Append AD description vs overwrite

  • #53262

    Participant
    Points: 0
    Rank: Member

    Hi all,

    I have the below script that will search for the last logon time stamp that is older than X amount of days. It will then take the results, disable the accounts, overwrite the description field, then move them to a disabled users OU. I'm struggling to figure out how to append to the existing AD description field and not actually overwrite it. For example, the existing description for a user is "Finance – New York, New York" and I want the script to append and have "Finance – New York, New York ***Disabled and moved date script runs***"

    Any help would be greatly appreciated.

    #Import AD PS Module
    Import-Module ActiveDirectory
    #Domain name
    $domain = "mydomain.COM"
    #Number of days to consider a user stale
    $daysInactive = 365
    $time = (Get-Date).Adddays(-($daysInactive))
    #Get stale AD users, filtering out some OUs and object names
    $staleUsers = Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp -SearchBase "DC=mydomain,DC=COM" | Where-Object { `
    $_.DistinguishedName -notmatch 'OU=Users,DC=mydomain,DC=COM' `
    -and $_.DistinguishedName -notmatch 'OU=IT,DC=mydomain,DC=COM' `
    -and $_.SamAccountName -notlike "*IWAM*" `
    -and $_.SamAccountName -notlike "*SRV**" `
    -and $_.SamAccountName -notlike "*IUSR*" `
    -and $_.SamAccountName -notlike "*WMUS*" `
    -and $_.SamAccountName -notlike "*Mailbox*" ` }

    #Modify stale user's description, disable them, and move them to Disabled OU
    $staleUsers | ForEach {
    #Set description and disable account
    Set-ADUser $_ -Description "Disabled and moved on $(Get-Date)" -Enabled $false
    #Move account
    Move-ADObject $_ -TargetPath "OU=Disabled accounts,OU=Users,DC=mydomain,DC=COM"
    }

  • #53316

    Moderator
    Points: 24
    Team Member
    Rank: Member

    Hi Joel,

    You'll need to handle this in your script.

    1. Get the current value of the Description field
    2. Append the text if not already present
    3. Overwrite the Description field with the new value

  • #53449

    Participant
    Points: 0
    Rank: Member

    Joel,

    I provided the example of how to do this in the other thread you created:

    https://powershell.org/forums/topic/for-each-to-disable-move-to-specific-ou-append-ad-discription-with-text/

    • #53494

      Participant
      Points: 0
      Rank: Member

      Sorry, I missed that somehow. I'm trying to use it and keep getting the below prompt.

      cmdlet Set-ADUser at command pipeline position 1
      Supply values for the following parameters:
      Identity:

      Below is the entire script. I'm not sure what I'm missing. The goal is to find every user that matches the search criteria and add the text to the description field, disable, and move them. I'm not sure what I'm missing.

      #Import AD PS Module
      Import-Module ActiveDirectory
      #Domain name
      $domain = "mydomain.COM"
      #Number of days to consider a user stale
      $daysInactive = 90
      $time = (Get-Date).Adddays(-($daysInactive))
      $Today = Get-Date -format d
      $oldDescription = $Query.Description
      $addDescription = "*** Disabled and moved $Today ***"
      $newDescription = "$addDescription; oldDescription"
      $Query = $staleUsers
      #Get stale AD users, filtering out some OUs and object names
      $staleUsers = Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp -SearchBase "DC=mydomain,DC=COM" | Where-Object { `
      $_.DistinguishedName -notmatch 'OU=Users,DC=mydomain,DC=COM' `
      -and $_.DistinguishedName -notmatch 'OU=IT,DC=mydomain,DC=COM' `
      -and $_.SamAccountName -notlike "*IWAM*" `
      -and $_.SamAccountName -notlike "*SRV**" `
      -and $_.SamAccountName -notlike "*IUSR*" `
      -and $_.SamAccountName -notlike "*WMUS*" `
      -and $_.SamAccountName -notlike "*Mailbox*" ` }
      #Modify stale users description, disable them, and moved them to Disabled OU
      $staleUsers | ForEach {
      Set-ADUser -Description $newDescription
      #Move Account
      Move-ADObject $_ -TargetPath "OU=Disabled accounts,OU=Users,mydomain,DC=COM"
      }

  • #53454

    Participant
    Points: 21
    Rank: Member

    Original text + additional text doesn't incur extra cost.

  • #53503

    Participant
    Points: 324
    Helping Hand
    Rank: Contributor

    This line is incorrect:

    $newDescription = "$addDescription; oldDescription"
    

    You need to use something like this:

    $oldDescription = "Old Description"
    $today = Get-Date -Format d
    
    $newDescription = "*** Disabled and moved $today ***; $oldDescription"
    #or
    $newDescription = "*** Disabled and moved $today ***; " + $oldDescription
    #or
    $newDescription = "*** Disabled and moved {0} ***; {1}" -f  $today, $oldDescription
    
    • #53512

      Participant
      Points: 0
      Rank: Member

      Thanks for your info. I've updated to the below. Should this work?

      #Import AD PS Module
      Import-Module ActiveDirectory
      #Domain name
      $domain = "mydomain.COM"
      #Number of days to consider a user stale
      $daysInactive = 90
      $time = (Get-Date).Adddays(-($daysInactive))
      $Today = Get-Date -format d
      $oldDescription = $Query.Description
      $newDescription = "$*** Disabled and moved $Today ***; oldDescription"
      $Query = $staleUsers
      #Get stale AD users, filtering out some OUs and object names
      $staleUsers = Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp -SearchBase "DC=mydomain,DC=COM" | Where-Object { `
      $_.DistinguishedName -notmatch 'OU=Users,DC=mydomain,DC=COM' `
      -and $_.DistinguishedName -notmatch 'OU=IT,DC=mydomain,DC=COM' `
      -and $_.SamAccountName -notlike "*IWAM*" `
      -and $_.SamAccountName -notlike "*SRV**" `
      -and $_.SamAccountName -notlike "*IUSR*" `
      -and $_.SamAccountName -notlike "*WMUS*" `
      -and $_.SamAccountName -notlike "*Mailbox*" ` }
      #Modify stale users description, disable them, and moved them to Disabled OU
      $staleUsers | ForEach {
      Set-ADUser -Description $newDescription
      #Move Account
      Move-ADObject $_ -TargetPath "OU=Disabled accounts,OU=Users,mydomain,DC=COM"
      }

  • #53540

    Participant
    Points: 0
    Rank: Member

    Hey Joel,

    Sorry I realized that there was a typo in my code. Rob is correct. olddescription is a variable, so it should have a $ preceding it in the declaration of newdescription.

    $newDescription = "*** Disabled and moved $Today ***; $oldDescription"

    • #53546

      Participant
      Points: 0
      Rank: Member

      Sorry for making this so difficult. I have updated but still not working for me. This part of the script is where it is prompting.

      $staleUsers | ForEach {
      Set-ADUser -Description $newDescription -Enabled $false
      #Move Account
      Move-ADObject $_ -TargetPath "OU=Disabled accounts,OU=Users,DC=CBI,DC=CH1B,DC=CBIEPC,DC=COM"
      }

      The prompt I receive
      cmdlet Set-ADUser at command pipeline position 1
      Supply values for the following parameters:
      Identity:

      Also, here are the variables in play for this section of the code. I'm thinking that maybe I have the old description variable wrong?

      $newDescription = "*** Disabled and moved $Today ***; $oldDescription"
      $Today = Get-Date -format d
      $oldDescription = $Query.Description
      $Query = $staleUsers
      $staleUsers = Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp -SearchBase "DC=CBI,DC=CH1B,DC=CBIEPC,DC=COM" | Where-Object { `
      $_.DistinguishedName -notmatch 'OU=Users,DC=CBI,DC=CH1B,DC=CBIEPC,DC=COM' `
      -and $_.DistinguishedName -notmatch 'OU=IT,DC=CBI,DC=CH1B,DC=CBIEPC,DC=COM' `
      -and $_.SamAccountName -notlike "*IWAM*" `
      -and $_.SamAccountName -notlike "*SRV**" `
      -and $_.SamAccountName -notlike "*IUSR*" `
      -and $_.SamAccountName -notlike "*WMUS*" `
      -and $_.SamAccountName -notlike "*Mailbox*" ` }

  • #53554

    Participant
    Points: 0
    Rank: Member

    I believe it is asking for the identity because there is nothing specified after Set-ADUser. You should be able to just add the $_ same as you did to the Move-ADObject.

    $staleUsers | ForEach {
    Set-ADUser $_ -Description $newDescription -Enabled $false
    #Move Account
    Move-ADObject $_ -TargetPath "OU=Disabled accounts,OU=Users,DC=CBI,DC=CH1B,DC=CBIEPC,DC=COM"
    }

    Another way to construct your foreach statement to better understand it is

    ForEach ($user in $staleUsers) {
    Set-ADUser $user -Description $newDescription -Enabled $false
    #Move Account
    Move-ADObject $user -TargetPath "OU=Disabled accounts,OU=Users,DC=CBI,DC=CH1B,DC=CBIEPC,DC=COM"
    }

    As far as the declaration of $oldDescription, you are pulling the description of everyone in the whole query and the declaration is in the wrong order. You need to make sure that the variable definitions are looking for variables that already exist. Forget about using $Query and try something like this:

    $Today = Get-Date -format d
    ForEach ($user in $staleUsers) {
    #Description is not returned by Get-ADUser by default, so request it explicitly
    $oldDescription = (Get-ADUser $user -Properties Description).Description
    $newDescription = "*** Disabled and moved $Today ***; $oldDescription"
    #Set description and disable account
    Set-ADUser $user -Description $newDescription -Enabled $false
    #Move Account
    Move-ADObject $user -TargetPath "OU=Disabled accounts,OU=Users,DC=CBI,DC=CH1B,DC=CBIEPC,DC=COM"
    }
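
The three steps from the moderator's reply (read the current description, append only if the marker is absent, write the result back), as an added example that is not part of the thread or any poster's code. It appends the marker after the existing text, as the original question asked. The function name `Disable-StaleUser`, its parameters and the 1024-character description limit are assumptions of this example; the domain and OU names are the thread's placeholders.

```powershell
# Added example (not from the thread). Hypothetical function and parameter names.
function Disable-StaleUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$DaysInactive = 365,
        [string]$SearchBase = 'DC=mydomain,DC=COM',
        [string]$TargetOU = 'OU=Disabled accounts,OU=Users,DC=mydomain,DC=COM',
        [string[]]$ExcludeOU = @('OU=Users,DC=mydomain,DC=COM', 'OU=IT,DC=mydomain,DC=COM'),
        [string[]]$ExcludeName = @('*IWAM*', '*SRV*', '*IUSR*', '*WMUS*', '*Mailbox*'),
        [int]$MaxLength = 1024   # assumed upper length of the description attribute
    )
    Import-Module ActiveDirectory
    $cutoff = (Get-Date).AddDays(-$DaysInactive).ToFileTime()
    $marker = '*** Disabled and moved {0} ***' -f (Get-Date -Format d)

    # Enabled user objects whose lastLogonTimestamp is at or before the cutoff.
    # Accounts that never logged on have no lastLogonTimestamp and are not matched.
    $ldap = '(&(objectCategory=person)(objectClass=user)' +
            '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
            "(lastLogonTimestamp<=$cutoff))"
    # Description is not a default property, so it has to be requested here.
    $users = Get-ADUser -LDAPFilter $ldap -SearchBase $SearchBase -Properties Description

    foreach ($user in $users) {
        $dn = $user.DistinguishedName
        # Literal suffix match on the DN (no regex), so only real child objects are skipped.
        if ($ExcludeOU | Where-Object { $dn.EndsWith(",$_", [StringComparison]::OrdinalIgnoreCase) }) { continue }
        if ($ExcludeName | Where-Object { $user.SamAccountName -like $_ }) { continue }

        $old = [string]$user.Description
        # Append only if the marker text is not already present (safe to re-run).
        if ($old -like '*Disabled and moved*') { $new = $old }
        else { $new = ("$old $marker").Trim() }
        if ($new.Length -gt $MaxLength) {
            Write-Warning "Skipping $dn : description would exceed $MaxLength characters"
            continue
        }
        if ($PSCmdlet.ShouldProcess($dn, "Disable, set description, move to $TargetOU")) {
            Set-ADUser -Identity $user -Description $new -Enabled $false
            Move-ADObject -Identity $user -TargetPath $TargetOU
        }
    }
}

# Dry run: lists the accounts that would be changed without modifying anything.
Disable-StaleUser -DaysInactive 365 -WhatIf
```

Because lastLogonTimestamp is only replicated periodically between domain controllers, a short `-DaysInactive` window can flag accounts that logged on recently; review the `-WhatIf` output before running without it.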
