disable/delete AD Computer ignore exception group


This topic contains 7 replies, has 3 voices, and was last updated by a Participant 3 weeks, 4 days ago.

  • #178395

    Participant
    Topics: 7
    Replies: 11
    Points: 92
    Rank: Member

    For some reason the logic is not ignoring computers that are members of the exception group. Any ideas why? From what I have found, it has to do with the scope change.

    This works (uses a searchbase):

    $ExceptionGroup = "DIV-ComputerLifeCycleManagementException-DL"

    # Disabled computers not modified since $DaysDisable, searched in one domain
    $compds = Get-ADComputer -Property Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter {(enabled -eq $False) -and (Modified -le $DaysDisable)} -SearchBase "DC=1,DC=domain,DC=com"

    if ($compds) {
        foreach ($compd in $compds) {
            # Delete all computers not in the exception group
            # (MemberOf is the list of group DNs; the wildcard match looks for the group name in any of them)
            if (!($compd.MemberOf -like ("*" + $ExceptionGroup + "*"))) {
                $j = $j + 1
                $compd | Export-Csv -Append -Path $fileDelete
                #$compd | Remove-ADComputer -Confirm:$False
                #Get-ADComputer -Identity $compd | Remove-ADObject -Recursive -Confirm:$False
            }
        }
    }

    This does not work (using a GC server for multidomain searching):

    $ExceptionGroup = "DIV-ComputerLifeCycleManagementException-DL"

    # Same query, but against the global catalog (port 3268) to cover every domain in the forest
    $compds = Get-ADComputer -Property Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter {(enabled -eq $False) -and (Modified -le $DaysDisable)} -Server serv.domain.com:3268

    if ($compds) {
        foreach ($compd in $compds) {
            # Delete all computers not in the exception group
            if (!($compd.MemberOf -like ("*" + $ExceptionGroup + "*"))) {
                $j = $j + 1
                $compd | Export-Csv -Append -Path $fileDelete
                #$compd | Remove-ADComputer -Confirm:$False
                #Get-ADComputer -Identity $compd | Remove-ADObject -Recursive -Confirm:$False
            }
        }
    }

    Any ideas as to what is causing this change to make the commands ignore the line that says not to include computers in the exception group?


  • #178419

    Participant
    Topics: 8
    Replies: 1213
    Points: 756
    Helping Hand
    Rank: Major Contributor

    One solution is to use a calculated expression to identify the membership and then just exclude them with a filter:

    Import-Module ActiveDirectory

    $exclusionGrp = 'CN=Domain Admins*'

    # Add a calculated boolean property: does any DN in MemberOf match the exclusion group?
    $users = Get-ADUser -Filter {Enabled -eq $True} -Properties MemberOf |
             Select-Object Name,
                           SamAccountName,
                           @{Name='InExclusionGrouup';Expression={[boolean]($_.MemberOf -like $exclusionGrp)}}

    # Then the exclusion is a plain filter on that property
    foreach ($user in $users | Where-Object {$_.InExclusionGrouup -eq $false}) {
        $user
    }
    

    If you look at $users, you would see something like this; then you are just doing a simple filter:

    PS C:\Users\Administrator> $users
    
    Name          SamAccountName InExclusionGrouup
    ----          -------------- -----------------
    Administrator Administrator               True
    Rob Simmers   rs                          True
    Jack Smith    js                         False
    Sally Smith   ss                         False
    Angela Smith  as                         False
    
  • #178524

    Participant
    Topics: 4
    Replies: 76
    Points: 91
    Helping Hand
    Rank: Member

    Would this take you in the correct direction?

    
    $exclusionGroup = "DIV-ComputerLifeCycleManagementException-DL"
    # Keep only disabled computers whose memberOf contains no DN matching the exception group name
    Get-ADComputer -Filter {enabled -eq $false} -Properties memberOf | Where-Object {$_.memberOf -notmatch $exclusionGroup}
    
    
  • #178647

    Participant
    Topics: 7
    Replies: 11
    Points: 92
    Rank: Member

    I like the idea, but something is not working correctly. It is no longer getting the computers in the exception group, but it is missing a lot of other systems also.

    PS C:\Scripts\ADCleanup> $compds=Get-ADComputer -Property Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter {(enabled -eq $False) -and (Modified -le $DaysDisable ) } -Server serv.domain.com:3268 | where-object {$_.memberof -notmatch $ExceptionGroup}
    PS C:\Scripts\ADCleanup> $compds.count
    59
    PS C:\Scripts\ADCleanup> $compds1=Get-ADComputer -Property Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter {(enabled -eq $False) -and (Modified -le $DaysDisable ) } -Server serv.domain.com:3268
    PS C:\Scripts\ADCleanup> $compds1.count
    1164

    There are 206 members of the exception group, so going from 1164 results down to 59 is not correct. I should be in the 958 or higher range.

  • #178674

    Participant
    Topics: 4
    Replies: 76
    Points: 91
    Helping Hand
    Rank: Member

    Seems so. Sorry, I didn't have AD to play with. This is ugly scripting, but it seems to get proper results. I had to drop those filters to get some hits, though.

    $exceptionGroup = 'CG-some-old-crapz'
    # Enumerate the group (including nested groups) once, instead of inspecting each computer's memberOf
    $exceptionGroupMembers = Get-ADGroupMember $exceptionGroup -Recursive
    $exceptionGroupMembers.Count

    $searchBase = 'OU=Servers,DC=plop,DC=com'

    $compds = Get-ADComputer -SearchBase $searchBase -Property Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter *
    $compds.Count

    # Drop every computer whose name appears in the member list
    $compds = $compds | Where-Object {$_.name -notin $exceptionGroupMembers.name}
    $compds.Count
    
    • #179478

      Participant
      Topics: 7
      Replies: 11
      Points: 92
      Rank: Member

      So I'm getting an error when executing:

      $exceptionGroupMembers = Get-ADGroupMember $exceptionGroup -Recursive

      I have tried by manually putting in the group identity and get the same exception every time.

      Get-ADGroupMember : An operations error occurred
      At line:2 char:26
      + $exceptionGroupMembers = Get-ADGroupMember $ExceptionGroup -Recursive
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : NotSpecified: (DIV-ComputerLif...entException-DL:ADGroup) [Get-ADGroupMember], ADException
      + FullyQualifiedErrorId : ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

  • #179481

    Participant
    Topics: 7
    Replies: 11
    Points: 92
    Rank: Member

    OK, I think I have it by using this:

    # Replacement for Get-ADGroupMember: read the group's Member attribute and resolve each DN via the GC
    Function Get-ADGroupMemberFix {
        [CmdletBinding()]
        param(
            [Parameter(
                Mandatory = $true,
                ValueFromPipeline = $true,
                ValueFromPipelineByPropertyName = $true,
                Position = 0
            )]
            [string[]]
            $Identity
        )
        process {
            foreach ($GroupIdentity in $Identity) {
                $Group = $null
                $Group = Get-ADGroup -Identity $GroupIdentity -Properties Member
                if (-not $Group) {
                    continue
                }
                foreach ($Member in $Group.Member) {
                    Get-ADObject $Member -Server serv.domain.com:3268
                }
            }
        }
    }

    $DaysInactive = (Get-Date).AddDays(-90)
    $DaysDisable = (Get-Date).AddDays(-7)
    $Yesterday = (Get-Date).AddDays(-1)
    $output = "C:\Scripts\ADCleanup\Output"
    $fileDelete = Join-Path $output "ComputersToDelete.csv"   # assumed: the posted snippet never defines $fileDelete
    $ExceptionGroup = "DIV-ComputerLifeCycleManagementException-DL"
    $exceptionGroupMembers = Get-ADGroupMemberFix $ExceptionGroup
    # Disabled, stale computers from every domain (GC), minus anything named in the exception group
    $compds = Get-ADComputer -Property Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter {(enabled -eq $False) -and (Modified -le $DaysDisable)} -Server serv.domain.com:3268 | Where-Object {$_.name -notin $exceptionGroupMembers.name}
    if ($compds) {
        foreach ($compd in $compds) {
            # Delete all computers not in the exception group
            #if (!($compd.MemberOf -like "*" + $ExceptionGroup + "*")) {
            $j = $j + 1
            $compd | Export-Csv -Append -NoTypeInformation -Path $fileDelete
            #$compd | Remove-ADComputer -Confirm:$False
            #Get-ADComputer -Identity $compd | Remove-ADObject -Recursive -Confirm:$False
            #}
        }
    }
    

    But I'm getting strange results, so let me keep looking at this. Basically my report keeps showing the items that would be in the exception group, but when I run:

    $compds | Select-Object name | Sort-Object name

    it is not found in the $compds results... So I'm missing something.
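A hardened variant of the approach above, added here as an example and not code from the thread. It reads the exception group's members from a DC in the group's own domain (the global catalog does not replicate the membership of domain local groups, so memberOf as seen over port 3268 never contains this "-DL" group), compares computers by DistinguishedName rather than Name (which is only unique within one domain), and runs the deletion with -WhatIf against each computer's own domain instead of the read-only GC port. $GlobalCatalog, $ReportPath and the two helper functions are assumed names; $ExceptionGroup and $DaysDisable are the thread's own values.

```powershell
Import-Module ActiveDirectory

$ExceptionGroup = 'DIV-ComputerLifeCycleManagementException-DL'
$GlobalCatalog  = 'serv.domain.com:3268'
$ReportPath     = 'C:\Scripts\ADCleanup\Output\ComputersToDelete.csv'   # assumed output file
$DaysDisable    = (Get-Date).AddDays(-7)

# "CN=x,OU=y,DC=child,DC=domain,DC=com" -> "child.domain.com" (assumed helper)
function ConvertTo-DomainName([string]$Dn) {
    $dcPart = ($Dn -split ',(?=DC=)', 2)[1]
    return (($dcPart -split ',') -replace '^DC=', '') -join '.'
}

# Collect member DNs by reading the group's Member attribute from a DC in its own domain;
# the GC only carries universal group membership, so this is what the 3268 query could not see.
# Nested groups are followed; the HashSet also stops loops between groups. (assumed helper)
function Get-GroupMemberDn([string]$GroupDn, [System.Collections.Generic.HashSet[string]]$Acc) {
    $grp = Get-ADGroup -Identity $GroupDn -Server (ConvertTo-DomainName $GroupDn) -Properties Member
    foreach ($m in $grp.Member) {
        if (-not $Acc.Add($m)) { continue }          # already recorded
        $obj = Get-ADObject -Identity $m -Server $GlobalCatalog
        if ($obj.ObjectClass -eq 'group') { Get-GroupMemberDn -GroupDn $m -Acc $Acc }
    }
}

$grp = Get-ADGroup -Filter "SamAccountName -eq '$ExceptionGroup'" -Server $GlobalCatalog
if (-not $grp) { throw "Exception group '$ExceptionGroup' not found via $GlobalCatalog" }
$exempt = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
Get-GroupMemberDn -GroupDn $grp.DistinguishedName -Acc $exempt

$candidates = @(Get-ADComputer -Server $GlobalCatalog -Properties Name,LastLogonDate,Modified `
    -Filter { (Enabled -eq $false) -and (Modified -le $DaysDisable) })

# Match on DistinguishedName: a same-named computer in another domain would otherwise be
# wrongly exempted (or wrongly deleted) when comparing by Name alone.
$toDelete = @($candidates | Where-Object { -not $exempt.Contains($_.DistinguishedName) })

$toDelete | Select-Object Name, DistinguishedName, LastLogonDate, Modified |
    Export-Csv -NoTypeInformation -Path $ReportPath
'{0} disabled candidates, {1} exempt entries, {2} queued for deletion' -f $candidates.Count, $exempt.Count, $toDelete.Count

# Dry run against a DC of the computer's own domain (port 3268 is read-only); drop -WhatIf only after reviewing the CSV
foreach ($c in $toDelete) {
    Remove-ADComputer -Identity $c.DistinguishedName -Server (ConvertTo-DomainName $c.DistinguishedName) -WhatIf
}
```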

  • #179658

    Participant
    Topics: 7
    Replies: 11
    Points: 92
    Rank: Member

    So, not sure what was going on with the reporting, but all is well: the above is working great for me. I did a VLOOKUP to verify that it is not catching any systems in the exception group, and it appears to be working perfectly!! Thanks for everyone's help.
