Solved

Powershell command to list non-existent users in new domain

Posted on 2013-11-25
5
571 Views
Last Modified: 2014-01-09
To keep it simple.....We are in the process of migrating from two legacy domains to one new domain.  I am trying to compare the list of user accounts (DisabledAccts.txt) that exist in the old domain (The SamAccountNames from the legacy domains are listed in a text file.) with the new domain to see which accounts exist in both domains.  I'm using Powershell.  My commands are this (all one line if it doesn't appear that way):

get-content C:\Results\DisabledAccts.txt | Get-ADUser -Filter * -Properties * -SearchBase "OU=Domain Users,DC=company,DC=local" -SearchScope Subtree| Select-Object Name,Samaccountname,Enabled,distinguishedname |export-csv C:\Results\DisabledBothDomains.CSV

However, If an account in the DisabledAccts.txt file is not found in the new domain, I'd like a separate list created that at least outputs the SamAccountName from the DisabledAccts.Txt list to a different text file, so that accounts not in the new domain can be identified.

Is there an easy way to do this in Powershell?  When an account isn't found, when I output to the console, I see something like this "Get-ADUser : Cannot find an object with identity: " followed by the username.
0
Comment
Question by:Darthyw
  • 2
  • 2
5 Comments
 
LVL 36

Expert Comment

by:Mahesh
ID: 39675535
Since i am not powershell Expert, but You can do it with AD saved queries and excel Vlookup

You can create saved query in each domain to list down all existing user accounts with "pre windows 2000 account name" or logonName and then export those query results to csv files

Open both csv file with excel and run vlookup against them to identify \ compare similar and dissimilar object

Dissimilar object are not migrated from source

Optionally you can use "highlight duplicate cells" feature in Excel.

Mahesh
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39675764
Try..
$logfile = "C:\temp\log.txt"
Set-Content $logfile $null
	Get-content C:\Results\DisabledAccts.txt | % {
	$User = $_
	Try {
	Get-ADUser $User -Properties * -SearchBase "OU=Domain Users,DC=company,DC=local" -SearchScope Subtree -EA STOP | Select-Object Name,Samaccountname,Enabled,distinguishedname
	}
	Catch{
	Add-Content $logfile $User
	}
} | Export-Csv C:\Results\DisabledBothDomains.CSV -nti

Open in new window

C:\temp\log.txt will have all accounts which are not there in AD..
0
 

Author Comment

by:Darthyw
ID: 39681430
Thanks Subsun.  I see what you're aiming to do with the Try and Catch.  Something is still not quite right.  The script creates the LOG.TXT, and catches the user accounts not found in the Domain Users....but it catches all the user accounts from the original DisabledAccts.txt as if the Get-ADUser part of the script is not working correctly.
0
 
LVL 40

Accepted Solution

by:
Subsun earned 500 total points
ID: 39681447
Did you update correct SearchBase in script?

Change line 9 to following and rerun the script. This will help you to capture the errors in log file..
Add-Content $logfile "$User - Error $($_.Exception.Message)"

Open in new window

0
 

Author Comment

by:Darthyw
ID: 39768508
Thanks Subsun.  I got tied up and moved onto other work, but I'll give you the points for the effort.  I'm just not sure where the issue in the script was, and am no longer there to look at it.  Thanks.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article runs through the process of deploying a single EXE application selectively to a group of user.
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question