
March 20, 2018 at 4:45 pm

Good morning!
Attempting to delete AD accounts via the following script:
foreach ($user in get-content d:\powershell_temp\svcfwsqlstg_accounts_bad.out) {
  Get-ADUser -Filter {Name -eq "$user"} -SearchBase "OU=ServiceAccts,DC=cheri,DC=org" | Remove-ADUser
  "Removing $user" | Out-file -FilePath d:\powershell_temp\remove_invalid_sql_svc_accts.txt -Append
}

I ran the script, but the accounts do not delete.

Here are the contents of the file:
svcSQLStg400Agent
svcSQLStg400DBEng
svcSQLStg400Int
svcSQLStg450Agent
svcSQLStg450DBENg
svcSQLStg450SSRS
svcSQLStg450SSRSAgent
svcSQLStg450SSRSEng

Thank you in advance

Norm

March 20, 2018 at 4:46 pm

I'd start by just running the Get-ADUser part. Is it returning users? Because if that's not working, then the Remove won't work, either.

For example, "Get-ADUser -Filter {Name -eq "$user"}" seems odd to me. I'm wondering why you wouldn't just use "Get-ADUser -Identity $user" instead.

March 20, 2018 at 7:14 pm

Hello Don;
Thank you for your response. Perhaps I'm not following you; here is what I get:
$list = Get-Content d:\powershell_temp\svcfwsqlstg_accounts_bad.out
echo $list
svcFWSQLStg400Agent
svcFWSQLStg400DBEng
svcFWSQLStg400Int
svcFWSQLStg450Agent
svcFWSQLStg450DBENg
svcFWSQLStg450SSRS
svcFWSQLStg450SSRSAgent
svcFWSQLStg450SSRSEng

Get-Aduser -Identity $list
Get-ADUser : Cannot convert 'System.Object[]' to the type 'Microsoft.ActiveDirectory.Management.ADUser' required by parameter 'Identity'. Specified
method is not supported.
At line:1 char:22
+ Get-Aduser -Identity $list
+ ~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADUser], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgument,Microsoft.ActiveDirectory.Management.Commands.GetADUser

Thanks for the help
Norm

March 20, 2018 at 7:16 pm

Sure, but that's not what I suggested :). You gave -Identity an array. So, just re-using your original code:

foreach ($user in (get-content d:\powershell_temp\svcfwsqlstg_accounts_bad.out)) {
  Get-ADUser -Identity $user
}

Is what I was asking.

March 20, 2018 at 7:21 pm

Hello Don;
Had a senior moment and forgot the foreach loop. Still having a small, shall we say, opportunity: Get-Aduser : Cannot find an object with identity: 'svcFWSQLStg450SSRSAgent' under: 'DC=cheri,DC=org'. This svc account is in AD; I double-checked.

Norm

March 20, 2018 at 8:14 pm

Hello Don;

Please note the following. I do not understand why Get-ADUser does not work for svcFWSQLStg450SSRSAgent. It does work when I do the following: Get-ADUser -Filter {Name -eq 'svcFWSQLStg450SSRSAgent' } -SearchBase "OU=ServiceAccts,DC=cheri,DC=org". This is why I was trying to use Remove-ADUser -Filter {Name -eq "$user"} -SearchBase "OU=ServiceAccts,DC=wvus,DC=org". It didn't seem I had any other options.

Here is the output:

$ foreach ($user in (get-content d:\powershell_temp\svcfwsqlstg_accounts_bad.out )) {
Get-Aduser -Identity $user -Properties DistinguishedName | Select-Object -ExpandProperty DistinguishedName
#"Removing $user"
}
CN=svcFWSQLStg400Agent,OU=ServiceAccts,DC=cheri,DC=org
CN=svcFWSQLStg400DBEng,OU=ServiceAccts,DC=cheri,DC=org
CN=svcFWSQLStg400Int,OU=ServiceAccts,DC=cheri,DC=org
CN=svcFWSQLStg450Agent,OU=ServiceAccts,DC=cheri,DC=org
CN=svcFWSQLStg450DBENg,OU=ServiceAccts,DC=cheri,DC=org
CN=svcFWSQLStg450SSRS,OU=ServiceAccts,DC=cheri,DC=org
Get-Aduser : Cannot find an object with identity: 'svcFWSQLStg450SSRSAgent' under: 'DC=cheri,DC=org'.
At line:2 char:1
+ Get-Aduser -Identity $user -Properties DistinguishedName | Select-Obj ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (svcFWSQLStg450SSRSAgent:ADUser) [Get-ADUser], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADUser

Get-Aduser : Cannot find an object with identity: 'svcFWSQLStg450SSRSEng' under: 'DC=cheri,DC=org'.
At line:2 char:1
+ Get-Aduser -Identity $user -Properties DistinguishedName | Select-Obj ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (svcFWSQLStg450SSRSEng:ADUser) [Get-ADUser], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADUser

[1:03 PM]ndl@FWTS012:Powershell_Test $ Get-ADUser -Filter {Name -eq 'svcFWSQLStg450SSRSAgent' } -SearchBase "OU=ServiceAccts,DC=cheri,DC=org"

DistinguishedName : CN=svcFWSQLStg450SSRSAgent,OU=ServiceAccts,DC=cheri,DC=org
Enabled : True
GivenName :
Name : svcFWSQLStg450SSRSAgent
ObjectClass : user
ObjectGUID : b5013a82-daf5-4926-bd27-d5eba4d2a2b2
SamAccountName : svcFWSQLStg450SSRSAg
SID : S-1-5-21-2000478354-1229272821-682003330-40899
Surname :
UserPrincipalName : svcFWSQLStg450SSRSAgent@cheri.org

[1:06 PM]ndl@FWTS012:Powershell_Test $ Get-ADUser -Identity svcFWSQLStg450SSRSAgent
Get-ADUser : Cannot find an object with identity: 'svcFWSQLStg450SSRSAgent' under: 'DC=cheri,DC=org'.
At line:1 char:1
+ Get-ADUser -Identity svcFWSQLStg450SSRSAgent
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (svcFWSQLStg450SSRSAgent:ADUser) [Get-ADUser], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Mi

Thank you for your help!

Norm

March 20, 2018 at 8:18 pm

I'd manually look up that user and find out why. The -Identity parameter should run against:

A distinguished name
A GUID (objectGUID)
A security identifier (objectSid)
A SAM account name (sAMAccountName)

So check those properties of the user(s) not working. For example, I note that the samAccountName isn't what you listed; it's "svcFWSQLStg450SSRSAg". The Name property isn't in the list of things searched by -Identity. So the "account name" is "svcFWSQLStg450SSRSAg".

But, it looks like this:

foreach ($user in (get-content d:\powershell_temp\svcfwsqlstg_accounts_bad.out)) {
  Get-ADUser -Identity $user | Remove-ADUser -WhatIf
}

Should list the users it's willing to remove. Delete "-WhatIf" and it should remove them.
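The approach in this reply, and the original script at the top of the thread, can be combined into one script that resolves each list entry the way -Identity expects (DN, objectGUID, objectSid or sAMAccountName), falls back to the Name attribute scoped to the OU, reports entries whose Name and sAMAccountName differ, and previews the deletion with -WhatIf before anything is removed. This is an added example written for this page, not code posted by Don or Norm; the list file, the OU and the log path are the thread's own values and are assumptions to replace for another environment, and it assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example, not code from the thread. Resolves each listed account safely,
# flags ambiguities and Name/sAMAccountName mismatches, then previews removal.
Import-Module ActiveDirectory

# Paths and OU are the thread's own values (assumptions for any other environment).
$ListPath   = 'd:\powershell_temp\svcfwsqlstg_accounts_bad.out'
$SearchBase = 'OU=ServiceAccts,DC=cheri,DC=org'
$LogPath    = 'd:\powershell_temp\remove_invalid_sql_svc_accts.txt'
$Preview    = $true   # set to $false only once the -WhatIf output lists exactly the intended accounts

function Resolve-ListedUser {
    param([Parameter(Mandatory)][string]$Entry)

    $result = [pscustomobject]@{
        Entry = $Entry; MatchedBy = 'None'; SamAccountName = $null
        DistinguishedName = $null; Note = ''
    }

    # Entries come from a text file: allow only the characters an account name needs, so a
    # malformed line cannot change the meaning of the filter string built below.
    if ($Entry -notmatch '^[A-Za-z0-9._-]+$') {
        $result.Note = 'rejected: unexpected characters in list entry'
        return $result
    }

    # 1. -Identity accepts a DN, objectGUID, objectSid or sAMAccountName, not the Name attribute.
    try {
        $user = Get-ADUser -Identity $Entry -ErrorAction Stop
        $result.MatchedBy = 'Identity'
    } catch {
        # 2. Fall back to Name, scoped to the OU. A string filter with single quotes passes the
        #    variable reliably; "$var" inside a {scriptblock} filter is what tends to misbehave.
        $byName = @(Get-ADUser -Filter "Name -eq '$Entry'" -SearchBase $SearchBase)
        if ($byName.Count -eq 1) {
            $user = $byName[0]
            $result.MatchedBy = 'Name'
        } elseif ($byName.Count -gt 1) {
            $result.Note = "ambiguous: $($byName.Count) objects share this Name; skipped"
            return $result
        } else {
            $result.Note = 'not found by Identity or Name'
            return $result
        }
    }

    $result.SamAccountName    = $user.SamAccountName
    $result.DistinguishedName = $user.DistinguishedName
    if ($user.Name -ne $user.SamAccountName) {
        $result.Note = "Name and sAMAccountName differ; -Identity needs '$($user.SamAccountName)'"
    }
    return $result
}

$resolved = foreach ($line in Get-Content $ListPath) {
    if ($line.Trim()) { Resolve-ListedUser -Entry $line.Trim() }
}

# Review this table first: every row with a DN is something the script will delete.
$resolved | Format-Table Entry, MatchedBy, SamAccountName, DistinguishedName, Note -AutoSize

foreach ($r in $resolved | Where-Object { $_.DistinguishedName }) {
    # The DN is unambiguous, so remove by DN rather than re-resolving the list entry.
    Remove-ADUser -Identity $r.DistinguishedName -WhatIf:$Preview
    $action = if ($Preview) { 'WOULD REMOVE' } else { 'REMOVED' }
    "$(Get-Date -Format s) $action $($r.Entry) -> $($r.DistinguishedName)" |
        Out-File -FilePath $LogPath -Append
}
```

Run it once with $Preview left at $true and compare the table and the -WhatIf lines against the list; an entry that resolves only by Name, or whose Note reports a sAMAccountName mismatch, is exactly the case Norm hit. Remove-ADUser prompts for confirmation on each account by default, so leave that prompt in place for an interactive run and add -Confirm:$false only for a deliberately unattended one.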

March 20, 2018 at 9:24 pm

Hello Don;
Great catch!! Yes indeed, some of the failing AD entries' SamAccountName was different than the AD Name and DN. Since Get-ADUser -Identity goes after the SamAccountName and my input files contained the Name value, hence the problem. Modified my input files and all is well.

Thanks again!!

Norm