disable/delete AD Computer ignore exception group

    • #178395 (Participant)

      For some reason the logic is not ignoring computers when they are a member of the exception group.  Any ideas why?  From what I have found it has to do with the scope change.

      This works (uses a searchbase):

      $ExceptionGroup = "DIV-ComputerLifeCycleManagementException-DL"

      # Disabled computers whose Modified stamp is older than $DaysDisable, scoped to one domain partition.
      # $DaysDisable and $fileDelete are set earlier in the script (not shown here).
      $compds = Get-ADComputer -Property Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter {(enabled -eq $False) -and (Modified -le $DaysDisable)} -SearchBase "DC=1,DC=domain,DC=com"

      if ($compds) {
          foreach ($compd in $compds) {
              # Delete all computers not in the exception group.
              # -like against the MemberOf array returns the matching DNs; an empty result is $false.
              if (!($compd.MemberOf -like "*" + $ExceptionGroup + "*")) {
                  $j = $j + 1
                  $compd | Export-Csv -Append -Path $fileDelete
                  #$compd | Remove-ADComputer -Confirm:$False
                  # Get-ADComputer -Identity $compd | Remove-ADObject -Recursive -Confirm:$False
              }
          }
      }

      This does not work (using a GC server for multidomain searching):

      $ExceptionGroup = "DIV-ComputerLifeCycleManagementException-DL"

      # Same query, but sent to a global catalog (port 3268) so it spans every domain in the forest.
      $compds = Get-ADComputer -Property Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter {(enabled -eq $False) -and (Modified -le $DaysDisable)} -Server serv.domain.com:3268

      if ($compds) {
          foreach ($compd in $compds) {
              # Delete all computers not in the exception group
              if (!($compd.MemberOf -like "*" + $ExceptionGroup + "*")) {
                  $j = $j + 1
                  $compd | Export-Csv -Append -Path $fileDelete
                  #$compd | Remove-ADComputer -Confirm:$False
                  # Get-ADComputer -Identity $compd | Remove-ADObject -Recursive -Confirm:$False
              }
          }
      }

      Any ideas as to what is causing this change to make the commands ignore the line that says not to include computers that are in the exception group?

    • #178419 (Community Hero)

      One solution is to use a calculated expression to identify the membership and then just exclude them with a filter:

      Import-Module ActiveDirectory

      $exclusionGrp = 'CN=Domain Admins*'

      # Calculated property: $true when any MemberOf DN matches the exclusion group pattern
      $users = Get-ADUser -Filter {Enabled -eq $True} -Properties MemberOf |
               Select Name,
                      SamAccountName,
                      @{Name='InExclusionGroup';Expression={[boolean]($_.MemberOf -like $exclusionGrp)}}

      # Keep only the users that are not in the exclusion group
      foreach ($user in $users | Where{$_.InExclusionGroup -eq $false}) {
          $user
      }

      If you look at $users, you will see something like this; then you are just doing a simple filter:

      PS C:\Users\Administrator> $users

      Name          SamAccountName InExclusionGroup
      ----          -------------- ----------------
      Administrator Administrator              True
      Rob Simmers   rs                         True
      Jack Smith    js                        False
      Sally Smith   ss                        False
      Angela Smith  as                        False

    • #178524 (Participant)

      Would this take you in the correct direction?

      $exclusionGroup = "DIV-ComputerLifeCycleManagementException-DL"
      # Filters on the MemberOf array of each disabled computer
      Get-ADComputer -Filter {enabled -eq $false} -Properties memberOf | where {$_.memberof -notmatch $exclusionGroup}

    • #178647 (Participant)

      I like the idea, but something is not working correctly.  It is no longer getting the computers in the exception group, but it is missing a lot of other systems as well.

      PS C:\Scripts\ADCleanup> $compds=Get-ADComputer -Property Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter {(enabled -eq $False) -and (Modified -le $DaysDisable ) } -Server serv.domain.com:3268 | where-object {$_.memberof -notmatch $ExceptionGroup}
      PS C:\Scripts\ADCleanup> $compds.count
      59
      PS C:\Scripts\ADCleanup> $compds1=Get-ADComputer -Property Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter {(enabled -eq $False) -and (Modified -le $DaysDisable ) } -Server serv.domain.com:3268
      PS C:\Scripts\ADCleanup> $compds1.count
      1164

      There are 206 members of the exception group.  So going from 1164 results down to 59 is not correct.  I should be in the 958 or higher range.

    • #178674 (Participant)

      Seems so. Sorry, I didn't have AD to play with. This is ugly as the scripter, but it seems to get proper results. I had to drop those filters to get some hits, though.

      $exceptionGroup = 'CG-some-old-crapz'
      # Resolve the exception group's members (nested groups included) once, up front
      $exceptionGroupMembers = Get-ADGroupMember $exceptionGroup -Recursive
      $exceptionGroupMembers.Count

      $searchBase = 'OU=Servers,DC=plop,DC=com'

      $compds = Get-ADComputer -SearchBase $searchBase -Property Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter *
      $compds.Count

      # Exclude by comparing the computer's Name against the member list
      $compds = $compds | where {$_.name -notin $exceptionGroupMembers.name}
      $compds.Count

      
      • #179478 (Participant)

        So I'm getting an error when executing:

        $exceptionGroupMembers = Get-ADGroupMember $exceptionGroup -Recursive

        I have tried manually putting in the group identity and get the same exception every time.

        Get-ADGroupMember : An operations error occurred
        At line:2 char:26
        + $exceptionGroupMembers = Get-ADGroupMember $ExceptionGroup -Recursive
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (DIV-ComputerLif...entException-DL:ADGroup) [Get-ADGroupMember], ADException
        + FullyQualifiedErrorId : ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

    • #179481 (Participant)

      OK, I think I have it by using this:

      # Replacement for Get-ADGroupMember: reads the group's Member attribute directly and
      # resolves each DN through the global catalog, avoiding the "operations error" above.
      Function Get-ADGroupMemberFix {
          [CmdletBinding()]
          param(
              [Parameter(
                  Mandatory = $true,
                  ValueFromPipeline = $true,
                  ValueFromPipelineByPropertyName = $true,
                  Position = 0
              )]
              [string[]]
              $Identity
          )
          process {
              foreach ($GroupIdentity in $Identity) {
                  $Group = $null
                  $Group = Get-ADGroup -Identity $GroupIdentity -Properties Member
                  if (-not $Group) {
                      continue
                  }
                  Foreach ($Member in $Group.Member) {
                      Get-ADObject $Member -Server serv.domain.com:3268
                  }
              }
          }
      }

      $DaysInactive = (Get-Date).AddDays(-90)
      $DaysDisable = (Get-Date).AddDays(-7)
      $Yesterday = (Get-Date).AddDays(-1)
      $output = "C:\Scripts\ADCleanup\Output"
      $ExceptionGroup = "DIV-ComputerLifeCycleManagementException-DL"
      $exceptionGroupMembers = Get-ADGroupMemberFix $ExceptionGroup
      # Forest-wide (GC) query for disabled computers, minus any whose Name is in the exception group
      $compds = Get-ADComputer -Property Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter {(enabled -eq $False) -and (Modified -le $DaysDisable)} -Server serv.domain.com:3268 | where-object {$_.name -notin $exceptionGroupMembers.name}
      if ($compds) {
          foreach ($compd in $compds) {
              # Delete all computers not in the exception group
              #        if(!($compd.MemberOf -like "*"+ $ExceptionGroup +"*")){
              $j = $j + 1
              $compd | Export-Csv -Append -NoTypeInformation -Path $fileDelete
              #       $compd | Remove-ADComputer -Confirm:$False
              #        Get-ADComputer -Identity $compd | Remove-ADObject -Recursive -Confirm:$False
              #        }
          }
      }


      But I am getting strange results, so let me keep looking at this.  Basically my report keeps showing the items that would be in the exception group, but when I run:

      $compds | Select-Object name | Sort-Object name

      they are not found in the $compds results... So I'm missing something.
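An added example, not code from this thread, that shows why the `-notmatch` filter reported in #178647 dropped most computers and hardens the exclusion used in #179481 by comparing DistinguishedNames and refusing to proceed when the exception list comes back empty. The group DN and the computer objects are constructed samples so it runs without an AD connection; with real data they would come from `Get-ADGroup -Properties Member` and `Get-ADComputer -Properties MemberOf`.

```powershell
# Added example (not from the thread). Constructed sample data stands in for AD query results.
$ExceptionGroupDN = 'CN=DIV-ComputerLifeCycleManagementException-DL,OU=Groups,DC=1,DC=domain,DC=com'  # assumed DN

# What (Get-ADGroup $ExceptionGroupDN -Properties Member).Member would return (constructed).
$exceptionMemberDNs = @(
    'CN=SRV01,OU=Servers,DC=1,DC=domain,DC=com',
    'CN=SRV01,OU=Servers,DC=2,DC=domain,DC=com'   # same Name in a second domain: Name is not unique forest-wide
)

# What Get-ADComputer -Properties MemberOf would return for three disabled computers (constructed).
$computers = @(
    [pscustomobject]@{ Name = 'SRV01'; DistinguishedName = 'CN=SRV01,OU=Servers,DC=1,DC=domain,DC=com';      MemberOf = @($ExceptionGroupDN) }
    [pscustomobject]@{ Name = 'WS01';  DistinguishedName = 'CN=WS01,OU=Workstations,DC=1,DC=domain,DC=com'; MemberOf = @() }
    [pscustomobject]@{ Name = 'WS02';  DistinguishedName = 'CN=WS02,OU=Workstations,DC=2,DC=domain,DC=com'; MemberOf = @('CN=Other,OU=Groups,DC=2,DC=domain,DC=com') }
)

# Pitfall behind the 1164 -> 59 drop: -notmatch applied to the MemberOf array returns the
# non-matching elements, so a computer with an empty MemberOf yields an empty array, which
# Where-Object treats as $false. Computers that are in no group vanish from the candidate list.
$dropped = $computers | Where-Object { $_.MemberOf -notmatch 'DIV-ComputerLifeCycleManagementException-DL' }
($dropped.Name -join ',')   # WS02 only; WS01 is silently lost

function Get-DeletionCandidate {
    param(
        [Parameter(Mandatory)] [object[]] $Computer,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $ExceptionMemberDN
    )
    # Fail closed: if the exception list is empty (for instance because the group lookup threw
    # the "operations error" seen earlier and returned nothing), "-notin $null" would let every
    # computer through. Stop rather than build a list that deletes everything.
    if ($ExceptionMemberDN.Count -eq 0) {
        throw 'Exception group resolved to zero members; refusing to build a deletion list.'
    }
    # Compare DistinguishedNames, not Name: DNs are unique across the forest, and this avoids
    # memberOf altogether, so the result does not depend on which groups the answering DC knows.
    $exceptionSet = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$ExceptionMemberDN, [System.StringComparer]::OrdinalIgnoreCase)
    $Computer | Where-Object { -not $exceptionSet.Contains($_.DistinguishedName) }
}

$candidates = Get-DeletionCandidate -Computer $computers -ExceptionMemberDN $exceptionMemberDNs
($candidates.Name -join ',')   # WS01,WS02: SRV01 is excluded, WS01 is kept

# Preview before any destructive step; Remove-ADComputer honours -WhatIf.
# $candidates | ForEach-Object { Remove-ADComputer -Identity $_.DistinguishedName -WhatIf }
```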

    • #179658 (Participant)

      Not sure what was going on with the reporting, but all is well: the above is working great for me.  I did a VLOOKUP to verify that it is not catching any systems in the exception group, and it appears to be working perfectly!!  Thanks for everyone's help.