Get-ADGroupMember by different criteria

  • Question

  • I've got the following code working to list AD group members by specific group and retrieve their properties. I need to create a report though and separate it into three separate sections - accounts logged in within 30 days, accounts not logged in within 30 days, and disabled accounts.

    Get-ADGroupMember My_Group | Get-ADUser -Properties samaccountname, emailaddress, description, lastlogondate | Select samaccountname, emailaddress, description, lastlogondate
    
    

    When I've run it off as well I plan to convert the output to HTML and email the report. Emailing it is straightforward and converting it to HTML seems so as well using the -fragment switch and a bit of CSS.

    What's the best way to go about separating the listed members into three categories while keeping the existing working code? For example, adding a 'where account disabled' to the end of that line. Or 'where last logged on' meets a certain criteria? I could run the command three times or perform an operation on just the one. It'd run once a month overnight against less than 100 users so no massive performance hit.

    Thanks in advance

    Tuesday, April 1, 2014 8:13 AM

All replies

  • Hi AJ,

    I'd recommend storing the output of Get-ADGroupMember | Get-ADUser into a variable (let's call it $users). Then I'd separate the contents of that variable with three separate Where commands like this:

    $users | Where {[condition]} | Select [Properties you want]

    Either store this into another variable or pipe it directly into file-output.

    Cheers,
    Fred

    P.S.: I'd go the extra mile and care about script performance, even if your environment doesn't really require it - it helps avoid falling into bad habits. You may some day be required to care about performance scaling after all :)


    There's no place like 127.0.0.1

    Tuesday, April 1, 2014 9:21 AM
  • Of the three commands I need, I've got the following two working:

    #get-aduser by group
    Get-ADGroupMember Standard_Accounts | Get-ADUser -Properties samaccountname, emailaddress, description, lastlogondate | select samaccountname, emailaddress, description, lastlogondate


    #list disabled accounts
    Get-ADGroupMember Standard_Accounts | Get-ADUser -Properties samaccountname, emailaddress, description, lastlogondate | Where-Object {$_.enabled -ne "True"} | select samaccountname, emailaddress, description, lastlogondate
    


    The third doesn't work for me because I can't pipe Get-ADGroupMember into Search-ADAccount then use the -AccountInactive switch.

    #list accounts not logged on within 30 days
    Search-ADAccount -AccountInactive -TimeSpan 30.00:00:00 | Where {$_.Enabled} | Get-ADUser -Properties samaccountname, emailaddress, description, lastlogondate | select samaccountname, emailaddress, description, lastlogondate

    Can anyone advise me on how to limit Search-ADAccount to the members of the group as per the previous two lines of code, or possibly a different approach maybe keeping it as a one-liner?

    Thanks



    Tuesday, April 1, 2014 12:16 PM
  • Hi AJ,

    Why use Search-ADAccount when you've already got Get-ADUser? Let's see ...

    # Get all Members
    $Users = Get-ADGroupMember Standard_Accounts | Get-ADUser -Properties samaccountname, emailaddress, description, lastlogondate
    
    # Select disabled users
    $Users | Where {$_.Enabled -ne $true} | select samaccountname, emailaddress, description, lastlogondate
    
    # Select Users that haven't logged in in some time
    $Users | Where {$_.LastLogonDate -lt (Get-Date).AddDays(-90)} | select samaccountname, emailaddress, description, lastlogondate
    
    # Select Users that have logged in recently
    $Users | Where {$_.LastLogonDate -ge (Get-Date).AddDays(-90)} | select samaccountname, emailaddress, description, lastlogondate

    That way you only search once and filter out those results 3 times.

    Cheers,
    Fred


    There's no place like 127.0.0.1

    • Proposed as answer by Mike Laughlin Tuesday, April 1, 2014 2:33 PM
    • Marked as answer by AnnaWY Sunday, April 13, 2014 8:54 AM
    Tuesday, April 1, 2014 2:12 PM
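
The query-once, filter-three-times approach from the accepted answer, as an added example that is not part of the original thread: it splits the members into three sections that do not overlap, using the 30-day threshold from the question, and renders them with `ConvertTo-Html -Fragment`. The function names `Split-AccountReport` and `ConvertTo-AccountReportHtml`, the sample accounts and the output file name are assumptions made for illustration.

```powershell
function Split-AccountReport {
    param([object[]] $Users, [int] $Days = 30, [datetime] $Now = (Get-Date))
    $cutoff = $Now.AddDays(-$Days)
    $props  = 'SamAccountName', 'EmailAddress', 'Description', 'LastLogonDate'
    # Disabled accounts get their own section and are kept out of the other two.
    $disabled = @($Users | Where-Object { -not $_.Enabled })
    $enabled  = @($Users | Where-Object { $_.Enabled })
    # A $null LastLogonDate (no recorded logon) is counted as inactive explicitly
    # rather than relying on how $null compares with a date.
    $inactive = @($enabled | Where-Object { $null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff })
    $active   = @($enabled | Where-Object { $null -ne $_.LastLogonDate -and $_.LastLogonDate -ge $cutoff })
    [ordered]@{
        "Logged on within $Days days"     = @($active   | Select-Object $props)
        "Not logged on within $Days days" = @($inactive | Select-Object $props)
        'Disabled accounts'               = @($disabled | Select-Object $props)
    }
}

function ConvertTo-AccountReportHtml {
    param([System.Collections.IDictionary] $Sections)
    $body = foreach ($title in $Sections.Keys) {
        $rows = @($Sections[$title])
        "<h2>$title ($($rows.Count))</h2>"
        if ($rows.Count) { $rows | ConvertTo-Html -Fragment }
    }
    $css = '<style>table{border-collapse:collapse} td,th{border:1px solid #999;padding:4px}</style>'
    ConvertTo-Html -Head $css -Body $body
}

# Constructed sample objects; with real data use instead:
#   $users = Get-ADGroupMember Standard_Accounts | Where-Object objectClass -eq 'user' |
#            Get-ADUser -Properties EmailAddress, Description, LastLogonDate
$now = Get-Date
$users = @(
    [pscustomobject]@{ SamAccountName='alice'; EmailAddress='alice@example.test'; Description='Finance'; Enabled=$true;  LastLogonDate=$now.AddDays(-3) }
    [pscustomobject]@{ SamAccountName='bob';   EmailAddress='bob@example.test';   Description='Sales';   Enabled=$true;  LastLogonDate=$now.AddDays(-75) }
    [pscustomobject]@{ SamAccountName='carol'; EmailAddress='carol@example.test'; Description='Temp';    Enabled=$true;  LastLogonDate=$null }
    [pscustomobject]@{ SamAccountName='dave';  EmailAddress='dave@example.test';  Description='Leaver';  Enabled=$false; LastLogonDate=$now.AddDays(-2) }
)
# LastLogonDate comes from lastLogonTimestamp, which replicates with a lag of up to
# about 14 days by default, so treat the threshold as approximate.
$sections = Split-AccountReport -Users $users -Days 30 -Now $now
ConvertTo-AccountReportHtml $sections | Set-Content -Path .\account-report.html
```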