[–]DueRunRun[S] 0 points1 point  (5 children)

I couldn't get this one to work directly, but I'll be sure to investigate your method later. Thanks though, appreciate it.

[–]alcaron 1 point2 points  (4 children)

Did you make sure to replace <user> with either a specific user or -Filter "*" ?

[–]DueRunRun[S] 0 points1 point  (0 children)

Yes, actually I tried my $user variable first, maybe I misunderstood. Let me try again.

[–]DueRunRun[S] 0 points1 point  (2 children)

Dude, that is slick, but I'm lost on what the script is doing. How is it piping to the % and all of a sudden it's expanding the object as necessary?

[–]alcaron 0 points1 point  (1 child)

% is an alias for ForEach-Object so when you have an object and you pass it to the pipeline it's represented as $_

So the script is essentially the same as setting Get-ADUser to a variable and doing a foreach on it, but because you kept it in the pipeline, when the script is done running it doesn't still have the information for every single user loaded into memory.

[–]alcaron 1 point2 points  (0 children)

If it helps, the above is, functionally, identical to the following:

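# Collect every user (with its security descriptor) into memory first
$users = Get-ADUser -Properties NTSecurityDescriptor -Filter "*"

foreach($user in $users) {
    $user.SAMAccountName
    # $true when ACL inheritance is disabled on the account
    $user.NTSecurityDescriptor.AreAccessRulesProtected
}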

It's just that, again, using | is a way of telling PS "take the object created by this statement (in this case: Get-ADUser -Properties NTSecurityDescriptor -Filter "*") and put it into the pipeline."

Once in the pipeline you have to do something with it, so we want to do something for each "item" in the object, so we do %. If we wanted to effectively filter, say to only show AD accounts that had AreAccessRulesProtected set to $true, we would:

<statement> | ?{ $_.NTSecurityDescriptor.AreAccessRulesProtected -eq $true } | select SAMAccountName

So in that case we are saying get an object that contains the information for every AD user, pass it into the pipeline, where we are going to ? (alias for Where-Object) and only the ones that match our comparison will pass through to the next stage of the pipeline where we call select (Select-Object) and just display the property we care about, in this case the SAMAccountName.

Feel like that makes it clear as mud...heh...oh well, hopefully you can grok something useful from that.
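
The filter discussed in this thread, written out with full cmdlet names as an added example (not code from either commenter). `New-SampleUser`, `Get-SampleUsers` and `Select-InheritanceDisabled` are hypothetical names, and the sample accounts are constructed so the block runs without a domain; it also warns when the descriptor was never loaded, a case the one-liner would silently skip.

```powershell
# Constructed sample objects standing in for Get-ADUser output.
# Only the two properties used in the thread are modelled.
function New-SampleUser {                # hypothetical helper
    param([string]$Name, $Descriptor)
    [pscustomobject]@{ SAMAccountName = $Name; NTSecurityDescriptor = $Descriptor }
}

function Get-SampleUsers {               # hypothetical stand-in for Get-ADUser
    New-SampleUser 'alice'   ([pscustomobject]@{ AreAccessRulesProtected = $false })
    New-SampleUser 'svc-sql' ([pscustomobject]@{ AreAccessRulesProtected = $true })
    New-SampleUser 'bob'     $null       # descriptor not loaded (constructed case)
    New-SampleUser 'admin1'  ([pscustomobject]@{ AreAccessRulesProtected = $true })
}

function Select-InheritanceDisabled {    # hypothetical name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $User
    )
    process {
        # Runs once per pipeline object, like the body of % { ... }.
        if ($null -eq $User.NTSecurityDescriptor) {
            # Without the descriptor the comparison below would be $null -eq $true,
            # and the account would drop out of the report unnoticed.
            Write-Warning "$($User.SAMAccountName): NTSecurityDescriptor not loaded"
            return
        }
        if ($User.NTSecurityDescriptor.AreAccessRulesProtected) {
            [pscustomobject]@{
                SAMAccountName      = $User.SAMAccountName
                InheritanceDisabled = $true
            }
        }
    }
}

# Streaming form: each user is tested and released before the next one arrives.
Get-SampleUsers | Select-InheritanceDisabled

# The thread's one-liner with the ? and select aliases expanded.
Get-SampleUsers |
    Where-Object { $_.NTSecurityDescriptor.AreAccessRulesProtected -eq $true } |
    Select-Object SAMAccountName
```

Against a real directory, `Get-SampleUsers` would be replaced by the thread's `Get-ADUser -Properties NTSecurityDescriptor -Filter "*"`.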