rerhart-1356 asked RichMatheisen-8856 answered

How do I modify this script?

I have this script that works nicely and shows me user accounts within an OU that are NOT part of a group. However, how do I update the script to:

  1. Search multiple OUs.

  2. Do not show DISABLED user accounts.

  3. Do not show EXPIRED user accounts.

  4. Do not show user accounts from the NONVPN group.


 # All users under the USA OU (SearchScope defaults to Subtree)
 $users = Get-ADUser -Filter * -SearchBase "OU=USA,DC=company,DC=com"
 $group = "VPN"
 # Names of everyone in the VPN group, including members of nested groups
 $members = Get-ADGroupMember -Identity $group -Recursive | Select-Object -ExpandProperty Name
 $users | ForEach-Object {
     $user = $_.Name
     If ($members -notcontains $user) {
         Write-Host "Accounting OU: $user DOES NOT exist in the VPN group"
     }
 }


AndreasBaumgarten answered RichMatheisen-8856 edited

Hi @rerhart-1356 ,

maybe this is helpful (not tested):

 # Get AD user with expiration date less than today
 Get-ADUser $User -Properties * | Where-Object {$_.AccountExpirationDate -le (Get-Date)}
 # Get enabled AD user only
 Get-ADUser $User -Properties * | Where-Object {$_.Enabled -eq $true}
 # Combined
 Get-ADUser $User -Properties * | Where-Object {($_.AccountExpirationDate -le (Get-Date)) -and ($_.Enabled -eq $true)}
 # Get-ADUser search Subtree of -SearchBase
 Get-ADUser $User -Properties * -SearchBase "OU=USA,DC=company,DC=com" -SearchScope Subtree
 # User not in group (compare the group's DN against the user's memberOf list)
 $notinGroup = Get-ADGroup "NONVPN"
 Get-ADUser $User -Properties * | Where-Object {$notinGroup.DistinguishedName -notin $_.MemberOf}


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten


What I need is this:

List all ENABLED and NON-Expired users from OU=USA and OU=Europe that are NOT members of VPN, but ARE members of NONVPN. I've got this script, but it still isn't giving me what I need....

$grp1 = (Get-ADGroup 'VPN').DistinguishedName
$grp2 = (Get-ADGroup 'NONVPN').DistinguishedName
$date = (Get-Date)
$filter="Enabled -eq '$true' -and AccountExpirationDate -lt '$date' -and memberof -notlike '$grp1' -and memberof -like '$grp2' "
Get-Aduser -Filter $filter -SearchBase "OU=USA,DC=company,DC=com" | Select Name
Get-Aduser -Filter $filter -SearchBase "OU=Europe,DC=company,DC=com" | Select Name


Hi @rerhart-1356 ,

What is missing or what is wrong? "but still isn't giving me what I need." Could you please explain in a little more detail what exactly is "wrong"?


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

rerhart-1356 (replying to AndreasBaumgarten):

It is returning back Enabled/Expired users that are members of the NONVPN group. If User Account A is Enabled and not Expired, and NOT in VPN, but IS in NONVPN, I do not want to see his name in the results. I only need results for:

Enabled and not Expired users that are NOT in the VPN group... but if they ARE in NONVPN group, then do not show in the results.

...and I have about 2-3 specific OUs to search, not the entire domain.


I'm pretty sure the confusion came from your description and the code you used as an example. Easy enough to fix, though. Change the name of the group (in the code)!


The comparison on the expiration date should be "less than", not "less than or equal".

Accounts expire at the end of the day. So if the expiry date is today and you use the "-le" comparison operator with today's date you may get some unexpected accounts in the results.

RichMatheisen-8856 answered RichMatheisen-8856 commented

Something like this:

 $group = "VPN"
 $OU = "OU=USA,DC=company,DC=com"
 $now = (Get-Date).Date
 # distinguishedName is unique, so compare on it rather than on Name
 $members = Get-ADGroupMember -Identity $group -Recursive |
                Select-Object -ExpandProperty distinguishedName
 # AccountExpirationDate is not in Get-ADUser's default property set; request it explicitly
 Get-ADUser -Filter "enabled -eq 'true'" -SearchBase $OU -Properties AccountExpirationDate |
     Where-Object { $_.accountexpirationdate -lt $now } |
         ForEach-Object {
             If ($members -notcontains $_.distinguishedname) {
                 Write-Host "Accounting OU: $($_.name) DOES NOT exist in the $group group"
             }
         }

Ok, thanks. That works partially. It is still outputting expired user accounts.
Also, how can I add that if they are NOT part of group "NONVPN", do not display in the output?

I also need to search about 3 specific OUs, but I can run this 3 times for that and change $OU.


Some clarification, please:

Are there one, or two groups involved? Your 1st code example had the group "VPN" in it. Now there's also a group named "NONVPN"?

The way you state the NONVPN condition is by using a double negative. Would it be clearer to say that if they ARE a member of the group NONVPN that the account should be listed?

There's no need to run the script three times, but it would have been good to completely state the requirements in the first place!

RichMatheisen-8856 answered

Try this:

 $vpn = "VPN"
 $nonvpn = "NONVPN"
 $OUs = "OU=USA,DC=company,DC=com", "OU=Europe,DC=company,DC=com"
 $now = (Get-Date).Date  # accounts expiring today are NOT YET expired!
 $VPNmembers = Get-ADGroupMember -Identity $vpn -Recursive |
                 Select-Object -ExpandProperty distinguishedName
 $NONVPNmembers = Get-ADGroupMember -Identity $nonvpn -Recursive |
                 Select-Object -ExpandProperty distinguishedName
 $OUs |
     ForEach-Object {
         # AccountExpirationDate is not returned by default; request it or the expiry test never fires
         Get-ADUser -Filter "enabled -eq 'true'" -SearchBase $_ -Properties AccountExpirationDate
     } |
         Where-Object { (-not $_.accountexpirationdate) -OR ($_.accountexpirationdate -gt $now) } |  # no expiry date or not expired
             ForEach-Object {
                 If ($VPNmembers -notcontains $_.distinguishedname -AND $NONVPNmembers -contains $_.distinguishedname) {
                     Write-Host "Accounting OU: $($_.name) is ENABLED, NOT expired, DOES NOT exist in the $vpn group, but DOES exist in the $nonvpn group"
                 }
             }
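As an added example (not code from any poster in this thread), here is one way to cover all four requirements from the question plus the expiry edge cases raised in the comments above, while letting the domain controller do the filtering instead of pulling every group member and every user to the client. It assumes the RSAT ActiveDirectory module and the OU and group names used in the question; the function names `ConvertTo-LdapFilterValue` and `Get-UserWithoutVpnAccess` are chosen here. It follows the requirement as the asker restated it in the comments (not in VPN and not in NONVPN); to get the "must be in NONVPN" variant of the last answer, drop 'NONVPN' from `-ExcludeGroup` and add a membership test of your own.

```powershell
#Requires -Modules ActiveDirectory
# Added example; assumes RSAT ActiveDirectory. Function names are chosen here, not from the thread.

function ConvertTo-LdapFilterValue {
    # Escape a value for use inside an LDAP filter (RFC 4515) so that a DN containing
    # "\", "*", "(" or ")" cannot break or widen the filter. Backslash goes first.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-UserWithoutVpnAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$SearchBase,    # one or more OU distinguished names
        [Parameter(Mandatory)][string[]]$ExcludeGroup,  # users in ANY of these groups (nested too) are dropped
        [datetime]$AsOf = (Get-Date).Date               # midnight today: an account expiring today is still valid
    )

    # One server-side LDAP filter:
    #   - user objects only
    #   - not disabled: userAccountControl bit 2 (ACCOUNTDISABLE) clear, tested with the bitwise-AND rule
    #   - not a member of any excluded group, directly or through nested groups
    #     (LDAP_MATCHING_RULE_IN_CHAIN, OID 1.2.840.113556.1.4.1941)
    $clauses = @(
        '(objectClass=user)',
        '(objectCategory=person)',
        '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
    )
    foreach ($name in $ExcludeGroup) {
        $dn = (Get-ADGroup -Identity $name).DistinguishedName
        $clauses += "(!(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $dn)))"
    }
    $ldapFilter = '(&' + ($clauses -join '') + ')'

    foreach ($ou in $SearchBase) {
        # AccountExpirationDate is not in Get-ADUser's default property set, so request it.
        # It is $null for accounts that never expire, and those must count as "not expired".
        Get-ADUser -LDAPFilter $ldapFilter -SearchBase $ou -SearchScope Subtree -Properties AccountExpirationDate |
            Where-Object { -not $_.AccountExpirationDate -or $_.AccountExpirationDate -gt $AsOf } |
            Select-Object Name, SamAccountName, AccountExpirationDate, @{ n = 'SearchBase'; e = { $ou } }
    }
}

# Usage: enabled, unexpired users under either OU who are in neither VPN nor NONVPN
Get-UserWithoutVpnAccess -SearchBase 'OU=USA,DC=company,DC=com', 'OU=Europe,DC=company,DC=com' `
                         -ExcludeGroup 'VPN', 'NONVPN' |
    Format-Table -AutoSize
```

Two design points: the group test is done by the directory with the in-chain matching rule, so nested membership is honoured without calling `Get-ADGroupMember -Recursive` (which enumerates every member over ADWS and is subject to its per-query result limits), and the expiry check stays client-side because "never expires" is stored as a sentinel that `Get-ADUser` surfaces as `$null`, which is easier to handle in `Where-Object` than in an LDAP clause. Emitting objects rather than `Write-Host` strings lets the result be exported or compared run-to-run.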