export disabled users that have mail attribute

  • Question

  • Hello. Thanks for the time. I have another question. I had 2 tasks. 1 to get a list of all disabled users in the last 90 days with no email attribute. I was able to achieve that. Next is to get a list of all disabled users in the last 90 days with a mail attribute only. I guess it sounds dumb that I got the first but not the second. I am just confused and hit a wall...

    I combed through and pieced this together for AD users with null mail attribute:

    $90Days= (get-date).adddays(-90)

    get-aduser -searchbase "OU=disabled,DC=corporation,dc=com" -filter {(lastlogondate -notlike "*" -OR lastlogondate -le $90Days) -AND (passwordlastset -le $90days) -AND (enabled -eq $false)} | where-object {$_.mail -eq $null} | select-object name,lastlogondate,passwordlastset,mail

    This one gives me all disabled users with or without mail attribute. I just want the ones with mail attributes:

    $90Days= (get-date).adddays(-90)
    get-aduser -searchbase "OU=disabled,DC=corporation,dc=com" -filter {(lastlogondate -notlike "*" -OR lastlogondate -le $90Days) -AND (passwordlastset -le $90days) -AND (enabled -eq $false)} -properties lastlogondate,passwordlastset,mail | select-object name,lastlogondate,passwordlastset,mail |Export-csv c:\scripts\disabled\aliases.csv

    Thanks for the efforts and input.

    Wednesday, July 17, 2013 5:53 AM

Answers

  • Have you tried adjusting the where-object statement in the first script to:

    where-object {$_.mail -ne $null}

    which will then retrieve all those users which DO have something listed in the mail attribute?

    One thing to note is that only tells you that something is listed in the mail attribute in AD, which doesn't necessarily mean they actually have a mailbox (you could for instance manually type someone's external email address in that field). To test it for certain you might try passing the filtered get-aduser listing to Get-Mailbox within a try/catch block to confirm if they really do exist. There may be a better way to do the Get-Mailbox test but unfortunately I couldn't find one.

    • Marked as answer by goof1427 Wednesday, July 17, 2013 2:25 PM
    Wednesday, July 17, 2013 6:41 AM
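
The mailbox check suggested in the answer above, as an added example that is not part of the original thread. It assumes the ActiveDirectory module and an Exchange Management Shell session (so that Get-Mailbox is available); the OU and CSV path are the ones from the question, `$cutoff` and `HasMailbox` are names chosen here, and the filter uses `mail -like "*"` as the presence test so that only accounts with a populated mail attribute are returned.

```powershell
# Added example: disabled, stale accounts that still carry a mail attribute,
# with a per-account check of whether Exchange really has a mailbox for them.
# Assumes the ActiveDirectory module and a loaded Exchange session.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-90)
$props  = 'LastLogonDate', 'PasswordLastSet', 'mail'

# mail is not returned by default, so it must be listed in -Properties.
# mail -like "*" is evaluated on the domain controller, not in the pipeline.
$users = Get-ADUser -SearchBase 'OU=disabled,DC=corporation,dc=com' -Properties $props -Filter {(LastLogonDate -notlike "*" -or LastLogonDate -le $cutoff) -and (PasswordLastSet -le $cutoff) -and (Enabled -eq $false) -and (mail -like "*")}

$report = foreach ($user in $users) {
    # A populated mail attribute does not prove a mailbox exists, so ask Exchange.
    $mbx = $null
    try {
        $mbx = Get-Mailbox -Identity $user.DistinguishedName -ErrorAction Stop
    }
    catch {
        # Lookup failed (typically: no mailbox for this identity); $mbx stays $null.
    }

    [pscustomobject]@{
        Name            = $user.Name
        LastLogonDate   = $user.LastLogonDate
        PasswordLastSet = $user.PasswordLastSet
        Mail            = $user.mail
        HasMailbox      = [bool]$mbx
    }
}

$report | Export-Csv 'C:\scripts\disabled\aliases.csv' -NoTypeInformation
```

Rows with a Mail value but HasMailbox set to False are the hand-typed or external addresses the answer warns about.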

All replies

  • Your first script actually gave you a false result.  By default Get-ADUser only returns certain attributes and when it gets to your Where-Object statement the mail property does not exist and it should've given you errors.

    This should work (untested since I'm at home without AD access):

    $90Days= (get-date).adddays(-90)
    Get-ADUser -searchbase "OU=disabled,DC=corporation,dc=com" -filter {(lastlogondate -notlike "*" -OR lastlogondate -le $90Days) -AND (passwordlastset -le $90days) -AND (enabled -eq $false) -AND (mail -eq '*')} -properties lastlogondate,passwordlastset,mail | Select-Object name,lastlogondate,passwordlastset,mail | Export-Csv c:\scripts\disabled\aliases.csv -NoTypeInformation

    Just add (mail -eq '*') in your filter and it should work.

    Wednesday, July 17, 2013 6:28 AM
  • Ha, simple as that.  -ne ... brilliant.

    Thanks Keith.  As for if they have a mailbox or not I'll let the helpdesk figure that part out. Have them work for something. :)

    What I could look to do is to remove that alias from the mailbox too. Automate everything!  I guess it could save hours of work for them.  Any ideas?

    Wednesday, July 17, 2013 2:29 PM