Exclude OU groups in powershell script


This topic contains 8 replies, has 4 voices, and was last updated by a Participant 4 weeks ago.

  • #112286
    av

    Participant
    Points: 0
    Rank: Member

    Hello,

    We have a PowerShell script that checks every day whether users in the domain have a password that needs to be changed; if so, the user receives an email about changing their password.

    The script looks at every user in all OUs, but we want to exclude some OUs in the script.

    The script / import module we use is:

    import-module ActiveDirectory
    $verbose = $true
    $notificationstartday = 14
    $sendermailaddress = "example@example.net"
    $SMTPserver = "example@example.nl"
    $DN = "OU=customers,DC=customerdomain,DC=local"

    Under OU=customers we want to exclude some OUs.

    If we use

    $ExcludeGroup = "OU=users,OU=customer1,OU=customers,DC=customerdomain,DC=local"

    it does not exclude the accounts in that OU.

    Regards

  • #112294
    Jon

    Participant
    Points: 0
    Rank: Member

    Is this the full code? Because I do not see anything in there where you search, or how you're excluding.

  • #112295
    av

    Participant
    Points: 0
    Rank: Member

    Hello Jon, this is the whole script (I deleted some info), thanks for helping.

    Import-Module ActiveDirectory

    ##############Variables#################

    $verbose = $true
    $notificationstartday = 14
    $sendermailaddress = "example@example.net"
    $SMTPserver = "servername"
    $DN = "OU=Customers,DC=Domain,DC=local"
    $ExcludeGroup = "OU=Users,OU=company1,OU=Customers,DC=Domain,DC=local"

    ########################################

    ##############Function##################

    # Builds the policy summary appended to the mail when $verbose is set
    # (the actual wording was removed before posting; only the line breaks remain).
    function PreparePasswordPolicyMail ($ComplexityEnabled, $MaxPasswordAge, $MinPasswordAge, $MinPasswordLength, $PasswordHistoryCount)
    {
        $verbosemailBody = "`r`n`r`n"
        $verbosemailBody += "`r`n`r`n"
        $verbosemailBody += "`r`n"
        $verbosemailBody += "- `r`n"
        $verbosemailBody += "`r`n"
        $verbosemailBody += "`r`n`r`n"
        return $verbosemailBody
    }

    # Sends one notification mail through the internal SMTP server.
    function SendMail ($SMTPserver, $sendermailaddress, $usermailaddress, $mailBody)
    {
        $smtpServer = $SMTPserver
        $msg = New-Object Net.Mail.MailMessage
        $smtp = New-Object Net.Mail.SmtpClient($smtpServer)
        $msg.From = $sendermailaddress
        $msg.To.Add($usermailaddress)
        $msg.Subject = "Password expires"
        $msg.Body = $mailBody
        $smtp.Send($msg)
    }

    ########################################

    ##############Main######################

    $domainPolicy = Get-ADDefaultDomainPasswordPolicy
    # A MaxPasswordAge of 0 days means passwords never expire under the default policy.
    $passwordexpirydefaultdomainpolicy = $domainPolicy.MaxPasswordAge.Days -ne 0

    if ($passwordexpirydefaultdomainpolicy)
    {
        $defaultdomainpolicyMaxPasswordAge = $domainPolicy.MaxPasswordAge.Days
        if ($verbose)
        {
            # Built from $domainPolicy: $PSOpolicy is not defined yet at this point.
            $defaultdomainpolicyverbosemailBody = PreparePasswordPolicyMail $domainPolicy.ComplexityEnabled $domainPolicy.MaxPasswordAge.Days $domainPolicy.MinPasswordAge.Days $domainPolicy.MinPasswordLength $domainPolicy.PasswordHistoryCount
        }
    }

    foreach ($user in (Get-ADUser -SearchBase $DN -Filter * -Properties mail))
    {
        $samaccountname = $user.samaccountname
        # Returns the fine-grained password policy (PSO) that applies to the user, or nothing.
        $PSO = Get-ADUserResultantPasswordPolicy -Identity $samaccountname

        if ($null -ne $PSO)
        {
            $PSOpolicy = $PSO
            $PSOMaxPasswordAge = $PSOpolicy.MaxPasswordAge.Days
            # pwdLastSet is a Windows file time; 0 (must change at next logon) becomes 1601-01-01
            # and therefore an expiry date in the past, so no mail is sent for it.
            $pwdlastset = [datetime]::FromFileTime((Get-ADUser -LDAPFilter "(&(samaccountname=$samaccountname))" -Properties pwdLastSet).pwdLastSet)
            $expirydate = ($pwdlastset).AddDays($PSOMaxPasswordAge)
            $delta = ($expirydate - (Get-Date)).Days
            # Notify when the password expires within $notificationstartday days but has not expired yet.
            $comparisonresults = ($delta -le $notificationstartday) -and ($delta -ge 1)

            if ($comparisonresults)
            {
                $mailBody = "Beste " + $user.GivenName + ",`r`n`r`n"
                $mailBody += "`r`n`r`n"
                if ($verbose)
                {
                    $mailBody += PreparePasswordPolicyMail $PSOpolicy.ComplexityEnabled $PSOpolicy.MaxPasswordAge.Days $PSOpolicy.MinPasswordAge.Days $PSOpolicy.MinPasswordLength $PSOpolicy.PasswordHistoryCount
                }
                $mailBody += "`r`n`r`n"
                $mailBody += "`r`n`r`n"
                $usermailaddress = $user.mail
                SendMail $SMTPserver $sendermailaddress $usermailaddress $mailBody
            }
        }
        else
        {
            if ($passwordexpirydefaultdomainpolicy)
            {
                $pwdlastset = [datetime]::FromFileTime((Get-ADUser -LDAPFilter "(&(samaccountname=$samaccountname))" -Properties pwdLastSet).pwdLastSet)
                $expirydate = ($pwdlastset).AddDays($defaultdomainpolicyMaxPasswordAge)
                $delta = ($expirydate - (Get-Date)).Days
                $comparisonresults = ($delta -le $notificationstartday) -and ($delta -ge 1)

                if ($comparisonresults)
                {
                    $mailBody = "Beste " + $user.GivenName + ",`r`n`r`n"
                    $mailBody += "`r`n`r`n"
                    if ($verbose)
                    {
                        $mailBody += $defaultdomainpolicyverbosemailBody
                    }
                    $mailBody += "`r`n`r`n"
                    $mailBody += "`r`n`r`n"
                    $usermailaddress = $user.mail
                    SendMail $SMTPserver $sendermailaddress $usermailaddress $mailBody
                }
            }
        }
    }

  • #112298
    Jon

    Participant
    Points: 0
    Rank: Member

    Please see the text in bold at the top of every post on how to format code for the forums " To format code..."

  • #112331
    av

    Participant
    Points: 0
    Rank: Member
    Import-Module ActiveDirectory

    ##############Variables#################

    $verbose = $true
    $notificationstartday = 14
    $sendermailaddress = "example@example.net"
    $SMTPserver = "servername"
    $DN = "OU=Customers,DC=Domain,DC=local"
    $ExcludeGroup = "OU=Users,OU=company1,OU=Customers,DC=Domain,DC=local"

    ########################################

    ##############Function##################

    # Builds the policy summary appended to the mail when $verbose is set
    # (the actual wording was removed before posting; only the line breaks remain).
    function PreparePasswordPolicyMail ($ComplexityEnabled, $MaxPasswordAge, $MinPasswordAge, $MinPasswordLength, $PasswordHistoryCount)
    {
        $verbosemailBody = "`r`n`r`n"
        $verbosemailBody += "`r`n`r`n"
        $verbosemailBody += "`r`n"
        $verbosemailBody += "- `r`n"
        $verbosemailBody += "`r`n"
        $verbosemailBody += "`r`n`r`n"
        return $verbosemailBody
    }

    # Sends one notification mail through the internal SMTP server.
    function SendMail ($SMTPserver, $sendermailaddress, $usermailaddress, $mailBody)
    {
        $smtpServer = $SMTPserver
        $msg = New-Object Net.Mail.MailMessage
        $smtp = New-Object Net.Mail.SmtpClient($smtpServer)
        $msg.From = $sendermailaddress
        $msg.To.Add($usermailaddress)
        $msg.Subject = "Password expires"
        $msg.Body = $mailBody
        $smtp.Send($msg)
    }

    ########################################

    ##############Main######################

    $domainPolicy = Get-ADDefaultDomainPasswordPolicy
    # A MaxPasswordAge of 0 days means passwords never expire under the default policy.
    $passwordexpirydefaultdomainpolicy = $domainPolicy.MaxPasswordAge.Days -ne 0

    if ($passwordexpirydefaultdomainpolicy)
    {
        $defaultdomainpolicyMaxPasswordAge = $domainPolicy.MaxPasswordAge.Days
        if ($verbose)
        {
            # Built from $domainPolicy: $PSOpolicy is not defined yet at this point.
            $defaultdomainpolicyverbosemailBody = PreparePasswordPolicyMail $domainPolicy.ComplexityEnabled $domainPolicy.MaxPasswordAge.Days $domainPolicy.MinPasswordAge.Days $domainPolicy.MinPasswordLength $domainPolicy.PasswordHistoryCount
        }
    }

    foreach ($user in (Get-ADUser -SearchBase $DN -Filter * -Properties mail))
    {
        $samaccountname = $user.samaccountname
        # Returns the fine-grained password policy (PSO) that applies to the user, or nothing.
        $PSO = Get-ADUserResultantPasswordPolicy -Identity $samaccountname

        if ($null -ne $PSO)
        {
            $PSOpolicy = $PSO
            $PSOMaxPasswordAge = $PSOpolicy.MaxPasswordAge.Days
            # pwdLastSet is a Windows file time; 0 (must change at next logon) becomes 1601-01-01
            # and therefore an expiry date in the past, so no mail is sent for it.
            $pwdlastset = [datetime]::FromFileTime((Get-ADUser -LDAPFilter "(&(samaccountname=$samaccountname))" -Properties pwdLastSet).pwdLastSet)
            $expirydate = ($pwdlastset).AddDays($PSOMaxPasswordAge)
            $delta = ($expirydate - (Get-Date)).Days
            # Notify when the password expires within $notificationstartday days but has not expired yet.
            $comparisonresults = ($delta -le $notificationstartday) -and ($delta -ge 1)

            if ($comparisonresults)
            {
                $mailBody = "Beste " + $user.GivenName + ",`r`n`r`n"
                $mailBody += "`r`n`r`n"
                if ($verbose)
                {
                    $mailBody += PreparePasswordPolicyMail $PSOpolicy.ComplexityEnabled $PSOpolicy.MaxPasswordAge.Days $PSOpolicy.MinPasswordAge.Days $PSOpolicy.MinPasswordLength $PSOpolicy.PasswordHistoryCount
                }
                $mailBody += "`r`n`r`n"
                $mailBody += "`r`n`r`n"
                $usermailaddress = $user.mail
                SendMail $SMTPserver $sendermailaddress $usermailaddress $mailBody
            }
        }
        else
        {
            if ($passwordexpirydefaultdomainpolicy)
            {
                $pwdlastset = [datetime]::FromFileTime((Get-ADUser -LDAPFilter "(&(samaccountname=$samaccountname))" -Properties pwdLastSet).pwdLastSet)
                $expirydate = ($pwdlastset).AddDays($defaultdomainpolicyMaxPasswordAge)
                $delta = ($expirydate - (Get-Date)).Days
                $comparisonresults = ($delta -le $notificationstartday) -and ($delta -ge 1)

                if ($comparisonresults)
                {
                    $mailBody = "Beste " + $user.GivenName + ",`r`n`r`n"
                    $mailBody += "`r`n`r`n"
                    if ($verbose)
                    {
                        $mailBody += $defaultdomainpolicyverbosemailBody
                    }
                    $mailBody += "`r`n`r`n"
                    $mailBody += "`r`n`r`n"
                    $usermailaddress = $user.mail
                    SendMail $SMTPserver $sendermailaddress $usermailaddress $mailBody
                }
            }
        }
    }
    
  • #112336
    Jon

    Participant
    Points: 0
    Rank: Member

    How are you attempting to exclude them? You have the variable defined, but you aren't implementing it anywhere else in the code.

  • #112345
    av

    Participant
    Points: 0
    Rank: Member

    I don't have a lot of knowledge about PowerShell. Do you know what code I can use and where to put it in the script? Thanks for your time!

  • #112397

    Participant
    Points: 0
    Rank: Member

    Unfortunately, I'm not aware of a "reverse" SearchBase.

    And to make things more annoying, you can't use DistinguishedName as a filter.

    So when I need to exclude users in specific OUs from a script, I generally perform an if statement on the user's distinguished name.

    i.e. something like:

    foreach ($user in (Get-ADUser -SearchBase $DN -Filter * -Properties mail))
    {
        if ($user.DistinguishedName -notlike "*company1*")
        {
            # do something: the user is outside the excluded OU, so process it here
            Write-Output $user.SamAccountName
        }
        else
        {
            # do nothing: the user is inside the excluded OU and is skipped
        }
    }
    
  • #112408

    Participant
    Points: 0
    Rank: Member

    My first thought would be to gather all the OUs in the environment and then loop through them with foreach. You could then use an If statement to exclude OUs. Something like the below.

    
    $OUs = Get-ADOrganizationalUnit -Filter *

    foreach ($OU in $OUs) {
        if ($OU.DistinguishedName -ne "OU=EXCLUDE,OU=Contoso,DC=Contoso,DC=com") {
            # PasswordLastSet is not returned by Get-ADUser by default; without -Properties
            # the comparison below runs against $null and matches every user.
            # Note that -SearchBase searches the whole subtree, so users in child OUs are
            # also returned when their parent OU is processed.
            $Users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $OU.DistinguishedName -Properties PasswordLastSet
            foreach ($User in $Users) {
                if ($User.PasswordLastSet -lt (Get-Date).AddDays(-60)) {
                    Send-MailMessage -To user@contoso.com -From administrator@contoso.com -Subject 'Password Expiry' -SmtpServer relay.contoso.com
                }
            }
        }
    }
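
An added example, not code from any poster in this thread, that combines the two suggestions above: it keeps the single Get-ADUser call over $DN and drops users whose DistinguishedName ends with one of the excluded OU DNs, so the whole subtree of each excluded OU is skipped by an exact suffix match rather than a substring match like "*company1*" (which would also hit "OU=company10" or a user whose name contains "company1"). The second entry in $ExcludeOUs and the sample DNs are constructed for illustration.

```powershell
# Added example (not from the thread): exclude users by OU with an exact DN suffix match.
Import-Module ActiveDirectory

$DN = "OU=Customers,DC=Domain,DC=local"
# Constructed list of OUs to exclude; the second entry is an assumed example.
$ExcludeOUs = @(
    "OU=Users,OU=company1,OU=Customers,DC=Domain,DC=local",
    "OU=Users,OU=company7,OU=Customers,DC=Domain,DC=local"
)

function Test-InExcludedOU {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string[]]$ExcludedOUs
    )
    foreach ($ou in $ExcludedOUs) {
        # An object in the OU, or in any child OU below it, has a DN ending in ",<OU DN>".
        if ($DistinguishedName.EndsWith(",$ou", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Offline check with constructed DNs before touching the directory:
# the first two are excluded (direct member and child OU), the third is kept
# because "OU=company10" is not "OU=company1".
$sample = @(
    "CN=Jan Jansen,OU=Users,OU=company1,OU=Customers,DC=Domain,DC=local",
    "CN=svc-backup,OU=Service,OU=Users,OU=company1,OU=Customers,DC=Domain,DC=local",
    "CN=Piet Pietersen,OU=Users,OU=company10,OU=Customers,DC=Domain,DC=local"
)
$sample | ForEach-Object { "{0} -> excluded: {1}" -f $_, (Test-InExcludedOU $_ $ExcludeOUs) }

# In the script, replace the foreach source with the filtered list. pwdLastSet is
# requested here so the per-user Get-ADUser lookup in the script is no longer needed.
$users = Get-ADUser -SearchBase $DN -Filter * -Properties mail, pwdLastSet |
    Where-Object { -not (Test-InExcludedOU $_.DistinguishedName $ExcludeOUs) }

foreach ($user in $users) {
    # The password-expiry check and SendMail call from the script go here.
    Write-Verbose ("Checking {0}" -f $user.SamAccountName)
}
```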
    
    
