How do I modify this script?

rerhart 6 Reputation points
2021-10-01T15:49:21.02+00:00

I have this script that works nicely that shows me user accounts within an OU that are NOT part of a group. However, how do I update the script to?:

  1. Search multiple OUs.
  2. Do not show DISABLED user accounts.
  3. Do not show EXPIRED user accounts.
  4. Do not show user accounts from the NONVPN group.

$users = Get-ADUser -Filter * -SearchBase "OU=USA,DC=company,DC=com"
$group = "VPN"
$members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty Name
$users | ForEach-Object {
$user = $_.Name
If ($members -notcontains $user) {
Write-Host "Accounting OU: $user DOES NOT exist in the VPN group"
}}

Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,455 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Andreas Baumgarten 103.6K Reputation points MVP
    2021-10-01T16:45:42.517+00:00

    Hi @rerhart ,

    maybe this is helpful (not tested):

    # Get AD User with expiration date less than today   
    Get-ADUser $User -Properties * | Where-Object {$_.AccountExpirationDate -le (Get-Date)}  
    # Get enabled AD user only  
    Get-ADUser $User -Properties * | Where-Object {$_.Enabled -like “true”}  
    # Combined  
    Get-ADUser $User -Properties * | Where-Object {($_.AccountExpirationDate -le (Get-Date)) -and ($_.Enabled -like “true”)}  
    # Get-ADuser search Subtree of -Searchbase  
    Get-ADUser $User -Properties * -SearchBase "OU=USA,DC=company,DC=com" -SearchScope Subtree  
    # User not in Group  
    $notinGroup = get-adgroup "NONVPN "  
    Get-ADUser $User -Properties * | Where-Object {$notinGroup.DistinguishedName -notin $_.memberof}  
    

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten


  2. Rich Matheisen 45,831 Reputation points
    2021-10-01T19:28:50.613+00:00

    Something like this:

    $group = "VPN"
    $OU = "OU=USA,DC=company,DC=com"
    $now = (Get-Date).Date
    $members =  Get-ADGroupMember -Identity $group -Recursive | 
                    Select-Object -ExpandProperty distinguishedName
    Get-ADUser -Filter "enabled -eq 'true'" -SearchBase $OU |
        Where-Object {$_.accountexpirationdate -lt $now} |
            ForEach-Object {
                If ($members -notcontains $_.distinguishedname) {
                    Write-Host "Accounting OU: $($_.name) DOES NOT exist in the $group group"
                }
        }
    

  3. Rich Matheisen 45,831 Reputation points
    2021-10-01T21:42:35.353+00:00

    Try this:

    $vpn = "VPN"
    $nonvpn = "NONVPN"
    $OUs =  "OU=USA,DC=company,DC=com", "OU=Europe,DC=company,DC=com"
    $now = (Get-Date).Date  # accouns expiring today are NOT YET expired!
    $VPNmembers =  Get-ADGroupMember -Identity $vpn -Recursive | 
                    Select-Object -ExpandProperty distinguishedName
    $NONVPNmembers =  Get-ADGroupMember -Identity $nonvpn -Recursive | 
            Select-Object -ExpandProperty distinguishedName
    $OUs |
        Get-ADUser -Filter "enabled -eq 'true'" -SearchBase $_ |
            Where-Object { (-not $_.accountexpirationdate) -OR ($_.accountexpirationdate -gt $now) } |  # no expiry date or not expired
                ForEach-Object {
                    If ($vpnmembers -notcontains $_.distinguishedname -AND $nonvpmmembers -contains $_.distinguishedname) {
                        Write-Host "Accounting OU: $($_.name) is ENABLED, NOT expired, DOES NOT exist in the $vpn group, but DOES exits in $nonvpn group"
                    }
            }
    
    0 comments No comments