Powershell - check user account status and OU path

  • Question

  • Hi guys

    I have the following powershell script that checks Samaccountname against a predefined list.  

    Get-Content C:\users.txt | Get-ADUser | select SamAccountName,Enabled | Export-Csv C:\AcctStatus.csv -NoTypeInformation

    The output indicates if the accounts are either enabled (TRUE) or disabled (FALSE).

    I would like to know exactly which OU each account lives in AD and the last login time of each account. 

    Thanks 

    Ivan



    • Edited by Ivan Davids Friday, October 30, 2015 7:24 AM
    Friday, October 30, 2015 7:18 AM

All replies

  • Hi Ivan,

    lastLogonTimestamp and DistinguishedName should give you the required details.

    Normally we can convert lastLogonTimestamp with w32tm; find the below example:-

    The command

    w32tm.exe /ntte 128271382742968750


    Regards,

    Satyajit

    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    Friday, October 30, 2015 7:39 AM
  • Hi Satyajit

    Thanks for your response. I've tried both options and there is no data displayed under the lastLogonTimestamp column.

    Everything else seems fine


     

    Friday, October 30, 2015 7:55 AM
  • Get-Content C:\users.txt | Get-ADUser -properties LastLogonDate | select SamAccountName,Enabled,LastLogonDate,DistinguishedName | Export-Csv C:\AcctStatus.csv -NoTypeInformation
    LastLogonDate gives you the formatted datetime you're looking for, but you have to define it as a property with get-aduser.

    Cheers,

    Ruud
    Blog: www.ruudborst.nl
    Note: Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    • Marked as answer by Ivan Davids Friday, October 30, 2015 9:17 AM
    Friday, October 30, 2015 9:13 AM
  • Works like a charm!! Is there a way to add multiple properties in get-aduser? i.e. Get-ADUser -properties LastLogonDate,EmployeeID

    Friday, October 30, 2015 9:22 AM
  • That's no problem, of course the property has to exist as an AD attribute.

    Try 'get-aduser -properties *' on a user and see for yourself which one you want to use. The reason why the wildcard is not used by default is because of performance issues when you query a large number of users.


    Cheers,

    Ruud

    • Marked as answer by Ivan Davids Friday, October 30, 2015 10:10 AM
    Friday, October 30, 2015 9:40 AM
  • tried it and it works great! 

    one last question (I hope)... we are making use of the "Manager" field in AD... and I can see the results in the output of the query... however it shows the full DN of the "Manager" field and not just the manager Name.

    If I look in the user properties in AD there is a NAME option, but it (friendly name for manager) does not exist when I look at the object in ADSEDIT...

    and the result displays the distinguishedName... so is it possible to display the manager CN ? 


    Friday, October 30, 2015 10:08 AM
  • The manager shows up like that DN only.

    You need to use Get-ADUser on the manager attribute to get only the name or CN.

    This is something called Custom \ Calculated Properties.

    PS > get-aduser satyajit -Properties manager | select Name,manager
    
    Name                                                   manager
    ----                                                   -------
    satyajit                                               CN=John,OU=Users,DC=contoso,DC=com
    
    
    PS > get-aduser satyajit -Properties manager | select Name,@{n='manager';e={$(Get-ADuser $_.Manager).Name}}
    
    Name                                                   manager
    ----                                                   -------
    satyajit                                               John

    Hope you get that it would be slower for 2x calls.

    ---------------------------------------------------------------------------------------------------------------

    Regards,

    Satyajit

    • Edited by Satyajit321 Friday, October 30, 2015 10:43 AM
    • Marked as answer by Ivan Davids Friday, October 30, 2015 11:04 AM
    Friday, October 30, 2015 10:28 AM
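
The pieces discussed in this thread combined into one report, as an added example that is not code from any of the posters: it requests the non-default properties explicitly, derives the OU from the DistinguishedName, converts the raw lastLogonTimestamp in PowerShell instead of w32tm, and caches manager lookups so the second Get-ADUser call runs once per manager. The helper names Get-ParentContainer and ConvertFrom-LogonTimestamp and the columns Found, OU and LastLogonUtc are assumptions made for this illustration.

```powershell
# Added example (not from the thread). Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Hypothetical helper: parent container of a DN. Drops the first RDN and
# does not split on commas escaped as "\," inside a CN.
function Get-ParentContainer([string]$DistinguishedName) {
    ($DistinguishedName -split '(?<!\\),', 2)[1]
}

# Hypothetical helper: raw lastLogonTimestamp is 100 ns ticks since
# 1601-01-01 UTC; an empty or 0 value means no logon is recorded.
function ConvertFrom-LogonTimestamp($Value) {
    if ($Value) { [DateTime]::FromFileTimeUtc([int64]$Value) }
}

$managerCache = @{}   # manager DN -> Name, so each manager is queried once

Get-Content C:\users.txt | Where-Object { $_.Trim() } | ForEach-Object {
    # Same columns for every row, so Export-Csv gets a stable header
    $row = [ordered]@{
        SamAccountName = $_.Trim(); Found = $false; Enabled = $null
        LastLogonDate = $null; LastLogonUtc = $null; OU = $null; Manager = $null
    }
    try {
        $u = Get-ADUser -Identity $row.SamAccountName -ErrorAction Stop `
                -Properties LastLogonDate, lastLogonTimestamp, Manager
        $row.Found         = $true
        $row.Enabled       = $u.Enabled
        $row.LastLogonDate = $u.LastLogonDate
        $row.LastLogonUtc  = ConvertFrom-LogonTimestamp $u.lastLogonTimestamp
        $row.OU            = Get-ParentContainer $u.DistinguishedName
        if ($u.Manager) {
            if (-not $managerCache.ContainsKey($u.Manager)) {
                $managerCache[$u.Manager] = (Get-ADUser -Identity $u.Manager).Name
            }
            $row.Manager = $managerCache[$u.Manager]
        }
    } catch {
        # Names that do not resolve stay in the report with Found = False
        Write-Warning "Lookup failed for $($row.SamAccountName): $_"
    }
    [pscustomobject]$row
} | Export-Csv C:\AcctStatus.csv -NoTypeInformation
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which by default can lag a real logon by up to about 14 days, so treat both columns as approximate when reviewing stale or disabled accounts.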
  • Yes, like Satyajit said, add '@{n='manager';e={$(Get-ADuser $_.Manager).Name}}' to the select statement, you can change name to something else.

    Cheers,

    Ruud


    • Edited by Ruud BorstMVP Friday, October 30, 2015 10:53 AM
    • Marked as answer by Ivan Davids Friday, October 30, 2015 11:04 AM
    Friday, October 30, 2015 10:53 AM
  • Thanks for your help guys!
    Friday, October 30, 2015 11:04 AM
  • No problem at all Ivan, good luck learning PowerShell!

    Cheers,

    Ruud

    Friday, October 30, 2015 12:33 PM