?
Solved

Script not catching all AD accounts

Posted on 2014-01-08
4
Medium Priority
?
814 Views
Last Modified: 2014-01-09
HI EE

SubSun helped me with the script below and I needed a bit of help on it .. the scrtipt is not outputing any SamAccountNames on the report that are not found in AD .

So lets say I have 10 SAmAccountNames in the TermUsers.txt file and one of those is not a valid AD Accunt . The output file will add a line for the previous sam account name on the list that is valid and it will tag it with Directory object not found .

It should add the Directory object not found with the SamAccountName that was not found in AD.



Import-Module ActiveDirectory

Function De-Provision {
    [CmdletBinding()]
    param(  
      [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelinebyPropertyName=$True)]
        [String]$SAMAccountName,
      [Parameter(Mandatory=$True,ValueFromPipelinebyPropertyName=$True)]
      [String]$Disabledby
    )
             process {
            $user = Get-ADUser $SAMAccountName -properties memberof,Enabled
            $report = "c:\Powershell\Term\groups_$($user.SAMAccountName)_$(Get-date -f dd-MM-yyyy).txt"
            "=============== UserName $($user.SAMAccountName)===============" >> $report
            "$($user.distinguishedName)" >> $report
            #Disable User
                  If ($user.Enabled -eq $true)
                  {
                        $user | Disable-ADAccount
                        "$($user.SAMAccountName) is disabled by script" >> $report
                        $Dis = "Disabled by script"
                        
                  }
                        Elseif ($user.Enabled -eq $False) {
                        "$($user.SAMAccountName) is already disabled" >> $report
                        $Dis = "Already disabled"
                $user | Set-ADUser -Office "Nightly Term Report $Disabledby $(Get-date)"
                  }
                  #Remove Group membership
                  Try{
                        $Groups = Get-ADPrincipalGroupMembership $user
                        "Group membership $($user.SAMAccountName)" >> $report
                        $Groups | Select -ExpandProperty Name >> $report
                        $Groups | ?{$_.Name -ne "Domain Users"} |%{Remove-ADPrincipalGroupMembership $user -MemberOf $_ -Confirm:$False}
                        "Removed group membership for $($user.SAMAccountName)" >> $report
                  }
                  Catch{
                        "Error in group membership removal for $($user.SAMAccountName) : $($_.Exception.Message)" >> $report
                  }
                    #Move user object
                  Try{
                        $user | Move-ADObject -TargetPath "OU=My,DC=org" -EA STOP
                        "Moved user $($user.SAMAccountName) to Disabled Accounts OU" >> $report
                        $Move = "Moved user"
                  }
                  Catch{
                        "Error in moving user $($user.SAMAccountName) : $($_.Exception.Message)" >> $report
                        $Move = $_.Exception.Message
                  }
            New-Object PSObject -Property @{
            SAMAccountName = $user.SAMAccountName
            MoveStat = $Move
            Disabled = $Dis
            DN = $user.distinguishedName
            }
            }
}

GC TermUsers.txt | De-Provision -DisabledBy "Name" | Export-csv "c:\Powershell\Term\NightlyTermReport_$(Get-date -f dd-MM-yyy-hhmmss).csv" -NTI
0
Comment
Question by:MilesLogan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 40

Accepted Solution

by:
footech earned 2000 total points
ID: 39766875
I'm not sure exactly what you're describing either happens or you want to happen.  The function generates a main file, and also one per user.
Try this, it will insert the "not found" message in the main file.
Import-Module ActiveDirectory

Function De-Provision {
    [CmdletBinding()]
    param(  
      [Parameter(Mandatory=$True,ValueFromPipeline=$True,ValueFromPipelinebyPropertyName=$True)]
        [String]$SAMAccountName,
      [Parameter(Mandatory=$True,ValueFromPipelinebyPropertyName=$True)]
      [String]$Disabledby
    )
        process {
            try {
                $user = Get-ADUser $SAMAccountName -properties memberof,Enabled
                $report = "c:\Powershell\Term\groups_$($user.SAMAccountName)_$(Get-date -f dd-MM-yyyy).txt"
                "=============== UserName $($user.SAMAccountName)===============" >> $report
                "$($user.distinguishedName)" >> $report
                #Disable User
                If ($user.Enabled -eq $true) 
                {
                    $user | Disable-ADAccount
                    "$($user.SAMAccountName) is disabled by script" >> $report
                    $Dis = "Disabled by script"
                        
                }
                    Elseif ($user.Enabled -eq $False) {
                    "$($user.SAMAccountName) is already disabled" >> $report
                    $Dis = "Already disabled"
                    $user | Set-ADUser -Office "Nightly Term Report $Disabledby $(Get-date)"
                }
                #Remove Group membership
                Try{
                    $Groups = Get-ADPrincipalGroupMembership $user
                    "Group membership $($user.SAMAccountName)" >> $report
                    $Groups | Select -ExpandProperty Name >> $report
                    $Groups | ?{$_.Name -ne "Domain Users"} |%{Remove-ADPrincipalGroupMembership $user -MemberOf $_ -Confirm:$False}
                    "Removed group membership for $($user.SAMAccountName)" >> $report
                }
                Catch{
                    "Error in group membership removal for $($user.SAMAccountName) : $($_.Exception.Message)" >> $report
                }
                #Move user object
                Try{
                    $user | Move-ADObject -TargetPath "OU=My,DC=org" -EA STOP
                    "Moved user $($user.SAMAccountName) to Disabled Accounts OU" >> $report
                    $Move = "Moved user"
                }
                Catch{
                    "Error in moving user $($user.SAMAccountName) : $($_.Exception.Message)" >> $report
                    $Move = $_.Exception.Message
                }
                New-Object PSObject -Property @{
                    SAMAccountName = $user.SAMAccountName
                    MoveStat = $Move
                    Disabled = $Dis
                    DN = $user.distinguishedName
                    }
            }
            catch {
                New-Object PSObject -Property @{
                    SAMAccountName = "$SAMAccountName not found in AD"
                    MoveStat = ""
                    Disabled = ""
                    DN = ""
                    }
            }
        }
}


GC TermUsers.txt | De-Provision -DisabledBy "Name" | Export-csv "c:\Powershell\Term\NightlyTermReport_$(Get-date -f dd-MM-yyy-hhmmss).csv" -NTI 

Open in new window

0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39766987
thats awesome ! that was it .. one more quick one ? or I can create a new question if you like since the original one was answered .

The output file is in the order below ..
MoveStat,Disabled,DN, SAMAccountName

Can you help me change it to the order below ??
SAMAccountName,Disabled,MoveStat, DN
0
 
LVL 40

Expert Comment

by:footech
ID: 39767426
You just have to insert a Select-Object command before Export-CSV and specify the properties in the order you want.
GC TermUsers.txt | De-Provision -DisabledBy "Name" | Select SAMAccountName,Disabled,MoveStat,DN | Export-csv "c:\Powershell\Term\NightlyTermReport_$(Get-date -f dd-MM-yyy-hhmmss).csv" -NTI

Open in new window

0
 
LVL 2

Author Closing Comment

by:MilesLogan
ID: 39768572
Thank you  footech !! helped me out alot !
0

Featured Post

NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently we ran in to an issue while running some SQL jobs where we were trying to process the cubes.  We got an error saying failure stating 'NT SERVICE\SQLSERVERAGENT does not have access to Analysis Services. So this is a way to automate that wit…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
Suggested Courses

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question