Miguel

Reputation: 91

If Get-ADGroupMember does not find disabled users .. say

Sorry for this dumb question, it is late at night and my brain does not work. The following script finds the disabled users from a specific account, and puts them in an HTML page table (Name and SamAccountName). I just want to say, if the group does not have a disabled account, say.... "No disabled accounts in this group" instead of showing an empty area.

$NuixAdmins = Get-ADGroupMember "NUIX-ADMIN" |
    Where { -not ((Get-ADUser $_.samAccountName).Enabled) } | 
    ConvertTo-Html -Property SamAccountName, Name -Fragment -PreContent "<h2>Nuix Admins</h2>"

I was thinking a....

If ($NuixAdmins.Count -eq 0) {Write-Host 'No Disable Users'}

I don't think this works because when I say $NuixAdmin.Count, it shows 3, but all of those users are ENABLED.

Upvotes: 0

Views: 594

Answers (1)

Santiago Squarzon

Reputation: 60315

I would advise you against Get-ADGroupMember, it's slow and sometimes prone to errors.

Note, I'm assuming you want to find only those members that are user objects, hence Get-ADUser -LDAPFilter. If you want to find all object classes, use Get-ADObject.

Try with this:

$groupDN = (Get-ADGroup "NUIX-ADMIN").distinguishedName
$members = Get-ADUser -LDAPFilter "(&(memberof=$groupDN)(userAccountControl:1.2.840.113556.1.4.803:=2))"

if(-not $members)
{
    Write-Host 'No Disabled Users'
}
else
{
    $members | ConvertTo-Html -Property SamAccountName, Name -Fragment -PreContent "<h2>Nuix Admins</h2>"
}

Edit

To explain the LDAPFilter:

  • (userAccountControl:1.2.840.113556.1.4.803:=2): Refers to Disabled objects.
  • (memberOf=cn=Test,ou=East,dc=Domain,dc=com): All direct members of specified group.
  • &: AND, all conditions must be met.

To know more about this please read: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx


This is what I would personally do using Get-ADGroupMember:

$members = Get-ADGroupMember "NUIX-ADMIN" | Where-Object { $_.ObjectClass -eq 'User' }
$result = foreach($member in $members)
{
    $user = Get-ADUser $member

    if(-not $user.Enabled)
    {
        $user
    }
}

if($result)
{
    $result | ConvertTo-Html -Property SamAccountName, Name -Fragment -PreContent "<h2>Nuix Admins</h2>"
}
else
{
    Write-Host 'No Disabled Users'
}

Upvotes: 1
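
An added example, not part of the question or the answer above: in the question's script `$NuixAdmins` holds the lines of HTML that `ConvertTo-Html` emitted, not user objects, so its `.Count` says nothing about how many accounts are disabled. The sketch below tests the objects first and puts the fallback message into the HTML fragment itself. The function name `ConvertTo-DisabledMemberFragment`, its parameters and the sample accounts are constructed for illustration; it runs without a domain.

```powershell
# Added example: names and sample data are constructed, no Active Directory is queried.
function ConvertTo-DisabledMemberFragment {
    param(
        [object[]]$Member = @(),      # objects with SamAccountName, Name, userAccountControl
        [string]$Title = 'Nuix Admins'
    )
    $ACCOUNTDISABLE = 0x2             # the bit the LDAP filter tests with ...4.803:=2
    $heading = '<h2>{0}</h2>' -f [System.Net.WebUtility]::HtmlEncode($Title)

    # Client-side equivalent of (userAccountControl:1.2.840.113556.1.4.803:=2):
    # the matching rule is a bitwise AND, so test the flag with -band.
    $disabled = @($Member | Where-Object { $_.userAccountControl -band $ACCOUNTDISABLE })

    if ($disabled.Count -eq 0) {
        # Decide on the objects, not on the generated HTML, and emit a
        # message in place of an empty table.
        return $heading, '<p>No disabled accounts in this group</p>'
    }
    $disabled | ConvertTo-Html -Property SamAccountName, Name -Fragment -PreContent $heading
}

# Constructed sample members: 512 = normal account, 514 = 512 + ACCOUNTDISABLE
$allEnabled = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   Name = 'Jane Doe';  userAccountControl = 512 }
    [pscustomobject]@{ SamAccountName = 'rsmith'; Name = 'Rob Smith'; userAccountControl = 512 }
)
$oneDisabled = $allEnabled + [pscustomobject]@{
    SamAccountName = 'old.admin'; Name = 'Old Admin'; userAccountControl = 514
}

# The question's pattern: the result is an array of HTML strings.
$html = $allEnabled |
    Where-Object { $_.userAccountControl -band 2 } |
    ConvertTo-Html -Property SamAccountName, Name -Fragment -PreContent '<h2>Nuix Admins</h2>'
'Type of first element: {0}' -f @($html)[0].GetType().Name
'Lines of HTML emitted: {0}' -f @($html).Count

'--- group with no disabled members ---'
ConvertTo-DisabledMemberFragment -Member $allEnabled

'--- group with one disabled member ---'
ConvertTo-DisabledMemberFragment -Member $oneDisabled
```

Against a real domain, the `-Member` input would be the output of `Get-ADUser -LDAPFilter "(memberof=$groupDN)" -Properties userAccountControl`, which returns the attribute the function inspects.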
