Solved

PowerShell Script as Scheduled Task works on one OU but not another

Posted on 2014-09-23
Last Modified: 2014-09-23
Here is my PowerShell script:

$a = "<style>"
$a = $a + "BODY{background-color:white;}"
$a = $a + "TABLE{border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}"
$a = $a + "TH{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:thistle}"
$a = $a + "TD{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:palegoldenrod}"
$a = $a + "</style>"

#Load Active Directory Module
if(@(get-module | where-object {$_.Name -eq "ActiveDirectory"} ).count -eq 0) {import-module ActiveDirectory}

# get domain maximumPasswordAge value
$MaxPassAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.days

if($MaxPassAge -le 0)
{
  throw "Domain 'MaximumPasswordAge' password policy is not configured."
}

#Send Alert to User
$DaysToExpire = 14

Get-ADUser -SearchBase "ou=3rdLevelA, ou=2ndLevel, ou=1stLevel, dc=domain, dc=com" -searchscope subtree -Filter {(Enabled -eq "True") -and (mail -like "*")} -Properties * |
  Select-Object Name,@{Name="Expires";Expression={ $MaxPassAge - ((Get-Date) - ($_.PasswordLastSet)).days}} |
  Where-Object {$_.Expires -gt -1 -AND $_.Expires -le $DaysToExpire} |
  ConvertTo-Html -head $a -body "<H1>Service Account Passwords Expiring Soon</H1>" |
  Out-File e:\temp\serviceaccounts.html

Send-MailMessage -to email@domain.com -From email@domain.com -Subject "Service Account Passwords Expiring Soon" -Attachments E:\temp\serviceaccounts.html -SmtpServer smtpserver.domain.com


This script runs as a Scheduled Task to check user accounts in AD to see if their password is expiring within the next 14 days. If the script finds passwords expiring within this 14-day period, it creates a basic HTML file with those results and then emails it to me every day. It searches users in OUs and it works just fine except when you switch to a particular OU; we'll call the working container 3rdLevelA and the problem container 3rdLevelB. Both containers have users in them that I know are close to expiring, because I've checked them both manually with a separate PowerShell command.

I welcome any advice or ideas as to why this won't work.
Question by:bjbouchard
16 Comments
 

Expert Comment

by:Vaseem Mohammed
ID: 40339318
Is 3rdLevelB a sibling or a child of 3rdLevelA?
You need to change the value of -SearchBase accordingly.
 

Author Comment

by:bjbouchard
ID: 40339327
3rdLevelB is not a child/sibling of 3rdLevelA. They are both children/siblings of the next OU (2ndLevel).
 

Expert Comment

by:Vaseem Mohammed
ID: 40339353
If 3rdLevelB is at the same level as 3rdLevelA:
Domain.com
   1stLevel
      2ndLevel
         3rdLevelA
         3rdLevelB
Use this:
OU=3rdLevelB,OU=2ndLevel,OU=1stLevel,DC=domain,DC=com

If 3rdLevelB is under 3rdLevelA:
Domain.com
   1stLevel
      2ndLevel
         3rdLevelA
             3rdLevelB
Use this:
OU=3rdLevelB,OU=3rdLevelA,OU=2ndLevel,OU=1stLevel,DC=domain,DC=com

 

Author Comment

by:bjbouchard
ID: 40339378
As you can see from my actual script in the original question, I've already got that set up. I simply change the script from this: OU=3rdLevelA,OU=2ndLevel,OU=1stLevel,DC=domain,DC=com

to this: OU=3rdLevelB,OU=2ndLevel,OU=1stLevel,DC=domain,DC=com

and that's when it returns no results.  There are accounts expiring within both OUs so I know it's not an issue of me just thinking that there should be results when there aren't.
 

Expert Comment

by:Joshua Grantom
ID: 40339422
I would make sure that 3rdLevelB is actually an OU and not just a container.

If this works: CN=3rdLevelB,OU=2ndLevel,OU=1stLevel,DC=domain,DC=com

then it is not a true OU.

You can tell the difference by the folder icon.
 

Author Comment

by:bjbouchard
ID: 40339442
It most definitely is an OU. I know the difference between them, and it isn't one of the built-in AD containers (such as Users or Computers); it's an actual OU.

Also, I just told the previous expert that it works for 3rdLevelA, which is on the same level (child/parent relationship) as 3rdLevelB, so, no, putting CN=3rdLevelB isn't relevant or even a possibility.

Both OUs worked at one time.  I can't tell you what's changed since that time though.
 

Expert Comment

by:Vaseem Mohammed
ID: 40339454
How many DCs do you have? Please check the replication status.
 

Expert Comment

by:RAdministrator
ID: 40339458
Check if the user whose credentials the task is using has NTFS permissions on the 3rdLevelB OU. OUs have security properties just like any other object.
If it doesn't (or maybe even if it does), you could change the task to run under the system account.
 

Expert Comment

by:Joshua Grantom
ID: 40339468
If it works for one and not the other, it definitely sounds like a permission issue.

RAdministrator's suggestion could be correct.
 

Accepted Solution

by:Vaseem Mohammed (earned 500 total points)
ID: 40339475
Is there any kind of delegation set up for the account under which you are performing the task?
Are you getting any sort of error?
Remove -and (mail -like "*") from -Filter and see if something shows up.

Try executing just this code:
$MaxPassAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.days
if($MaxPassAge -le 0)
{throw "Domain 'MaximumPasswordAge' password policy is not configured."}
$DaysToExpire = 14
# -Filter * returns every user in the OU, so accounts without a mail attribute are no longer excluded
Get-ADUser -SearchBase "OU=3rdLevelB,OU=2ndLevel,OU=1stLevel,DC=domain,DC=com" -searchscope Subtree -Filter * -Properties * |
Select-Object Name,@{Name="Expires";Expression={ $MaxPassAge - ((Get-Date) - ($_.PasswordLastSet)).days}} |
Where-Object {$_.Expires -gt -1 -AND $_.Expires -le $DaysToExpire}

 

Author Comment

by:bjbouchard
ID: 40339492
Vaseem: "How many DCs do you have? Please check the replication status."
This has already been checked. The number of DCs doesn't matter; replication is good.

RAdministrator: "Check if the user whose credentials the task is using has NTFS permissions on the 3rdLevelB OU. OUs have security properties just like any other object. If it doesn't (or maybe even if it does), you could change the task to run under the system account."

I've already checked this and given the user account that's used to run these tasks full control over the OU in question.

Joshua Grantom: "If it works for one and not the other, it definitely sounds like a permission issue."
This is where I am leaning, but it doesn't make sense, as the user account used to run the Scheduled Tasks is the same for all tasks and has permissions to the out-file that it writes to, the folder where the out-file resides, and the disk where the folder resides, and has the log on as a batch and log on locally rights on the server as well as full permission on the OU that it isn't working on. The code for the one PowerShell script that checks 3rdLevelA is the exact same code that checks 3rdLevelB, with the exception of the OU that it checks.
 

Expert Comment

by:Joshua Grantom
ID: 40339499
Maybe the distinguished name of the OU was changed or something? Just for amusement, make sure you have Advanced Features checked under View in ADUC, go to the properties of the OU, go to Attribute Editor and check the distinguishedName attribute.
 

Author Comment

by:bjbouchard
ID: 40339526
Joshua: That's actually a good suggestion. I checked, and the DN is the same; it hasn't changed.

Any other ideas?
 

Author Comment

by:bjbouchard
ID: 40339559
Vaseem: It ended up being what you suggested. I looked at the Email section of the account with an expiring password and it didn't have an email address. I can either remove the -and (mail -like "*") from the filter or simply put an email in there. Just as a test I put an email in on one of the accounts that was expiring and sure enough it showed up. Thanks for the help everyone.
 

Author Closing Comment

by:bjbouchard
ID: 40339562
If the Email section of the properties for an AD User Object is null (nothing there), it won't process the script any further; at least for my particular script.
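The cause confirmed above (the mail -like "*" clause silently excluding any account that has no email address, which service accounts often don't) and the search-base checks suggested earlier in the thread can both be scripted so that nothing drops out of the report unnoticed. The following PowerShell is an added example written for this page, not code from the question or from any of the answers. It assumes the ActiveDirectory module is installed and uses the placeholder OU path from the thread (OU=3rdLevelB,OU=2ndLevel,OU=1stLevel,DC=domain,DC=com); it also goes a step beyond the original script by handling accounts whose password never expires or that must change it at next logon, since both would otherwise produce a misleading "Expires" value.

```powershell
# Added example (not from the original question or answers). Assumes the
# ActiveDirectory module and the placeholder OU DN used in the thread.
Import-Module ActiveDirectory

$SearchBase   = "OU=3rdLevelB,OU=2ndLevel,OU=1stLevel,DC=domain,DC=com"
$DaysToExpire = 14

$MaxPassAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
if ($MaxPassAge -le 0) { throw "Domain 'MaximumPasswordAge' password policy is not configured." }

# 1. Confirm the search base really is an OU with this DN (the Attribute Editor
#    check from the thread, done in code). A typo or a renamed OU fails here
#    instead of quietly returning nothing.
try {
    $null = Get-ADOrganizationalUnit -Identity $SearchBase
} catch {
    throw "Search base '$SearchBase' does not resolve to an OU: $($_.Exception.Message)"
}

# Only request the attributes the report needs instead of -Properties *.
$props = 'mail', 'PasswordLastSet', 'PasswordNeverExpires'

# 2. Broad query: every enabled user in the OU, with or without a mail attribute.
$all = @(Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
    -Filter { Enabled -eq $true } -Properties $props)

# 3. Narrow query: the filter from the question. 'mail -like "*"' means
#    "mail attribute is set", so mail-less accounts never reach the report.
$mailOnly = @(Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
    -Filter { (Enabled -eq $true) -and (mail -like "*") } -Properties $props)

# 4. Show exactly which accounts the narrow filter hides.
$dropped = @($all | Where-Object { -not $_.mail })
Write-Host ("{0} enabled users, {1} with mail, {2} excluded by the mail filter" -f $all.Count, $mailOnly.Count, $dropped.Count)
$dropped | Select-Object Name, DistinguishedName | Format-Table -AutoSize

# 5. Expiry calculation over the broad set, with two edge cases made explicit:
#    - PasswordNeverExpires: the domain max age does not apply
#    - PasswordLastSet is $null when the password must be changed at next logon
$report = foreach ($u in $all) {
    $expires = if ($u.PasswordNeverExpires) { 'never' }
               elseif (-not $u.PasswordLastSet) { 'must change at next logon' }
               else { $MaxPassAge - ((Get-Date) - $u.PasswordLastSet).Days }
    $mail = if ($u.mail) { $u.mail } else { '(none)' }
    [pscustomobject]@{
        Name    = $u.Name
        Mail    = $mail
        Expires = $expires
    }
}

# 6. Same 14-day window as the original script, but mail-less accounts are included
#    and the non-numeric cases above are listed separately rather than mis-sorted.
$report | Where-Object { $_.Expires -is [int] -and $_.Expires -ge 0 -and $_.Expires -le $DaysToExpire } |
    Sort-Object Expires | Format-Table -AutoSize
$report | Where-Object { $_.Expires -isnot [int] } | Format-Table -AutoSize
```

The count line in step 4 is the quickest test for the symptom described in the question: if the broad and narrow counts differ, the filter, not permissions or replication, is what is hiding accounts. Run it under the same account the scheduled task uses so that any real access-control difference would show up in the broad query too.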
 

Expert Comment

by:RAdministrator
ID: 40339569
Edit: I noticed that my latest question was also answered.

OTOH Vaseem Mohammed mentioned to remove the mail attribute filter because that would limit the search output to email-enabled users. Might that have any impact on your filter output? Especially since you're trying to retrieve service accounts which aren't always mail enabled? I'm just thinking aloud here.
