List disabled AD account outside certain OU only and Export to .CSV

  • #125730

    Participant
    Points: 65
    Rank: Member

    Hi All,

    I have created the below PowerShell script, but the result is not always correct or still not perfectly filtering the result:

    $filter = '(Enabled -eq $false)'
    $ResultDirectory = 'C:\Disabled-ADAccountOutsideOU.csv'
    $domainDN = (Get-ADDomain).DistinguishedName
    $excludeOUs = @(
    'OU=Site1,OU=Disabled Users'
    'OU=Site2,OU=Disabled Users'
    'OU=SiteX,OU=Disabled Users'
    ) | ForEach-Object { $_ + ',' + $domainDN }
    Get-ADUser -Filter $filter -Properties * |
    Where-Object { ($_.SamAccountName.Length -eq 7) -and ($excludeOUs -notcontains $_.ParentContainer) } |
    Select-Object -Property SamAccountName, Enabled, @{ n='ParentContainer'; e= { $_.DistinguishedName -replace '\A.*?,(?=(CN|OU|DC)=)' } }, CanonicalName, lastlogondate |
    Export-Csv -NoTypeInformation -Path $ResultDirectory

    Expected: Only export the Disabled AD account outside the Excluded OU lists to .CSV file.
    Result:
    Some OU like CN=Users, DC=Domain, DC=com which also have some Disabled AD accounts are skipped or not even checked?
    The exported .CSV also still contains the Disabled AD account from OU=SiteX, OU=Disabled Users and some other in the Excluded OU?

    Thank you in advance.

  • #125735

    Participant
    Points: 66
    Rank: Member

    Check out Search-ADAccount, there should be a disable parameter. I'll search disabled users, export that to a CSV, then just remove the filter OU out.

  • #125745

    Participant
    Points: 268
    Helping Hand
    Rank: Contributor

    Search-ADAccount has a -SearchBase parameter, just as most of the other AD cmdlets. So you can search for disabled accounts and specify the OU you're after.
    Edit: Ooops ... stupid me ... "Outside certain OU" ... ignore my post ... follow Jeffery's recommendation! 😉

  • #125786

    Participant
    Points: 333
    Helping Hand
    Rank: Contributor

    The biggest issue is that you are building 'ParentContainer' AFTER you are trying to filter on it. Maybe try segregating the code into a more modular approach so that you can step through it easier.

    $ResultDirectory = 'C:\Disabled-ADAccountOutsideOU.csv'
    
    
    #Create your filter
    $domainDN = (Get-ADDomain).DistinguishedName
    $excludeOUs = @(
        'OU=Site1,OU=Disabled Users'
        'OU=Site2,OU=Disabled Users'
        'OU=SiteX,OU=Disabled Users'
    ) | ForEach-Object { $_ + ',' + $domainDN }
    
    
    #Get all disabled users
    $disabledUsers = Get-ADUser -Filter {Enabled -eq $false} -Properties SamAccountName, Enabled, DistinguishedName, CanonicalName, LastLogonDate |
                     Select-Object -Property SamAccountName, Enabled, @{ n='ParentContainer'; e= { $_.DistinguishedName -replace '\A.*?,(?=(CN|OU|DC)=)' } }, CanonicalName, LastLogonDate
    
    #Attempt to filter users
    $filteredUsers = $disabledUsers | Where-Object { ($_.SamAccountName.Length -eq 7) -and ($excludeOUs -notcontains $_.ParentContainer) }
    
    #Now before you create a CSV, I would do some basic analysis.
    $disabledUsers.Count
    $filteredUsers.Count
    $filteredUsers | Group-Object -Property ParentContainer -NoElement
    
    #Once I know I have what I want, then I would send it to a CSV
    $filteredUsers | Export-Csv -Path $ResultDirectory -NoTypeInformation
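
The ordering fix from the answer above, as an added example (not code from the thread) that runs on constructed sample objects instead of Get-ADUser output. It goes one step beyond the thread's `-notcontains` check, which only matches the immediate parent, by also excluding accounts in sub-OUs below an excluded OU; the `example.com` domain, the sample accounts and the two helper function names are assumptions, and the seven-character SamAccountName condition is left out.

```powershell
# Added example: constructed sample data, so no ActiveDirectory module is needed.
$domainDN   = 'DC=example,DC=com'   # placeholder domain (assumption)
$excludeOUs = @(
    'OU=Site1,OU=Disabled Users'
    'OU=SiteX,OU=Disabled Users'
) | ForEach-Object { "$_,$domainDN" }

# Hypothetical helper: strip the leading RDN to get the parent container.
# Only a comma followed by CN=, OU= or DC= ends the RDN, so "CN=Doe\, Jane" stays whole.
function Get-ParentContainer {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $DistinguishedName -replace '\A.*?,(?=(CN|OU|DC)=)'
}

# Hypothetical helper: true when the container is an excluded OU or sits below one.
function Test-InExcludedOU {
    param([string]$ParentContainer, [string[]]$ExcludedOU)
    foreach ($ou in $ExcludedOU) {
        $below = $ParentContainer.EndsWith(",$ou", [StringComparison]::OrdinalIgnoreCase)
        if ($ParentContainer -eq $ou -or $below) { return $true }
    }
    return $false
}

# Constructed stand-ins for the objects Get-ADUser -Filter 'Enabled -eq $false' returns.
$disabledUsers = @(
    # directly in an excluded OU
    [pscustomobject]@{ SamAccountName = 'user001'; DistinguishedName = "CN=User 001,OU=Site1,OU=Disabled Users,$domainDN" }
    # in a sub-OU of an excluded OU: an exact -notcontains match would let this through
    [pscustomobject]@{ SamAccountName = 'user002'; DistinguishedName = "CN=User 002,OU=Archive,OU=SiteX,OU=Disabled Users,$domainDN" }
    # in the default Users container
    [pscustomobject]@{ SamAccountName = 'user003'; DistinguishedName = "CN=User 003,CN=Users,$domainDN" }
    # escaped comma inside the CN
    [pscustomobject]@{ SamAccountName = 'user004'; DistinguishedName = "CN=Doe\, Jane,OU=Staff,$domainDN" }
)

# Build ParentContainer first, then filter on it (the ordering fix from the answer).
$report = $disabledUsers |
    Select-Object SamAccountName, @{ n = 'ParentContainer'; e = { Get-ParentContainer $_.DistinguishedName } } |
    Where-Object { -not (Test-InExcludedOU $_.ParentContainer $excludeOUs) }

$report | Format-Table -AutoSize
```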
    
    • #125897

      Participant
      Points: 65
      Rank: Member

      Yes, @Rob code does the trick. 🙂

      @Olaf, yes that's right.

      @jeff, That's cool, I will learn about that cmdlet.

       

      Thanks all for participating.

  • #125801

    Participant
    Points: 268
    Helping Hand
    Rank: Contributor
