Get Password expiry date for one single user in AD - powershell

I have found this script that filters the password expiry date of enabled accounts in AD.
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
It works fine but I would like to have it search just one specific AD account that I will type in. How do I accomplish that?
I would

This is one of those times where reading the documentation would answer your question, as the examples cover this question...
You can either replace the Filter with the Identity param:
Get-ADUser -Identity USERNAME
Or, update the filter:
Get-ADUser -Filter {Name -eq "USERNAME"}

Try something like this:
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} |
Where-Object {$_.DisplayName -like "Username"}
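The two answers above both point at -Identity; the script the question started from still converts the raw attribute with FromFileTime unconditionally, which throws for accounts whose password never expires. The following function is an added example (not code from the question or either answer) that looks up one account typed in at the prompt, handles the two sentinel values the constructed attribute can return, and also accepts a filtered set from the pipeline. It assumes the ActiveDirectory module and a reachable domain controller; the function name Get-PasswordExpiry is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module.
function Get-PasswordExpiry {
    [CmdletBinding()]
    param(
        # Accepts a sAMAccountName (or DN) directly, or ADUser objects from the pipeline
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('SamAccountName')]
        [string]$Identity
    )
    process {
        try {
            # msDS-UserPasswordExpiryTimeComputed is a constructed attribute: the DC applies
            # the default domain policy and any fine-grained password policy that covers the
            # user, so it is more reliable than computing pwdLastSet + maxPwdAge yourself.
            $u = Get-ADUser -Identity $Identity -ErrorAction Stop `
                -Properties DisplayName, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'
        } catch {
            Write-Warning "Account '$Identity' not found: $($_.Exception.Message)"
            return
        }
        $raw = $u.'msDS-UserPasswordExpiryTimeComputed'

        # Two sentinel values must be handled before calling FromFileTime:
        #   0                  -> "user must change password at next logon"
        #   0x7FFFFFFFFFFFFFFF -> password never expires (FromFileTime throws on this value)
        $expiry = $null
        $status = 'Expires'
        if ($u.PasswordNeverExpires -or $raw -eq [long]::MaxValue) {
            $status = 'NeverExpires'
        } elseif (-not $raw) {
            $status = 'MustChangeAtLogon'
        } else {
            $expiry = [datetime]::FromFileTime($raw)
            if ($expiry -lt (Get-Date)) { $status = 'Expired' }
        }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            DisplayName    = $u.DisplayName
            Status         = $status
            ExpiryDate     = $expiry
            DaysLeft       = if ($expiry) { [math]::Floor(($expiry - (Get-Date)).TotalDays) } else { $null }
        }
    }
}

# One account typed in at the prompt:
Get-PasswordExpiry -Identity (Read-Host 'sAMAccountName')

# The same function also takes the filtered set from the question via the pipeline:
# Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $false} | Get-PasswordExpiry
```

Returning objects rather than a formatted string keeps the result usable with Export-Csv or a Where-Object on DaysLeft, which is what an expiry-reminder or audit script will want next.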

Related

Get-ADUser Filter Parameter with msDS-cloudExtensionAttribute20

I would like to filter on some conditions with Get-ADUser to get users. I have put a value equal to the UserPrincipalName into msDS-cloudExtensionAttribute20 (e.g. the email address). When I run this code it doesn't show any error, but it is not working. How do I solve this problem? Please kindly help.
Thanks
$msDS = "msDS-cloudExtensionAttribute20"
get-aduser -filter {(Enabled -eq $true) -and (UserPrincipalName -eq '$msDS')} -SearchBase 'OU="",OU="",OU="" ,DC=""' -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress,"msDS-cloudExtensionAttribute20",UserPrincipalName | where { $_.passwordexpired -eq $false }
LDAP's query filter syntax does not support arbitrary comparison across multiple attributes the way you wish (although that would have been cool!) - you'll want to query all possible users and filter them client-side with PowerShell:
Get-ADUser -Filter {Enabled -eq $true} -SearchBase 'OU="",OU="",OU="" ,DC=""' -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress,"msDS-cloudExtensionAttribute20",UserPrincipalName | Where-Object {
$_.passwordexpired -eq $false -and $_.'msDS-cloudExtensionAttribute20' -eq $_.UserPrincipalName
}

Find security and distribution groups with owners whose account is disabled

I'm looking for some guidance on creating a PowerShell script that will check security and distribution groups from specific OUs and see if the owner is a user who is disabled.
We have lots of old groups in our AD created by ex-employees that need to be cleaned up.
This is what I've started with.
$managedByGroups = get-adgroup -filter 'groupCategory -eq "Distribution"' -SearchBase "OU=SydExchangeGroups,OU=SydGroups,OU=Sydney,DC=my,DC=org,DC=biz" -Properties distinguishedname, managedby | select sAMAccountName, managedby
$disabledUsers = Get-ADUser -Filter {Enabled -eq $false} -SearchBase "OU=SydDisabledUsers,OU=SydMisc,OU=Sydney,DC=my,DC=org,DC=biz" | select distinguishedname
foreach ($group in $managedByGroups){
if($managedByGroups.managedby -eq $disabledUsers.distinguishedname)
{
write-output
}
}
Thanks
There are a number of issues with your if block:
you are looping through $managedByGroups, but you are never using the loop variable (it should be $group.managedby)
you are trying to compare 1 element with a list of elements; in this case consider using the -in operator instead of -eq.
you should handle the case when there is no value for the managedby attribute, otherwise you may not get the desired results.
An alternative to your code is below.
I'm first getting the list of managedby users, then I'm looping through each entry, and if it is not null, we try to do a Get-ADUser filtering by enabled status and the distinguishedname.
The $DisabledManagedBy variable will contain the ADUser objects which are disabled.
$grp = get-adgroup -filter 'groupCategory -eq "Distribution"' -Properties ManagedBy,DistinguishedName
$DisabledManagedBy = foreach ($item in $grp.ManagedBy) {
if ($item) {
Get-ADUser -Filter {Enabled -eq $false -and DistinguishedName -like $item} -Properties DistinguishedName
}
}
I worked this out eventually by doing the following:
$myDisabledUsers = @()
$date = get-date -format dd-MM-yyyy
$managedSydGroups = Get-ADGroup -Filter * -Properties * -Searchbase "OU=SydExchangeGroups,OU=SydGroups,OU=Sydney,DC=my,DC=biz,DC=org" | where {$_.managedby -ne $null} | select name, managedby
$disabledSydUser = Get-ADUser -Filter * -SearchBase "OU=SydDisabledUsers,OU=SydMisc,OU=Sydney,DC=my,DC=biz,DC=org" | where {$_.enabled -eq $false} | select -ExpandProperty distinguishedname
$disabledOwners = foreach($group in $managedSydGroups)
{
$managedByString = [string]$group.managedby
if($disabledSydUser -contains $managedByString)
{$myDisabledUsers += $group}
}
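Both the answer and the asker's own solution compare managedBy against a list of disabled user DNs, so a group whose owner object has been deleted outright, or whose owner is another group, is silently reported as fine. The function below is an added example (not code from the question or answers) that resolves each distinct owner once with Get-ADObject, classifies it, and emits objects that can be filtered and exported. It assumes the ActiveDirectory module; the OU path in the usage line and the function name are placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module.
function Get-GroupsWithStaleOwner {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [ValidateSet('Security', 'Distribution', 'Both')][string]$Category = 'Both'
    )
    $filter = switch ($Category) {
        'Security'     { 'groupCategory -eq "Security"' }
        'Distribution' { 'groupCategory -eq "Distribution"' }
        default        { '*' }
    }
    $groups = Get-ADGroup -Filter $filter -SearchBase $SearchBase -Properties managedBy

    # Resolve each distinct owner DN once and cache the result: one owner can manage
    # many groups, and managedBy may point at a user, a group, or an object that no longer exists.
    $ownerCache = @{}
    foreach ($g in $groups) {
        if (-not $g.managedBy) {
            [pscustomobject]@{ Group = $g.SamAccountName; Owner = $null; OwnerState = 'NoOwner' }
            continue
        }
        $dn = [string]$g.managedBy
        if (-not $ownerCache.ContainsKey($dn)) {
            try {
                # Get-ADObject rather than Get-ADUser, because managedBy need not be a user.
                $obj = Get-ADObject -Identity $dn -Properties objectClass, userAccountControl -ErrorAction Stop
                $state = switch ($obj.objectClass) {
                    'user' {
                        # ACCOUNTDISABLE is bit 0x2 of userAccountControl
                        if ($obj.userAccountControl -band 0x2) { 'Disabled' } else { 'Enabled' }
                    }
                    default { "NonUser:$($obj.objectClass)" }
                }
            } catch {
                $state = 'NotFound'   # owner was deleted, leaving a dangling DN behind
            }
            $ownerCache[$dn] = $state
        }
        [pscustomobject]@{ Group = $g.SamAccountName; Owner = $dn; OwnerState = $ownerCache[$dn] }
    }
}

# Anything not owned by an enabled user is a cleanup candidate (OU path is a placeholder):
Get-GroupsWithStaleOwner -SearchBase 'OU=SydGroups,OU=Sydney,DC=my,DC=org,DC=biz' |
    Where-Object OwnerState -ne 'Enabled' |
    Export-Csv -NoTypeInformation "groups-stale-owner-$(Get-Date -Format yyyy-MM-dd).csv"
```

Searching the whole groups OU and classifying the owner, instead of intersecting with a "disabled users" OU, means owners that were disabled in place (or deleted) are caught even when they were never moved to that OU.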

Get-ADUser CSV file disabled true and false filter

The script below works as is. I need to add the Enabled -eq $true piece so I can audit the user list to see if they are also enabled (not just disabled). I have tried various ways and the script errors out. Can anyone help?
$userID = Import-Csv "c:\users.csv"
foreach ($user in $userID) {
$employeeID = $user.employeeID
Get-ADUser -Filter {employeeID -eq $employeeID -and Enabled -eq $false} -Properties displayName,employeeID,mail,intelOwnerID,title,"msDS-UserPasswordExpiryTimeComputed","lastLogon" |
select "Displayname", "Enabled",
@{n="PasswordExpiryDate";e={[DateTime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}},
@{n='LastLogon';e={[DateTime]::FromFileTime($_.lastLogon)}},
SamAccountName, employeeID, mail, intelOwnerID, title |
Export-Csv -Append "c:\temp\usersacct.csv"
To get both enabled and disabled users that are listed in your .csv you just need to stop filtering on Enabled -eq $false. Just change this line:
Get-ADUser -Filter {employeeID -eq $employeeID -and Enabled -eq $false} -Properties displayName,employeeID,mail,intelOwnerID,title,"msDS-UserPasswordExpiryTimeComputed","lastLogon" |
to
Get-ADUser -Filter {employeeID -eq $employeeID} -Properties displayName,employeeID,mail,intelOwnerID,title,"msDS-UserPasswordExpiryTimeComputed","lastLogon" |

Powershell: Filtering Properties Against properties

I have limited, self-taught experience with PowerShell so this is probably something basic but I can't seem to get it right.
I'm in Active Directory and I need to pull a list of users whose email address doesn't start with their SamAccountName.
(So if your login is jdoe but your email is johndoe@mycompany.com then your profile would be returned)
I've got most of what I need... but I can't figure out how to compare the two properties against each other.
Right now I have
Get-ADUser -Filter 'enabled -eq $true' -Properties *|
Where {$_.PasswordNeverExpires -eq $false} |
Select Name, SamAccountName, EmailAddress, PasswordNeverExpires
I've tried a few different things to filter what I need, the following command shows exactly what I want (but of course this syntax doesn't work)
Get-ADUser -Filter 'enabled -eq $true' -Properties *|
Where {$_.PasswordNeverExpires -eq $false} |
Where-Object EmailAddress -Contains SamAccountName |
Select Name, SamAccountName, EmailAddress, PasswordNeverExpires
Thanks!
Use a scriptblock for the Where-Object filter like in your second pipeline element:
Where-Object { $_.EmailAddress -notlike "$($_.SamAccountName)*" }
You can even combine it with the first filter, using the -and operator:
Where-Object { $_.PasswordNeverExpires -eq $false -and $_.EmailAddress -notlike "$($_.SamAccountName)*" }
Finally, specify only the properties you need rather than -Properties * (no need to wait for the Domain Controller to return data you won't need):
$Properties = 'Name','SamAccountName','EmailAddress','PasswordNeverExpires'
Get-ADUser -Filter 'enabled -eq $true' -Properties $Properties |Where-Object {
$_.PasswordNeverExpires -eq $false -and
$_.EmailAddress -notlike "$($_.SamAccountName)*"
} |Select-Object $Properties
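One detail of the -notlike comparison in the answer is that the SamAccountName is interpolated into a wildcard pattern, so an account name containing *, ? or [ is not matched literally, and a user with no EmailAddress at all is dropped rather than reported. The function below is an added example (not code from the question or answer) that does the same comparison as a plain prefix test and treats a missing address as a mismatch. It assumes the ActiveDirectory module; the function name is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module.
function Get-UserWithMismatchedMail {
    param([string]$SearchBase)   # optional OU to scope the search
    $props = 'SamAccountName', 'EmailAddress', 'PasswordNeverExpires'
    $params = @{ Filter = 'enabled -eq $true'; Properties = $props }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params | Where-Object {
        -not $_.PasswordNeverExpires -and
        # StartsWith compares the strings literally (case-insensitive); an empty
        # EmailAddress cannot start with the account name, so it is reported too.
        -not ( $_.EmailAddress -and
               $_.EmailAddress.StartsWith($_.SamAccountName, [StringComparison]::OrdinalIgnoreCase) )
    } | Select-Object Name, SamAccountName, EmailAddress, PasswordNeverExpires
}

# If you prefer to keep the -like form from the answer, escape the account name so
# wildcard characters in it are matched literally:
#   Where-Object { $_.EmailAddress -notlike "$([WildcardPattern]::Escape($_.SamAccountName))*" }

Get-UserWithMismatchedMail | Export-Csv -NoTypeInformation mail-mismatch.csv
```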

Powershell script for listing specific expiring accounts

I am a bit of a powershell novice so any help is greatly appreciated. I am using the following script to get and export a list of AD accounts that are expiring, that match the specific description item. I have not been able to get it to successfully include the expiration date. This is the script as it currently works.
$users = Get-QADUser -SizeLimit 10000 -SearchRoot 'company.com/employees' -IncludedProperties "description" | where {$_.description -like "non-company*" }
@(foreach($user in $users)
{
$user | Select-Object DisplayName,LogonName,description
}) | export-Csv "C:\Users\svcacct\Documents\Steve Test Scripts\test.csv" -noType
I have tried adding -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} but it just fails.
Thanks for your help.
You can try this:
Import-Module ActiveDirectory
$users = Get-ADUser -Filter {(Enabled -eq $True -and PasswordNeverExpires -eq $False) -and (Description -like "non-company*")} -SearchBase "OU=employees,DC=Company,DC=com" -Properties Description,DisplayName,sAMAccountName
@(ForEach($user In $users){
$user | Select-Object DisplayName,sAMAccountName,Description
}) | Export-Csv "C:\Users\svcacct\Documents\Steve Test Scripts\test.csv" -noType