Append AD description vs overwrite

This topic contains 9 replies, has 5 voices, and was last updated by Edmond Yee 2 weeks, 6 days ago.

  • #53262
    Joel Daigle
    Participant

    Hi all,

    I have the below script that will search for the last logon time stamp that is older than X amount of days. It will then take the results and disable them, overwrite the description field, then move them to a disabled users OU. I'm struggling to figure out how to append to the existing AD description field and not actually overwrite it. For example, the existing description for a user is "Finance – New York, New York" and I want the script to append and have "Finance – New York, New York ***Disabled and moved date script runs***"

    Any help would be greatly appreciated.

    #Import AD PS Module
    Import-Module ActiveDirectory
    #Domain name
    $domain = "mydomain.COM"
    #Number of days to consider a user stale
    $daysInactive = 365
    $time = (Get-Date).Adddays(-($daysInactive))
    #Get stale AD users, filtering out some OUs and object names
    $staleUsers = Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp -SearchBase "DC=mydomain,DC=COM" | Where-Object { `
    $_.DistinguishedName -notmatch 'OU=Users,DC=mydomain,DC=COM' `
    -and $_.DistinguishedName -notmatch 'OU=IT,DC=mydomain,DC=COM' `
    -and $_.SamAccountName -notlike "*IWAM*" `
    -and $_.SamAccountName -notlike "*SRV**" `
    -and $_.SamAccountName -notlike "*IUSR*" `
    -and $_.SamAccountName -notlike "*WMUS*" `
    -and $_.SamAccountName -notlike "*Mailbox*" ` }

    #Modify stale user's description, disable them, and move them to Disabled OU
    $staleUsers | ForEach {
    #Set description and disable account
    Set-ADUser $_ -Description "Disabled and moved on $(Get-Date)" -Enabled $false
    #Move account
    Move-ADObject $_ -TargetPath "OU=Disabled accounts,OU=Users,DC=mydomain,DC=COM"
    }

    #53316
    Daniel Krebs
    Participant

    Hi Joel,

    You'll need to handle this in your script.

    1. Get the current value of the Description field
    2. Append the text if not already present
    3. Overwrite the Description field with the new value

    #53449
    Edmond Yee
    Participant

    Joel,

    I provided the example of how to do this in the other thread you created:

    #53454
    Dan Potter
    Participant

    Original text + additional text doesn't incur extra cost.

    #53494
    Joel Daigle
    Participant

    Sorry, I missed that somehow. I'm trying to use it and keep getting the below prompt.

    cmdlet Set-ADUser at command pipeline position 1
    Supply values for the following parameters:
    Identity:

    Below is the entire script. I'm not sure what I'm missing. The goal is to find every user that matches the search criteria and add the text to the description field, disable, and move them. I'm not sure what I'm missing.

    #Import AD PS Module
    Import-Module ActiveDirectory
    #Domain name
    $domain = "mydomain.COM"
    #Number of days to consider a user stale
    $daysInactive = 90
    $time = (Get-Date).Adddays(-($daysInactive))
    $Today = Get-Date -format d
    $oldDescription = $Query.Description
    $addDescription = "*** Disabled and moved $Today ***"
    $newDescription = "$addDescription; oldDescription"
    $Query = $staleUsers
    #Get stale AD users, filtering out some OUs and object names
    $staleUsers = Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp -SearchBase "DC=mydomain,DC=COM" | Where-Object { `
    $_.DistinguishedName -notmatch 'OU=Users,DC=mydomain,DC=COM' `
    -and $_.DistinguishedName -notmatch 'OU=IT,DC=mydomain,DC=COM' `
    -and $_.SamAccountName -notlike "*IWAM*" `
    -and $_.SamAccountName -notlike "*SRV**" `
    -and $_.SamAccountName -notlike "*IUSR*" `
    -and $_.SamAccountName -notlike "*WMUS*" `
    -and $_.SamAccountName -notlike "*Mailbox*" ` }
    #Modify stale users description, disable them, and moved them to Disabled OU
    $staleUsers | ForEach {
    Set-ADUser -Description $newDescription
    #Move Account
    Move-ADObject $_ -TargetPath "OU=Disabled accounts,OU=Users,mydomain,DC=COM"
    }

    #53503
    Rob Simmers
    Participant

    This line is incorrect:

    $newDescription = "$addDescription; oldDescription"
    

    You need to use something like this:

    $oldDescription = "Old Description"
    $today = Get-Date -Format d
    
    $newDescription = "*** Disabled and moved $today ***; $oldDescription"
    #or
    $newDescription = "*** Disabled and moved $today ***; " + $oldDescription
    #or
    $newDescription = "*** Disabled and moved {0} ***; {1}" -f  $today, $oldDescription
    
    #53512
    Joel Daigle
    Participant

    Thanks for your info. I've updated to the below. Should this work?

    #Import AD PS Module
    Import-Module ActiveDirectory
    #Domain name
    $domain = "mydomain.COM"
    #Number of days to consider a user stale
    $daysInactive = 90
    $time = (Get-Date).Adddays(-($daysInactive))
    $Today = Get-Date -format d
    $oldDescription = $Query.Description
    $newDescription = "$*** Disabled and moved $Today ***; oldDescription"
    $Query = $staleUsers
    #Get stale AD users, filtering out some OUs and object names
    $staleUsers = Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp -SearchBase "DC=mydomain,DC=COM" | Where-Object { `
    $_.DistinguishedName -notmatch 'OU=Users,DC=mydomain,DC=COM' `
    -and $_.DistinguishedName -notmatch 'OU=IT,DC=mydomain,DC=COM' `
    -and $_.SamAccountName -notlike "*IWAM*" `
    -and $_.SamAccountName -notlike "*SRV**" `
    -and $_.SamAccountName -notlike "*IUSR*" `
    -and $_.SamAccountName -notlike "*WMUS*" `
    -and $_.SamAccountName -notlike "*Mailbox*" ` }
    #Modify stale users description, disable them, and moved them to Disabled OU
    $staleUsers | ForEach {
    Set-ADUser -Description $newDescription
    #Move Account
    Move-ADObject $_ -TargetPath "OU=Disabled accounts,OU=Users,mydomain,DC=COM"
    }

    #53540
    Edmond Yee
    Participant

    Hey Joel,

    Sorry I realized that there was a typo in my code. Rob is correct. olddescription is a variable, so it should have a $ preceding it in the declaration of newdescription.

    $newDescription = "*** Disabled and moved $Today ***; $oldDescription"

    #53546
    Joel Daigle
    Participant

    Sorry for making this so difficult. I have updated but still not working for me. This part of the script is where it is prompting.

    $staleUsers | ForEach {
    Set-ADUser -Description $newDescription -Enabled $false
    #Move Account
    Move-ADObject $_ -TargetPath "OU=Disabled accounts,OU=Users,DC=CBI,DC=CH1B,DC=CBIEPC,DC=COM"
    }

    The prompt I receive
    cmdlet Set-ADUser at command pipeline position 1
    Supply values for the following parameters:
    Identity:

    Also, here are the variables in play for this section of the code. I'm thinking that maybe I have the old description variable wrong?

    $newDescription = "*** Disabled and moved $Today ***; $oldDescription"
    $Today = Get-Date -format d
    $oldDescription = $Query.Description
    $Query = $staleUsers
    $staleUsers = Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp -SearchBase "DC=CBI,DC=CH1B,DC=CBIEPC,DC=COM" | Where-Object { `
    $_.DistinguishedName -notmatch 'OU=Users,DC=CBI,DC=CH1B,DC=CBIEPC,DC=COM' `
    -and $_.DistinguishedName -notmatch 'OU=IT,DC=CBI,DC=CH1B,DC=CBIEPC,DC=COM' `
    -and $_.SamAccountName -notlike "*IWAM*" `
    -and $_.SamAccountName -notlike "*SRV**" `
    -and $_.SamAccountName -notlike "*IUSR*" `
    -and $_.SamAccountName -notlike "*WMUS*" `
    -and $_.SamAccountName -notlike "*Mailbox*" ` }

    #53554
    Edmond Yee
    Participant

    I believe it is asking for the identity because there is nothing specified after Set-ADUser. You should be able to just add the $_ same as you did to the Move-ADObject.

    $staleUsers | ForEach {
    Set-ADUser $_ -Description $newDescription -Enabled $false
    #Move Account
    Move-ADObject $_ -TargetPath "OU=Disabled accounts,OU=Users,DC=CBI,DC=CH1B,DC=CBIEPC,DC=COM"
    }

    Another way to construct your foreach statement to better understand it is

    ForEach ($user in $staleUsers) {
    Set-ADUser $user -Description $newDescription -Enabled $false
    #Move Account
    Move-ADObject $user -TargetPath "OU=Disabled accounts,OU=Users,DC=CBI,DC=CH1B,DC=CBIEPC,DC=COM"
    }

    As far as the declaration of $oldDescription, you are pulling the description of everyone in the whole query and the declaration is in the wrong order. You need to make sure that the variable definitions are looking for variables that already exist. Forget about using $Query and try something like this:

    $Today = Get-Date -format d
    ForEach ($user in $staleUsers) {
    $oldDescription = $user.Description
    $newDescription = "*** Disabled and moved $Today ***; $oldDescription"
    Set-ADUser $user -Description $newDescription -Enabled $false
    #Move Account
    Move-ADObject $user -TargetPath "OU=Disabled accounts,OU=Users,DC=CBI,DC=CH1B,DC=CBIEPC,DC=COM"
    }
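
The fixes from this thread combined into one script, as an added example that is not code from any poster. It appends the marker instead of prepending it, skips accounts that already carry a marker, and requests `Description` through `-Properties`, because `Get-ADUser` does not return that attribute by default and `$user.Description` would otherwise be empty. The helper name `Get-AppendedDescription`, the log path and the `$dryRun` switch are assumptions; the domain and OU names are the placeholders used above.

```powershell
# Added example (not from the thread). Domain, OU names and log path are placeholders.
Import-Module ActiveDirectory

$searchBase = "DC=mydomain,DC=COM"
$disabledOU = "OU=Disabled accounts,OU=Users,DC=mydomain,DC=COM"
$logPath    = ".\disabled-users.csv"   # hypothetical path for the rollback record
$dryRun     = $true                    # set to $false to actually change accounts
$time       = (Get-Date).AddDays(-90)
$marker     = "*** Disabled and moved $(Get-Date -Format d) ***"

# Hypothetical helper: append the marker unless one is already present.
function Get-AppendedDescription {
    param([string]$Old, [string]$Marker)
    if ([string]::IsNullOrWhiteSpace($Old)) { return $Marker }        # nothing to keep
    if ($Old.Contains('*** Disabled and moved')) { return $Old }      # already tagged
    return "$Old $Marker"
}

# Description must be requested explicitly; it is not a default property.
$staleUsers = Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and Enabled -eq $true} `
        -SearchBase $searchBase -Properties LastLogonTimeStamp, Description |
    Where-Object {
        $_.DistinguishedName -notmatch 'OU=(Users|IT),DC=mydomain,DC=COM' -and
        $_.SamAccountName    -notmatch 'IWAM|SRV|IUSR|WMUS|Mailbox'
    }

foreach ($user in $staleUsers) {
    # Build the value per user, inside the loop, from that user's own description.
    $newDescription = Get-AppendedDescription -Old $user.Description -Marker $marker

    # Record the previous state before touching the account so it can be restored.
    [pscustomobject]@{
        SamAccountName       = $user.SamAccountName
        OldDescription       = $user.Description
        OldDistinguishedName = $user.DistinguishedName
    } | Export-Csv -Path $logPath -Append -NoTypeInformation

    # -Identity is what the "Supply values for ... Identity:" prompt was asking for.
    Set-ADUser    -Identity $user -Description $newDescription -Enabled $false -WhatIf:$dryRun
    Move-ADObject -Identity $user -TargetPath $disabledOU -WhatIf:$dryRun
}
```

With `$dryRun` left at `$true`, both cmdlets only report what they would do, so the selection filter can be reviewed against the CSV before any account is disabled.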