Nested Groups - User Properties

This topic contains 3 replies, has 2 voices, and was last updated by  Mike Kirkpatrick 3 years ago.

  • #22750

    Mike Kirkpatrick

    Hello and thank you for your anticipated help with this.

    Pretty new at PowerShell because I was good at the old ways.
    Doing my best to stop going back to the old, familiar out of date ways so here goes.

    Below is a script that I've put together from things found on the interwebs.
    It walks through a group and subgroups for members and displays as required.

    It's working as designed but new requirements from the client have come forth.

    req 1: don't show disabled users
    req 2: don't show accounts with no defined expiration date

    When I attempt to have it skip disabled users with (below) I get an error.

    Get-ADUser -filter {enabled -eq $true} -Prop Description.......

    Any help with this as well as not displaying the hundreds of users accounts that don't have the account expiry set would be greatly appreciated.

    function Get-ADNestedGroupMembers {
        param (
            [String] $GroupName
        )

        Import-Module ActiveDirectory
        # Direct members of this group (users, computers and nested groups)
        $Members = Get-ADGroupMember -Identity $GroupName
        $Members | % {
            if ($_.ObjectClass -eq "group") {
                # Recurse into the nested group
                Get-ADNestedGroupMembers -GroupName $_.distinguishedName
            } else {
                # Emit the member's distinguished name
                return $_.distinguishedname
            }
        }
    }

    Import-Module ActiveDirectory
    # Resolve each member DN to a user object and write the HTML report
    Get-ADNestedGroupMembers -GroupName "group name here" |
        Get-ADUser -Prop Description,samAccountName,AccountExpirationDate, mail, LastLogoff, lastLogonTimestamp, company |
        Select-Object Name,samAccountName,AccountExpirationDate, mail, LastLogoff, @{N='LastLogonTimestamp'; E={[DateTime]::FromFileTime($_.LastLogonTimestamp)}}, company |
        Sort-Object AccountExpirationDate -descending |
        #Format-Table -property * -AutoSize |
        ConvertTo-HTML | Out-File C:\Temp\working\AccountExpiry.htm

  • #22766

    Tim Pringle

    Hey Mike,

    What's the error you are getting? I ran the command on my DC a couple of seconds ago, and it worked okay.

  • #22790

    Mike Kirkpatrick

    Hi Tim,

    The code above is working well.
    My poorly requested assistance meant to ask for help filtering out the resultant data set.

    I don't want to see users that are disabled nor do I want to see users that don't have the account expiry not set.

    I'm trying to use something like Get-ADUser -filter {enabled -eq $true} -Prop Description……. with no luck.

    I'm thinking it's an issue with what is returned from the function (ADNestedGroupMembers)

    Thank you for your time!


  • #22791

    Mike Kirkpatrick

    And while we (ok you) are at it, I'd like to know what the path to their user object is (like when you view advanced features in AD and select the user\computer 'OBJECT' tab).
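
One way to meet both requirements, as an added example that is not part of the thread: Get-ADUser binds piped distinguished names to -Identity, which is a different parameter set from -Filter, so the filtering happens after the lookup on the Enabled and AccountExpirationDate properties. CanonicalName is the object path shown on the Object tab. The helper name Select-EnabledExpiringUser and the sample objects are constructed for illustration.

```powershell
# Added example (not from the thread). Select-EnabledExpiringUser is a
# hypothetical helper name; it expects objects shaped like Get-ADUser output.
filter Select-EnabledExpiringUser {
    if (-not $_.Enabled) { return }                     # req 1: skip disabled users
    if ($null -eq $_.AccountExpirationDate) { return }  # req 2: skip accounts with no expiry
    $_
}

# Constructed sample objects, so the filter can be checked without a domain.
$sample = @(
    [pscustomobject]@{ Name = 'Enabled, expires';   Enabled = $true;  AccountExpirationDate = [datetime]'2030-01-31' }
    [pscustomobject]@{ Name = 'Enabled, no expiry'; Enabled = $true;  AccountExpirationDate = $null }
    [pscustomobject]@{ Name = 'Disabled, expires';  Enabled = $false; AccountExpirationDate = [datetime]'2030-01-31' }
)
$kept = @($sample | Select-EnabledExpiringUser)
if ($kept.Count -ne 1 -or $kept[0].Name -ne 'Enabled, expires') { throw 'filter check failed' }

# Against the directory: needs the ActiveDirectory module and the thread's
# Get-ADNestedGroupMembers function already loaded in the session.
if (Get-Command Get-ADNestedGroupMembers -ErrorAction SilentlyContinue) {
    Get-ADNestedGroupMembers -GroupName 'group name here' |
        Sort-Object -Unique |   # a user reachable through two groups is listed once
        Get-ADUser -Properties AccountExpirationDate, CanonicalName, mail, company |
        Select-EnabledExpiringUser |
        Select-Object Name, SamAccountName, AccountExpirationDate, CanonicalName, mail, company |
        Sort-Object AccountExpirationDate -Descending
}
```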
