Solved

Script not catching all AD accounts

Posted on 2014-01-08
4
778 Views
Last Modified: 2014-01-09
HI EE

SubSun helped me with the script below and I needed a bit of help on it .. the scrtipt is not outputing any SamAccountNames on the report that are not found in AD .

So lets say I have 10 SAmAccountNames in the TermUsers.txt file and one of those is not a valid AD Accunt . The output file will add a line for the previous sam account name on the list that is valid and it will tag it with Directory object not found .

It should add the Directory object not found with the SamAccountName that was not found in AD.



Import-Module ActiveDirectory

Function De-Provision {
    [CmdletBinding()]
    param(  
      [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelinebyPropertyName=$True)]
        [String]$SAMAccountName,
      [Parameter(Mandatory=$True,ValueFromPipelinebyPropertyName=$True)]
      [String]$Disabledby
    )
             process {
            $user = Get-ADUser $SAMAccountName -properties memberof,Enabled
            $report = "c:\Powershell\Term\groups_$($user.SAMAccountName)_$(Get-date -f dd-MM-yyyy).txt"
            "=============== UserName $($user.SAMAccountName)===============" >> $report
            "$($user.distinguishedName)" >> $report
            #Disable User
                  If ($user.Enabled -eq $true)
                  {
                        $user | Disable-ADAccount
                        "$($user.SAMAccountName) is disabled by script" >> $report
                        $Dis = "Disabled by script"
                        
                  }
                        Elseif ($user.Enabled -eq $False) {
                        "$($user.SAMAccountName) is already disabled" >> $report
                        $Dis = "Already disabled"
                $user | Set-ADUser -Office "Nightly Term Report $Disabledby $(Get-date)"
                  }
                  #Remove Group membership
                  Try{
                        $Groups = Get-ADPrincipalGroupMembership $user
                        "Group membership $($user.SAMAccountName)" >> $report
                        $Groups | Select -ExpandProperty Name >> $report
                        $Groups | ?{$_.Name -ne "Domain Users"} |%{Remove-ADPrincipalGroupMembership $user -MemberOf $_ -Confirm:$False}
                        "Removed group membership for $($user.SAMAccountName)" >> $report
                  }
                  Catch{
                        "Error in group membership removal for $($user.SAMAccountName) : $($_.Exception.Message)" >> $report
                  }
                    #Move user object
                  Try{
                        $user | Move-ADObject -TargetPath "OU=My,DC=org" -EA STOP
                        "Moved user $($user.SAMAccountName) to Disabled Accounts OU" >> $report
                        $Move = "Moved user"
                  }
                  Catch{
                        "Error in moving user $($user.SAMAccountName) : $($_.Exception.Message)" >> $report
                        $Move = $_.Exception.Message
                  }
            New-Object PSObject -Property @{
            SAMAccountName = $user.SAMAccountName
            MoveStat = $Move
            Disabled = $Dis
            DN = $user.distinguishedName
            }
            }
}

GC TermUsers.txt | De-Provision -DisabledBy "Name" | Export-csv "c:\Powershell\Term\NightlyTermReport_$(Get-date -f dd-MM-yyy-hhmmss).csv" -NTI
0
Comment
Question by:MilesLogan
  • 2
  • 2
4 Comments
 
LVL 39

Accepted Solution

by:
footech earned 500 total points
ID: 39766875
I'm not sure exactly what you're describing either happens or you want to happen.  The function generates a main file, and also one per user.
Try this, it will insert the "not found" message in the main file.
Import-Module ActiveDirectory

Function De-Provision {
    [CmdletBinding()]
    param(  
      [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelinebyPropertyName=$True)]
        [String]$SAMAccountName,
      [Parameter(Mandatory=$True,ValueFromPipelinebyPropertyName=$True)]
      [String]$Disabledby
    )
        process {
            try {
                $user = Get-ADUser $SAMAccountName -properties memberof,Enabled
                $report = "c:\Powershell\Term\groups_$($user.SAMAccountName)_$(Get-date -f dd-MM-yyyy).txt"
                "=============== UserName $($user.SAMAccountName)===============" >> $report
                "$($user.distinguishedName)" >> $report
                #Disable User
                If ($user.Enabled -eq $true) 
                {
                    $user | Disable-ADAccount
                    "$($user.SAMAccountName) is disabled by script" >> $report
                    $Dis = "Disabled by script"
                        
                }
                    Elseif ($user.Enabled -eq $False) {
                    "$($user.SAMAccountName) is already disabled" >> $report
                    $Dis = "Already disabled"
                    $user | Set-ADUser -Office "Nightly Term Report $Disabledby $(Get-date)"
                }
                #Remove Group membership
                Try{
                    $Groups = Get-ADPrincipalGroupMembership $user
                    "Group membership $($user.SAMAccountName)" >> $report
                    $Groups | Select -ExpandProperty Name >> $report
                    $Groups | ?{$_.Name -ne "Domain Users"} |%{Remove-ADPrincipalGroupMembership $user -MemberOf $_ -Confirm:$False}
                    "Removed group membership for $($user.SAMAccountName)" >> $report
                }
                Catch{
                    "Error in group membership removal for $($user.SAMAccountName) : $($_.Exception.Message)" >> $report
                }
                #Move user object
                Try{
                    $user | Move-ADObject -TargetPath "OU=My,DC=org" -EA STOP
                    "Moved user $($user.SAMAccountName) to Disabled Accounts OU" >> $report
                    $Move = "Moved user"
                }
                Catch{
                    "Error in moving user $($user.SAMAccountName) : $($_.Exception.Message)" >> $report
                    $Move = $_.Exception.Message
                }
                New-Object PSObject -Property @{
                    SAMAccountName = $user.SAMAccountName
                    MoveStat = $Move
                    Disabled = $Dis
                    DN = $user.distinguishedName
                    }
            }
            catch {
                New-Object PSObject -Property @{
                    SAMAccountName = "$SAMAccountName not found in AD"
                    MoveStat = ""
                    Disabled = ""
                    DN = ""
                    }
            }
        }
}


GC TermUsers.txt | De-Provision -DisabledBy "Name" | Export-csv "c:\Powershell\Term\NightlyTermReport_$(Get-date -f dd-MM-yyy-hhmmss).csv" -NTI 

Open in new window

0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39766987
thats awesome ! that was it .. one more quick one ? or I can create a new question if you like since the original one was answered .

The output file is in the order below ..
MoveStat,Disabled,DN, SAMAccountName

Can you help me change it to the order below ??
SAMAccountName,Disabled,MoveStat, DN
0
 
LVL 39

Expert Comment

by:footech
ID: 39767426
You just have to insert a Select-Object command before Export-CSV and specify the properties in the order you want.
GC TermUsers.txt | De-Provision -DisabledBy "Name" | Select SAMAccountName,Disabled,MoveStat,DN | Export-csv "c:\Powershell\Term\NightlyTermReport_$(Get-date -f dd-MM-yyy-hhmmss).csv" -NTI

Open in new window

0
 
LVL 2

Author Closing Comment

by:MilesLogan
ID: 39768572
Thank you  footech !! helped me out alot !
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlleā€¦
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stopā€¦

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now