Disabled AD users query with sAMAccountName and EmailAddress.

    • #191980
      Participant
      Topics: 1
      Replies: 3
      Points: 18
      Rank: Member

      Hello,

      I have a list of email addresses that I need to check against AD to see if they are disabled. I have not found a way to use PowerShell to check based on UPN or email; instead I have been converting the list to the sAMAccountName to find out. Is there a way to take this email list and check if the UPN is disabled and export to a CSV file with the sAMAccountName and Email?

      This is what I am using currently.

      Get-Content ".\Emails to Check.csv" |
      ForEach-Object { Get-ADUser -LDAPFilter "(mail=$_)" } |
      Select-Object -ExpandProperty sAMAccountName |
      Out-File .\Sam.csv
      
      Get-Content .\Sam.csv |
      Get-ADUser |
      select SamAccountName,Enabled |
      Export-Csv .\UserStatusResults.csv -NoTypeInformation
      
      Invoke-Item .\UserStatusResults.csv
      
      Remove-Item -Path .\Sam.csv -Recurse
      
    • #191995
      Participant
      Topics: 0
      Replies: 2
      Points: 49
      Rank: Member

      You could do something like this:

      $emails = Get-content .\emails.csv | Select-Object -skip 1
      
      foreach ($email in $emails) {
      
      $email = ($email -split "@")[0]; Get-aduser $email | Select SamAccountName, Enabled | Export-Csv .\UserStatusResults.csv -NoTypeInformation -Append
      
      }
      
      Invoke-item .\UserStatusResults.csv
    • #192013
      Participant
      Topics: 1
      Replies: 3
      Points: 18
      Rank: Member

      I get the following errors when running that script for each of the users and the exported CSV is incomplete.

      Get-aduser : Cannot find an object with identity: 'removed name' under: 'DC=corp,DC=REMOVEDCOMPANY,DC=com'.
      At line:5 char:34
      + $email = ($email -split "@")[0]; Get-aduser $email | Select SamAccoun ...
      + ~~~~~~~~~~~~~~~~~
      + CategoryInfo : ObjectNotFound: (REMOVEDNAME:ADUser) [Get-ADUser], ADIdentityNotFoundException
      + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADUser

       

    • #192037
      Participant
      Topics: 0
      Replies: 2
      Points: 49
      Rank: Member

      I looked through your initial script again, this may not work for you. This script will only work if your email address is formatted like samAccountName@company.com which I assumed was the case. It's just passing through the portion before the @ sign into Get-AdUser. If that doesn't correspond to an actual username it won't work.

    • #193072
      Participant
      Topics: 1
      Replies: 3
      Points: 18
      Rank: Member

      Good morning.

       

      I actually got it to work by using this script.

       

      Get-Content ".\(1) Emails to Check.csv" |
      ForEach-Object { Get-ADUser -LDAPFilter "(mail=$_)" } |
      Select-Object -ExpandProperty sAMAccountName |
      Out-File .\Sam.csv

      Get-Content .\Sam.csv |
      Get-ADUser -Properties * |
      select extensionAttribute11,Office,mail,SamAccountName,Enabled |

      Export-Csv .\UserStatusResults.csv -NoTypeInformation

      Invoke-Item .\UserStatusResults.csv

      Remove-Item -Path .\Sam.csv -Recurse

    • #193081
      Participant
      Topics: 4
      Replies: 105
      Points: 249
      Helping Hand
      Rank: Participant

      By the look of your code it seems that it's not actually a CSV, but just a file whose content is the email addresses.

      What is the first row in the file?

      This is not tested, just written out from spine 🙂

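      # Assumes a one-column file without a header row; -Header names that column Email
      $emails = Import-Csv .\emails.csv -Header Email
      
      foreach ($email in $emails) {
      
          # $($email.Email) inserts the address itself rather than the whole row object
          Get-ADUser -Filter "UserPrincipalName -eq '$($email.Email)'" -Properties Enabled | Select-Object UserPrincipalName, Enabled
      
      }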

      You might want to look also to attribute expiration date

    • #193084
      Participant
      Topics: 10
      Replies: 1375
      Points: 1,481
      Helping Hand
      Rank: Community Hero

      Glad you have your script working, but it's doing some unnecessary steps. There is no reason to run a search on email (Get-ADUser), only get the SAM and then run another search (Get-ADUser) on the SAM. If the search found the user on email, you can get everything you need from that search. Additionally, the script is only getting matches, so then you need to look at the other CSV to see who was not found. This is a more standard Powershelly way to do what you want:

      $emails = Get-Content -Path ".\(1) Emails to Check.csv"
      
      $results = foreach ($email in $emails) {
      
          $user = Get-ADUser -LDAPFilter "(mail=$email)" -Properties extensionAttribute11,Office,mail,SamAccountName,Enabled |
                  Select extensionAttribute11,Office,mail,SamAccountName,Enabled
      
          if ( $user ) {
              $user
          }
          else {
              [pscustomobject]@{
                  extensionAttribute11 = $null
                  Office               = $null
                  mail                 = $email
                  SamAccountName       = $null
                  Enabled              = $null 
              }
          }
      
      }
      
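      # Pipe the collected rows into Export-Csv; with "=" here Export-Csv receives no input and prompts for InputObject
      $results | Export-Csv .\UserStatusResults.csv -NoTypeInformation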
      
      Invoke-Item .\UserStatusResults.csv
      

      Also, another note, your emails are coming from a CSV which insinuates there is a header (e.g. Email). Using Get-Content, your first search would be for "Email". You can use the -Skip 1 as @ShawnTheAdmin had in his script to skip that line or if you use Import-CSV, then you would need to reference the email like -LDAPFilter "(mail=$($email.Email))"

    • #193102
      Participant
      Topics: 1
      Replies: 3
      Points: 18
      Rank: Member


      The list of emails are actually in a CSV file with no headers and it's pulling without issues. I tried your script and it's prompting me for "InputObject".

      The goal is to only pull from the list of users I provide so that we can check for disabled accounts for a specific department or system we're using. I did manually compare against AD and all of the users that came back as disabled are actually shown disabled with our proper term requests. So as of right now accuracy rate is 100%. I do not know if there will ever be a user who's not in AD that does not return a result but this will work for now.

      I'm still new to PowerShell and actually haven't done any proper training. I wrote that script based off different search results I have found online, kinda put 2 and 2 together and got it working the way I want it. If you guys have any sites or recommend any courses for advanced learning I'm all ears.
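
A single-query version of the lookup discussed in this thread, as an added example that is not code from any of the posters: it matches each list entry against mail or userPrincipalName, escapes LDAP filter special characters in the entry before it is placed in the filter, and keeps a row for entries that match nothing or match more than one account. The input file name `.\emails.txt` (one address per line, no header), the helper name `ConvertTo-LdapFilterValue` and the `Input`/`Status` columns are assumptions.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the RFC 4515 special characters so a list entry is matched
    # literally; an unescaped "*" would otherwise match every account.
    param([Parameter(Mandatory)][string]$Value)
    $escaped = $Value.Replace('\', '\5c').Replace('*', '\2a')   # backslash first
    $escaped = $escaped.Replace('(', '\28').Replace(')', '\29')
    $escaped.Replace([string][char]0, '\00')
}

$inputFile  = '.\emails.txt'             # assumed name: one address per line, no header
$outputFile = '.\UserStatusResults.csv'

$results = @(foreach ($line in Get-Content -Path $inputFile) {
    $email = $line.Trim()
    if (-not $email) { continue }        # skip blank lines

    $value  = ConvertTo-LdapFilterValue -Value $email
    $filter = "(|(mail=$value)(userPrincipalName=$value))"
    $found  = @(Get-ADUser -LDAPFilter $filter -Properties mail)

    if ($found.Count -eq 0) {
        # Keep a row for entries with no match so they are not silently dropped
        [pscustomobject]@{
            Input = $email; Status = 'NotFound'; SamAccountName = $null
            UserPrincipalName = $null; Mail = $null; Enabled = $null
        }
        continue
    }
    $status = if ($found.Count -gt 1) { 'MultipleMatches' } else { 'Found' }
    foreach ($user in $found) {
        [pscustomobject]@{
            Input             = $email
            Status            = $status
            SamAccountName    = $user.SamAccountName
            UserPrincipalName = $user.UserPrincipalName
            Mail              = $user.mail
            Enabled           = $user.Enabled
        }
    }
})

$results | Export-Csv -Path $outputFile -NoTypeInformation
# Disabled accounts only (NotFound rows have Enabled = $null and are excluded)
$results | Where-Object { $_.Enabled -eq $false } | Select-Object Input, SamAccountName, Mail
```

Rows with Status `NotFound` or `MultipleMatches` are the ones to review by hand before treating the list as fully checked.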
