Export Disabled AD user accounts outside specific OU only to .CSV not working?

  • Question

  • Hi People,

    I have created the below PowerShell script, but the result is not always correct.

    $filter = '(Enabled -eq $false)'
    $ResultDirectory = 'C:\Disabled-ADAccountOutsideOU.csv'
    $domainDN = (Get-ADDomain).DistinguishedName
    
    $excludeOUs = @(
        'OU=Site1,OU=Disabled Users'
        'OU=Site2,OU=Disabled Users'
        'OU=SiteX,OU=Disabled Users'
    ) | ForEach-Object { $_ + ',' + $domainDN }
    Get-ADUser -Filter $filter -Properties * |
        Where-Object { ($_.SamAccountName.Length -eq 7) -and ($excludeOUs -notcontains $_.ParentContainer) } |
        Select-Object -Property SamAccountName, Enabled, @{ n = 'ParentContainer'; e = { $_.DistinguishedName -replace '\A.*?,(?=(CN|OU|DC)=)' } }, CanonicalName, lastlogondate |
        Export-Csv -NoTypeInformation -Path $ResultDirectory


    Expected: Only export the Disabled AD account outside the Excluded OU lists to .CSV file.

    Result:

    • Some OU like CN=Users, DC=Domain, DC=com which also have some Disabled AD accounts are skipped or not even checked?
    • The exported .CSV also still contains the Disabled AD account from OU=SiteX, OU=Disabled Users and some other in the Excluded OU?

    Thank you in advance.


    /* Server Support Specialist */


    Tuesday, November 20, 2018 5:03 AM

Answers

  • Order is necessary.

    Get-ADUser -Filter $filter -Properties * |
        Select-Object -Property SamAccountName, Enabled, @{ n = 'ParentContainer'; e = { $_.DistinguishedName -replace '\A.*?,(?=(CN|OU|DC)=)' } }, CanonicalName, lastlogondate |
        Where-Object { ($_.SamAccountName.Length -eq 7) -and ($excludeOUs -notcontains $_.ParentContainer) } |
        Export-Csv -NoTypeInformation -Path $ResultDirectory


    \_(ツ)_/

    Tuesday, November 20, 2018 5:34 AM
  • Length -eq 7?


    \_(ツ)_/

    Tuesday, November 20, 2018 6:05 AM

All replies

  • Please do not post colorized code. Use the code posting tool provided.


    \_(ツ)_/

    Tuesday, November 20, 2018 5:06 AM
  • OK, it has been edited.
    I'm still baffled as to why the result is not running correctly?

    /* Server Support Specialist */

    Tuesday, November 20, 2018 5:08 AM
  • Order is necessary.

    Get-ADUser -Filter $filter -Properties * |
        Select-Object -Property SamAccountName, Enabled, @{ n = 'ParentContainer'; e = { $_.DistinguishedName -replace '\A.*?,(?=(CN|OU|DC)=)' } }, CanonicalName, lastlogondate |
        Where-Object { ($_.SamAccountName.Length -eq 7) -and ($excludeOUs -notcontains $_.ParentContainer) } |
        Export-Csv -NoTypeInformation -Path $ResultDirectory


    \_(ツ)_/

    Tuesday, November 20, 2018 5:34 AM
  • Hi JRV,

    Yes, that does make sense.

    However, the Disabled AD account in the Users Container is still not reported?

    How to include this CN: CN=Users,DC=Domain,DC=com


    /* Server Support Specialist */

    Tuesday, November 20, 2018 5:55 AM
  • Length -eq 7?


    \_(ツ)_/

    Tuesday, November 20, 2018 6:05 AM
  • Yes, now it works well.
    That was the filter for the AD account with the name equals 7 characters :-)

    /* Server Support Specialist */

    Tuesday, November 20, 2018 6:09 AM
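
The two points raised in the thread ("Order is necessary" and "Length -eq 7?") can be reproduced without a domain. This is an added example, not code from any poster: the accounts, the `Sales` OU and the variable names `$users`, `$parent`, `$filterFirst`, `$selectFirst` and `$withLength` are constructed for illustration, and it assumes strict mode is off so that a missing property reads as `$null`.

```powershell
# Constructed sample objects standing in for Get-ADUser output (no AD needed).
$domainDN = 'DC=Domain,DC=com'
$excludeOUs = @(
    'OU=Site1,OU=Disabled Users'
    'OU=SiteX,OU=Disabled Users'
) | ForEach-Object { $_ + ',' + $domainDN }

$users = @(
    [pscustomobject]@{ SamAccountName = 'abc1234'; DistinguishedName = "CN=abc1234,OU=SiteX,OU=Disabled Users,$domainDN" }
    [pscustomobject]@{ SamAccountName = 'def5678'; DistinguishedName = "CN=def5678,OU=Sales,$domainDN" }
    [pscustomobject]@{ SamAccountName = 'Guest';   DistinguishedName = "CN=Guest,CN=Users,$domainDN" }
    # Escaped comma inside the CN: the lazy match plus lookahead still stops
    # at the first comma that is followed by CN=, OU= or DC=.
    [pscustomobject]@{ SamAccountName = 'ghi9012'; DistinguishedName = "CN=Doe\, Jane,OU=Site1,OU=Disabled Users,$domainDN" }
)

# Same calculated property as in the thread: strip the leading RDN from the DN.
$parent = @{ n = 'ParentContainer'; e = { $_.DistinguishedName -replace '\A.*?,(?=(CN|OU|DC)=)' } }

# Question's order: ParentContainer does not exist on the input objects yet,
# so the test compares against $null, is always true, and excludes nothing.
$filterFirst = $users |
    Where-Object { $excludeOUs -notcontains $_.ParentContainer } |
    Select-Object SamAccountName, $parent

# Answer's order: calculate the property first, then filter on it.
$selectFirst = $users |
    Select-Object SamAccountName, $parent |
    Where-Object { $excludeOUs -notcontains $_.ParentContainer }

# The length test from the thread additionally drops any account whose
# SamAccountName is not exactly 7 characters, here the one in CN=Users.
$withLength = $selectFirst | Where-Object { $_.SamAccountName.Length -eq 7 }

'Where-Object first : ' + ($filterFirst.SamAccountName -join ', ')
'Select-Object first: ' + ($selectFirst.SamAccountName -join ', ')
'With Length -eq 7  : ' + ($withLength.SamAccountName -join ', ')
```

When auditing for disabled accounts left outside the designated OUs, compare the row count of the export against a plain count of disabled accounts so that a filter that silently matches nothing, or everything, is noticed.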