Get all users from specific Organizational Unit in an Active Directory

Ever found yourself needing to collect all users in a specific OU, select a given set of their properties and export the list to a file? If yes, this script is for you!

$Users = Get-ADUser -SearchBase "OU=Sub-OU,OU=Parent-OU,DC=domain,DC=tld" -Filter * -Properties * | Select-Object SamAccountName,DisplayName,GivenName,Surname,whenCreated,Enabled,accountExpires,lastLogonTimestamp,LockedOut
$OUUsers = @()
# The first line written to the file is the CSV header
$OUUsers += "SamAccountName,DisplayName,GivenName,Surname,whenCreated,Enabled,accountExpires,lastLogonTimestamp,LockedOut"
foreach ($User in $Users) {
    # accountExpires holds Int64.MaxValue (9223372036854775807) when the account never expires
    if ($User.accountExpires -eq 9223372036854775807) {
        $OUUsers += "$($User.SamAccountName),$($User.DisplayName),$($User.GivenName),$($User.Surname),$(($User.whenCreated).ToString('yyyy-MM-ddZHH-mm-ss')),$($User.Enabled),Never,$([datetime]::FromFileTime($User.lastLogonTimestamp).ToString('yyyy-MM-ddZHH-mm-ss')),$($User.LockedOut)"
    }
    else {
        $OUUsers += "$($User.SamAccountName),$($User.DisplayName),$($User.GivenName),$($User.Surname),$(($User.whenCreated).ToString('yyyy-MM-ddZHH-mm-ss')),$($User.Enabled),$([datetime]::FromFileTime($User.accountExpires).ToString('yyyy-MM-ddZHH-mm-ss')),$([datetime]::FromFileTime($User.lastLogonTimestamp).ToString('yyyy-MM-ddZHH-mm-ss')),$($User.LockedOut)"
    }
}
$OUUsers | Out-File C:\tmp\OUUser-Report.csv

The script searches domain.tld\Parent-OU\Sub-OU and selects all users in that sub-OU. For each user it collects the properties SamAccountName, DisplayName, GivenName, Surname, whenCreated, Enabled, accountExpires, lastLogonTimestamp and LockedOut. These properties are then written to the file OUUser-Report.csv in C:\tmp.
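As an added example that is not part of the original post, the same report can be built with Export-Csv (which writes the header and quotes fields for you) while treating both encodings of "never expires" (0 and 9223372036854775807), handling accounts that have never logged on, and flagging enabled accounts that have been idle beyond a threshold, so the export doubles as an account-hygiene check. The OU path, the output path, the 90-day threshold and the ConvertFrom-AdFileTime helper are assumptions, not taken from the post.

```powershell
# Added example, not the original post's script. Builds the same OU report with
# Export-Csv and flags accounts that look stale, so it doubles as a hygiene check.
# Assumed placeholders: the OU path, the output path and the 90-day threshold.
Import-Module ActiveDirectory

$SearchBase   = "OU=Sub-OU,OU=Parent-OU,DC=domain,DC=tld"   # placeholder OU
$OutFile      = "C:\tmp\OUUser-Report.csv"                  # placeholder path
$StaleDays    = 90                                          # assumed threshold
$NeverExpires = 9223372036854775807                         # AD sentinel for "never"

# Request only the attributes the report needs instead of -Properties *.
$Props = 'DisplayName','GivenName','Surname','whenCreated','Enabled',
         'accountExpires','lastLogonTimestamp','LockedOut'

function ConvertFrom-AdFileTime {
    # accountExpires and lastLogonTimestamp are Int64 FILETIME values;
    # 0, the Int64 maximum and a missing attribute all mean "not set / never".
    param([Nullable[Int64]]$Value)
    if ($null -eq $Value -or $Value -eq 0 -or $Value -eq $NeverExpires) { return $null }
    return [datetime]::FromFileTimeUtc($Value)
}

$Fmt = 'yyyy-MM-ddTHH:mm:ssZ'
$Report = Get-ADUser -SearchBase $SearchBase -Filter * -Properties $Props |
    ForEach-Object {
        $expires   = ConvertFrom-AdFileTime $_.accountExpires
        $lastLogon = ConvertFrom-AdFileTime $_.lastLogonTimestamp
        # lastLogonTimestamp replicates lazily (by default up to about 14 days
        # behind the real last logon), so the idle age is approximate.
        $daysIdle = if ($lastLogon) { [int]((Get-Date).ToUniversalTime() - $lastLogon).TotalDays } else { $null }
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            DisplayName        = $_.DisplayName
            GivenName          = $_.GivenName
            Surname            = $_.Surname
            whenCreated        = $_.whenCreated.ToUniversalTime().ToString($Fmt)
            Enabled            = $_.Enabled
            accountExpires     = if ($expires)   { $expires.ToString($Fmt) }   else { 'Never' }
            lastLogonTimestamp = if ($lastLogon) { $lastLogon.ToString($Fmt) } else { 'Never' }
            LockedOut          = $_.LockedOut
            DaysSinceLogon     = $daysIdle
            # Enabled but idle past the threshold, or never used at all, is worth reviewing.
            Stale              = [bool]($_.Enabled -and ($null -eq $daysIdle -or $daysIdle -gt $StaleDays))
        }
    }

$Report | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
$Report | Where-Object Stale | Format-Table SamAccountName, Enabled, lastLogonTimestamp, DaysSinceLogon
```

The Stale column is only a starting point for review: a service account that authenticates by Kerberos on a rarely replicated attribute can look idle, so confirm against logon events before disabling anything.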

Corrupted file permissions on Microsoft Windows

From time to time you might run into trouble with file permissions in a Windows environment. The issue shows itself as not being able to edit, change, move or delete one or more files on your computer. This can happen when the ownership settings of the file(s) become corrupted, which happens once in a while. To recover the file permissions we are going to use two tools native to Windows: takeown and cacls.

The way to recover the file permissions is to do the following:

  1. Right-click the Start button and press Windows Powershell (Administrator)
  2. Execute the command takeown /f <full path to file> e.g., takeown /f C:\Windows\WindowsUpdate.log
  3. This will transfer ownership from whichever user or system account currently holds it to the account executing the command. However, ownership does not necessarily grant permission to delete the file.
  4. To reset this permission set, execute the command cacls <full path to file> /G <Username>:F e.g., cacls C:\Windows\WindowsUpdate.log /G Morten:F
  5. You have now effectively transferred ownership permissions to your account.

To read the full list of operators and parameters for the commands, please refer to the official Microsoft documentation for cacls and takeown.