I loop through AD users and delete the ones that are more than 90 days old. I want to pull a report of all the deleted users into a CSV. In several fields of the CSV I get Microsoft.ActiveDirectory.Management.ADPropertyValueCollection
The code is this:
# Get all users that have not logged on within
# 60 days in "Active Directory" and Disable them
#
# LogInfo is the poster's own logging helper, defined elsewhere in the script
# Get the Current Date
LogInfo("START OF LOG FILE")
LogInfo("Compare Date : Getting date")
$COMPAREDATE=Get-Date
# Number of Days to check back.
LogInfo("Set Disable Time : Setting Number of days to Disable to 60")
$NumberDays=(Get-Date).AddDays(-60)
#$then = (Get-Date).AddDays(-60)
# Number of Days to check for REALLY Stale accounts
# Our sample here is taking "OldAccounts" and pushing back
# 30 more days.
# Therefore 90 days old accounts that haven't logged in should be purged
#
LogInfo("Set Delete Time : Setting number of days to Delete to 90")
# Adding an integer to a DateTime adds ticks, not days, so go back 30 days with AddDays
$DeleteDate=$NumberDays.AddDays(-30)
# We have certain "Override fields" that bypass a delete
# happening. If the "Notes" field in A/D (stored in the 'info' attribute) contains the
# EXACT Override phrase ANYWHERE (in this case it is the
# word ***OVERRIDE*** and it IS case sensitive)
# The account will NEVER be deleted (unless of course you remove the
# word from the Notes field)
#
LogInfo("Set Override key word")
$OverRide='***OVERRIDE***'
# The other override field is if
# the OnLeave details are in the Description
# Field in A/D. This allows for a User who is
# Not gone (IE: Contractor / Student) but may
# Return to have the account disabled and
# Left alone until they return. The words here are
# simply On Leave Until and can be ANYWHERE in the
# Description Field in A/D
#
LogInfo("Set On Leave override key word")
$OnLeave='On Leave Until'
# Organizational Unit to search - This is in the fictional domain of
# 'Contoso.local' in the OU of Users under the Business OU on the Root
# of the Contoso A/D
#
LogInfo("Set OU Path : Setting OU path to Test OU")
$OU='OU=Users,OU=Test,DC=corporate,DC=nzpost,DC=co,DC=nz'
# Get all users not active within the specified range and disable the accounts in Active Directory
#
# We store them away as a variable since we're going to examine the list a few times.
LogInfo("Listing User accounts that are 60 days old")
$LISTOFACCOUNTS=Get-ADUser -Properties lastLogonDate -SearchBase $OU -Filter {lastLogonDate -lt $NumberDays}
#
# Any account not logged in within the short range gets Disabled in AD
#
LogInfo("Disabling user accounts 60 days old")
$LISTOFACCOUNTS | Disable-ADAccount -WhatIf
# Pull up a new list. Really old accounts
# (info and description are requested here because the override checks below read them)
#
#$LISTOFPOTENTIALDELETES=$LISTOFACCOUNTS | where { $_.LastLogon.AddDays($DeleteDate) -gt $CURRENTDATE }
$LISTOFPOTENTIALDELETES=Get-ADUser -SearchBase $OU -Properties lastLogonDate,info,description -Filter {lastLogonDate -lt $DeleteDate}
# Secondary compare is more interesting. If the accounts are VERY stale, they get deleted UNLESS special keywords
# are in place
#
FOREACH ($USER in $LISTOFPOTENTIALDELETES) {
    Get-ADUser -Identity $USER -Properties * | Select-Object @{ Name = 'ADsPath'; Expression = { $_.ADsPath -join ';' } },cn,givenName,lastLogonDate,description,profilePath,homeDirectory, `
        @{ Name = 'mail'; Expression = { $_.mail -join ';' } }, @{ Name = 'publicDelegates'; Expression = { $_.publicDelegates -join ';' } }, whenCreated, company, manager, employeeID, `
        @{ Name = 'memberof'; Expression = { $_.memberof -join ';' } } | Export-Csv "E:\Damo\_UserList.csv" -Append
    # The Notes box in AD Users and Computers is the 'info' attribute
    IF (($USER.info -notlike '*'+$OverRide+'*') -and ($USER.Description -notlike '*'+$OnLeave+'*'))
    {
        LogInfo("$($USER.SamAccountName) Deleted")
        Write-Host $USER.SamAccountName 'Deleted'
        # Remove-ADObject wants a DN or GUID; the ADUser object itself resolves to its DN
        Remove-ADObject -Identity $USER -WhatIf
    }
    ELSEIF ($USER.info -like '*'+$OverRide+'*')
    {
        LogInfo("$($USER.SamAccountName) Not removed due to Administrative Override")
        Write-Host $USER.SamAccountName 'Not removed due to Administrative Override'
    }
    ELSE
    {
        LogInfo("$($USER.SamAccountName) Not removed - Presently on Leave")
        Write-Host $USER.SamAccountName 'Not removed - Presently on Leave'
    }
    #Get-ADUser -Identity $USER -Properties * | Select ADsPath,cn,givenName,lastLogonDate,description, profilePath, homeDirectory, @{ Name = 'mail'; Expression = { $_.mail -join ';'; }; },
    #publicDelegates, whenCreated, company, manager, employeeID, memberof | Export-CSV "E:\Folder\_UserList.csv" -Append
}
$users = Get-ADUser -SearchBase $OU -Properties userPrincipalName,lastLogonDate,description,mail,profilePath,homeDirectory -Filter {userPrincipalName -like "*"}
$csv = foreach ($user in $users) {
    $grp = Get-ADPrincipalGroupMembership $user
    # One output row per group, so a user in N groups becomes N rows
    foreach ($group in $grp) {
        New-Object -TypeName PSObject -Property @{
            #MemberOf = $user.memberof[0]
            Group = $group.Name
            User = $user.SamAccountName
            GivenName = $user.GivenName
            Surname = $user.Surname
            LastLogon = $user.lastLogonDate
            Description = $user.Description
            Mail = $user.Mail
            ProfilePath = $user.profilePath
            HomeDir = $user.homeDirectory
        }
    }
}
$csv | Export-Csv E:\Folder\DeletedUsersInfo.csv
How do I populate MemberOf in the CSV so that it shows all of that user's groups?
I have two loops because I was trying to get one loop working, and it only shows the group membership without the full OU path.
Any help would be great.
Cheers in advance
Answer 0 (score: 1)
The problem is that some Active Directory properties are collections/arrays. For example, a user can have multiple e-mail aliases in the mail
property. To show this information in a CSV file you have to pre-process it so that it can be represented as a single string.
To demonstrate the "problem" with a simple example, consider the following:
$arr = @(1,2,3);
$arr.ToString();
The result is:
System.Object[]
To solve this, you need to massage the object before passing it to the Export-Csv
cmdlet. Fortunately, you can do that easily with Select-Object!
Consider this simple example, which builds on the previous one by joining the array on a single character:
$arr = @(1,2,3);
$arr -join ';'
The result is:
1;2;3
Now, applying this to your example, we join the array of items on a character (for example, a semicolon). Here is what that looks like:
Get-ADUser -Identity $USER -Properties * |
    Select-Object ADsPath, cn, givenName, lastLogonDate, description, profilePath, homeDirectory,
        @{ Name = 'mail'; Expression = { $_.mail -join ';' } },
        # publicDelegates and memberof are collections too, so join them the same way
        @{ Name = 'publicDelegates'; Expression = { $_.publicDelegates -join ';' } },
        whenCreated, company, manager, employeeID,
        @{ Name = 'memberof'; Expression = { $_.memberof -join ';' } } |
    Export-Csv "E:\Damo\_UserList.csv" -Append
In the code above, the resulting mail
property looks like this:
email1@domain.com;email2@domain.com;email3@domain.com
Since the array data is now represented as a single string, it exports to the spreadsheet (CSV file) normally.
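As an added example (not code from the question or the answer), here is a generic flattener that goes one step beyond the per-property calculated fields above: it joins every multi-valued property of whatever object is piped in, and reduces memberOf DNs to bare group names so a stale-account review can see at a glance which privileged groups a dormant account still holds. The function name ConvertTo-CsvRow, the constructed sample user, and the output file name are my own; the commented tail assumes the ActiveDirectory module and the $OU / $DeleteDate variables from the question.

```powershell
function ConvertTo-CsvRow {
    # Turn any object into a flat record: scalars pass through, collections
    # become one delimited string, so Export-Csv never writes a type name.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $InputObject,
        [string] $Delimiter = ';'
    )
    process {
        $row = [ordered]@{}
        foreach ($p in $InputObject.PSObject.Properties) {
            $v = $p.Value
            # strings are IEnumerable too, so test for them first
            if ($v -is [string] -or $v -isnot [System.Collections.IEnumerable]) {
                $row[$p.Name] = $v
            } elseif ($p.Name -eq 'memberOf') {
                # keep only the CN of each group DN: 'CN=Domain Admins,CN=Users,DC=...' -> 'Domain Admins'
                $row[$p.Name] = @($v | ForEach-Object { $_ -replace '^CN=|,.*$' }) -join $Delimiter
            } else {
                $row[$p.Name] = @($v) -join $Delimiter
            }
        }
        [PSCustomObject]$row
    }
}

# Constructed sample standing in for one Get-ADUser result, so this runs without a domain.
# A dormant account that is still in Domain Admins is exactly what the report should surface.
$sampleUser = [PSCustomObject]@{
    SamAccountName = 'jdoe'
    lastLogonDate  = [datetime]'2013-01-15'
    description    = 'Contractor'
    mail           = @('jdoe@corp.example', 'john.doe@corp.example')
    memberOf       = @('CN=Domain Admins,CN=Users,DC=corp,DC=example',
                       'CN=VPN Users,OU=Groups,DC=corp,DC=example')
}
$sampleUser | ConvertTo-CsvRow | Export-Csv -Path .\StaleUsers.csv -NoTypeInformation
# Produces one row with mail  = jdoe@corp.example;john.doe@corp.example
#                  and memberOf = Domain Admins;VPN Users

# Against a real domain (assumes the ActiveDirectory module and $OU, $DeleteDate from the question):
# Get-ADUser -SearchBase $OU -Filter {lastLogonDate -lt $DeleteDate} `
#     -Properties lastLogonDate,description,mail,memberOf |
#     Select-Object SamAccountName,lastLogonDate,description,mail,memberOf |
#     ConvertTo-CsvRow | Export-Csv -Path .\StaleUsers.csv -NoTypeInformation
```

Because the join happens on whatever collection arrives, the same function works for publicDelegates, proxyAddresses or any other multi-valued attribute without adding a calculated property per column.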