How is it possible to interrogate the AD users that are NOT members of the specific OUs listed?

  • Question

  • People,

    I need some help in modifying the AD OU filter above to exclude the AD user accounts that are located in the OUs in the list.

    This is the script I have tried, but the result always contains user accounts in those OUs.

    $filter = "(Enabled -eq 'true') -and ((mail -notlike '*') -or (company -notlike '*') -or (l -notlike '*') -or (physicalDeliveryOfficeName -notlike '*') -or (title -notlike '*') -or ( (telephoneNumber -notlike '*') -and (mobile -notlike '*')) )"
    $properties = @('mail', 'physicalDeliveryOfficeName', 'Company', 'DisplayName', 'title', 'SamAccountName', 'CanonicalName', 'lastlogondate', 'mobile', 'telephoneNumber', 'l', 'Whencreated')
    $domainDN = (Get-ADDomain).DistinguishedName

    $excludeOUs = @(
        'OU=Disabled Users,DC=GlobalCorp,DC=com'
        'OU=GlobalCorp Testing,DC=GlobalCorp,DC=com'
        'OU=Admin Accounts,OU=GlobalCorp Global,DC=GlobalCorp,DC=com'
        'OU=Service Accounts,OU=GlobalCorp Global,DC=GlobalCorp,DC=com'
        'OU=Shared Mailboxes,OU=GlobalCorp Global,DC=GlobalCorp,DC=com'
    )

    Get-ADUser -Filter $filter -Properties $properties -SearchBase $domainDN |
        Select-Object -Property `
            DisplayName,
            Company,
            Title,
            TelephoneNumber,
            Mobile,
            PhysicalDeliveryOfficeName,
            SamAccountName,
            Mail,
            @{n = 'OU'; e = { $_.CanonicalName.Remove($_.CanonicalName.LastIndexOf($_.Name) - 1) } },
            @{n = 'CN'; e = { Split-Path $_.CanonicalName -Parent } },
            @{n = 'ParentContainer'; e = { $_.DistinguishedName -replace '^CN=.*?(?=CN|OU)' } },
            LastLogondate,
            WhenCreated |
        Where-Object {
            ($excludeOUs -notcontains $_.ParentContainer) -and
            ($_.SamAccountName -notmatch '^(Temp|Kiosk|HealthMailbox|SVC|Test|admin|\$') -and
            ($_.DisplayName -notmatch 'Admin|Calendar|Room')
        } |
        ConvertTo-HTML | Set-Variable HTMLBody

    # Double quotes so "`n" is a real newline rather than the literal characters `n
    Send-MailMessage -SmtpServer SMTP.GlobalCo.com -From "$env:COMPUTERNAME@$env:userdnsdomain" -To Admin@MSP.com -Subject "AD User Incomplete report as at $((Get-Date).ToString('dd-MM-yyyy'))" -Body ($HTMLBody -join "`n") -BodyAsHTML
    

    Any help would be greatly appreciated.

    Thank you in advance.


    /* Server Support Specialist */

    Monday, October 14, 2019 6:38 AM

All replies

  • You have failed to say what the issue is.


    \_(ツ)_/

    Monday, October 14, 2019 6:47 AM
  • Hi OP, your script is working perfectly after adding a ")" in Where-Object:

    ($_.SamAccountName -notmatch '^(Temp|Kiosk|HealthMailbox|SVC|Test|admin|\$)') -and

    • Proposed as answer by Gijs Kerstens Monday, October 14, 2019 12:12 PM
    Monday, October 14, 2019 11:48 AM
  • If I understand your question correctly, and if you put the OUs to be excluded in variables, then this might lead you to your destination:

    # Both conditions must hold: the user is outside $ou1 AND outside $ou2
    Get-ADUser -Filter "*" | Where-Object { ($_.DistinguishedName -notlike "*$ou1*") -and ($_.DistinguishedName -notlike "*$ou2*") }

    GD

    • Proposed as answer by Gudakesh (GD) Monday, October 14, 2019 12:33 PM
    Monday, October 14, 2019 12:33 PM
  • You have failed to say what the issue is.


    \_(ツ)_/

    Hi @JRV,

    The issue here is that the OU I have consists of smaller sub-companies in different regions, hence each of those companies has its own Service Accounts, Shared Mailboxes, Meeting Rooms, etc.

        'OU=GlobalCorp Testing,DC=GlobalCorp,DC=com',
        'OU=HeadOffice,OU=Shared Mailboxes,DC=GlobalCorp,DC=com',
        'OU=Branch1,OU=Shared Mailboxes,DC=GlobalCorp,DC=com',
        'OU=Branch2,OU=Shared Mailboxes,DC=GlobalCorp,DC=com',
        'OU=Branch3,OU=Shared Mailboxes,DC=GlobalCorp,DC=com',

        'OU=Service Accounts,DC=GlobalCorp,DC=com',
        'OU=Service Accounts,OU=Users,OU=Branch1,DC=GlobalCorp,DC=com',
        'OU=Service Accounts,OU=Users,OU=Branch2,DC=GlobalCorp,DC=com',
        'OU=Service Accounts,OU=Users,OU=Branch3,DC=GlobalCorp,DC=com',

        'OU=Administrative Accounts,DC=GlobalCorp,DC=com',
        'OU=Developer Accounts,DC=GlobalCorp,DC=com',
        'OU=Disabled Users,DC=GlobalCorp,DC=com',
        'OU=Domain Admin Accounts,DC=GlobalCorp,DC=com',
        'OU=External Service Accounts,DC=GlobalCorp,DC=com'

    How do I properly exclude the AD users from the above OU structure?


    /* Server Support Specialist */

    Tuesday, October 15, 2019 4:26 AM
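An added example, written for this thread and not posted by anyone in it: it keeps the OP's `$excludeOUs` idea but matches each user's DistinguishedName by suffix against the excluded OU list, so accounts in nested sub-OUs (the per-branch Shared Mailboxes and Service Accounts OUs above) are excluded as well; the original `-notcontains` check only compared the immediate parent container for an exact match, which is why nested accounts kept appearing in the report. It runs offline on constructed sample objects; the Get-ADUser hook-up is shown in a comment.

```powershell
# Excludes users whose DN sits in, or anywhere below, one of the listed OUs.
# Listing a parent OU (e.g. Shared Mailboxes) covers every OU nested under it.
$excludeOUs = @(
    'OU=GlobalCorp Testing,DC=GlobalCorp,DC=com'
    'OU=Shared Mailboxes,DC=GlobalCorp,DC=com'   # covers HeadOffice and Branch1..3 beneath it
    'OU=Service Accounts,DC=GlobalCorp,DC=com'
    'OU=Service Accounts,OU=Users,OU=Branch1,DC=GlobalCorp,DC=com'
    'OU=Disabled Users,DC=GlobalCorp,DC=com'
)

function Test-InExcludedOU {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string[]]$ExcludedOU
    )
    foreach ($ou in $ExcludedOU) {
        # A user in $ou, or in any OU nested under it, has a DN ending in ",$ou".
        # .EndsWith is used instead of -like so that '*', '?' or '[' in an OU name
        # are not treated as wildcards; DNs compare case-insensitively.
        if ($DistinguishedName.EndsWith(",$ou", [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Constructed sample objects standing in for Get-ADUser output (hypothetical accounts).
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';     DistinguishedName = 'CN=John Doe,OU=Users,OU=Branch1,DC=GlobalCorp,DC=com' }
    [pscustomobject]@{ SamAccountName = 'svc_sql';  DistinguishedName = 'CN=svc_sql,OU=Service Accounts,OU=Users,OU=Branch1,DC=GlobalCorp,DC=com' }
    [pscustomobject]@{ SamAccountName = 'room1';    DistinguishedName = 'CN=Room 1,OU=Branch2,OU=Shared Mailboxes,DC=GlobalCorp,DC=com' }
    [pscustomobject]@{ SamAccountName = 'old_user'; DistinguishedName = 'CN=Smith\, Jane,OU=Disabled Users,DC=GlobalCorp,DC=com' }
)

# Only jdoe survives: the other three sit in or under an excluded OU.
$kept = $sampleUsers | Where-Object { -not (Test-InExcludedOU $_.DistinguishedName $excludeOUs) }
$kept | Select-Object SamAccountName, DistinguishedName

# Against the directory, replace $sampleUsers with
#   Get-ADUser -Filter $filter -Properties $properties -SearchBase $domainDN
# and put the same Where-Object before the Select-Object / ConvertTo-HTML stage,
# so the exclusion works on DistinguishedName rather than the derived ParentContainer.
```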
  • Posted the answer in one of the other forums you asked this in.


    \_(ツ)_/

    Tuesday, October 15, 2019 4:55 AM