DistinguishedName and Get-ADUser (Help?)

This topic contains 5 replies, has 2 voices, and was last updated by Profile photo of Eric Bronnert Eric Bronnert 2 months, 3 weeks ago.

  • Author
    Posts
  • #67815
    Profile photo of Eric Bronnert
    Eric Bronnert
    Participant

    Hello everyone. It's been a while since I've posted. I'm back – and this time I need help! (Again).
    Below is the idea I'm going with for my code, which I will also post below.

    1. Import a CSV with the header "DistinguishedName" that contains my list of DistinguishedNames that I want to string and search for.
    2. Search all of the listed names and return any which have a value of CannotChangePassword -eq $true
    3. Export all $true values to a separate csv with the properties of Name, DistringuishedName and CannotChangePassword.

    Here's my code. I appreciate you gods ahead of time. I have a hunch that I need the -Identity of Get-ADUser in here somewhere however I've exhausted myself and I'm resorting for help. Help me fix my script!

    cd C:\users\tuser\desktop\ADCLEANUP
    Import-CSV "Userlist.csv" | %{if ((Get-ADUser -filter {DistinguishedName -eq $_.DistinguishedName }).CannotChangePassword -eq $true) 
    {Select Name,DistinguishedName,CannotChangePassword}} | export-csv -append -path C:\Users\tuser\Desktop\ADCLEANUP\wheretrue.csv

    *note* – I'm getting the following error message when I run this code.

    'DistinguishedName' not found in object of type: 'system.management.automation.pscustomobject'
  • #67824
    Profile photo of Paul DeArment Jr
    Paul DeArment Jr
    Participant

    Eric,

    I took a look at your segment above and cleaned it up a little to make it easier to work with. I have provided a working version of what you were attempting to do below. I would use the identity field instead of the filter for the distinguishedname. If you wanted to do it on other things (office, phone, etc) then using the filter is a good idea. You also will need to specifically state that you want the cannotchangepassword property since that is not returned by default. You will also need to output this value to a variable due to needing the script to know exactly what to select from.

    Import-CSV "Userlist.csv" | ForEach-Object{
    	if ((Get-ADUser -identity $_.DistinguishedName -Properties cannotchangepassword -OutVariable user).CannotChangePassword -eq $true)
    	{
    		 $user | Select-Object Name, DistinguishedName, CannotChangePassword
    	}	
    } 
    
  • #67828
    Profile photo of Eric Bronnert
    Eric Bronnert
    Participant

    Thank you Paul. I will have to try this tomorrow when I get back to the office

    -Eric

  • #67869
    Profile photo of Eric Bronnert
    Eric Bronnert
    Participant

    I tested this and I am receiving an error. Please see below.

    Get-ADUser : Directory object not found
    At line:2 char:7
    +     if ((Get-ADUser -identity $_.DistinguishedName -Properties cannot ...
    +          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (CN=Denea Ridley...s,DC=lys,DC=org:ADUser) [Get-ADUser], ADIdentityNotFoundException
        + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Manage 
       ment.Commands.GetADUser
  • #67885
    Profile photo of Paul DeArment Jr
    Paul DeArment Jr
    Participant

    I would validate the input data. Run get-aduser against one line of your list of DNs manually (specifically the one in the error above) and validate it comes back correctly. That would be the first step. I re-ran the snippet against our environment at work just to validate everything returned correctly and it does which is leading me towards issues with the input.

  • #67911
    Profile photo of Eric Bronnert
    Eric Bronnert
    Participant

    Thank you – I have resolved this issue and have confirmed that your code works perfectly. Appciaiate your help.

You must be logged in to reply to this topic.