How do I modify this script?

Question

How do I modify this script?

rerhart 6

I have this script that works nicely that shows me user accounts within an OU that are NOT part of a group. However, how do I update the script to?:

Search multiple OUs.
Do not show DISABLED user accounts.
Do not show EXPIRED user accounts.
Do not show user accounts from the NONVPN group.

$users = Get-ADUser -Filter * -SearchBase "OU=USA,DC=company,DC=com"
$group = "VPN"
$members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty Name
$users | ForEach-Object {
$user = $_.Name
If ($members -notcontains $user) {
Write-Host "Accounting OU: $user DOES NOT exist in the VPN group"
}}

0 comments

3 answers

Your answer

Answer 1

Try this:

$vpn = "VPN"
$nonvpn = "NONVPN"
$OUs =  "OU=USA,DC=company,DC=com", "OU=Europe,DC=company,DC=com"
$now = (Get-Date).Date  # accouns expiring today are NOT YET expired!
$VPNmembers =  Get-ADGroupMember -Identity $vpn -Recursive | 
                Select-Object -ExpandProperty distinguishedName
$NONVPNmembers =  Get-ADGroupMember -Identity $nonvpn -Recursive | 
        Select-Object -ExpandProperty distinguishedName
$OUs |
    Get-ADUser -Filter "enabled -eq 'true'" -SearchBase $_ |
        Where-Object { (-not $_.accountexpirationdate) -OR ($_.accountexpirationdate -gt $now) } |  # no expiry date or not expired
            ForEach-Object {
                If ($vpnmembers -notcontains $_.distinguishedname -AND $nonvpmmembers -contains $_.distinguishedname) {
                    Write-Host "Accounting OU: $($_.name) is ENABLED, NOT expired, DOES NOT exist in the $vpn group, but DOES exits in $nonvpn group"
                }
        }

Answer 2

Rich Matheisen 48,116

Something like this:

$group = "VPN"
$OU = "OU=USA,DC=company,DC=com"
$now = (Get-Date).Date
$members =  Get-ADGroupMember -Identity $group -Recursive | 
                Select-Object -ExpandProperty distinguishedName
Get-ADUser -Filter "enabled -eq 'true'" -SearchBase $OU |
    Where-Object {$_.accountexpirationdate -lt $now} |
        ForEach-Object {
            If ($members -notcontains $_.distinguishedname) {
                Write-Host "Accounting OU: $($_.name) DOES NOT exist in the $group group"
            }
    }

rerhart 6 Reputation points

2021-10-01T20:10:01.707+00:00

Ok, thanks. That works partially. It is still outputting expired user accounts.
Also, how can I add that if they are NOT part of group "NONVPN", do not display in the output?

I also need to search about 3 specific OUs, but I can run this 3 times for that and change $OU.
Rich Matheisen 48,116 Reputation points

2021-10-01T21:20:53.003+00:00

Some clarification, please:

Are there one, or two groups involved? Your 1st code example had the group "VPN" in it. Now there's also a group named "NONVPN"?

The way you state the NONVPN condition is by using a double negative. Would it be clearer to say that if they ARE a member of the group NONVPN that the account should be listed?

There's no need to run the script three times, but it would have been good to completely state the requirements in the first place!

Answer 3

Andreas Baumgarten 132.1K MVP Volunteer Moderator

Hi @rerhart ,

maybe this is helpful (not tested):

# Get AD User with expiration date less than today   
Get-ADUser $User -Properties * | Where-Object {$_.AccountExpirationDate -le (Get-Date)}  
# Get enabled AD user only  
Get-ADUser $User -Properties * | Where-Object {$_.Enabled -like “true”}  
# Combined  
Get-ADUser $User -Properties * | Where-Object {($_.AccountExpirationDate -le (Get-Date)) -and ($_.Enabled -like “true”)}  
# Get-ADuser search Subtree of -Searchbase  
Get-ADUser $User -Properties * -SearchBase "OU=USA,DC=company,DC=com" -SearchScope Subtree  
# User not in Group  
$notinGroup = get-adgroup "NONVPN "  
Get-ADUser $User -Properties * | Where-Object {$notinGroup.DistinguishedName -notin $_.memberof}

----------

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

rerhart 6 Reputation points

2021-10-01T18:40:35.93+00:00

What I need is this:

List all ENABLED and NON Expired users from OU=USA and OU=Europe that are NOT members of VPN, but ARE members of NONVPN. I've got this script but still isn't giving me what I need....

$grp1 = (Get-ADGroup 'VPN').DistinguishedName
$grp2 = (Get-ADGroup 'NONVPN').DistinguishedName
$date = (Get-Date)
$filter="Enabled -eq '$true' -and AccountExpirationDate -lt '$date' -and memberof -notlike '$grp1' -and memberof -like '$grp2' "
Get-Aduser -Filter $filter -SearchBase "OU=USA,DC=company,DC=com" | Select Name
Get-Aduser -Filter $filter -SearchBase "OU=Europe,DC=company,DC=com" | Select Name
Andreas Baumgarten 132.1K Reputation points MVP Volunteer Moderator

2021-10-01T18:55:54.083+00:00

Hi @rerhart ,

what is missing or what is wrong? "but still isn't giving me what I need." could you please explain with a little more details what in detail is "wrong".

----------

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten
rerhart 6 Reputation points

2021-10-01T19:06:42.717+00:00

It is returning back Enabled/Expired users that are members of the NONVPN group. If User Account A is Enabled and not Expired, and NOT in VPN, but IS in NONVPN, I do not want to see his name in the results. I only need results for:

Enabled and not Expired users that are NOT in the VPN group... but if they ARE in NONVPN group, then do not show in the results.

...and I have about 2-3 specific OUs to search, not the entire domain.
Rich Matheisen 48,116 Reputation points

2021-10-01T19:34:08.797+00:00

The comparison on the expiration date should be "less than", not "less than or equal".

Accounts expire at the end of the day. So if the expiry date is today and you use the "-le" comparison operator with today's date you may get some unexpected accounts in the results.
Rich Matheisen 48,116 Reputation points

2021-10-01T19:37:53.087+00:00

I'm pretty sure the confusion came from your description and the code you used as an example. Easy enough to fix, though. Change the name of the group (in the code)!

Share via

How do I modify this script?

3 answers

Your answer