes the full domain suffix.
Now I really don't want to get too deep into the UPN, but if you find you need it to get going you can leave a comment and I'll try to answer it for you.

Getting back to the issue at hand: how to change the Primary Email Address of a bunch of users at one time. Leaving UPN and domain suffixes behind, I'm just going to add Primary Email Addresses and figure the rest out later. In order to do that for my users I built a CSV file that has two columns: the SAM Account Name and the Email Address I want my users to have. I called this file HerosProxyAddress.csv and placed it in a folder called source on the C:\ drive. Here's a screen shot of what my CSV file looks like:


Using these two columns I am able to write a quick PowerShell script to add the email address for each of the users.

Import-Module ActiveDirectory
$Users = Import-Csv -Path "C:\source\HerosProxyAddress.csv"
foreach ($User in $Users) {
    # Uppercase SMTP: marks the primary address in ProxyAddresses
    $ProxyAddress = "SMTP:" + $User.'EmailAddress'
    Set-ADUser -Identity $User.'sAMAccountName' -Add @{ProxyAddresses = $ProxyAddress}
}

Copy this code into Notepad and save it with a .ps1 extension. I saved mine as ChangeProxyAddress.ps1

Now on the domain controller I opened PowerShell as Administrator, navigated to the folder where I saved my PowerShell script, and typed: .\ChangeProxyAddress.ps1

Before you try this on a lot of users I'd encourage you to test it on a couple of test users to make certain it works correctly for you.
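For the testing step above, here is an added example (mine, not the post's script) that does the same job with a few guard rails: it validates each address, refuses to create a second primary (a user may have only one uppercase SMTP: entry, and the script above would happily add another), demotes any existing primary to a lowercase smtp: alias, and supports -WhatIf so you can dry-run the CSV first. It assumes the same CSV layout (sAMAccountName, EmailAddress) and the RSAT ActiveDirectory module; Set-PrimarySmtpAddress is a name I chose for the example.

```powershell
# Added example, not the original post's script. Assumes RSAT / ActiveDirectory module.
Import-Module ActiveDirectory

function Set-PrimarySmtpAddress {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$CsvPath)

    foreach ($Row in Import-Csv -Path $CsvPath) {
        $sam  = $Row.sAMAccountName.Trim()
        $mail = $Row.EmailAddress.Trim()
        # Refuse rows that would write an obviously malformed address into AD
        if ($mail -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            Write-Warning "${sam}: skipping malformed address '$mail'"; continue
        }
        $User = Get-ADUser -Identity $sam -Properties ProxyAddresses -ErrorAction SilentlyContinue
        if (-not $User) { Write-Warning "${sam}: user not found"; continue }

        $current = @($User.ProxyAddresses)
        # Exactly one entry may carry the uppercase SMTP: prefix (the primary);
        # -clike is case-sensitive, so it separates SMTP: from smtp: aliases.
        $primary = @($current | Where-Object { $_ -clike 'SMTP:*' })
        if ($primary.Count -eq 1 -and $primary[0] -ceq "SMTP:$mail") {
            Write-Verbose "${sam}: already primary"; continue
        }
        # Keep X500 and other aliases, drop any copy of the new address, demote old primaries
        $others  = $current | Where-Object { $_ -cnotlike 'SMTP:*' -and $_ -ine "smtp:$mail" }
        $demoted = $primary | ForEach-Object { 'smtp:' + $_.Substring(5) } | Where-Object { $_ -ine "smtp:$mail" }
        $new     = @("SMTP:$mail") + @($demoted) + @($others)

        if ($PSCmdlet.ShouldProcess($sam, "set primary SMTP address to $mail")) {
            # -Replace writes the whole list, so no duplicate-value error from -Add
            Set-ADUser -Identity $sam -Replace @{ ProxyAddresses = [string[]]$new }
        }
    }
}

# Dry run first, then drop -WhatIf (add -Verbose to see users that were already correct):
# Set-PrimarySmtpAddress -CsvPath 'C:\source\HerosProxyAddress.csv' -WhatIf
```

The DirSync step below is still required afterwards; this only changes the on-prem attribute.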

Once you change the user attributes in Active Directory you'll need to go to your DirSync server and load the DirSync PowerShell module. Then run Start-OnlineCoexistenceSync with -FullSync to make sure the attributes get pushed out to the Cloud.

There is a lot more to talk about on this topic: there are a couple of other ways we could tackle this script, and at least one more script to write to solve adding one user at a time.
So be on the lookout for Part 3.


Office 365 has wrong email address Part 1

Lately this has come up a couple of times and I haven't had much time to sit down and figure it out, so today I thought I'd take the time to document the issue and a way to fix it.

When you set up DirSync from Active Directory to Office 365 without a hybrid Exchange server you’re faced with a problem: How do you set the Email address of the users?

When you use DirSync you can't set the Office 365 email address out in the Cloud because it is being managed from Active Directory. If you don't have a Hybrid Exchange configuration you don't have any place to set the Email Address, so when you go to Office 365 the email address will look like this:
So the question is: how do I get rid of the part of the email address?

In order to answer the question above we have to understand that the problem comes from Active Directory, not Office 365. Since we're using DirSync to send the Active Directory attributes to Office 365 we need to have the Primary SMTP address set in AD. To set the Primary SMTP address for a user in AD you need to edit the ProxyAddresses attribute for the user AND you need to make sure the Primary Email address has the prefix SMTP:, just like you see it below.


Now you can go about manually adding this address to each user in Active Directory, but if you have a lot of users you'll probably start hating life pretty quickly. So in Part 2 we'll look at some code to automate this process.
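Before automating the fix, it helps to know which users actually have the problem. This added example (mine, not from the post) parses the ProxyAddresses format described above, keeping the uppercase SMTP: entry apart from smtp: aliases and X500 entries, and lists enabled users that have no primary SMTP: entry at all, which is the state that leaves Office 365 showing the wrong address after DirSync. It assumes the RSAT ActiveDirectory module; ConvertFrom-ProxyAddressList and Find-UserWithoutPrimarySmtp are names I chose for the example.

```powershell
# Added example, not the original post's code. Assumes RSAT / ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertFrom-ProxyAddressList {
    param([string[]]$ProxyAddresses)
    $result = [ordered]@{ Primary = $null; Aliases = @(); X500 = @(); Other = @() }
    foreach ($entry in $ProxyAddresses) {
        # The text before the first colon is the address type; case matters for SMTP
        $prefix, $value = $entry -split ':', 2
        switch -CaseSensitive ($prefix) {
            # A second uppercase SMTP: entry is a misconfiguration, so it is parked in Other
            'SMTP' { if ($result.Primary) { $result.Other += $entry } else { $result.Primary = $value } }
            'smtp' { $result.Aliases += $value }
            'X500' { $result.X500 += $value }
            'x500' { $result.X500 += $value }
            default { $result.Other += $entry }
        }
    }
    [pscustomobject]$result
}

function Find-UserWithoutPrimarySmtp {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties ProxyAddresses, mail |
        ForEach-Object {
            $parsed = ConvertFrom-ProxyAddressList -ProxyAddresses $_.ProxyAddresses
            if (-not $parsed.Primary) {
                [pscustomobject]@{
                    SamAccountName    = $_.SamAccountName
                    UserPrincipalName = $_.UserPrincipalName
                    Mail              = $_.mail
                    AliasCount        = $parsed.Aliases.Count
                    X500Count         = $parsed.X500.Count
                    OtherCount        = $parsed.Other.Count
                }
            }
        }
}

# Report the users DirSync will push without a primary address, e.g. to build the CSV for Part 2:
# Find-UserWithoutPrimarySmtp | Format-Table -AutoSize
```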


Moving FSMO Roles with PowerShell

If you've ever had to move FSMO roles in Active Directory to another server you know it's not as straightforward as it should be (at least until I found PowerShell).

Open the Active Directory Module for Windows PowerShell, or open PowerShell on a machine with RSAT installed and run Import-Module ActiveDirectory.


Some of the FSMO roles are Domain roles and some are Forest roles, so you'll need two commands to get the role holders.
To get the Domain role holders:

Get-ADDomain | select PDCEmulator,RIDMaster,InfrastructureMaster

To get the Forest role holders:

Get-ADForest | select SchemaMaster,DomainNamingMaster

Moving roles only requires one command. Change Target-DC to the name of the Domain Controller you're moving the FSMO role(s) to.

There are 5 FSMO roles; include only the ones you want to move.

Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator
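Since a role move is hard to undo by accident, here is an added example (mine, not from the post) that wraps the three commands above: it records who holds each role first, skips roles the target already owns, supports -WhatIf, and reports before/after holders so you can confirm the move actually landed. It assumes the RSAT ActiveDirectory module; Get-FsmoRoleHolder and Move-FsmoRoleChecked are names I chose for the example.

```powershell
# Added example, not the original post's code. Assumes RSAT / ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Domain roles come from Get-ADDomain, forest roles from Get-ADForest
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRoleChecked {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]]$Role
    )
    $before = Get-FsmoRoleHolder
    # Role holders are reported as FQDNs, so compare against the target's host name
    $target = (Get-ADDomainController -Identity $TargetDC).HostName
    $toMove = @($Role | Where-Object { $before[$_] -ne $target })
    if ($toMove.Count -eq 0) { Write-Verbose "$TargetDC already holds $($Role -join ', ')"; return }

    if ($PSCmdlet.ShouldProcess($TargetDC, "move $($toMove -join ', ')")) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $toMove -Confirm:$false
        $after = Get-FsmoRoleHolder
        foreach ($r in $toMove) {
            [pscustomobject]@{ Role = $r; Before = $before[$r]; After = $after[$r]; Moved = ($after[$r] -eq $target) }
        }
    }
}

# Dry run, then the real move of just the domain roles; every row should show Moved = True:
# Move-FsmoRoleChecked -TargetDC 'Target-DC' -Role PDCEmulator, RIDMaster, InfrastructureMaster -WhatIf
# Move-FsmoRoleChecked -TargetDC 'Target-DC' -Role PDCEmulator, RIDMaster, InfrastructureMaster
```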