Get-ADUser multiple query

  • Question

  • I currently want to list all users within Active Directory that are a member of GroupA or GroupB AND the Account Enabled = False (disabled) OR it has an Expiration date before today's date

    Below is a script I am using, and it appears to be returning every user account regardless of whether they are part of GroupA or GroupB (I change the group -Identity each time)

    I have no idea why the Get-ADGroupMember is not piping to the Get-ADUser

    Get-ADgroupmember  -identity "GroupA" |  Get-ADUser -Filter * -Properties * | ? { `
    ($_.Enabled -EQ $False) -OR `
    ($_.AccountExpirationDate -ne $NULL -AND $_.AccountExpirationDate -LT (Get-Date)) }  | select displayname, samaccountname, enabled, created, distinguishedname| ft

    I tried to adjust the script like below which also fails

    Get-ADUser -Filter * -Properties * | ? {{$_.memberof -eq "GroupA"} or {$_.member of "GroupB"} -and {( $_.Enabled -EQ $False) -OR ($_.AccountExpirationDate -NE $NULL -AND $_.AccountExpirationDate -LT (Get-Date)) }} 

    Any advice would be welcome

    Friday, July 14, 2017 2:44 PM

Answers

  • Get-ADgroupmember GroupA | 
    	Where{$_.objectClass -eq 'User'} |
    	Get-ADUser -Properties displayname, created, AccountExpirationDate |
    	Where-Object{ $_.Enabled -eq $false -and $_.AccountExpirationDate -and $_.AccountExpirationDate -lt [datetime]::Today } |
    	Select-Object displayname, samaccountname, enabled, created, distinguishedname | 
    	Format-Table
    


    \_(ツ)_/

    Friday, July 14, 2017 3:17 PM

All replies

  • The memberOf attribute is a collection of distinguished names. No entry will equal "GroupA" or "GroupB". Either specify the full distinguished names, or use the -Like operator and the "*" wildcard character.

    It would be more efficient to filter, rather than pipe to a Where clause, but then only the -eq (and -ne) operator is supported with DN attributes like memberOf, and you must specify the full distinguishedName.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Friday, July 14, 2017 3:08 PM
  • Thanks

    This did the job, I just changed the Account Enabled = False OR Account ExpirationDate as it appears we have users who have disabled accounts that have no expiration or expired accounts with enabled set to true

    Barrie

    Friday, July 14, 2017 3:30 PM
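Added example for this thread, not code posted by any participant. It combines the accepted answer with Richard Mueller's point (memberOf holds distinguished names, so filter on the group's DN, server-side) and the final condition Barrie ended up using (disabled OR expired), and it covers both groups at once. GroupA and GroupB are the thread's placeholder names; the -IncludeNested switch and the script file name in the usage note are assumptions.

```powershell
# Added example for this thread, not code posted by any participant.
# Lists users who are members of GroupA or GroupB (placeholder names from the
# thread) AND are either disabled OR have an expiration date in the past.
# memberOf holds distinguished names, so each group is resolved to its DN and
# the comparison runs server-side with -LDAPFilter instead of a client-side Where.
param(
    [string[]]$GroupName = @('GroupA', 'GroupB'),   # assumed group names
    [switch]$IncludeNested                          # also match via nested groups
)

Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a DN containing ( ) * or \ cannot break the filter.
    param([string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# Resolve each group to its DN; a misspelled group name fails here, loudly,
# instead of silently matching nothing.
$groupDns = foreach ($name in $GroupName) {
    (Get-ADGroup -Identity $name -ErrorAction Stop).DistinguishedName
}

# LDAP_MATCHING_RULE_IN_CHAIN walks nested membership; plain memberOf is direct only.
$memberOfAttr = if ($IncludeNested) { 'memberOf:1.2.840.113556.1.4.1941:' } else { 'memberOf' }
$groupClause = ($groupDns | ForEach-Object { "($memberOfAttr=$(ConvertTo-LdapFilterValue $_))" }) -join ''

# accountExpires is a FILETIME (100 ns ticks since 1601). 0 and 2^63-1 both mean
# "never expires", so "expired" is 1 <= accountExpires <= now.
$nowFileTime = (Get-Date).ToFileTimeUtc()

# userAccountControl bit 2 (ACCOUNTDISABLE) is tested with LDAP_MATCHING_RULE_BIT_AND.
$ldapFilter = '(&(objectCategory=person)(objectClass=user)' +
              "(|$groupClause)" +
              '(|(userAccountControl:1.2.840.113556.1.4.803:=2)' +
              "(&(accountExpires>=1)(accountExpires<=$nowFileTime))))"

Get-ADUser -LDAPFilter $ldapFilter -Properties displayName, created, AccountExpirationDate |
    Select-Object displayName, samAccountName, enabled, created, AccountExpirationDate, distinguishedName |
    Sort-Object samAccountName |
    Format-Table -AutoSize
```

Save it as, for example, Find-StaleGroupMembers.ps1 and run `.\Find-StaleGroupMembers.ps1 -GroupName GroupA, GroupB -IncludeNested`. The whole condition is evaluated by the domain controller, so only the matching accounts come back over the wire; Enabled and AccountExpirationDate in the output are the cmdlet's own conversions of userAccountControl and accountExpires, so they can be checked against the raw filter if a result looks wrong.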