Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Script not catching all AD accounts

Posted on 2014-01-08
4
Medium Priority
?
830 Views
Last Modified: 2014-01-09
HI EE

SubSun helped me with the script below and I needed a bit of help on it .. the scrtipt is not outputing any SamAccountNames on the report that are not found in AD .

So lets say I have 10 SAmAccountNames in the TermUsers.txt file and one of those is not a valid AD Accunt . The output file will add a line for the previous sam account name on the list that is valid and it will tag it with Directory object not found .

It should add the Directory object not found with the SamAccountName that was not found in AD.



Import-Module ActiveDirectory

Function De-Provision {
    [CmdletBinding()]
    param(  
      [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelinebyPropertyName=$True)]
        [String]$SAMAccountName,
      [Parameter(Mandatory=$True,ValueFromPipelinebyPropertyName=$True)]
      [String]$Disabledby
    )
             process {
            $user = Get-ADUser $SAMAccountName -properties memberof,Enabled
            $report = "c:\Powershell\Term\groups_$($user.SAMAccountName)_$(Get-date -f dd-MM-yyyy).txt"
            "=============== UserName $($user.SAMAccountName)===============" >> $report
            "$($user.distinguishedName)" >> $report
            #Disable User
                  If ($user.Enabled -eq $true)
                  {
                        $user | Disable-ADAccount
                        "$($user.SAMAccountName) is disabled by script" >> $report
                        $Dis = "Disabled by script"
                        
                  }
                        Elseif ($user.Enabled -eq $False) {
                        "$($user.SAMAccountName) is already disabled" >> $report
                        $Dis = "Already disabled"
                $user | Set-ADUser -Office "Nightly Term Report $Disabledby $(Get-date)"
                  }
                  #Remove Group membership
                  Try{
                        $Groups = Get-ADPrincipalGroupMembership $user
                        "Group membership $($user.SAMAccountName)" >> $report
                        $Groups | Select -ExpandProperty Name >> $report
                        $Groups | ?{$_.Name -ne "Domain Users"} |%{Remove-ADPrincipalGroupMembership $user -MemberOf $_ -Confirm:$False}
                        "Removed group membership for $($user.SAMAccountName)" >> $report
                  }
                  Catch{
                        "Error in group membership removal for $($user.SAMAccountName) : $($_.Exception.Message)" >> $report
                  }
                    #Move user object
                  Try{
                        $user | Move-ADObject -TargetPath "OU=My,DC=org" -EA STOP
                        "Moved user $($user.SAMAccountName) to Disabled Accounts OU" >> $report
                        $Move = "Moved user"
                  }
                  Catch{
                        "Error in moving user $($user.SAMAccountName) : $($_.Exception.Message)" >> $report
                        $Move = $_.Exception.Message
                  }
            New-Object PSObject -Property @{
            SAMAccountName = $user.SAMAccountName
            MoveStat = $Move
            Disabled = $Dis
            DN = $user.distinguishedName
            }
            }
}

GC TermUsers.txt | De-Provision -DisabledBy "Name" | Export-csv "c:\Powershell\Term\NightlyTermReport_$(Get-date -f dd-MM-yyy-hhmmss).csv" -NTI
0
Comment
Question by:MilesLogan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 41

Accepted Solution

by:
footech earned 2000 total points
ID: 39766875
I'm not sure exactly what you're describing either happens or you want to happen.  The function generates a main file, and also one per user.
Try this, it will insert the "not found" message in the main file.
Import-Module ActiveDirectory

Function De-Provision {
    [CmdletBinding()]
    param(  
      [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelinebyPropertyName=$True)]
        [String]$SAMAccountName,
      [Parameter(Mandatory=$True,ValueFromPipelinebyPropertyName=$True)]
      [String]$Disabledby
    )
        process {
            try {
                $user = Get-ADUser $SAMAccountName -properties memberof,Enabled
                $report = "c:\Powershell\Term\groups_$($user.SAMAccountName)_$(Get-date -f dd-MM-yyyy).txt"
                "=============== UserName $($user.SAMAccountName)===============" >> $report
                "$($user.distinguishedName)" >> $report
                #Disable User
                If ($user.Enabled -eq $true) 
                {
                    $user | Disable-ADAccount
                    "$($user.SAMAccountName) is disabled by script" >> $report
                    $Dis = "Disabled by script"
                        
                }
                    Elseif ($user.Enabled -eq $False) {
                    "$($user.SAMAccountName) is already disabled" >> $report
                    $Dis = "Already disabled"
                    $user | Set-ADUser -Office "Nightly Term Report $Disabledby $(Get-date)"
                }
                #Remove Group membership
                Try{
                    $Groups = Get-ADPrincipalGroupMembership $user
                    "Group membership $($user.SAMAccountName)" >> $report
                    $Groups | Select -ExpandProperty Name >> $report
                    $Groups | ?{$_.Name -ne "Domain Users"} |%{Remove-ADPrincipalGroupMembership $user -MemberOf $_ -Confirm:$False}
                    "Removed group membership for $($user.SAMAccountName)" >> $report
                }
                Catch{
                    "Error in group membership removal for $($user.SAMAccountName) : $($_.Exception.Message)" >> $report
                }
                #Move user object
                Try{
                    $user | Move-ADObject -TargetPath "OU=My,DC=org" -EA STOP
                    "Moved user $($user.SAMAccountName) to Disabled Accounts OU" >> $report
                    $Move = "Moved user"
                }
                Catch{
                    "Error in moving user $($user.SAMAccountName) : $($_.Exception.Message)" >> $report
                    $Move = $_.Exception.Message
                }
                New-Object PSObject -Property @{
                    SAMAccountName = $user.SAMAccountName
                    MoveStat = $Move
                    Disabled = $Dis
                    DN = $user.distinguishedName
                    }
            }
            catch {
                New-Object PSObject -Property @{
                    SAMAccountName = "$SAMAccountName not found in AD"
                    MoveStat = ""
                    Disabled = ""
                    DN = ""
                    }
            }
        }
}


GC TermUsers.txt | De-Provision -DisabledBy "Name" | Export-csv "c:\Powershell\Term\NightlyTermReport_$(Get-date -f dd-MM-yyy-hhmmss).csv" -NTI 

Open in new window

0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39766987
thats awesome ! that was it .. one more quick one ? or I can create a new question if you like since the original one was answered .

The output file is in the order below ..
MoveStat,Disabled,DN, SAMAccountName

Can you help me change it to the order below ??
SAMAccountName,Disabled,MoveStat, DN
0
 
LVL 41

Expert Comment

by:footech
ID: 39767426
You just have to insert a Select-Object command before Export-CSV and specify the properties in the order you want.
GC TermUsers.txt | De-Provision -DisabledBy "Name" | Select SAMAccountName,Disabled,MoveStat,DN | Export-csv "c:\Powershell\Term\NightlyTermReport_$(Get-date -f dd-MM-yyy-hhmmss).csv" -NTI

Open in new window

0
 
LVL 2

Author Closing Comment

by:MilesLogan
ID: 39768572
Thank you  footech !! helped me out alot !
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question