Powershell script to get certain properties from all users


  • Tuesday, October 30, 2012 10:56 PM
     
     

    I need to write a script that will get the following properties from all users in an OU:

    -Name

    -Country

    -Manager name

    -Last login date

    -Account expiration date

    I can write a script to retrieve some of these properties, but I cannot seem to put them all together and get it formatted.  Does anyone know of a script that can get these properties and output them to a CSV file?




    • Edited by Austin Y Tuesday, October 30, 2012 11:01 PM

All Replies

  • Tuesday, October 30, 2012 11:27 PM
    Moderator
     
     

    What script have you written so far, and with what results?

    Bill

  • Tuesday, October 30, 2012 11:34 PM
     
     

    Search-ADAccount -UsersOnly -SearchBase "OU=International,DC=mycompany,DC=com" -AccountDisabled:$false | Get-ADUser -Properties Name, manager, LastLogon | Select Name, manager, LastLogon | export-csv C:\users\me\desktop\tester.csv -NoTypeInformation

    This script outputs the names, manager names and last logon times.  However, most of the users' last logon times are "12/31/1600 7:00:00 PM" for some reason....

  • Wednesday, October 31, 2012 12:12 AM
    Moderator
     
     

    First, the date in 1600 is the zero date (offset by your time zone), meaning the value has never been set. However, the lastLogon attribute is not replicated between DCs. A different value for each user is saved on every DC in the domain, representing when the user authenticated to that DC. Your query hit a DC where many users have never authenticated. Instead, you should retrieve lastLogonTimeStamp. This value is only updated when the user authenticates if the old value is more than 14 days in the past, but then the new value is replicated to all DCs. This would give you a much better indication (within 14 days) if the account is stale.

    Next, I see no need to pipe the output of Search-ADAccount to Get-ADUser. You can simply run Get-ADUser with "-filter *" to retrieve all users. This cmdlet has a -SearchBase parameter as well.


    Richard Mueller - MVP Directory Services

  • Wednesday, October 31, 2012 12:19 AM
    Moderator
     
     Answered

    To get the attributes you request using Get-ADUser, use the -Properties parameter and specify: AccountExpirationDate, Country, Manager, LastLogonDate. AccountExpirationDate converts the value of the accountExpires attribute into a date in the local time zone. LastLogonDate converts the value of lastLogonTimeStamp into a date in the current time zone. Country is a 2-character abbreviation. Manager is the distinguished name of the manager. For name, you either want Name, which will be the Common Name of the user (the value of the cn attribute), or sAMAccountName, which is the "pre-Windows 2000 logon" name.


    Richard Mueller - MVP Directory Services

    • Marked As Answer by Austin Y Wednesday, October 31, 2012 7:28 PM
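The answer above, put together as an added example that is not part of the original thread: it exports the five requested properties to CSV, resolves the manager's distinguished name to a name, and flags accounts whose replicated last-logon value is missing or old. The output path, the 90-day threshold and the `Stale` column are assumptions; the OU is the sample one from the question.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module and PowerShell 3.0+.
Import-Module ActiveDirectory

$searchBase = 'OU=International,DC=mycompany,DC=com'            # sample OU from the question
$outFile    = Join-Path $env:USERPROFILE 'Desktop\users.csv'    # assumed output path
$staleDays  = 90   # assumed threshold; keep it well above the 14-day update interval
$cutoff     = (Get-Date).AddDays(-$staleDays)

# LastLogonDate is derived from lastLogonTimeStamp (replicated), not lastLogon (per-DC).
$props = 'Country', 'Manager', 'LastLogonDate', 'AccountExpirationDate'

# Cache manager lookups so each distinguished name is resolved only once.
$managerNames = @{}

Get-ADUser -Filter * -SearchBase $searchBase -Properties $props |
    ForEach-Object {
        $managerName = $null
        if ($_.Manager) {
            if (-not $managerNames.ContainsKey($_.Manager)) {
                # Get-ADObject because a manager may be a user or a contact.
                $managerNames[$_.Manager] = (Get-ADObject -Identity $_.Manager).Name
            }
            $managerName = $managerNames[$_.Manager]
        }

        [pscustomobject]@{
            Name                  = $_.Name
            Country               = $_.Country
            Manager               = $managerName
            # Empty when the attribute has never been set (instead of a date in 1600/1601).
            LastLogonDate         = $_.LastLogonDate
            # Empty when the account never expires.
            AccountExpirationDate = $_.AccountExpirationDate
            Enabled               = $_.Enabled
            # Hypothetical helper column: never logged on, or not within $staleDays.
            Stale                 = (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff)
        }
    } |
    Export-Csv -Path $outFile -NoTypeInformation
```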
  • Wednesday, October 31, 2012 7:29 PM
     
     

    Thank you for your help!  For anyone interested, this is the script I ended up with.

    Get-AdUser -Filter 'PasswordNeverExpires -eq $false' -SearchBase "OU=International,DC=mydomain,DC=com" -Properties Name, Manager, Country, AccountExpirationDate, LastLogonDate  | Format-list -property Name, Manager, Country, AccountExpirationDate, LastLogonDate | out-file c:\userinfo.txt