NuwlyITed

Reputation: 21

How to check if disabled SamAccountNames are contained in/part of an enabled SamAccountName in AD (e.g. the disabled user has a -adm or -tst account)?

I am able to export the disabled users, but then from that .csv I want to check if they have active accounts in AD containing their SamAccountName + -adm or -tst. The script runs but the second export is blank.

$users = import-csv C:\Users\....csv
$OU = 'OU=Disabled users ...'

Get-ADUser -Property Enabled -filter * -SearchBase $OU | Where {$_.Enabled -like "False"} | Select @{Name="samaccountname";Expression={$_.SamAccountName}} | Export-Csv C:\Users\... -notypeinformation -encoding UTF8

$data = foreach($line in $users){
    $user = $line.samaccountname
    Get-ADUser -Filter {(samaccountname -like $user) -and (samaccountname -like "*-adm") -and (samaccountname -like "*-tst")} -Properties Enabled | Where {$_.Enabled -like "True"} | select @{Name="SAPID";Expression={$_.samaccountname}}
}
$data | export-csv C:\Users\... -notypeinformation -encoding UTF8

Upvotes: 1

Views: 309

Answers (1)

Santiago Squarzon

Reputation: 59782

If I understand correctly, you're looking to find all those Enabled Accounts ending in -adm OR -tst AND containing the SamAccountName of ANY disabled user found in $OU.

If my assumption is correct, one way to approach the problem is to first query all the Disabled users in $OU and have them in memory (Note that there is no need to export them to CSV and then import them back again - see inline comments).

Once we have the list of Disabled users, we can loop over them to construct an LDAP Filter which will be used to query all users at once, and lastly export to CSV if any user was found.

$OU = 'OU=Disabled users ...'

# Hold disabled Users under `$OU` in memory, no reason to import the data from CSV
$disabledUsers = Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)" -SearchBase $OU |
    Select-Object SamAccountName
# Export Disabled Users
$disabledUsers | Export-Csv C:\Users\... -NoTypeInformation -Encoding utf8

# Construct an LDAP Filter to query all users at once
$filters = foreach($user in $disabledUsers) {
    '(samAccountName=*{0}*-adm)(samAccountName=*{0}*-tst)' -f $user.SamAccountName
}
$ldapFilter = "(&(!userAccountControl:1.2.840.113556.1.4.803:=2)(|$(-join $filters)))"

# Query the users
$enabledUsers = Get-ADUser -LDAPFilter $ldapFilter

# Check if any user could be found
if(-not $enabledUsers) {
    'No Enabled -adm or -tst Account Could be found...'
}
else {
    $enabledUsers | Select-Object @{ N = "SAPID"; E = { $_.SamAccountName} } | 
        Export-Csv C:\Users\... -NoTypeInformation -Encoding utf8
}

This is an example of how the filter would look, having user0 and user1 as example SamAccountName:

(&
    (!userAccountControl:1.2.840.113556.1.4.803:=2)
    (|
        (samAccountName=*user0*-adm)
        (samAccountName=*user0*-tst)
        (samAccountName=*user1*-adm)
        (samAccountName=*user1*-tst)
    )
)

Upvotes: 2
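The same single-query approach, as an added example that is not part of the question or the answer above: it hex-escapes each SamAccountName per RFC 4515 before interpolating it into the filter (a name containing `(`, `)`, `*` or `\` would otherwise break the filter or widen the match), sends the OR-list in batches so a large disabled OU does not produce an oversized filter, and reports which disabled primary account each enabled secondary account was derived from. It matches `<name>-adm` / `<name>-tst` exactly rather than the `*<name>*` wildcard used in the answer, so `user1` cannot pick up `user10-adm`. It assumes the ActiveDirectory module is loaded; the OU, the output path and the function names `ConvertTo-LdapEscaped` and `Find-OrphanedSecondaryAccount` are placeholders chosen here.

```powershell
# Added example, not the code from the question or the answer.
# Assumptions: ActiveDirectory module loaded; OU, output path and function names are placeholders.

function ConvertTo-LdapEscaped {
    # Hex-escape the characters RFC 4515 reserves inside a filter value.
    # Backslash is replaced first so the escapes inserted afterwards are not re-escaped.
    param([Parameter(Mandatory)][string] $Value)
    $escaped = $Value
    foreach ($pair in @(@('\', '\5c'), @('*', '\2a'), @('(', '\28'), @(')', '\29'))) {
        $escaped = $escaped.Replace($pair[0], $pair[1])   # literal, non-regex replace
    }
    $escaped
}

function Find-OrphanedSecondaryAccount {
    param(
        [Parameter(Mandatory)][string] $DisabledOU,              # placeholder OU, supplied by the caller
        [string[]] $Suffixes  = @('-adm', '-tst'),                # secondary-account naming suffixes
        [int]      $BatchSize = 200                               # names per LDAP query
    )

    # Disabled users under $DisabledOU (userAccountControl bit 2 set); @() keeps a single result an array.
    $disabled = @(Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)' -SearchBase $DisabledOU |
        Select-Object -ExpandProperty SamAccountName)

    for ($i = 0; $i -lt $disabled.Count; $i += $BatchSize) {
        $end   = [Math]::Min($i + $BatchSize, $disabled.Count)
        $batch = $disabled[$i..($end - 1)]

        # One (samAccountName=<escaped name><suffix>) clause per name and suffix.
        $clauses = foreach ($name in $batch) {
            $escapedName = ConvertTo-LdapEscaped -Value $name
            foreach ($suffix in $Suffixes) { "(samAccountName=${escapedName}${suffix})" }
        }

        # Enabled accounts only: NOT(disabled bit set) AND any of the clauses.
        $ldapFilter = "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|$(-join $clauses)))"

        Get-ADUser -LDAPFilter $ldapFilter | ForEach-Object {
            $sam = $_.SamAccountName
            # Recover the primary account name by stripping whichever suffix matched.
            $matched = $Suffixes |
                Where-Object { $sam.EndsWith($_, [StringComparison]::OrdinalIgnoreCase) } |
                Select-Object -First 1
            if ($matched) {
                [pscustomobject]@{
                    DisabledPrimary   = $sam.Substring(0, $sam.Length - $matched.Length)
                    EnabledSecondary  = $sam
                    DistinguishedName = $_.DistinguishedName
                }
            }
        }
    }
}

# Usage (placeholder OU and path):
Find-OrphanedSecondaryAccount -DisabledOU 'OU=Disabled users,DC=example,DC=com' |
    Export-Csv 'C:\Reports\enabled-secondary-accounts.csv' -NoTypeInformation -Encoding utf8
```

The result lists every enabled `-adm` / `-tst` account whose owning primary account is disabled, together with the primary it belongs to, which is what an offboarding review needs to act on. If the wildcard semantics of the answer are wanted, change the clause to `(samAccountName=*${escapedName}*${suffix})`; the escaping still applies, because a `*` inside a user's own name must not become a wildcard.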
