Powershell Expired accounts - powershell

I am currently new to PowerShell and I am in the process of writing a short script to output a list of users whose accounts have expired longer than 30 days. I have attempted to use (Get-Date).AddDays(-12) but I keep receiving invalid parameters when attempting this.
Any pointers would be greatly appreciated, and I have included below a sample of the code I am attempting to get working.
$result = foreach ($OU in $OUS) {
    Get-ADUser -SearchBase $OU -Filter 'enabled -eq $false' -Properties AccountExpirationDate | Select sAMAccountName, distinguishedName, AccountExpirationDate
}
$result | Export-Csv -path C:\temp\leavers.csv -NoTypeInformation
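
One way to list accounts whose expiration date lies more than 30 days in the past, as an added example that is not part of the original post. It assumes the ActiveDirectory module's Search-ADAccount cmdlet; the function name Select-LongExpired, the example.com OU and the sample objects are constructed for illustration.

```powershell
# Added example, not from the original post. Select-LongExpired and the
# example.com names are hypothetical.
function Select-LongExpired {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [int] $Days = 30,
        [datetime] $Now = (Get-Date)
    )
    begin {
        # The date arithmetic needs both parentheses: (Get-Date).AddDays(-30)
        $cutoff = $Now.AddDays(-$Days)
    }
    process {
        # AccountExpirationDate is $null when the account never expires.
        $expires = $Account.AccountExpirationDate
        if ($null -ne $expires -and $expires -lt $cutoff) {
            $Account | Select-Object SamAccountName, DistinguishedName, Enabled, AccountExpirationDate
        }
    }
}

if (Get-Command Search-ADAccount -ErrorAction SilentlyContinue) {
    $OUs = @('OU=Leavers,DC=example,DC=com')    # placeholder search bases
    $result = foreach ($OU in $OUs) {
        Search-ADAccount -AccountExpired -UsersOnly -SearchBase $OU | Select-LongExpired -Days 30
    }
    $result | Export-Csv -Path C:\temp\leavers.csv -NoTypeInformation
}
else {
    # Constructed sample objects so the filter can be tried without a domain.
    $asOf = [datetime]'2024-06-30'
    $sample = @(
        [pscustomobject]@{ SamAccountName = 'alice'; Enabled = $true
            DistinguishedName = 'CN=alice,OU=Leavers,DC=example,DC=com'
            AccountExpirationDate = [datetime]'2024-03-01' }   # expired long before $asOf
        [pscustomobject]@{ SamAccountName = 'bob'; Enabled = $false
            DistinguishedName = 'CN=bob,OU=Leavers,DC=example,DC=com'
            AccountExpirationDate = [datetime]'2024-06-20' }   # expired 10 days before $asOf
        [pscustomobject]@{ SamAccountName = 'svc-print'; Enabled = $true
            DistinguishedName = 'CN=svc-print,OU=Leavers,DC=example,DC=com'
            AccountExpirationDate = $null }                    # never expires
    )
    $sample | Select-LongExpired -Days 30 -Now $asOf
}
```

The Enabled column is kept in the output because an account that expired long ago but is still enabled is the one worth following up first.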

Related

PS query to retrieve data from old environment via Powershell

I am running the below script with the intention to get all users that are currently enabled, password never expire, password last set and last logon date and it works just fine. I would like to add to the data the group those users/accounts belong to or any other information so I can contact their respective teams/managers to request clean up or decomm.
get-aduser -filter {Enabled -eq $TRUE} -properties passwordlastset, passwordneverexpires, lastlogonDate |
Select-Object Name, passwordlastset, Passwordneverexpires, lastlogonDate, DistinguishedName |
Export-Csv -Path 'C:\Temp\passlastset_enabledusers.csv'
How would I add this to this query? As it is, it works great, but I thought to avoid manual labor :)
Any advice? Thank you.
I personally like adding all of my properties to an array beforehand. Helps when you want to expand onto it in the future. As for the member's groups, you need to create your own expression or else when you export to a csv it'll just say [Microsoft.ActiveDirectory.Management.ADPropertyValueCollection]. Also added the user's manager as one of the properties it selects.
$properties = @(
    "passwordlastset",
    "passwordneverexpires",
    "lastlogonDate",
    "memberof",
    "manager"   # must be requested, otherwise the Manager column is empty
)
Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $true} -properties $properties |
Select-Object Name, passwordlastset, Passwordneverexpires, lastlogonDate, DistinguishedName, Manager, @{Name='MemberOf';Expression={$_.MemberOf -join ';'}} |
Export-Csv -Path 'C:\Temp\passlastset_enabledusers.csv' -NoTypeInformation

Get all groups of AD users with filter - Powershell

I'm trying to get all groups that start with the following string from a user "DIR-*". With the following command I get all the groups of the user.
Get-ADUser -Identity $username -Properties memberof | Select-Object -ExpandProperty memberof
I then tried to filter with this, but that doesn't work because the list remains empty.
Get-ADUser -Identity $username -Properties memberof | Select-Object -ExpandProperty memberof | Where-Object {$_.CN -like "DIR-*"}
Unfortunately, I am still a complete beginner when it comes to Powershell, but I need the command promptly.
I thank you for any help.
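
Why the second command returns nothing, shown as an added example that is not part of the original post: memberOf contains distinguished-name strings, which have no CN property, so the name has to be taken out of the string itself. The function name Get-CnFromDn and the example.com group names are constructed for illustration.

```powershell
# Added example, not from the original post. Get-CnFromDn is a hypothetical helper.
function Get-CnFromDn {
    param([Parameter(Mandatory, ValueFromPipeline)][string] $DistinguishedName)
    process {
        # First RDN value: everything after "CN=" up to the first unescaped comma.
        if ($DistinguishedName -match '^CN=((?:\\.|[^,\\])+)') {
            # Undo backslash escaping of DN special characters such as "\,".
            # Hex escapes (a backslash followed by two hex digits) are left as they are.
            $Matches[1] -replace '\\([,+"\\<>;=# ])', '$1'
        }
    }
}

# Constructed memberOf values; with a domain available the same pipeline is
#   Get-ADUser -Identity $username -Properties memberof |
#       Select-Object -ExpandProperty memberof | Get-CnFromDn | Where-Object { ... }
$memberOf = @(
    'CN=DIR-Finance,OU=Groups,DC=example,DC=com'
    'CN=DIR-Sales\, EMEA,OU=Groups,DC=example,DC=com'   # escaped comma inside the name
    'CN=Staff,OU=DIR-Archive,DC=example,DC=com'         # "DIR-" appears only in the OU
)

# Compare the group name, not the whole DN, against the wildcard.
$memberOf | Get-CnFromDn | Where-Object { $_ -like 'DIR-*' }
```

Matching on the extracted name rather than on the whole string keeps a group from being selected only because "DIR-" occurs somewhere else in its path.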

Powershell: finding by mail all accounts that are managed by one person

Can you help me with this oneliner? I've tried a different syntax, but to no avail. I want to find all user accounts that have one specific manager and the manager needs to be specified by mail.
Get-ADUser -Filter {manager -eq ((Get-ADUser -Filter {mail -eq "name@company.com"}).DistinguishedName)} -Properties AccountExpirationDate | select samaccountname, AccountExpirationDate
Adam.
There might be more elegant ways of solving this but the following should work.
Edit after you added more info.
I assume you want all the "service accounts" under that manager and not that the manager itself is assumed to be a service account?
Get-ADUser -Filter "manager -eq '$($(Get-ADUser -Filter 'mail -eq "name@company.com"').DistinguishedName)' -and extensionAttribute8 -eq 'service account'" -Properties AccountExpirationDate | select SamAccountName, AccountExpirationDate
Furthermore - mklement0 has an excellent answer with quite extensive information on the Filter-parameter and how it ought to be used, despite the ActiveDirectory module allowing for a different approach.
This one should work :
Get-ADUser -Filter "manager -eq `"$((Get-ADUser -Filter `"mail -eq 'name@company.com'`").DistinguishedName)`"" -Properties AccountExpirationDate | select samaccountname, AccountExpirationDate
I prefer double quotes for the Filter parameter. The equality test needs to be passed as a string. So, you need to escape the double quote inside the main filter.
Both answers work. I am sorry, but I need to change the desired command:
As I changed your commands, they look like
Get-ADUser -Filter "manager -eq `"$((Get-ADUser -Filter `"mail -eq 'name@company.com'` -and extensionattribut8 -eq "service account"").DistinguishedName)`"" -Properties AccountExpirationDate | select samaccountname, AccountExpirationDate
Get-ADUser -Filter "manager -eq '$($(Get-ADUser -Filter 'mail -eq "name@company.com" -and extensionattribut8 -eq "service account"").DistinguishedName')" -Properties AccountExpirationDate | select SamAccountName, AccountExpirationDate
and it doesn't work. Can I get more of your help? Changed: 2 conditions in the filter.
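
The nested quoting in this thread can be avoided by resolving the manager first and building the second query from the result. The following is an added example, not code from any of the posts; it swaps -Filter for Get-ADUser's -LDAPFilter parameter so values can be escaped by the RFC 4515 rules, and the function names and the sample DN are constructed for illustration.

```powershell
# Added example, not from the original posts. Function names are hypothetical.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string] $Value)
    # RFC 4515: escape the backslash first, then * ( ) and NUL.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function New-ManagedAccountFilter {
    param(
        [Parameter(Mandatory)][string] $ManagerDn,
        [string] $Attribute8 = 'service account'
    )
    # Both conditions belong to the outer query on the managed accounts,
    # not to the lookup of the manager.
    '(&(manager={0})(extensionAttribute8={1}))' -f
        (ConvertTo-LdapFilterValue $ManagerDn), (ConvertTo-LdapFilterValue $Attribute8)
}

if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    # Step 1: resolve the manager by mail and insist on exactly one match.
    $mailFilter = '(mail={0})' -f (ConvertTo-LdapFilterValue 'name@company.com')
    $manager = @(Get-ADUser -LDAPFilter $mailFilter)
    if ($manager.Count -ne 1) {
        throw "Expected exactly one manager for that mail address, found $($manager.Count)."
    }
    # Step 2: query the accounts that report to that manager.
    Get-ADUser -LDAPFilter (New-ManagedAccountFilter $manager[0].DistinguishedName) -Properties AccountExpirationDate |
        Select-Object SamAccountName, AccountExpirationDate
}
else {
    # Constructed DN with an escaped comma and parentheses, to show the filter text
    # that would be sent when no domain is available.
    New-ManagedAccountFilter 'CN=Doe\, Jane (Ops),OU=Staff,DC=example,DC=com'
}
```

Checking the match count before the second query matters here: an empty manager lookup would otherwise turn into a filter on an empty manager value instead of an error.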

exporting AD users displayName for selected groups only - powershell

I am new to powershell so please excuse me if the answer is quite simple. I am trying to get user list sorted by selected AD groups and export that to table or csv at least. Due to the fact that:
Get-ADGroupMember -Identity "TestGroupName"
... gives me only user IDs for my AD, I used below:
Get-ADGroupMember -Identity "TestGroupName" | Get-ADObject -Properties displayName
This works perfectly but I do not want to type manually each group there so I decided to first export groups that I need which are beginning with "Test":
Get-ADGroup -Filter "name -like 'Test*'" |Select-Object Name | Export-csv -path \Groups.csv
Now I want to use information from Groups.csv to list all user displayName for groups listed in Groups.csv so I tried something like that:
Import-Csv -Path .\Groups.csv | Get-ADGroupMember ForEach($Name in $Groups) | Get-ADObject -Properties displayName | Export-csv -path \UsersByGroups.csv
Unfortunately it does not work properly, maybe because I still do not get exactly how to use ForEach.
Can someone with more experience have a look and help?
Thanks!
Maciej
Just pipe the groups output by Get-ADGroup -Filter ... directly to Get-ADGroupMember:
Get-ADGroup -Filter "name -like 'Test*'" |Get-ADGroupMember |Get-ADObject -Properties displayName

How to retrieve only enabled users from the Active Directory

I'm trying to retrieve only enabled users in the AD. When I run this code line it returns the error. I tried using a filter as well to filter only enabled users for the requested info but it returns ALL users from every domain instead of just the single id.
Get-ADUser : A positional parameter cannot be found that accepts argument 'enabled -eq 'true''.
This is my code that is throwing the error.
Get-ADGroupMember -Identity 'Animal Shop A' | Get-ADUser -Filter '*' | Get-ADUser Where "enabled -eq 'true'" | Get-ADUser -Properties ('Mail')
This one returns ALL users from every domain
Get-ADGroupMember -Identity 'Animal Shop A' | Get-ADUser -Filter "enabled -eq'true'" | Get-ADUser -Properties ('Mail')
Is my syntax wrong on both of them? If I just want to return values from say "Animal shop A" and then "Animal Shop B"
.. or a little bit shorter this way:
Get-ADUser -Filter 'enabled -eq $true' -Properties mail |
Select-Object -Property Name,samaccountname,mail
Besides this I would recommend to use a -SearchBase. That's less stressful for the AD. ;-)
Get-ADUser -Filter * -Properties mail | Where { $_.Enabled -eq $True} | Select Name,samaccountname,mail
That will get all enabled users in your target domain that are enabled and display the name, username, and mail properties.
Important to know for both commands:
You must work with an elevated powershell process.
Otherwise the result may not be complete.
get-aduser -filter 'enabled -eq "true"' -ResultSetSize $Null
Simply try the commands below in PowerShell with administrator permission.
As a guide, the first part will filter users, second part filtered enabled users and last part will give you export of results.
Get-ADUser -Filter * -Property Enabled | Where-Object {$_.Enabled -like "false"} | Export-Csv -Path C:\eport.csv -Encoding ascii -NoTypeInformation
Hope this is useful for you.