PowerShell scripting help needed: how to format the output of the Get-ADUser distinguishedName field so that it is easier to read.

  • Question

  • I have been asked by our corporate security officer to perform an audit on our AD objects.

    Currently he has asked me to get him a list of all users who are ENABLED, who have not logged onto our network in 200 days or more, and to include the OUs that they reside in for easier filtering. I'm not to include computer accounts or disabled accounts.

    We used to have a tool that would easily produce these reports by performing its own PowerShell and LDAP queries; however, the decision was made not to renew our license for this product, so now I'm left scrambling with PowerShell, with which I have limited experience.

    I have searched the net and have found many scripts that I was able to make a few adjustments to in order to provide the basic output I need.

    Currently I'm using a script which was made by Anthony Guimelli that I have edited very minimally for my purposes. His script really helped me for the most part, but I'm stuck with getting my output to display the way our security guy wants it.

    As you can see below, I've adapted it for my purposes by changing it to reflect only AD objects created 90 days or more ago which have not logged onto our network in the past 200 days.

    I used the distinguishedName attribute in order to attempt to output the OU path, but I believe he wants it cleaned up to be easier to read, as this will be going to the executives I believe.

    Is there any way I can, within the script, get it to reformat the distinguished name output to display the information similar to root\parent ou\sub-ou\sub-ou\..\..\user-object?

    And no, not all our OUs are multi-depth, but some are 2 deep for sub-categorization.


    Import-Module ActiveDirectory

    $myDomain = Get-ADDomain
    $myDomainName = $myDomain.NetBIOSname
    $Createdbase = 90      # ignore accounts created fewer than this many days ago
    $unused = 200          # report accounts with no logon in this many days

    $csvFilePath = "C:\test\test3.csv"

    # AddDays takes a number; pass the negative value rather than a string
    [datetime]$DCD = (Get-Date).AddDays(-$Createdbase)
    [datetime]$DXP = (Get-Date).AddDays(-$unused)

    # -UsersOnly excludes computer accounts. Search-ADAccount -AccountInactive also
    # returns disabled accounts, so keep only enabled ones as the audit requires.
    $userCollection = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $unused) -UsersOnly | Where {$_.Enabled -eq $true}
    $userCollection | Get-ADUser -Properties * | Select Name, LastLogonDate,whenCreated,passwordLastSet,Description, DistinguishedName | Where {$_.whenCreated -le $DCD} | Export-Csv $csvFilePath -NoTypeInformation


    Tuesday, April 9, 2013 5:49 PM


  • Try this:

    $userCollection | Get-ADUser -Properties * | Select Name, LastLogonDate,whenCreated,passwordLastSet,Description, DistinguishedName, CanonicalName | Where {$_.whenCreated -le $DCD} | Export-Csv $csvFilePath -NoTypeInformation

    My preference is not to have Get-ADUser return all properties since it may impact performance.  I always tell the cmdlet what I'm looking for:

    $properties = @('Name', 'LastLogonDate','whenCreated','passwordLastSet','Description', 'DistinguishedName', 'CanonicalName')
    $userCollection | Get-ADUser -Properties $properties | Select $properties | Where {$_.whenCreated -le $DCD} | Export-Csv $csvFilePath -NoTypeInformation

    • Marked as answer by IamMred Wednesday, May 22, 2013 10:25 PM
    Tuesday, April 9, 2013 6:17 PM
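The answer's CanonicalName property already gives a readable path of the form corp.example.com/Corp Users/Finance/AP/jdoe. The following is an added example, not code from the thread or from either poster, for the case where the backslash-separated root\parent ou\sub-ou\object form from the question is wanted and for tightening the report to enabled user accounts only. The function names ConvertTo-OUPath and Get-StaleEnabledUserReport, the CSV path, the day counts and the sample distinguished names are all my own assumptions; the sample DNs are constructed, not real directory data.

```powershell
# Added example, not code from the original thread.
# ConvertTo-OUPath turns an LDAP distinguished name into the readable
# root\parent ou\sub-ou\...\object form the question asks for. It walks the DN
# character by character so escaped commas inside values ("CN=Doe\, Jane") are
# kept, and unescapes single-character LDAP escapes such as \, \+ \\ (hex escapes
# of the form \2C are not handled). Function name is an assumption of this example.
function ConvertTo-OUPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [string]$DistinguishedName
    )
    process {
        # 1. Split into RDNs on unescaped commas.
        $rdns  = New-Object System.Collections.Generic.List[string]
        $sb    = New-Object System.Text.StringBuilder
        $chars = $DistinguishedName.ToCharArray()
        for ($i = 0; $i -lt $chars.Length; $i++) {
            $c = $chars[$i]
            if ($c -eq '\' -and ($i + 1) -lt $chars.Length) {
                [void]$sb.Append($chars[++$i])      # escaped character: keep it literally
            } elseif ($c -eq ',') {
                $rdns.Add($sb.ToString())
                $sb.Length = 0
            } else {
                [void]$sb.Append($c)
            }
        }
        $rdns.Add($sb.ToString())

        # 2. Separate domain labels (DC=) from container/object names (OU=, CN=).
        $dcParts = @()
        $ouParts = @()
        foreach ($rdn in $rdns) {
            $type, $value = $rdn -split '=', 2
            if ($type.Trim().ToUpper() -eq 'DC') { $dcParts += $value } else { $ouParts += $value }
        }

        # 3. A DN lists the leaf first, so reverse to read root -> OU -> ... -> object.
        #    The root is the leftmost DC label, e.g. "corp" for corp.example.com.
        [array]::Reverse($ouParts)
        (@($dcParts[0]) + $ouParts) -join '\'
    }
}

# Report pipeline matching the question's requirements (assumes the ActiveDirectory
# module and a reachable domain controller; parameters and CSV path are illustrative).
# -UsersOnly drops computer accounts, and the Enabled filter drops disabled accounts,
# which Search-ADAccount -AccountInactive would otherwise include.
# Caveat: LastLogonDate is derived from the replicated lastLogonTimestamp attribute,
# which is only refreshed when it is older than msDS-LogonTimeSyncInterval (14 days
# by default), so the inactivity cut-off is accurate to roughly two weeks.
function Get-StaleEnabledUserReport {
    param(
        [int]$InactiveDays      = 200,
        [int]$MinAccountAgeDays = 90,
        [string]$CsvPath        = 'C:\test\test3.csv'
    )
    Import-Module ActiveDirectory
    $createdBefore = (Get-Date).AddDays(-$MinAccountAgeDays)
    # Ask only for the attributes the report needs instead of -Properties *
    $properties = 'Name','SamAccountName','Enabled','LastLogonDate','whenCreated',
                  'PasswordLastSet','Description','DistinguishedName'

    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
        Where-Object { $_.Enabled } |
        Get-ADUser -Properties $properties |
        Where-Object { $_.whenCreated -le $createdBefore } |
        Select-Object Name, SamAccountName, LastLogonDate, whenCreated, PasswordLastSet, Description,
            @{ Name = 'OUPath'; Expression = { ConvertTo-OUPath -DistinguishedName $_.DistinguishedName } },
            DistinguishedName |
        Export-Csv -Path $CsvPath -NoTypeInformation
}

# Constructed sample DNs (not real directory data) so the conversion can be tried offline:
'CN=jdoe,OU=AP,OU=Finance,OU=Corp Users,DC=corp,DC=example,DC=com',
'CN=Doe\, Jane,OU=Sales,DC=corp,DC=example,DC=com' | ConvertTo-OUPath
```

Running the last two lines without a domain connection is enough to check the formatting: the first sample DN becomes corp\Corp Users\Finance\AP\jdoe and the second keeps the comma in the user's name rather than splitting on it. Get-StaleEnabledUserReport needs the domain and is a straight replacement for the script in the question with the OUPath column added.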