Hello. Looking for help with constructing a PowerShell script that will do the following csv file contains list of users (upn) PowerShell script reads all users from csv file (step1.) does a compare or hash table against users in three specific OU's in AD using (upn). The three specific OU's contain all of our vendor accounts If a match is found, extend account expiration + 90 days if a match is not found write the non matched accounts to a separate .csv file Thank you very much in advance for any help

Try something like this: $OUNames = "OU=1,OU=X,DC=domain,DC=tld", "OU=2,OU=Y,DC=domain,DC=tld", "OU=3,OU=X,DC=domain,DC=tld" Import-Csv C:\Junk\AllHands.csv | ForEach-Object{ $u = Get-ADUser -Filter "userPrincipalName -eq '$($_.UPN)'" -Properties AccountExpires,distinguishedName if ($u){ $OU = $u.DistinguishedName.Substring($u.DistinguishedName.IndexOf('OU=',[System.StringComparison]::CurrentCultureIgnoreCase)) if ($OUNames -contains $OU){ Set-ADAccountExpiration -Identity $u.distinguishedName -DateTime ([datetime]::fromfiletime($u.accountexpires)).AddDays(90) } else{ $_ } } else { $_ } } | Export-Csv C:\Junk\WhoAreThesePeople.csv -NoTypeInformation NOTE: I haven't run this code. You should try it first by adding the "-WhatIf" switch to the Set-ADAccountExpiration cmdlet until you're sure it does what you want!

Thank you very much. I appreciate your help! I will test in our lab

help with Poweshell compare\hashtable

Accepted answer

Rich Matheisen 44,776 Reputation points

2021-11-04T15:03:11.447+00:00
Try something like this:

$OUNames = "OU=1,OU=X,DC=domain,DC=tld", "OU=2,OU=Y,DC=domain,DC=tld", "OU=3,OU=X,DC=domain,DC=tld" Import-Csv C:\Junk\AllHands.csv | ForEach-Object{ $u = Get-ADUser -Filter "userPrincipalName -eq '$($_.UPN)'" -Properties AccountExpires,distinguishedName if ($u){ $OU = $u.DistinguishedName.Substring($u.DistinguishedName.IndexOf('OU=',[System.StringComparison]::CurrentCultureIgnoreCase)) if ($OUNames -contains $OU){ Set-ADAccountExpiration -Identity $u.distinguishedName -DateTime ([datetime]::fromfiletime($u.accountexpires)).AddDays(90) } else{ $_ } } else { $_ } } | Export-Csv C:\Junk\WhoAreThesePeople.csv -NoTypeInformation

NOTE: I haven't run this code. You should try it first by adding the "-WhatIf" switch to the Set-ADAccountExpiration cmdlet until you're sure it does what you want!
Please sign in to rate this answer.
Skip Hofmann 341 Reputation points

2021-11-04T17:54:55.14+00:00

Hello

Thanks again for your assistance with this. When i run the script in my lab i am getting the following error

Get-ADUser : Error parsing query: 'userPrincipalName -eq @{userprincipalname=Akhil.Gattu@mydomain.com}.UPN' Error Message: 'syntax error' at position: '23'.
At line:4 char:15

... $u = Get-ADUser -Filter "userPrincipalName -eq $_.UPN" -Proper ...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CategoryInfo : ParserError: (:) [Get-ADUser], ADFilterParsingException

FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADFilterParsingException,Microsoft.ActiveDirectory.Management.Commands.GetADUser

Rich Matheisen 44,776 Reputation points

2021-11-04T18:14:53.193+00:00

Sorry. My bad. The filter string should look like this:

$u = Get-ADUser -Filter "userPrincipalName -eq '$($_.UPN)'" -Properties AccountExpires,distinguishedName

Skip Hofmann 341 Reputation points

2021-11-04T18:59:06.647+00:00

I think there is something still wrong with the filter string. When i run this
$u = Get-ADUser -Filter "userPrincipalName -eq '$($_.UPN)'" -Properties AccountExpires,distinguishedName

i get error

Get-ADUser : The search filter cannot be recognized
At line:1 char:6

$u = Get-ADUser -Filter "userPrincipalName -eq '$($_.UPN)'" -Properti ...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CategoryInfo : NotSpecified: (:) [Get-ADUser], ADException

FullyQualifiedErrorId : ActiveDirectoryServer:8254,Microsoft.ActiveDirectory.Management.Commands.GetADUser

Rich Matheisen 44,776 Reputation points

2021-11-04T20:11:43.957+00:00

What is the name of the CSV column header that has the UserPrincipalName in it? I used "UPN" in my example, but I have no idea what you're using in your CSV since you didn't post any information about the CSV format.

