Delete expired accounts in specific OUs - powershell

Trying to make a PS script that finds and deletes expired accounts in specific OUs.
I've created this script, and it gets the users that are expired in the 4 OUs, so far so good, but I can't get my head around how to make it delete the users.
$OUs=
"OU=1,OU=Users,DC=Test,DC=local",
"OU=2,OU=Users,DC=Test,DC=local",
"OU=3,OU=Users,DC=Test,DC=local",
"OU=4,OU=Users,DC=Test,DC=local"
Foreach($OU in $OUs){
Search-ADAccount -AccountExpired -Searchbase $OU | Select-Object Name
}
Anybody got a solution for this? :)

This works on my machine
Foreach($OU in $OUs){
Search-ADAccount -AccountExpired -Searchbase $OU | Remove-ADObject -Confirm:$false
}
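An added example, not code posted by either participant above: it keeps the same Search-ADAccount / -SearchBase loop but wraps it in a function that reports the expired users first and only deletes when -Commit is passed, and it refuses to touch accounts flagged ProtectedFromAccidentalDeletion. The OU names are placeholders copied from the question; the function assumes the RSAT ActiveDirectory module and an account with delete rights on those OUs.

```powershell
Import-Module ActiveDirectory

function Remove-ExpiredUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string[]] $SearchBase,  # one or more OU distinguished names
        [switch] $Commit                                # without it the function only reports
    )

    foreach ($ou in $SearchBase) {
        # -UsersOnly keeps expired computer accounts out of the result set.
        $expired = Search-ADAccount -AccountExpired -UsersOnly -SearchBase $ou |
            Get-ADUser -Properties AccountExpirationDate, LastLogonDate, ProtectedFromAccidentalDeletion

        foreach ($user in $expired) {
            $action = 'Report'
            if ($user.ProtectedFromAccidentalDeletion) {
                # Deletion would fail anyway; surface it instead of erroring mid-loop.
                $action = 'Skipped (protected)'
            }
            elseif ($Commit -and $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Remove expired user')) {
                # Remove-ADObject -Recursive also removes leaf objects under the user
                # (e.g. Exchange ActiveSync device entries) that make Remove-ADUser fail.
                Remove-ADObject -Identity $user.DistinguishedName -Recursive -Confirm:$false
                $action = 'Deleted'
            }
            [pscustomobject]@{
                SamAccountName = $user.SamAccountName
                OU             = $ou
                Expired        = $user.AccountExpirationDate
                LastLogon      = $user.LastLogonDate
                Action         = $action
            }
        }
    }
}

# Placeholder OUs in the shape used by the question; replace with real ones.
$OUs = 'OU=1,OU=Users,DC=Test,DC=local',
       'OU=2,OU=Users,DC=Test,DC=local',
       'OU=3,OU=Users,DC=Test,DC=local',
       'OU=4,OU=Users,DC=Test,DC=local'

# Dry runs: a plain report first, then -WhatIf to see exactly what would be deleted.
Remove-ExpiredUser -SearchBase $OUs | Format-Table -AutoSize
Remove-ExpiredUser -SearchBase $OUs -Commit -WhatIf
# Remove-ExpiredUser -SearchBase $OUs -Commit          # the destructive run
```

Deleting the object is final unless the AD Recycle Bin is enabled (the SID, group memberships and any ACLs referencing it are gone); many shops instead disable the account, move it to a quarantine OU and delete after a retention period, which is a one-line change to the Commit branch.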

Remove full access permissions of all disabled users on shared mailboxes with exchange management shell

I’m looking for a powershell exchange script to remove Full access permissions of all disabled users on all shared mailboxes in a specific OU.
This is what I got so far
Remove-MailboxPermission -Identity Sharedmailbox -AccessRights Fullaccess -InheritanceType all -user DisabledUser -Confirm:$false | where {$_.UseraccountControl -like "*accountdisabled*"}
It seems to work, but I'm not sure whether the last piece of the script will actually check for "accountdisabled".
Then I created a variable so it will check only one specific OU
$ou = Get-ADUser -SearchBase "OU=Functional Mailboxes,OU=Generalaccounts,DC=DOMAIN,DC=COM" -Filter *
foreach ($user in $ou)
Remove-MailboxPermission -Identity "$ou" -AccessRights Fullaccess -InheritanceType all -Confirm:$false | where {$_.UseraccountControl -like "*accountdisabled*"}
The script is checking the right OU but I'm still looking for the last part where it will automatically remove full access permissions of the disabled users ONLY.
Can someone show me the way?
Instead of trying to screen for disabled users after removing the mailbox permissions (which is what your Remove-MailboxPermission ... | Where-Object ... appears to be intended to do - except that the way you wrote it, it's only checking for disabled state after removing the permissions), try selecting for the disabled accounts first, then passing only the disabled accounts to Remove-MailboxPermission:
Get-ADUser -SearchBase ... -filter {Enabled -eq $false} | Remove-Mailbox ...
(replacing ... with the appropriate SearchBase or parameters for Remove-Mailbox, using $_ for the identity of the ADUser whose mailbox permissions you're removing.)
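An added example that follows the answer's ordering (select disabled users first, then act on the permissions), not code from either poster: it indexes the disabled users by sAMAccountName, walks the shared mailboxes in the given OU, and removes explicit FullAccess grants held by those users. It assumes an on-premises Exchange Management Shell session with the ActiveDirectory module loaded; the OU paths are placeholders (the mailbox OU is the one from the question), and nothing is changed unless -Commit is supplied.

```powershell
Import-Module ActiveDirectory

function Remove-DisabledUserFullAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $MailboxOU,   # OU that holds the shared mailboxes
        [Parameter(Mandatory)] [string] $UserOU,      # OU to search for disabled users
        [switch] $Commit                              # report only unless supplied
    )

    # Step 1: select the disabled accounts first, with a server-side filter, and
    # index them by sAMAccountName (hashtable keys are case-insensitive).
    $disabled = @{}
    Get-ADUser -SearchBase $UserOU -Filter { Enabled -eq $false } |
        ForEach-Object { $disabled[$_.SamAccountName] = $_.DistinguishedName }
    if ($disabled.Count -eq 0) { Write-Verbose "No disabled users under $UserOU"; return }

    # Step 2: walk the shared mailboxes in the OU and look at explicit FullAccess grants.
    foreach ($mbx in Get-Mailbox -OrganizationalUnit $MailboxOU -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
        $grants = Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object { -not $_.IsInherited -and -not $_.Deny -and $_.AccessRights -contains 'FullAccess' }

        foreach ($perm in $grants) {
            # On-premises Exchange reports the grantee as DOMAIN\sAMAccountName;
            # keep only the part after the backslash for the lookup.
            $sam = ($perm.User.ToString() -split '\\')[-1]
            if (-not $disabled.ContainsKey($sam)) { continue }   # enabled user: leave it alone

            $action = 'Would remove'
            if ($Commit -and $PSCmdlet.ShouldProcess("$($mbx.Alias) <- $sam", 'Remove FullAccess')) {
                Remove-MailboxPermission -Identity $mbx.Identity -User $perm.User `
                    -AccessRights FullAccess -InheritanceType All -Confirm:$false
                $action = 'Removed'
            }
            [pscustomobject]@{ Mailbox = $mbx.Alias; User = $sam; Action = $action }
        }
    }
}

# Placeholder OUs; add -Commit to actually remove the grants, and -WhatIf to preview that run.
Remove-DisabledUserFullAccess `
    -MailboxOU 'OU=Functional Mailboxes,OU=Generalaccounts,DC=DOMAIN,DC=COM' `
    -UserOU    'OU=Users,DC=DOMAIN,DC=COM' | Format-Table -AutoSize
```

Grants whose account has already been deleted show up in Get-MailboxPermission as a raw SID rather than DOMAIN\name, so they never match the lookup; those orphaned entries need a separate pass.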

Adding Objects to Security Group (PowerShell)

So I have looked everywhere online, including here, and something that should work doesn't, and I am out of ideas. I want to add all AD Objects from one OU to a specific security group. This is what I have (and from reading online, it should work):
$ADObjects = "OU.Containing.AD.Objects"
$AddGroup = "DN.of.group.adding.objects.to"
Get-ADComputer -SearchBase $ADObjects -Filter * | ForEach-Object{Add-ADGroupMember -Identity 'Corporate Office Computers' -Members $_ -WhatIf}
When I run this, all the WhatIf messages appear and no errors show however once completed, none of the items from the $ADObjects OU are added. Any suggestions?
I think you might not understand the "WhatIf" switch. This will prevent any changes actually being actioned and will report what would happen if the switch were not there. The following code worked on my system:
$ADObjects = "OU=Desktops,DC=MyDomain,DC=com"
$AddGroup = "GroupAddingObjectsTo"
Get-ADComputer -SearchBase $ADObjects -Filter * | ForEach-Object {Add-ADGroupMember -Identity $AddGroup -Members $_}
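An added example, not the code of either poster, that goes a step beyond the answer: it handles both computer and user objects in the OU (the question said "all AD Objects"), adds them in one Add-ADGroupMember call instead of one per object, skips objects that are already members so a re-run is harmless, and verifies the membership count afterwards. The OU and group names are placeholders in the shape the answer used; the RSAT ActiveDirectory module is assumed.

```powershell
Import-Module ActiveDirectory

function Add-OUMembersToGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,              # OU distinguished name
        [Parameter(Mandatory)] [string] $Group,                   # name, sAMAccountName, DN or SID
        [ValidateSet('computer', 'user')] [string[]] $Kind = @('computer', 'user')
    )

    # objectCategory separates users from computers (computer objects are also
    # objectClass=user); the extra (objectClass=user) on the person branch excludes contacts.
    $ldapByKind = @{
        computer = '(objectCategory=computer)'
        user     = '(&(objectCategory=person)(objectClass=user))'
    }
    $filter = '(|' + (($Kind | ForEach-Object { $ldapByKind[$_] }) -join '') + ')'

    $grp = Get-ADGroup -Identity $Group
    # Current members keyed by DN so a re-run adds nothing twice.
    $already = @{}
    Get-ADGroupMember -Identity $grp | ForEach-Object { $already[$_.DistinguishedName] = $true }

    $candidates = @(Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase)
    $toAdd = @($candidates | Where-Object { -not $already.ContainsKey($_.DistinguishedName) })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($grp.Name, "Add $($toAdd.Count) member(s)")) {
        # One call with an array of DNs instead of one LDAP write per object.
        Add-ADGroupMember -Identity $grp -Members $toAdd.DistinguishedName
    }

    # Verify against the directory rather than trusting that the call succeeded.
    [pscustomobject]@{
        Group          = $grp.Name
        Found          = $candidates.Count
        AlreadyMembers = $candidates.Count - $toAdd.Count
        Added          = $toAdd.Count
        MembersNow     = @(Get-ADGroupMember -Identity $grp).Count
    }
}

# Preview first (nothing is written), then run for real.
Add-OUMembersToGroup -SearchBase 'OU=Desktops,DC=MyDomain,DC=com' -Group 'GroupAddingObjectsTo' -WhatIf
Add-OUMembersToGroup -SearchBase 'OU=Desktops,DC=MyDomain,DC=com' -Group 'GroupAddingObjectsTo'
```

Under -WhatIf the ShouldProcess check returns false, so the Add-ADGroupMember line never executes and MembersNow stays at the pre-run count; that is the behaviour the question saw, made explicit.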

Search-ADAccount for user accounts with expiring passwords

I've been tasked with finding service accounts (in our shop, that's user accounts starting with 'svc-' in the username) that have expiring passwords. Normally service accounts should not have expiring passwords, so I'm trying to find service accounts incorrectly created so they can be fixed.
I've been using Search-ADAccount and I'm having parameter issues. If I use this:
Search-ADAccount -PasswordNeverExpires | Where {$_.SamAccountName -like 'SVC-*'}
then I get long lists of results, none of which have expiring passwords. But if I'm including the -PasswordNeverExpires parameter, then I'm filtering out any accounts which do have expiring passwords, no?
I've also tried this:
Search-ADAccount | Where {$_.SamAccountName -like 'SVC-*' -and $_.PasswordNeverExpires -like 'FALSE' }
but I only get an error: "Parameter set cannot be resolved using the specified named parameters." That sounds like Search-ADAccount requires certain parameters, but I don't see in the help files which parameters are required.
It's counter-intuitive (to me) that Search-ADAccount has a parameter which can search for one Boolean condition (TRUE) but not the other.
Get-ADUser doesn't seem to have any password configuration info.
Yes, Trondh. That's it. I first looked at Get-ADUser, but the help files didn't mention anything about the PasswordNeverExpires parameter, and piping a single result into Get-Member didn't reveal any relevant property to search against.
In sum, this is the one-liner that worked:
Get-ADUser -filter {PasswordNeverExpires -eq $False} | Where {$_.SamAccountName -like 'SVC-*'}
Thanks again.
I would just use get-aduser (need to clean up the filter param, I just banged this together in my head):
$adusers = Get-ADUser -Filter * -Properties * | where {$_.PasswordNeverExpires -eq $false}
did you try $_.PasswordNeverExpires -eq $false?
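An added example, not code from the thread: it applies the Get-ADUser approach that resolved the question but pushes both conditions (the 'svc-' prefix and PasswordNeverExpires being false) into the server-side -Filter, and reports when each password actually expires using the constructed attribute msDS-UserPasswordExpiryTimeComputed. The 'svc-' naming convention is the poster's; the RSAT ActiveDirectory module is assumed.

```powershell
Import-Module ActiveDirectory

function Get-ExpiringServiceAccount {
    param(
        [string] $Prefix = 'svc-',   # naming convention from the question
        [string] $SearchBase         # optional OU; whole domain when omitted
    )

    $params = @{
        # Both conditions are evaluated on the domain controller; nothing is filtered client-side.
        Filter     = "SamAccountName -like '$Prefix*' -and PasswordNeverExpires -eq 'False' -and Enabled -eq 'True'"
        Properties = 'PasswordNeverExpires', 'PasswordLastSet', 'PasswordExpired',
                     'msDS-UserPasswordExpiryTimeComputed'
    }
    if ($SearchBase) { $params['SearchBase'] = $SearchBase }

    Get-ADUser @params | ForEach-Object {
        # The constructed attribute already accounts for fine-grained password
        # policies, so it is more reliable than PasswordLastSet + MaxPasswordAge.
        # 0 or Int64.MaxValue means "does not expire".
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        $expires = if ($raw -gt 0 -and $raw -lt [Int64]::MaxValue) { [DateTime]::FromFileTime($raw) } else { $null }
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            PasswordExpires = $expires
            DaysLeft        = if ($expires) { [int][math]::Floor(($expires - (Get-Date)).TotalDays) } else { $null }
            AlreadyExpired  = $_.PasswordExpired
        }
    } | Sort-Object PasswordExpires
}

Get-ExpiringServiceAccount | Format-Table -AutoSize
# Once an account has been reviewed, the fix the question describes is:
# Set-ADUser -Identity 'svc-example' -PasswordNeverExpires $true
```

Sorting by PasswordExpires puts the accounts that will break first at the top, which is usually what the on-call engineer wants from this report.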

get all computer accounts and remove-ADPrincipalGroupMembership

I'm trying to remove all the principal group memberships starting with the name of all computer accounts in one specific ou.
I've tried browsing to the OU with the AD provider, typing gci and getting a list of all the computers in the ou to find their ADPrincipalGroupMembership which works. Also, using get-adcomputer -searchbase <ou> -filter * works too. But I can't then remove every group that each machine is a member of.
When I then try to expand on that with remove-ADPrincipalGroupMembership, my input for the groups to remove is system.string and remove-ADPrincipalGroupMembership won't accept that. I have something like this so far:
Get-ADComputer -SearchBase 'OU=blahblah' -Filter * |
Remove-ADPrincipalGroupMembership -MemberOf (Get-ADGroup -Filter 'name -like "17"')
I've read help and examples but I can't find how to do this. I don't want to give up and just use the gui :)
thank you
You can try this...I am not able to test it to confirm it works, but I think it should.
$Comps = Get-ADComputer -SearchBase 'OU=blahblah' -Filter * -Prop MemberOf
Foreach ($Comp in $Comps)
{
$Groups = $Comp.MemberOf | ? {$_ -like "CN=17*"}
if ($Groups)
{
Remove-ADPrincipalGroupMembership -Identity $Comp -MemberOf $Groups -WhatIf #-Confirm:$false
}
}
Assuming it works with the -whatif statement, by default I believe that command will prompt you if you're sure about each removal which could be a pain so you could uncomment -confirm $false to try and avoid that.
Also it is assuming the distinguished name of each group is going to be something along the lines of
CN=17groupA,OU=Computer Groups,OU=Computer,DC=TEST,DC=NET
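An added example, not the answer's code: instead of matching on the CN prefix of each DN in MemberOf, it resolves the candidate groups once with Get-ADGroup (note that the question's filter 'name -like "17"' has no wildcard, so it matches only a group named exactly 17), keeps their DNs in a lookup table, and removes all matching memberships of each computer in one call, with -WhatIf support. The OU is a placeholder built from the question and the answer's sample DN; the RSAT ActiveDirectory module is assumed.

```powershell
Import-Module ActiveDirectory

function Remove-ComputerGroupsByPattern {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,       # OU holding the computers
        [Parameter(Mandatory)] [string] $GroupNamePattern  # e.g. '17*'; the wildcard matters
    )

    # Resolve the groups once, by Name; MemberOf on the computer objects holds DNs,
    # so key the table by DistinguishedName for the intersection below.
    $target = @{}
    Get-ADGroup -Filter "Name -like '$GroupNamePattern'" |
        ForEach-Object { $target[$_.DistinguishedName] = $_.Name }
    if ($target.Count -eq 0) { throw "No groups match '$GroupNamePattern'" }

    foreach ($comp in Get-ADComputer -SearchBase $SearchBase -Filter * -Properties MemberOf) {
        # MemberOf never lists the primary group (normally Domain Computers), so that
        # membership is left alone whatever the pattern says.
        $remove = @($comp.MemberOf | Where-Object { $target.ContainsKey($_) })
        if ($remove.Count -eq 0) { continue }

        if ($PSCmdlet.ShouldProcess($comp.Name, "Remove from $($remove.Count) group(s)")) {
            # One call per computer carrying every matching group, not one call per group.
            Remove-ADPrincipalGroupMembership -Identity $comp -MemberOf $remove -Confirm:$false
        }
        [pscustomobject]@{
            Computer = $comp.Name
            Groups   = ($remove | ForEach-Object { $target[$_] }) -join ', '
        }
    }
}

# Preview with -WhatIf, then drop the switch to run for real.
Remove-ComputerGroupsByPattern -SearchBase 'OU=blahblah,DC=TEST,DC=NET' -GroupNamePattern '17*' -WhatIf
```

Because the intersection is computed from the computer's own MemberOf, a group that matches the name pattern but that the computer is not in is simply never passed to Remove-ADPrincipalGroupMembership, which avoids the "not a member" errors a blanket removal would produce.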

Get computers list from certain OU in active directory?

I am using the powershell command below to get a list of computers that haven't been logged into in the past 60 days. This is returning all OU computers. Is it possible to change the line below to return from a certain OU?
Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $then} | FT Name,lastLogonDate
From the online help page, try using the -SearchBase filter:
C:\PS>Get-ADComputer -LDAPFilter "(name=*laptop*)" -SearchBase "CN=Computers,DC=Fabrikam,DC=com"
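An added example, not code from the question or the help page: it combines the question's LastLogonDate filter with -SearchBase, defines the $then cut-off the question left out, also catches computers that have never logged on, and shows PasswordLastSet next to LastLogonDate as a second liveness signal. The OU is a placeholder in the style of the help-page example; the RSAT ActiveDirectory module is assumed.

```powershell
Import-Module ActiveDirectory

function Get-StaleComputer {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # OU distinguished name
        [int] $Days = 60
    )
    $then = (Get-Date).AddDays(-$Days)

    # LastLogonDate is the replicated lastLogonTimestamp, which a DC refreshes only
    # when the stored value is more than 9-14 days old, so cut-offs shorter than that
    # are meaningless. The -notlike '*' clause matches computers with no value at all
    # (never logged on), which a plain -lt comparison would silently skip.
    # A machine account rotates its password about every 30 days, so a recent
    # PasswordLastSet next to an old LastLogonDate means the box is alive.
    Get-ADComputer -SearchBase $SearchBase -SearchScope Subtree `
        -Filter { LastLogonDate -lt $then -or LastLogonDate -notlike '*' } `
        -Properties LastLogonDate, PasswordLastSet, OperatingSystem |
        Select-Object Name, Enabled, OperatingSystem, LastLogonDate, PasswordLastSet,
            @{ n = 'DaysSinceLogon'; e = { if ($_.LastLogonDate) { [int]((Get-Date) - $_.LastLogonDate).TotalDays } } } |
        Sort-Object LastLogonDate
}

Get-StaleComputer -SearchBase 'OU=Workstations,DC=Fabrikam,DC=com' -Days 60 | Format-Table -AutoSize
```

Treat the output as a candidate list, not a disable list: check PasswordLastSet and the Enabled flag before acting, since a stale LastLogonDate on its own is a weak signal.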