Solved

Script not catching all AD accounts

Posted on 2014-01-08
4
771 Views
Last Modified: 2014-01-09
HI EE

SubSun helped me with the script below and I needed a bit of help on it .. the scrtipt is not outputing any SamAccountNames on the report that are not found in AD .

So lets say I have 10 SAmAccountNames in the TermUsers.txt file and one of those is not a valid AD Accunt . The output file will add a line for the previous sam account name on the list that is valid and it will tag it with Directory object not found .

It should add the Directory object not found with the SamAccountName that was not found in AD.



Import-Module ActiveDirectory

Function De-Provision {
    [CmdletBinding()]
    param(  
      [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelinebyPropertyName=$True)]
        [String]$SAMAccountName,
      [Parameter(Mandatory=$True,ValueFromPipelinebyPropertyName=$True)]
      [String]$Disabledby
    )
             process {
            $user = Get-ADUser $SAMAccountName -properties memberof,Enabled
            $report = "c:\Powershell\Term\groups_$($user.SAMAccountName)_$(Get-date -f dd-MM-yyyy).txt"
            "=============== UserName $($user.SAMAccountName)===============" >> $report
            "$($user.distinguishedName)" >> $report
            #Disable User
                  If ($user.Enabled -eq $true)
                  {
                        $user | Disable-ADAccount
                        "$($user.SAMAccountName) is disabled by script" >> $report
                        $Dis = "Disabled by script"
                        
                  }
                        Elseif ($user.Enabled -eq $False) {
                        "$($user.SAMAccountName) is already disabled" >> $report
                        $Dis = "Already disabled"
                $user | Set-ADUser -Office "Nightly Term Report $Disabledby $(Get-date)"
                  }
                  #Remove Group membership
                  Try{
                        $Groups = Get-ADPrincipalGroupMembership $user
                        "Group membership $($user.SAMAccountName)" >> $report
                        $Groups | Select -ExpandProperty Name >> $report
                        $Groups | ?{$_.Name -ne "Domain Users"} |%{Remove-ADPrincipalGroupMembership $user -MemberOf $_ -Confirm:$False}
                        "Removed group membership for $($user.SAMAccountName)" >> $report
                  }
                  Catch{
                        "Error in group membership removal for $($user.SAMAccountName) : $($_.Exception.Message)" >> $report
                  }
                    #Move user object
                  Try{
                        $user | Move-ADObject -TargetPath "OU=My,DC=org" -EA STOP
                        "Moved user $($user.SAMAccountName) to Disabled Accounts OU" >> $report
                        $Move = "Moved user"
                  }
                  Catch{
                        "Error in moving user $($user.SAMAccountName) : $($_.Exception.Message)" >> $report
                        $Move = $_.Exception.Message
                  }
            New-Object PSObject -Property @{
            SAMAccountName = $user.SAMAccountName
            MoveStat = $Move
            Disabled = $Dis
            DN = $user.distinguishedName
            }
            }
}

GC TermUsers.txt | De-Provision -DisabledBy "Name" | Export-csv "c:\Powershell\Term\NightlyTermReport_$(Get-date -f dd-MM-yyy-hhmmss).csv" -NTI
0
Comment
Question by:MilesLogan
  • 2
  • 2
4 Comments
 
LVL 39

Accepted Solution

by:
footech earned 500 total points
Comment Utility
I'm not sure exactly what you're describing either happens or you want to happen.  The function generates a main file, and also one per user.
Try this, it will insert the "not found" message in the main file.
Import-Module ActiveDirectory

Function De-Provision {
    [CmdletBinding()]
    param(  
      [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelinebyPropertyName=$True)]
        [String]$SAMAccountName,
      [Parameter(Mandatory=$True,ValueFromPipelinebyPropertyName=$True)]
      [String]$Disabledby
    )
        process {
            try {
                $user = Get-ADUser $SAMAccountName -properties memberof,Enabled
                $report = "c:\Powershell\Term\groups_$($user.SAMAccountName)_$(Get-date -f dd-MM-yyyy).txt"
                "=============== UserName $($user.SAMAccountName)===============" >> $report
                "$($user.distinguishedName)" >> $report
                #Disable User
                If ($user.Enabled -eq $true) 
                {
                    $user | Disable-ADAccount
                    "$($user.SAMAccountName) is disabled by script" >> $report
                    $Dis = "Disabled by script"
                        
                }
                    Elseif ($user.Enabled -eq $False) {
                    "$($user.SAMAccountName) is already disabled" >> $report
                    $Dis = "Already disabled"
                    $user | Set-ADUser -Office "Nightly Term Report $Disabledby $(Get-date)"
                }
                #Remove Group membership
                Try{
                    $Groups = Get-ADPrincipalGroupMembership $user
                    "Group membership $($user.SAMAccountName)" >> $report
                    $Groups | Select -ExpandProperty Name >> $report
                    $Groups | ?{$_.Name -ne "Domain Users"} |%{Remove-ADPrincipalGroupMembership $user -MemberOf $_ -Confirm:$False}
                    "Removed group membership for $($user.SAMAccountName)" >> $report
                }
                Catch{
                    "Error in group membership removal for $($user.SAMAccountName) : $($_.Exception.Message)" >> $report
                }
                #Move user object
                Try{
                    $user | Move-ADObject -TargetPath "OU=My,DC=org" -EA STOP
                    "Moved user $($user.SAMAccountName) to Disabled Accounts OU" >> $report
                    $Move = "Moved user"
                }
                Catch{
                    "Error in moving user $($user.SAMAccountName) : $($_.Exception.Message)" >> $report
                    $Move = $_.Exception.Message
                }
                New-Object PSObject -Property @{
                    SAMAccountName = $user.SAMAccountName
                    MoveStat = $Move
                    Disabled = $Dis
                    DN = $user.distinguishedName
                    }
            }
            catch {
                New-Object PSObject -Property @{
                    SAMAccountName = "$SAMAccountName not found in AD"
                    MoveStat = ""
                    Disabled = ""
                    DN = ""
                    }
            }
        }
}


GC TermUsers.txt | De-Provision -DisabledBy "Name" | Export-csv "c:\Powershell\Term\NightlyTermReport_$(Get-date -f dd-MM-yyy-hhmmss).csv" -NTI 

Open in new window

0
 
LVL 2

Author Comment

by:MilesLogan
Comment Utility
thats awesome ! that was it .. one more quick one ? or I can create a new question if you like since the original one was answered .

The output file is in the order below ..
MoveStat,Disabled,DN, SAMAccountName

Can you help me change it to the order below ??
SAMAccountName,Disabled,MoveStat, DN
0
 
LVL 39

Expert Comment

by:footech
Comment Utility
You just have to insert a Select-Object command before Export-CSV and specify the properties in the order you want.
GC TermUsers.txt | De-Provision -DisabledBy "Name" | Select SAMAccountName,Disabled,MoveStat,DN | Export-csv "c:\Powershell\Term\NightlyTermReport_$(Get-date -f dd-MM-yyy-hhmmss).csv" -NTI

Open in new window

0
 
LVL 2

Author Closing Comment

by:MilesLogan
Comment Utility
Thank you  footech !! helped me out alot !
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

"Migrate" an SMTP relay receive connector to a new server using info from an old server.
Create and license users in Office 365 in bulk based on a CSV file. A step-by-step guide with PowerShell script examples.
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now