Skip Hofmann 341 Reputation points

2021-11-04T20:59:01.087+00:00

I'm using upn in my .csv file. The script is looking at what is in the .csv import file and its writing whatever it finds in the .csv import file to the WhoAreThesePeople.csv file. Its not extending the expiration date for users that are found both in the OU's and in the CSV. Below is what im using.

$OUNames = "OU=FMI,OU=Cognizant,OU=FM Users,OU=Corp,DC=ip-tech,DC=com", "OU=BPO and RPA,OU=Cognizant,OU=Consultants,OU=Users,OU=Corp,DC=ip-tech,DC=com"
Import-Csv C:\temp\test2.csv |
ForEach-Object{
get-aduser -Filter "userPrincipalName -eq '$($.upn)'"
if ($u){
$OU = ( $u.DistinguishedName.Substring($u.DistinguishedName).IndexOf('OU=',[System.StringComparison]::CurrentCultureIgnoreCase) )
if ($OUNames -contains $OU){
Set-ADAccountExpiration -Identity $u.distinguishedName -DateTime ([datetime]::fromfiletime($.properties.accountexpires[0])).AddDays(90)
}
else{
$_
}
}
else {
$_
}
} | Export-Csv C:\temp\WhoAreThesePeople.csv -NoTypeInformation

Rich Matheisen 44,776 Reputation points

2021-11-04T21:14:36.03+00:00

Please use the "Code Sample" editor when you post code. It's the 5th icon from the left on the Formatting bar.

The normal text editor munges code by dropping certain characters when they occur in sequence with other characters, screws up formatting, etc. It also makes separating code from narrative text difficult.

Skip Hofmann 341 Reputation points

2021-11-04T21:19:00.21+00:00

apologies. Thank you for hanging in there with me. Below is the code

$OUNames = "OU=FMI,OU=Cognizant,OU=FM Users,OU=Corp,DC=ip-tech,DC=com", "OU=BPO and RPA,OU=Cognizant,OU=Consultants,OU=Users,OU=Corp,DC=ip-tech,DC=com" Import-Csv C:\temp\test2.csv | ForEach-Object{ get-aduser -Filter "userPrincipalName -eq '$($_.upn)'" if ($u){ $OU = ( $u.DistinguishedName.Substring($u.DistinguishedName).IndexOf('OU=',[System.StringComparison]::CurrentCultureIgnoreCase) ) if ($OUNames -contains $OU){ Set-ADAccountExpiration -Identity $u.distinguishedName -DateTime ([datetime]::fromfiletime($_.properties.accountexpires[0])).AddDays(90) } else{ $_ } } else { $_ } } | Export-Csv C:\temp\WhoAreThesePeople.csv -NoTypeInformation

Skip Hofmann 341 Reputation points

2021-11-04T21:22:43.32+00:00

What this code appears to be doing is writing whatever it finds in the import .csv file to the WhoAreThesePeople.csv . What i need are the differences between what is in the import .csv file and the OU's to be written to the WhoAreThesePeople.csv, and all matching or found accounts should have their accountexpires + 90 days

Rich Matheisen 44,776 Reputation points

2021-11-04T21:23:00.377+00:00

You haven't assigned the result of Get-ADUser to the variable $u in the code you posted.

get-aduser -Filter "userPrincipalName -eq '$($.upn)'"

. . . should be:

$u = get-aduser -Filter "userPrincipalName -eq '$($.upn)'"

Skip Hofmann 341 Reputation points

2021-11-04T21:37:44.387+00:00

Okay, that makes sense. I added $u. Now its trying to extend the expiration date, but its failing with

Cannot convert argument "startIndex", with value: "CN=testuser2,OU=TEST,OU=TEST2,OU=TEST Users,OU=LAB,DC=LAB,DC=com", for "Substring" to type "System.Int32": "Cannot convert value "CN=testuser2,OU=TEST,OU=TEST2,OU=TEST Users,OU=LAB,DC=LAB,DC=com" to type "System.Int32". Error: "Input string was not in a correct format."" At C:\scripts\TomG.ps1:6 char:14 + ... $OU = ( $u.DistinguishedName.Substring($u.DistinguishedNa ..

