Exclude Certain OUs from Get-ADUser

Hi EE

Can someone help me put together a PowerShell script that will exclude certain OUs from a search of the entire domain?

Will something like this work? I have eight OUs that I need to exclude from the search. Can someone help?

Get-ADUser -Filter * -Properties SamAccountName,Enabled | Where-Object {(($_.SamAccountName.Length -eq 7) -and (( ??? -notlike ??)))} | Select-Object SamAccountName,Enabled | Export-Csv Data.csv -NoTypeInformation

MilesLoganAsked:

Chirag NagrekarSystem AnalystCommented:
OK, so if you want to list all user accounts that are enabled in your domain but exclude the DSADMINS OU, then I would use this command:

# -and, not -or: with -or every user passes, because no DN starts with "Builtin"
# (DNs begin with CN=), so the second test was always true.
# '*DSADMINS*' matches the string anywhere in the DN, not only as an OU name.
Get-ADUser -Filter {Enabled -eq $true} |
    Where-Object { ($_.DistinguishedName -notlike '*DSADMINS*') -and ($_.DistinguishedName -notlike '*,CN=Builtin,*') }


Source : https://social.technet.microsoft.com/Forums/windowsserver/en-US/78a5dc73-89b1-47bc-a65c-22f3945ca1ba/how-to-get-list-of-users-excluding-a-praticular-ou-and-its-sub-ous?forum=winserverpowershell
0
MilesLoganAuthor Commented:
Right, but how can I add specific OUs to exclude?
0
FOXActive Directory/Exchange EngineerCommented:
Try the below

$ExclusionOU = @('distinguishednameofou1','distinguishednameofou2','distinguishednameofou3')
Get-ADUser -Filter {Enabled -eq $true} |
    Where-Object {
        $dn = $_.DistinguishedName
        # -notlike against an array (and a variable in single quotes, which is never expanded)
        # matches nothing; test each excluded OU as a suffix of the user's DN instead
        -not ($ExclusionOU | Where-Object { $dn -like "*,$_" }) -and ($dn -notlike '*,CN=Builtin,*')
    }
0

oBdACommented:
List the OUs in the $ExcludeOUs array; you don't need the DC=... part, it will be added automatically
$domainDN = (Get-ADDomain).DistinguishedName
$excludeOUs = @(
	'OU=SomeOU,OU=Whatever'
	'OU=SomeOtherOU,OU=SomeOtherParent,OU=Wherever'
) | ForEach-Object {$_ + ',' + $domainDN}
Get-ADUser -Filter * -Property Enabled |
	Select-Object SamAccountName, Enabled, @{n='ParentContainer'; e={$_.DistinguishedName -replace '\A.*?,(?=(CN|OU|DC)=)'}} |
	Where-Object {($_.SamAccountName.Length -eq 7) -and ($excludeOUs -notcontains $_.ParentContainer)} |
	Select-Object -Property SamAccountname, Enabled |
	Export-Csv -NoTypeInformation -Path Data.csv


1
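The script above excludes only users that sit directly in a listed OU, because `-notcontains` is an exact match on the parent container. The following is an added example (not code from the thread or from its posters) that keeps the same parent-container idea but adds an optional `-Recurse` switch so sub-OUs are excluded as well, and checks the matching logic offline against constructed sample DNs before running it against a domain. The module `ActiveDirectory` (RSAT) is assumed; `dc01.corp.example`, `DC=corp,DC=example` and the OU paths are placeholders.

```powershell
# Added example, not from the original thread or its posters. Assumptions:
# the RSAT ActiveDirectory module is installed, 'dc01.corp.example' and the
# OU paths are placeholders, and 'DC=corp,DC=example' is a constructed domain.

function Get-ParentContainer {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Strip the leading RDN ("CN=jdoe,"). The lookahead makes an escaped comma
    # inside a name ("CN=Doe\, John") behave as part of the name, not a separator.
    $DistinguishedName -replace '\A.*?,(?=(CN|OU|DC)=)'
}

function Test-ExcludedContainer {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string[]]$ExcludedOU,   # full DNs, including the DC= part
        [switch]$Recurse                               # also match sub-OUs of each entry
    )
    $parent = Get-ParentContainer $DistinguishedName
    foreach ($ou in $ExcludedOU) {
        # Exact match: the object sits directly in the excluded OU (-eq on strings is case-insensitive).
        if ($parent -eq $ou) { return $true }
        # Suffix match: the object sits somewhere beneath it. EndsWith is used instead
        # of -like so that '*', '?' or '[' in an OU name are not treated as wildcards.
        if ($Recurse -and $parent.EndsWith(",$ou", [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Offline check of the matching logic against constructed sample DNs.
$domainDN   = 'DC=corp,DC=example'
$excludeOUs = @('OU=Disabled Accounts,OU=Service Accounts', 'CN=Users') |
    ForEach-Object { "$_,$domainDN" }

$sampleDNs = @(
    "CN=jdoe,OU=Disabled Accounts,OU=Service Accounts,$domainDN"             # directly in an excluded OU
    "CN=svc01,OU=Archive,OU=Disabled Accounts,OU=Service Accounts,$domainDN" # in a sub-OU: only -Recurse catches it
    "CN=asmith,OU=Service Accounts,$domainDN"                                # parent of an excluded OU: must be kept
    "CN=Guest,CN=Users,$domainDN"                                            # default container, listed as CN=
    "CN=Disabled Accounts Admin,OU=Sales,$domainDN"                          # name merely contains the string: must be kept
)
$sampleDNs | ForEach-Object {
    [pscustomobject]@{
        DistinguishedName = $_
        ExcludedExact     = Test-ExcludedContainer -DistinguishedName $_ -ExcludedOU $excludeOUs
        ExcludedRecursive = Test-ExcludedContainer -DistinguishedName $_ -ExcludedOU $excludeOUs -Recurse
    }
} | Format-Table -AutoSize

# Live query. Use the same DC for Get-ADDomain and Get-ADUser so the DC= suffix
# built here matches the DNs the users come back with.
$dc         = 'dc01.corp.example'
$domainDN   = (Get-ADDomain -Server $dc).DistinguishedName
$excludeOUs = @('OU=Disabled Accounts,OU=Service Accounts', 'CN=Users') |
    ForEach-Object { "$_,$domainDN" }
Get-ADUser -Server $dc -Filter * |
    Where-Object { $_.SamAccountName.Length -eq 7 -and
                   -not (Test-ExcludedContainer -DistinguishedName $_.DistinguishedName -ExcludedOU $excludeOUs -Recurse) } |
    Select-Object SamAccountName, Enabled |
    Export-Csv -NoTypeInformation -Path Data.csv
```

The sample table is the point of the offline section: the `svc01` entry is the situation described later in the thread (accounts in child OUs under Disabled Accounts) and is only excluded when `-Recurse` is set, while the last entry shows why a substring test on the whole DN such as `-notlike '*Disabled Accounts*'` is the wrong tool, since it would drop a user whose own name happens to contain the OU name. Matching on the parent container, exact or as a `,OU=...` suffix, does not have that problem.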

MilesLoganAuthor Commented:
Hi oBdA

I tested it with just two OUs and modified the script to also include CanonicalName, and those accounts from the excluded OUs still show up in the CSV. Any ideas?
0
oBdACommented:
Do not modify the script, except for the $excludeOUs array, and the export file name.
If you want to exclude a container, like the default 'Users' container, just add 'CN=Users' to the array.
And I repeat, just in case: do not add the ",DC=..." of the path.
PS console example with an abbreviated version for a test user:
PS C:\> $domainDN = (Get-ADDomain).DistinguishedName
PS C:\> $ExcludeOUs = @() | ForEach-Object {$_ + ',' + $domainDN}
PS C:\> Get-ADUser -Identity jdoe -Property Enabled |
>> Select-Object SamAccountName, Enabled, @{n='ParentContainer'; e={$_.DistinguishedName -replace '\A.*?,(?=(CN|OU|DC)=)'}} |
>> Where-Object {($_.SamAccountName.Length -eq 4) -and ($ExcludeOUs -notcontains $_.ParentContainer)} | ft Sam*, Enabled -au
>>

SamAccountName Enabled
-------------- -------
jdoe              True


PS C:\> $ExcludeOUs = @('CN=Users') | ForEach-Object {$_ + ',' + $domainDN}
PS C:\> Get-ADUser -Identity jdoe -Property Enabled |
>> Select-Object SamAccountName, Enabled, @{n='ParentContainer'; e={$_.DistinguishedName -replace '\A.*?,(?=(CN|OU|DC)=)'}} |
>> Where-Object {($_.SamAccountName.Length -eq 4) -and ($ExcludeOUs -notcontains $_.ParentContainer)} | ft Sam*, Enabled -au
>>
PS C:\>


1
MilesLoganAuthor Commented:
Hi oBdA
I copied your script again and just modified line 3 as shown below.

First try
'OU=Disabled Accounts,OU=Service Accounts'

Second try
'Disabled Accounts,Service Accounts'

I still see accounts from the Disabled Accounts OU in the report.

One minor thing I had to modify: on line 5 I added -Server <DCNAME>, as the data is from a different domain, which I am currently logged into.
1
oBdACommented:
Then you need to add the same server to the Get-ADDomain in line 1:
$domainDN = (Get-ADDomain -Server <DCNAME>).DistinguishedName


0
MilesLoganAuthor Commented:
This is what I am running. Line 3 is the only other change, and I still see accounts from the Disabled Accounts OU.

For line 3 I tried:
'CN=Disabled Accounts'
'Disabled Accounts'
'OU=Disabled Accounts'

$domainDN = (Get-ADDomain -server MyDCfqdn).DistinguishedName
$excludeOUs = @(
	'CN=Disabled Accounts'
	) | ForEach-Object {$_ + ',' + $domainDN}
Get-ADUser -server MyDCfqdn -Filter * -Property Enabled |
	Select-Object SamAccountName, Enabled, @{n='ParentContainer'; e={$_.DistinguishedName -replace '\A.*?,(?=(CN|OU|DC)=)'}} |
	Where-Object {($_.SamAccountName.Length -eq 7) -and ($excludeOUs -notcontains $_.ParentContainer)} |
	Select-Object -Property SamAccountname, Enabled |
	Export-Csv -NoTypeInformation -Path Datatest.csv


2
oBdACommented:
"Disabled Accounts" is an OU, not a container. Only some of the default containers are actual containers (like Users), and this is not one of them.
The OUs listed will not be recursed, the users have to be directly in the OU listed.
Based on your former comment, try
	'OU=Disabled Accounts,OU=Service Accounts'


1
MilesLoganAuthor Commented:
Another twist to this (thank you for the assistance, by the way):

Within Disabled Accounts and Service Accounts I have other OUs, so I moved two accounts to the root of Disabled Accounts and Service Accounts thinking those should not show up on the report, but they still do.

I also tested lines 1 and 5 with MyDomain.com and DCServerName.MyDomain.com and still get the same results.
0
oBdACommented:
When you move accounts, remember that you don't necessarily work on the DC that the script uses, and that it can take some time until the change has replicated to the other DCs.
In a PS console, enter
$domainDN = (Get-ADDomain -server MyDCfqdn).DistinguishedName
(Get-ADOrganizationalUnit -Filter "Name -eq 'Disabled Accounts'" -Server MyDCfqdn).DistinguishedName


The first command should return the DC=... part of the target domain.
The second command will return the OU's DistinguishedName. Everything until the first (and excluding) ",DC=" has to be added to the array. Everything starting from the first DC= should be identical with what the first command returned.
1
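The two console commands above are a manual check. As an added example (not code from the thread or its posters), the following wraps that check into a function that resolves every configured exclusion path against the DC the report will use, refuses a path that already carries a DC= part, and on a miss lists the OUs or containers that share the leaf name, which is where a wrong prefix (CN= instead of OU=) or a missing parent OU shows up. A second function lists what that same DC currently sees inside each excluded OU, so an account moved on a different DC that has not replicated yet is visible as absent. The `ActiveDirectory` module is assumed; `dc01.corp.example` and the OU paths are placeholders.

```powershell
# Added example, not from the thread. Resolves each configured exclusion path
# to the object AD actually holds on the chosen DC and stops before any export
# if one does not exist. Assumptions: RSAT ActiveDirectory module; the server
# name and OU paths are placeholders.

function Resolve-ExcludedContainer {
    param(
        [Parameter(Mandatory)][string[]]$RelativePath,   # e.g. 'OU=Disabled Accounts,OU=Service Accounts' (no DC= part)
        [Parameter(Mandatory)][string]$Server
    )
    $domainDN = (Get-ADDomain -Server $Server).DistinguishedName
    foreach ($path in $RelativePath) {
        if ($path -match '(^|,)DC=') {
            throw "Leave the DC= part out of '$path'; it is taken from the domain of -Server ($domainDN)."
        }
        $dn = "$path,$domainDN"
        # Get-ADObject resolves organizational units (OU=) and containers (CN=Users) alike.
        # Identity lookups raise a non-terminating error, so -ErrorAction Stop is needed for catch to see it.
        try   { $obj = Get-ADObject -Server $Server -Identity $dn -ErrorAction Stop }
        catch { $obj = $null }
        if (-not $obj) {
            # Show what AD has under the same leaf name: usually the real path differs
            # by prefix (CN= vs OU=) or by a parent OU missing from the configured path.
            $leaf = (($path -split ',')[0] -replace '^(OU|CN)=')
            # Escape the LDAP filter metacharacters so an odd OU name cannot alter the query.
            $leafEscaped = $leaf -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
            $candidates = Get-ADObject -Server $Server -LDAPFilter "(&(|(objectClass=organizationalUnit)(objectClass=container))(name=$leafEscaped))" |
                Select-Object -ExpandProperty DistinguishedName
            throw "No OU or container at '$dn'. Objects named '$leaf' on ${Server}: $($candidates -join ' | ')"
        }
        [pscustomobject]@{
            Configured        = $path
            DistinguishedName = $obj.DistinguishedName
            ObjectClass       = $obj.ObjectClass
        }
    }
}

function Get-ExcludedContainerMember {
    # Lists the users the chosen DC currently sees in an excluded OU. An account
    # moved on another DC is missing here until that change has replicated.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Server,
        [switch]$Recurse
    )
    $scope = if ($Recurse) { 'Subtree' } else { 'OneLevel' }
    Get-ADUser -Server $Server -SearchBase $DistinguishedName -SearchScope $scope -Filter * |
        Select-Object SamAccountName, DistinguishedName
}

$dc = 'dc01.corp.example'
$resolved = Resolve-ExcludedContainer -Server $dc -RelativePath @(
    'OU=Disabled Accounts,OU=Service Accounts'
    'CN=Users'
)
$resolved | Format-Table -AutoSize
foreach ($entry in $resolved) {
    Get-ExcludedContainerMember -Server $dc -DistinguishedName $entry.DistinguishedName
}
```

Run this with the same `-Server` value the report uses. If `Resolve-ExcludedContainer` throws, the exclusion list is wrong and the report would silently include those users; if it succeeds but a freshly moved account is absent from the `Get-ExcludedContainerMember` output, the script's DC has not received the move yet.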
MilesLoganAuthor Commented:
thanks .. it matches what I have been entering .. I will keep testing and let you know.
0
MilesLoganAuthor Commented:
Sorry for the late reply. Thank you so much.
0