Nested Groups - User Properties

This topic contains 3 replies, has 2 voices, and was last updated by Profile photo of Mike Kirkpatrick Mike Kirkpatrick 1 year, 9 months ago.

  • Author
    Posts
  • #22750
    Profile photo of Mike Kirkpatrick
    Mike Kirkpatrick
    Participant

    Hello and thank you for your anticipated help with this.

    Pretty new at Powershell because I was good at the old ways.
    Doing my best to stop going back to the old, familiar out of date ways so here goes.

    Below is a script that I've put together from things found on the interwebs.
    It walks through a group and subgroups for members and displays as required.

    It's working as designed but new requirements from the client have come forth

    req 1: don't show disabled users
    req 2: don't show accounts with no defined expiration date

    When I attempt to have it skip disabled users with (below) I get an error.

    [i]`Get-ADUser -filter {enabled -eq $true} -Prop Description.......
    [/i]

    Any help with this as well as not displaying the hundreds of users accounts that don't have the account expiry set would be greatly appreciated.

    function Get-ADNestedGroupMembers {
    [cmdletbinding()]
    param (
    [String] $GroupName
    )

    import-module activedirectory
    $Members = Get-ADGroupMember -Identity $GroupName
    $members | % {
    if($_.ObjectClass -eq "group") {
    Get-ADNestedGroupMembers -GroupName $_.distinguishedName
    } else {
    return $_.distinguishedname
    }
    }

    }
    import-module activedirectory
    Get-ADNestedGroupMembers -groupname "group name here" |
    `Get-ADUser -Prop Description,samAccountName,AccountExpirationDate, mail, LastLogoff, lastLogonTimestamp, company |
    `Select-Object Name,samAccountName,AccountExpirationDate, mail, LastLogoff, @{N='LastLogonTimestamp'; E={[DateTime]::FromFileTime($_.LastLogonTimestamp)}}, company |
    `Sort-Object AccountExpirationDate -descending |
    #`Format-Table -property * -AutoSize |
    `ConvertTo-HTML | Out-File C:\Temp\working\AccountExpiry.htm

  • #22766
    Profile photo of Tim Pringle
    Tim Pringle
    Participant

    Hey Mike,

    What's the error you are getting? I ran the command on my DC a couple of seconds ago, and it worked okay.

  • #22790
    Profile photo of Mike Kirkpatrick
    Mike Kirkpatrick
    Participant

    Hi Tim,

    The code above is working well.
    My poorly requested assistance meant to ask for help filtering out the resultant data set

    I don't want to see users that are disabled nor do I want to see users that don't have the account expiry not set.

    I'm trying to use something like [i]Get-ADUser -filter {enabled -eq $true} -Prop Description…….[/i] with no luck.

    I'm thinking it's an issue with what is returned from the function (ADNestedGroupMembers)

    Thank you for your time!

    Mike

  • #22791
    Profile photo of Mike Kirkpatrick
    Mike Kirkpatrick
    Participant

    And while we (ok you) are at it, I'd like to know what the path to their user object is (like when you view advanced features in AD and select the user\computer 'OBJECT' tab.

You must be logged in to reply to this topic.