Rich Matheisen 44,776 Reputation points

2021-11-04T21:41:21.463+00:00

Oops! Misplaced parenthesis in my code! THe line should look like this:

$OU = $u.DistinguishedName.Substring($u.DistinguishedName.IndexOf('OU=',[System.StringComparison]::CurrentCultureIgnoreCase))

I'll correct the code I posted.

Skip Hofmann 341 Reputation points

2021-11-04T21:54:59.793+00:00

Made the change. Now im getting . Again thank you for all your help

Cannot index into a null array. At C:\scripts\TomG.ps1:8 char:18 + ... Set-ADAccountExpiration -Identity $u.distinguishedName -D ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [], RuntimeException + FullyQualifiedErrorId : NullArray

Rich Matheisen 44,776 Reputation points

2021-11-04T22:48:22.56+00:00

I'm glad I put that "I haven't run this code" disclaimer at the bottom! I gotta stop recycling old code. :-(

The idea was correct, but it came from a script written years ago in a different language. The line should be:

Set-ADAccountExpiration -Identity $u.distinguishedName -DateTime ([datetime]::fromfiletime($u.accountexpires)).AddDays(90)

I've corrected the original code sample, too.

Skip Hofmann 341 Reputation points

2021-11-04T23:34:02.423+00:00

The code is now changing the expiration date on my test account, however the year is 1601. Also the differences or (none matching accounts) between what is in the .csv import file and what is found in the OU's is not being written to "WhoAreThesePeople.csv"

Thanks again for all your help. much appreciated

Rich Matheisen 44,776 Reputation points

2021-11-05T01:39:36.147+00:00

Is it safe to assume that the expiry date on your test user wasn't set before you ran your test?

If the accountexpires property isn't set it evaluates to zero. When you convert a file time of zero you get:

[datetime]::fromfiletime(0) Sunday, December 31, 1600 7:00:00 PM

Your criteria was to unconditionally increment the expiry date by 90 days it the account was found in one three OU's. If that's not what you want, then test that property and if it's zero either skip the incrementation or set it to 90 days from today.

You may also encounter a problem if the value of accountexpires is too large (because it's never been set to anything).

I have an account that has a value of 9223372036854775807 and powershell complains:

Exception calling "FromFileTime" with "1" argument(s): "Not a valid Win32 FileTime.

The way to handle that is to wrap the conversion of accountexpires into a DateTime object in a Try\Catch and if the conversion fails to just not increment the date.

Skip Hofmann 341 Reputation points

2021-11-05T04:41:18.993+00:00

"Your criteria was to unconditionally increment the expiry date by 90 days if the account was found in one three OU's."
It was to increase the expiration date by 90 days. ( i think we are saying the same thing) And if no match was found between the import .csv file and one of the 3 OU's then write the missing account to the output file. My test account did have an expiration date set. I was 11/14/2021

Skip Hofmann 341 Reputation points

2021-11-05T15:10:55.867+00:00

This actually works for our needs. the only thing the script is not doing now, is writing the differences to the output file

$OUNames = "OU=FMI,OU=Cognizant,OU=FM Users,OU=Corp,DC=ip-tech,DC=com", "OU=BPO and RPA,OU=Cognizant,OU=Consultants,OU=Users,OU=Corp,DC=ip-tech,DC=com" Import-Csv C:\temp\test2.csv | ForEach-Object{ $u = get-aduser -Filter "userPrincipalName -eq '$($_.upn)'" if ($u){ $OU = $u.DistinguishedName.Substring($u.DistinguishedName.IndexOf('OU=',[System.StringComparison]::CurrentCultureIgnoreCase)) if ($OUNames -contains $OU){ Set-ADAccountExpiration -Identity $u.distinguishedName -TimeSpan 90.0:0 } else{ $_ } } else { $_ } } | Export-Csv C:\temp\WhoAreThesePeople.csv -NoTypeInformation

Rich Matheisen 44,776 Reputation points

2021-11-05T19:43:56.453+00:00

Well, "increase the expiration date by 90 days" would mean take the existing expiry date and add 90 days to it.

The code you're using now (with the -TimeSpan parameter) sets the expiry date to 90 days from today regardless of any existing value -- even if the account was never set to expire before.

So, no, we aren't saying the same thing. :-)
Sign in to comment

help with Poweshell compare\hashtable

1 additional answer