Shade13Lord

Reputation: 3

How to filter out which users are allowed to log in to a computer?

I am needing to parse through user information to find which computers a specific user has access to, and then filter that out to generate txt docs for each computer listing the allowed users for that machine. However, my script isn't returning expected results and is creating incomplete lists.

Get-Content c:\temp\computers.txt | ForEach-Object {
    $computername = $_
    Get-ADUser -Filter "LogonWorkstations -like '*$computername'" -Properties LogonWorkstations |
        Format-Table SamAccountName, Enabled |
        Out-File -FilePath c:\temp\Accounts\"$computername-$fileDate".txt
}

I am fairly certain the issue lies in my filtering, because some of the files are returning info, but only ones where the username matches the computer name in some regard, rather than listing users whose "LogonWorkstation" includes said computer, which is what I am looking to do. (If I pull a user's "LogonWorkstation" separately, that information is correct.)

Upvotes: 0

Views: 354

Answers (1)

AdminOfThings

Reputation: 25031

I believe the issue is that the logonworkstations property stores the list of computers as a string rather than a collection. Since the -Filter parameter has limited operators, you will need to use -like in order to introduce wildcards. Then you can use whatever method to build your computer name string to include surrounding asterisks.

Get-Content c:\temp\computers.txt |
ForEach-Object {
    Get-ADUser -Filter "LogonWorkstations -like '*$_*'" -Properties LogonWorkstations |
        Format-Table SamAccountName, Enabled |
        Out-File -FilePath c:\temp\Accounts\"$_-$fileDate".txt
}

Upvotes: 1
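
An added example (not part of the answer above or the asker's script): because LogonWorkstations is a single comma-separated string, a `*PC1*` wildcard also matches `PC10` or `OLDPC1`, so this version splits the string and compares whole computer names. The function name `Get-AllowedUsersByComputer` and the sample accounts are constructed for illustration.

```powershell
# Added example: exact-name matching against the comma-separated LogonWorkstations string.
function Get-AllowedUsersByComputer {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [object[]] $User   # objects with SamAccountName, Enabled, LogonWorkstations
    )
    # One bucket per requested computer; hashtable keys compare case-insensitively by default.
    $map = @{}
    foreach ($c in $ComputerName) {
        $map[$c.Trim()] = [System.Collections.Generic.List[object]]::new()
    }

    foreach ($u in $User) {
        # Attribute not set: the account is not restricted to specific workstations,
        # so it is not attributed to any one computer here.
        if ([string]::IsNullOrWhiteSpace($u.LogonWorkstations)) { continue }

        # Split into individual names so PC1 does not also match PC10 or OLDPC1.
        $names = $u.LogonWorkstations -split ',' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ } |
            Select-Object -Unique
        foreach ($n in $names) {
            if ($map.ContainsKey($n)) { $map[$n].Add($u) }
        }
    }
    $map
}

# Constructed sample data standing in for the output of:
#   Get-ADUser -Filter "LogonWorkstations -like '*'" -Properties LogonWorkstations
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice'; Enabled = $true;  LogonWorkstations = 'PC1,PC10' }
    [pscustomobject]@{ SamAccountName = 'bob';   Enabled = $true;  LogonWorkstations = 'PC10' }
    [pscustomobject]@{ SamAccountName = 'carol'; Enabled = $false; LogonWorkstations = 'OLDPC1, PC2' }
    [pscustomobject]@{ SamAccountName = 'dave';  Enabled = $true;  LogonWorkstations = $null }
)
$computers = 'PC1', 'PC2', 'PC10'   # stands in for Get-Content c:\temp\computers.txt

$result = Get-AllowedUsersByComputer -ComputerName $computers -User $sampleUsers
foreach ($c in $computers) {
    '{0}: {1}' -f $c, (($result[$c] | ForEach-Object SamAccountName) -join ', ')
}
```

Querying all restricted accounts once and grouping them locally also avoids one directory query per computer; accounts with no LogonWorkstations value need to be reported separately, since they are not limited to any listed machine.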
