PowerShell Help - Query Users Across Multiple Domains

  • Question

  • Good afternoon all.

    I have tasked myself to create a script to assist our help desk unlock end user accounts. Yes, we currently still get users who call and request assistance in the old-fashioned way.

    What I am trying to attempt:

    • Input email address using $ADuser.mail. There's a reason we use email instead of SAMAccountName. That currently works.
    • Check if account is locked. If locked prompt to unlock the account and write output the account was unlocked.
    • If account not locked write output stating the account is not locked.
    I have a version shown below that currently works, but I need it to query throughout 3 domains which are all in the same forest.
    If I specify the domain and set $domain = "domain here" it works like a charm, but I need to have it check across 3 domains.
    I have tried with foreach domain in domains but this hasn't worked. I just thought I could have it query a broader area. To put it into perspective, I can go into ADUC and switch over to Entire Directory and from there manually search for users in my 3 domains, but I can't get the script to do it.
    Here is what I currently have:


    ##############################################################################

    $userEmail = Read-Host 'Enter email address'
    $domain = "domain here"
    # Mail is not in Get-ADUser's default property set, so request it with LockedOut.
    $ADuser = Get-ADUser -Filter 'Mail -eq $userEmail' -Properties LockedOut, Mail -Server $domain
    IF ($ADuser.LockedOut -eq $true)
    {
        Write-Warning -Message $('{0} is locked' -f $($ADuser.mail))
        # Keep prompting until the operator answers Y or N.
        do
        {
            $ans4 = Read-Host -Prompt 'Do you wish to unlock the account? (Y/N)'
        }
        while ($ans4 -notin 'Y','N')
        switch($ans4)
        {
            'Y'
            {
                $ADuser | Unlock-ADAccount -Server $domain -Confirm:$false
                Write-Host -ForegroundColor Green -Object $('{0} has been unlocked' -f $($ADuser.mail))
            }
            'N'
            {
                Write-Warning -Message $('{0} will NOT be unlocked' -f $($ADuser.mail))
            }
        }
    }
    ELSE
    {
        Write-Host -ForegroundColor Green $('{0} is NOT locked' -f $($ADuser.mail))
    }

    ##############################################################################

    What mechanism can I use so it searches 3 possible domains (within the same forest) for the users?

    I also tried with GCServer:3268, but I understand this is read-only, therefore it doesn't pick up whether the account is locked or not.
    Any help would be greatly appreciated.
    Thursday, August 13, 2020 10:07 PM

All replies

  • I have tried with foreach domain in domains but this hasn't worked. 

    I don't have a way to test this, but I don't see how your code works at all. The -Filter argument on Get-ADUser uses single quotes, which will not expand the $userEmail variable. You need to use double quotes.

    Looping through a foreach $domain is fairly easy. Try the code below.

    Also note that the PS in PSTools is not "PowerShell". PowerShell has moved to the new MS Q&A.

    https://social.technet.microsoft.com/Forums/en-US/3069af6c-e7ef-4ce1-8232-d15654fa2cc5/announcement-8220windows-powershell8221-forum-will-be-migrating-to-a-new-home-on-microsoft?forum=winserverpowershell

    #############################################################################
    $domains = "domain1","domain2","domain3"
    $userEmail = Read-Host 'Enter email address'
    $locked = $false
    foreach ($domain in $domains) {
        # Mail is not returned by default, so request it alongside LockedOut.
        $ADuser = Get-ADUser -Filter "Mail -eq $userEmail" -Properties LockedOut, Mail -Server $domain
        IF ($ADuser.LockedOut -eq $true)
        {
            $locked = $true
            Write-Warning -Message $('{0} is locked' -f $($ADuser.mail))
            # Keep prompting until the operator answers Y or N.
            do
            {
                $ans4 = Read-Host -Prompt 'Do you wish to unlock the account? (Y/N)'
            } while ($ans4 -notin 'Y','N')
            switch($ans4)
            {
                'Y'
                {
                    # Unlock against the domain where the account was found.
                    $ADuser | Unlock-ADAccount -Server $domain -Confirm:$false
                    Write-Host -ForegroundColor Green -Object $('{0} has been unlocked' -f $($ADuser.mail))
                }
                'N'
                {
                    Write-Warning -Message $('{0} will NOT be unlocked' -f $($ADuser.mail))
                }
            }
        }
    }
    # $ADuser only holds the result from the last domain queried, so report the
    # address that was entered rather than $ADuser.mail.
    if ($locked -eq $false)
    {
        Write-Host -ForegroundColor Green $('{0} is NOT locked' -f $userEmail)
    }
    ##############################################################################
    

    Thursday, August 13, 2020 11:41 PM
  • Thank you so much for the input and for taking the time to assist me on my way there.


    I tried running it and I noticed 2 things.


    I get these errors:

    Get-ADUser : Error parsing query: 'Mail -eq testemail@domain.com' Error Message: 'syntax error' at position: '10'.
    At line:5 char:12
    + ...   $ADuser = Get-ADUser -Filter "Mail -eq $userEmail" -Properties Lock ...
    +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ParserError: (:) [Get-ADUser], ADFilterParsingException
        + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADFilterParsingException,Microsoft.ActiveDirectory.Management.Commands.GetADUser

    I replaced the original with testemail@domain.com in the errors above.

    It will state the account is not locked and end even though it is.

    I know you mentioned not being able to test it fully but perhaps with the errors shown above you might help me decipher what is wrong. It seems to have issues with this line:

    $ADuser = Get-ADUser -Filter "Mail -eq $userEmail" -Properties LockedOut -Server $domain

    Thanks again!


    Friday, August 14, 2020 4:18 AM
  • EDIT:

    I fixed the parsing error by replacing line 10 with

    $ADuser = Get-ADUser -Filter 'Mail -eq $userEmail' -Properties LockedOut -Server $domain

    It apparently didn't like the double quotes.

    The thing is, it's still stating the account isn't locked, which it is. I wonder what it isn't reading correctly.

    Friday, August 14, 2020 5:07 AM
  • This example shows single quotes round the name. Try that.

    $domain = "myorg.com"
    $userEmail = "me@myorg.com"
    # Build the filter so the value ends up wrapped in single quotes: Mail -eq 'me@myorg.com'
    $filter = "Mail -eq '" + $userEmail + "'"
    $ADuser = Get-ADUser -Filter $filter -Properties LockedOut -Server $domain
    $ADuser | Format-List -Property *

    ...or...

    $domain = "myorg.com"
    $userEmail = "me@myorg.com"
    # Same result: the double-quoted string expands $userEmail inside the single quotes.
    $ADuser = Get-ADUser -Filter "Mail -eq '$userEmail'" -Properties LockedOut -Server $domain
    $ADuser | Format-List -Property *


    • Edited by MotoX80 Friday, August 14, 2020 12:51 PM
    Friday, August 14, 2020 12:48 PM
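    The following combines the ideas from this thread (loop over the domains, keep the filter single-quoted so the AD filter parser substitutes the variable as a value instead of splicing raw input into the filter text, unlock against the domain that actually holds the object rather than the read-only GC) into one script with input validation and an audit record. It is an added example, not code from any poster; it assumes the RSAT ActiveDirectory module, that Get-ADForest is permitted to enumerate the forest's domains, and an assumed log path in $AuditLog.

```powershell
# Added example (not from the thread): search every domain in the forest for one
# mail address, report the lock state, and unlock only after confirmation.
# Assumes RSAT ActiveDirectory and a help desk account delegated only the
# "unlock account" right; $AuditLog is an assumed path.
Import-Module ActiveDirectory
$AuditLog = 'C:\HelpDesk\unlock-audit.csv'

$userEmail = Read-Host 'Enter email address'
# Reject anything that is not shaped like an address before it reaches a query.
if ($userEmail -notmatch '^[^\s@]+@[^\s@]+\.[^\s@]+$') {
    Write-Warning "'$userEmail' is not a valid email address; nothing queried."
    return
}
# Ask the forest for its domains instead of hard-coding three names.
$domains = (Get-ADForest).Domains
$found = $null
foreach ($domain in $domains) {
    # Single-quoted filter: the AD filter parser substitutes $userEmail as a value,
    # so the address is never spliced into the filter text (no filter injection).
    $candidate = Get-ADUser -Filter 'Mail -eq $userEmail' -Properties LockedOut, Mail -Server $domain -ErrorAction SilentlyContinue
    if ($candidate) { $found = $candidate; $foundDomain = $domain; break }
}
if (-not $found) {
    Write-Warning "No account with mail '$userEmail' in: $($domains -join ', ')"
    return
}
if (-not $found.LockedOut) {
    Write-Host -ForegroundColor Green "$($found.Mail) in $foundDomain is NOT locked"
    return
}
Write-Warning "$($found.Mail) ($($found.DistinguishedName)) is locked"
do { $ans = Read-Host 'Unlock the account? (Y/N)' } while ($ans -notin 'Y','N')
if ($ans -eq 'Y') {
    # Target a DC of the domain that holds the object; the GC (3268) is read-only.
    Unlock-ADAccount -Identity $found -Server $foundDomain -Confirm:$false
    Write-Host -ForegroundColor Green "$($found.Mail) has been unlocked"
} else {
    Write-Warning "$($found.Mail) will NOT be unlocked"
}
# Audit trail: who did what to which object, so unlocks can be reviewed later.
[pscustomobject]@{
    Time     = (Get-Date).ToString('o')
    Operator = "$env:USERDOMAIN\$env:USERNAME"
    Target   = $found.DistinguishedName
    Domain   = $foundDomain
    Unlocked = ($ans -eq 'Y')
} | Export-Csv -Path $AuditLog -Append -NoTypeInformation
```

    Because the loop stops at the first match, an address that exists in more than one domain is only ever handled in the first domain Get-ADForest lists; check the DistinguishedName printed in the warning before answering Y.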