Powershell: Filtering Properties Against properties - powershell

I have limited, self-taught experience with PowerShell so this is probably something basic but I can't seem to get it right.
I'm in Active Directory and I need to pull a list of users whose email address doesn't start with their SamAccountName.
(So if your login is jdoe but your email is johndoe@mycompany.com then your profile would be returned)
I've got most of what I need...but I can't figure out how to compare the two properties against each other.
Right now I have
Get-ADUser -Filter 'enabled -eq $true' -Properties * |
    Where {$_.PasswordNeverExpires -eq $false} |
    Select Name, SamAccountName, EmailAddress, PasswordNeverExpires
I've tried a few different things to filter what I need, the following command shows exactly what I want (but of course this syntax doesn't work)
Get-ADUser -Filter 'enabled -eq $true' -Properties * |
    Where {$_.PasswordNeverExpires -eq $false} |
    Where-Object EmailAddress -Contains SamAccountName |
    Select Name, SamAccountName, EmailAddress, PasswordNeverExpires
Thanks!

Use a scriptblock for the Where-Object filter like in your second pipeline element:
Where-Object { $_.EmailAddress -notlike "$($_.SamAccountName)*" }
You can even combine it with the first filter, using the -and operator:
Where-Object { $_.PasswordNeverExpires -eq $false -and $_.EmailAddress -notlike "$($_.SamAccountName)*" }
Finally, specify only the properties you need rather than -Properties * (no need to wait for the Domain Controller to return data you won't need):
$Properties = 'Name','SamAccountName','EmailAddress','PasswordNeverExpires'
Get-ADUser -Filter 'enabled -eq $true' -Properties $Properties | Where-Object {
    $_.PasswordNeverExpires -eq $false -and
    $_.EmailAddress -notlike "$($_.SamAccountName)*"
} | Select-Object $Properties
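The client-side comparison above works, but -like treats *, ? and [ ] in the pattern as wildcards, so a SamAccountName that contains one of those characters is matched loosely, and an account with no EmailAddress is reported the same way as a real mismatch. The following is an added example, not code from the original answer: it wraps the check in a function that uses an ordinal string comparison instead of a wildcard pattern and reports empty addresses separately. The sample users are constructed to stand in for Get-ADUser output.

```powershell
# Added example: client-side comparison of EmailAddress against SamAccountName
# without wildcard matching. Get-MailboxNameMismatch is a name chosen here.
function Get-MailboxNameMismatch {
    [CmdletBinding()]
    param(
        # Objects with at least Name, SamAccountName and EmailAddress
        # (e.g. Get-ADUser -Properties EmailAddress output)
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject[]]$User
    )
    process {
        foreach ($u in $User) {
            $sam  = [string]$u.SamAccountName
            $mail = [string]$u.EmailAddress
            if ([string]::IsNullOrWhiteSpace($mail)) {
                $status = 'NoEmailAddress'
            }
            elseif ($mail.StartsWith($sam, [System.StringComparison]::OrdinalIgnoreCase)) {
                # Literal, case-insensitive prefix test; no wildcard interpretation
                $status = 'Match'
            }
            else {
                $status = 'Mismatch'
            }
            if ($status -ne 'Match') {
                [pscustomobject]@{
                    Name           = $u.Name
                    SamAccountName = $sam
                    EmailAddress   = $mail
                    Status         = $status
                }
            }
        }
    }
}

# Constructed sample input standing in for Get-ADUser output.
# 'svc[1]' shows the wildcard problem: "svc1@..." -like "svc[1]*" is true,
# so the -like filter would NOT report it, although the prefix differs.
$sampleUsers = @(
    [pscustomobject]@{ Name = 'John Doe';   SamAccountName = 'jdoe';   EmailAddress = 'johndoe@mycompany.com' }
    [pscustomobject]@{ Name = 'Ann Smith';  SamAccountName = 'asmith'; EmailAddress = 'ASmith@mycompany.com' }
    [pscustomobject]@{ Name = 'Svc Backup'; SamAccountName = 'svc[1]'; EmailAddress = 'svc1@mycompany.com' }
    [pscustomobject]@{ Name = 'No Mail';    SamAccountName = 'nomail'; EmailAddress = $null }
)
$sampleUsers | Get-MailboxNameMismatch | Format-Table

# Against the directory (requires the ActiveDirectory module):
# Get-ADUser -Filter 'enabled -eq $true' -Properties SamAccountName, EmailAddress, PasswordNeverExpires |
#     Where-Object { $_.PasswordNeverExpires -eq $false } |
#     Get-MailboxNameMismatch
```

Running the sample reports John Doe and Svc Backup as Mismatch and No Mail as NoEmailAddress; Ann Smith is not listed because the comparison is case-insensitive.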

Related

Password change notification problem exclude OU powershell

We are using a good script that we would like to extend to search for users everywhere except one OU. How can I do this?
Thanks in advance for your help!
PasswordChangeNotification
How do I insert this code?
Get-ADOrganizationalUnit -filter * -SearchBase 'OU=test,DC=test,DC=com' | foreach {
    if($_.distinguishedname -ne "OU=not,OU=that,OU=orgUnit,OU=test,DC=test,DC=com"){
        $users=Get-ADUser -filter * -searchbase $_.distinguishedname -ResultPageSize 2000 -resultSetSize 500 -searchscope Onelevel | where-object enabled -eq true
        $total=($users | measure-object).count
        New-Object psobject -Property @{
            OU=$_.Name;
            A=$Total
        }
    }
}
On line 132 of the file you've linked to, you'll find the statement that actually queries Active Directory for the users:
$users = get-aduser -filter {(Enabled -eq $true) -and (PasswordNeverExpires -eq $false)} -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress | where { $_.passwordexpired -eq $false }
Add the following statement to the next line:
$users = $users |Where-Object distinguishedname -notlike "*,OU=not,OU=that,OU=orgUnit,OU=test,DC=test,DC=com"
... and leave the rest of the script as-is

Get-ADUser Filter Parameter with msDS-cloudExtensionAttribute20

I would like to filter some conditions with Get-ADUser to get users. Since I have put the same value as UserPrincipalName into msDS-cloudExtensionAttribute20 (e.g. email address), when I run this code it didn't show any error but it is not working. How do I solve this problem? Please kindly help.
Thanks
$msDS = "msDS-cloudExtensionAttribute20"
get-aduser -filter {(Enabled -eq $true) -and (UserPrincipalName -eq '$msDS')} -SearchBase 'OU="",OU="",OU="" ,DC=""' -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress,"msDS-cloudExtensionAttribute20",UserPrincipalName | where { $_.passwordexpired -eq $false }
LDAP's query filter syntax does not support arbitrary comparison across multiple attributes the way you wish (although that would have been cool!) - you'll want to query all possible users and filter them client-side with PowerShell:
Get-ADUser -Filter {Enabled -eq $true} -SearchBase 'OU="",OU="",OU="" ,DC=""' -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress,"msDS-cloudExtensionAttribute20",UserPrincipalName | Where-Object {
    $_.passwordexpired -eq $false -and $_.'msDS-cloudExtensionAttribute20' -eq $_.UserPrincipalName
}

Find security and distribution groups with owners whose account is disabled

I'm looking for some guidance on creating a PowerShell script that will check security and distribution groups from specific OUs and see if the owner is a user who is disabled.
We have lots of old groups in our AD created by ex-employees that need to be cleaned up.
This is what I've started with.
$managedByGroups = get-adgroup -filter 'groupCategory -eq "Distribution"' -SearchBase "OU=SydExchangeGroups,OU=SydGroups,OU=Sydney,DC=my,DC=org,DC=biz" -Properties distinguishedname, managedby | select sAMAccountName, managedby
$disabledUsers = Get-ADUser -Filter {Enabled -eq $false} -SearchBase "OU=SydDisabledUsers,OU=SydMisc,OU=Sydney,DC=my,DC=org,DC=biz" | select distinguishedname
foreach ($group in $managedByGroups){
    if($managedByGroups.managedby -eq $disabledUsers.distinguishedname)
    {
        write-output
    }
}
Thanks
There are a number of issues with your if block:
you are looping through $managedByGroups, but you are never using the loop variable (it should be $group.managedby)
you are trying to compare 1 element with a list of elements; in this case consider using the -in operator instead of -eq.
you should handle the case when there is no value for the managedby attribute, or you may not get the desired results.
An alternative to your code is below.
I'm first getting the list of managedby users, then I'm looping through each entry, and if it is not null, we try to do a get-aduser filtering by enabled status and the distinguishedname.
The $DisabledManagedBy variable will contain the ADUser objects which are disabled.
$grp = get-adgroup -filter 'groupCategory -eq "Distribution"' -Properties ManagedBy,DistinguishedName
$DisabledManagedBy = foreach ($item in $grp.ManagedBy) {
    if ($item) {
        Get-ADUser -Filter {Enabled -eq $false -and DistinguishedName -like $item} -Properties DistinguishedName
    }
}
I worked this out eventually by doing the following:
$myDisabledUsers = @()
$date = get-date -format dd-MM-yyyy
$managedSydGroups = Get-ADGroup -Filter * -Properties * -Searchbase "OU=SydExchangeGroups,OU=SydGroups,OU=Sydney,DC=my,DC=biz,DC=org" | where {$_.managedby -ne $null} | select name, managedby
$disabledSydUser = Get-ADUser -Filter * -SearchBase "OU=SydDisabledUsers,OU=SydMisc,OU=Sydney,DC=my,DC=biz,DC=org" | where {$_.enabled -eq $false} | select -ExpandProperty distinguishedname
$disabledOwners = foreach($group in $managedSydGroups)
{
    $managedByString = [string]$group.managedby
    if($disabledSydUser -contains $managedByString)
    {$myDisabledUsers += $group}
}
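Both the answer and the poster's own solution rely on matching a group's ManagedBy DN against the list of disabled users, using -like or -contains over an array. The following added example (not code from either post) does the same lookup with a case-insensitive hash set, so each group is checked in constant time regardless of how many disabled accounts exist, DN casing differences do not cause misses, and groups with no ManagedBy value are reported instead of silently skipped. The group and user objects are constructed to stand in for Get-ADGroup / Get-ADUser output, and the function name is chosen here.

```powershell
# Added example: report groups whose ManagedBy owner is in a set of disabled
# user DNs. Find-GroupWithDisabledOwner is a name chosen for this example.
function Find-GroupWithDisabledOwner {
    [CmdletBinding()]
    param(
        # Objects with SamAccountName and ManagedBy
        # (e.g. Get-ADGroup -Properties ManagedBy output)
        [Parameter(Mandatory)]
        [psobject[]]$Group,

        # Distinguished names of disabled user accounts
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [string[]]$DisabledUserDn
    )
    # Case-insensitive set: DNs are not case-sensitive in AD
    $disabled = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$DisabledUserDn,
        [System.StringComparer]::OrdinalIgnoreCase)

    foreach ($g in $Group) {
        $owner = [string]$g.ManagedBy
        if ([string]::IsNullOrWhiteSpace($owner)) {
            $state = 'NoOwner'            # empty ManagedBy attribute
        }
        elseif ($disabled.Contains($owner)) {
            $state = 'OwnerDisabled'
        }
        else {
            continue                      # owner present and not disabled
        }
        [pscustomobject]@{
            Group     = $g.SamAccountName
            ManagedBy = $owner
            State     = $state
        }
    }
}

# Constructed sample data standing in for Get-ADGroup / Get-ADUser output.
$groups = @(
    [pscustomobject]@{ SamAccountName = 'Sales-DL';  ManagedBy = 'CN=Jane Old,OU=SydDisabledUsers,OU=SydMisc,OU=Sydney,DC=my,DC=org,DC=biz' }
    [pscustomobject]@{ SamAccountName = 'IT-Admins'; ManagedBy = 'CN=Bob Current,OU=SydUsers,OU=Sydney,DC=my,DC=org,DC=biz' }
    [pscustomobject]@{ SamAccountName = 'Legacy-DL'; ManagedBy = $null }
)
# Lower-cased on purpose to show that the lookup ignores DN casing.
$disabledDns = @(
    'cn=jane old,ou=syddisabledusers,ou=sydmisc,ou=sydney,dc=my,dc=org,dc=biz'
)
Find-GroupWithDisabledOwner -Group $groups -DisabledUserDn $disabledDns | Format-Table

# Against the directory (requires the ActiveDirectory module; fill in your own search bases):
# $groups   = Get-ADGroup -Filter * -SearchBase '<groups OU DN>' -Properties ManagedBy
# $disabled = Get-ADUser -Filter { Enabled -eq $false } -SearchBase '<disabled users OU DN>' |
#                 Select-Object -ExpandProperty DistinguishedName
# Find-GroupWithDisabledOwner -Group $groups -DisabledUserDn $disabled
```

The sample reports Sales-DL as OwnerDisabled and Legacy-DL as NoOwner; IT-Admins is not listed.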

Get Password expiry date for one single user in AD

I have found this script that filters the password expiry date of enabled accounts in AD.
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
    Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
It works fine but I would like to have it search just one specific AD account that I will type in. How do I accomplish that?
I would
This is one of those times where reading the documentation would answer your question, as the examples cover this question...
You can either replace the Filter for the Identity param:
Get-ADUser -Identity USERNAME
Or, update the filter:
Get-ADUser -Filter {Name -eq "USERNAME"}
Try something like this:
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
    Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} |
    Where-Object {$_.DisplayName -like "Username"}
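The first answer's -Identity suggestion is the cheaper route, since the second answer still pulls every enabled user from the domain controller and filters afterwards. One caveat neither answer mentions: the directory returns [Int64]::MaxValue for msDS-UserPasswordExpiryTimeComputed when the password never expires (and 0 when it is not computed, for example when a change is required at next logon), and [datetime]::FromFileTime() throws on MaxValue. The following added example (not code from the original answers) looks up a single account with -Identity and wraps the conversion so those values come back as $null; the function names are chosen here.

```powershell
# Added example: single-user lookup with a safe FILETIME conversion.
function ConvertFrom-AdFileTime {
    param(
        [AllowNull()]
        [object]$Value
    )
    if ($null -eq $Value) { return $null }          # attribute not returned
    $ticks = [int64]$Value
    # 0 = not computed; Int64.MaxValue = password never expires
    if ($ticks -le 0 -or $ticks -eq [int64]::MaxValue) { return $null }
    return [datetime]::FromFileTime($ticks)
}

function Get-UserPasswordExpiry {
    [CmdletBinding()]
    param(
        # SamAccountName, UPN, DN, SID or GUID, as accepted by Get-ADUser -Identity
        [Parameter(Mandatory)]
        [string]$Identity
    )
    $u = Get-ADUser -Identity $Identity -Properties DisplayName, PasswordNeverExpires,
            PasswordExpired, 'msDS-UserPasswordExpiryTimeComputed'
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        DisplayName          = $u.DisplayName
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordExpired      = $u.PasswordExpired
        ExpiryDate           = ConvertFrom-AdFileTime $u.'msDS-UserPasswordExpiryTimeComputed'
    }
}

# Offline check of the conversion with constructed values (no domain needed):
ConvertFrom-AdFileTime 133000000000000000      # a plausible FILETIME -> a DateTime
ConvertFrom-AdFileTime ([int64]::MaxValue)     # never expires          -> $null
ConvertFrom-AdFileTime 0                       # not computed           -> $null
ConvertFrom-AdFileTime $null                   # attribute absent       -> $null

# With the ActiveDirectory module loaded (USERNAME as in the answer above):
# Get-UserPasswordExpiry -Identity USERNAME
```

Using -Identity also means the PasswordNeverExpires flag is returned alongside the date, so a $null ExpiryDate can be explained in the output rather than silently dropped by the filter.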

Get-ADUser CSV file disabled true and false filter

The script below works as is; I need to add the Enabled -eq $true piece so I can audit the user list to see if they are also enabled (not just disabled). I have tried various ways and the script errors out. Can anyone help?
$userID = Import-Csv "c:\users.csv"
foreach ($user in $userID) {
    $employeeID = $user.employeeID
    Get-ADUser -Filter {employeeID -eq $employeeID -and Enabled -eq $false} -Properties displayName,employeeID,mail,intelOwnerID,title,"msDS-UserPasswordExpiryTimeComputed","lastLogon" |
        select "Displayname", "Enabled",
        @{n="PasswordExpiryDate";e={[DateTime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}},
        @{n='LastLogon';e={[DateTime]::FromFileTime($_.lastLogon)}},
        SamAccountName, employeeID, mail, intelOwnerID, title |
        Export-Csv -Append "c:\temp\usersacct.csv"
}
To get both enabled and disabled users that are listed in your .csv you just need to stop filtering on Enabled -eq $false. Just change this line:
Get-ADUser -Filter {employeeID -eq $employeeID -and Enabled -eq $false} -Properties displayName,employeeID,mail,intelOwnerID,title,"msDS-UserPasswordExpiryTimeComputed","lastLogon" |
to
Get-ADUser -Filter {employeeID -eq $employeeID} -Properties displayName,employeeID,mail,intelOwnerID,title,"msDS-UserPasswordExpiryTimeComputed","lastLogon" |