Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 846
  • Last Modified:

Script not catching all AD accounts

HI EE

SubSun helped me with the script below and I needed a bit of help on it .. the scrtipt is not outputing any SamAccountNames on the report that are not found in AD .

So lets say I have 10 SAmAccountNames in the TermUsers.txt file and one of those is not a valid AD Accunt . The output file will add a line for the previous sam account name on the list that is valid and it will tag it with Directory object not found .

It should add the Directory object not found with the SamAccountName that was not found in AD.



Import-Module ActiveDirectory

Function De-Provision {
    [CmdletBinding()]
    param(  
      [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelinebyPropertyName=$True)]
        [String]$SAMAccountName,
      [Parameter(Mandatory=$True,ValueFromPipelinebyPropertyName=$True)]
      [String]$Disabledby
    )
             process {
            $user = Get-ADUser $SAMAccountName -properties memberof,Enabled
            $report = "c:\Powershell\Term\groups_$($user.SAMAccountName)_$(Get-date -f dd-MM-yyyy).txt"
            "=============== UserName $($user.SAMAccountName)===============" >> $report
            "$($user.distinguishedName)" >> $report
            #Disable User
                  If ($user.Enabled -eq $true)
                  {
                        $user | Disable-ADAccount
                        "$($user.SAMAccountName) is disabled by script" >> $report
                        $Dis = "Disabled by script"
                        
                  }
                        Elseif ($user.Enabled -eq $False) {
                        "$($user.SAMAccountName) is already disabled" >> $report
                        $Dis = "Already disabled"
                $user | Set-ADUser -Office "Nightly Term Report $Disabledby $(Get-date)"
                  }
                  #Remove Group membership
                  Try{
                        $Groups = Get-ADPrincipalGroupMembership $user
                        "Group membership $($user.SAMAccountName)" >> $report
                        $Groups | Select -ExpandProperty Name >> $report
                        $Groups | ?{$_.Name -ne "Domain Users"} |%{Remove-ADPrincipalGroupMembership $user -MemberOf $_ -Confirm:$False}
                        "Removed group membership for $($user.SAMAccountName)" >> $report
                  }
                  Catch{
                        "Error in group membership removal for $($user.SAMAccountName) : $($_.Exception.Message)" >> $report
                  }
                    #Move user object
                  Try{
                        $user | Move-ADObject -TargetPath "OU=My,DC=org" -EA STOP
                        "Moved user $($user.SAMAccountName) to Disabled Accounts OU" >> $report
                        $Move = "Moved user"
                  }
                  Catch{
                        "Error in moving user $($user.SAMAccountName) : $($_.Exception.Message)" >> $report
                        $Move = $_.Exception.Message
                  }
            New-Object PSObject -Property @{
            SAMAccountName = $user.SAMAccountName
            MoveStat = $Move
            Disabled = $Dis
            DN = $user.distinguishedName
            }
            }
}

GC TermUsers.txt | De-Provision -DisabledBy "Name" | Export-csv "c:\Powershell\Term\NightlyTermReport_$(Get-date -f dd-MM-yyy-hhmmss).csv" -NTI
0
MilesLogan
Asked:
MilesLogan
  • 2
  • 2
1 Solution
 
footechCommented:
I'm not sure exactly what you're describing either happens or you want to happen.  The function generates a main file, and also one per user.
Try this, it will insert the "not found" message in the main file.
Import-Module ActiveDirectory

Function De-Provision {
    [CmdletBinding()]
    param(  
      [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelinebyPropertyName=$True)]
        [String]$SAMAccountName,
      [Parameter(Mandatory=$True,ValueFromPipelinebyPropertyName=$True)]
      [String]$Disabledby
    )
        process {
            try {
                $user = Get-ADUser $SAMAccountName -properties memberof,Enabled
                $report = "c:\Powershell\Term\groups_$($user.SAMAccountName)_$(Get-date -f dd-MM-yyyy).txt"
                "=============== UserName $($user.SAMAccountName)===============" >> $report
                "$($user.distinguishedName)" >> $report
                #Disable User
                If ($user.Enabled -eq $true) 
                {
                    $user | Disable-ADAccount
                    "$($user.SAMAccountName) is disabled by script" >> $report
                    $Dis = "Disabled by script"
                        
                }
                    Elseif ($user.Enabled -eq $False) {
                    "$($user.SAMAccountName) is already disabled" >> $report
                    $Dis = "Already disabled"
                    $user | Set-ADUser -Office "Nightly Term Report $Disabledby $(Get-date)"
                }
                #Remove Group membership
                Try{
                    $Groups = Get-ADPrincipalGroupMembership $user
                    "Group membership $($user.SAMAccountName)" >> $report
                    $Groups | Select -ExpandProperty Name >> $report
                    $Groups | ?{$_.Name -ne "Domain Users"} |%{Remove-ADPrincipalGroupMembership $user -MemberOf $_ -Confirm:$False}
                    "Removed group membership for $($user.SAMAccountName)" >> $report
                }
                Catch{
                    "Error in group membership removal for $($user.SAMAccountName) : $($_.Exception.Message)" >> $report
                }
                #Move user object
                Try{
                    $user | Move-ADObject -TargetPath "OU=My,DC=org" -EA STOP
                    "Moved user $($user.SAMAccountName) to Disabled Accounts OU" >> $report
                    $Move = "Moved user"
                }
                Catch{
                    "Error in moving user $($user.SAMAccountName) : $($_.Exception.Message)" >> $report
                    $Move = $_.Exception.Message
                }
                New-Object PSObject -Property @{
                    SAMAccountName = $user.SAMAccountName
                    MoveStat = $Move
                    Disabled = $Dis
                    DN = $user.distinguishedName
                    }
            }
            catch {
                New-Object PSObject -Property @{
                    SAMAccountName = "$SAMAccountName not found in AD"
                    MoveStat = ""
                    Disabled = ""
                    DN = ""
                    }
            }
        }
}


GC TermUsers.txt | De-Provision -DisabledBy "Name" | Export-csv "c:\Powershell\Term\NightlyTermReport_$(Get-date -f dd-MM-yyy-hhmmss).csv" -NTI 

Open in new window

0
 
MilesLoganAuthor Commented:
thats awesome ! that was it .. one more quick one ? or I can create a new question if you like since the original one was answered .

The output file is in the order below ..
MoveStat,Disabled,DN, SAMAccountName

Can you help me change it to the order below ??
SAMAccountName,Disabled,MoveStat, DN
0
 
footechCommented:
You just have to insert a Select-Object command before Export-CSV and specify the properties in the order you want.
GC TermUsers.txt | De-Provision -DisabledBy "Name" | Select SAMAccountName,Disabled,MoveStat,DN | Export-csv "c:\Powershell\Term\NightlyTermReport_$(Get-date -f dd-MM-yyy-hhmmss).csv" -NTI

Open in new window

0
 
MilesLoganAuthor Commented:
Thank you  footech !! helped me out alot !
0

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now