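PowerShell AD users CSV report with ADPropertyValueCollection error

Time: 2014-04-07 02:13:03

Tags: powershell csv

I am looping through AD users and deleting those older than 90 days. I want to extract a report of all deleted users to CSV. In several fields of the CSV, I get Microsoft.ActiveDirectory.Management.ADPropertyValueCollection

The code is this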

# Get all users in that have not logged on within 
# 60 days in "Active Directory" and Disable them 
# 
# Get the Current Date 
LogInfo("START OF LOG FILE")
LogInfo("Compare Date : Getting date")
$COMPAREDATE=GET-DATE

# Number of Days to check back.
LogInfo("Set Disable Time : Settings Number of days to Disable to 60")
$NumberDays=(get-date).addDays(-60)
#$then = (Get-Date).AddDays(-60)

# Number of Days to check for REALLY Stale accounts 
# Our sample here is taking "OldAccounts" and pumping up 
# 30 more days.  
#Therefore 90 days old accounts that haven't logged in should be purged 
# 
LogInfo("Set Delete Time : Setting number of days to Delete to 90")
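# $NumberDays is a DateTime 60 days in the past; go back 30 more days to reach the 90-day cutoff.
# (Adding the integer 30 to a DateTime does not move it by 30 days.)
$DeleteDate=$NumberDays.AddDays(-30)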

# We have certain "Override fields" that bypass a delete 
# happening.  If the "Notes" field in A/D contains the 
# EXACT Override phrase ANYWHERE (in this case it is the 
# word ***OVERRIDE*** and it IS case sensitive 
# The account will NEVER be deleted (unless of course you remove 
# Word from the Notes field 
#
LogInfo("Set Override key word")
#$OverRide='***OVERRIDE***' 

# The other override field is if 
# the OnLeave details are in the Description 
# Field in A/D.  this allows for a User who is 
# Not gone (IE: Contractor / Student) but may 
# Return to have the account disabled and 
# Left alone until they return.  The words here are 
# simple On Leave Until and can be ANYWHERE in the 
# Description Field in A/D 
# 
LogInfo("Set On Leave override key word")
$OnLeave='On Leave Until'

# Organizational Unit to search – This is in the fictional domain of 
# ‘Contoso.local’ in the OU of Users under the Business OU on the Root 
# of the Contoso A/D 
# 
LogInfo("Set OU Path : Setting OU path to Test OU")
$OU='OU=Users,OU=Test,DC=corporate,DC=nzpost,DC=co,DC=nz'

# Get all users not active within the specified range and disable the accounts in Active Directory 
# 
# We store them away as a variable since we're going to examine the list a few times. 
LogInfo("Listing User accounts that is 60 days old")
$LISTOFACCOUNTS=Get-ADUser -Property lastlogondate -SearchBase $OU -Filter {lastLogonDate -lt $NumberDays}
# 
# Any account not logged in within the short range gets Disabled in AD 
# 
LogInfo("Disabling user accounts 60 days old")
$LISTOFACCOUNTS | DISABLE-ADACCOUNT -WhatIf

# Pull up a new list.   Really old accounts 
# 
#$LISTOFPOTENTIALDELETES=$LISTOFACCOUNTS | where { $_.LastLogon.AddDays($DeleteDate) -gt $CURRENTDATE } 
$LISTOFPOTENTIALDELETES=Get-ADUser -SearchBase $OU -Property Lastlogondate -Filter {lastlogondate -lt $DeleteDate}

# Secondary compare is more interesting.  If the accounts are VERY stale, they get deleted UNLESS special keywords 
# are in place 
# 
FOREACH ($USER in $LISTOFPOTENTIALDELETES) { 


        Get-ADUser -Identity $USER -Properties * | Select @{ Name = 'ADsPath'; Expression = { $_.ADsPath -join ';'; }; },cn,givenName,lastLogonDate,description, profilePath, homeDirectory, `
            @{ Name = 'mail'; Expression = { $_.mail -join ';'; }; }, @{ Name = 'publicDelegates'; Expression = { $_.publicDelegates -join ';'; }; }, whenCreated, company, manager, employeeID, `
            @{ Name = 'memberof'; Expression = { $_.memberof -join ';'; }; }  | Export-CSV "E:\Damo\_UserList.csv" -Append  

    IF (($USER.Notes -notlike '*'+$OVERRIDE+'*') -and ($USER.Description -notlike '*'+$OnLeave+'*')) 
    { 

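        # $(...) is needed to expand a property inside a double-quoted string
        LogInfo("$($USER.SamAccountName) Deleted") 
        WRITE-HOST $USER.SamAccountName 'Deleted' 
        # Remove-ADObject identifies objects by distinguished name or GUID, so pass the user object itself
        REMOVE-ADOBJECT $USER -whatif 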

    } 
    ELSEIF ($USER.Notes -like '*'+$OVERRIDE+'*') 
        { 
            LogInfo("$($USER.SamAccountName) Not removed due to Administrative Override")
            WRITE-HOST $USER.SamAccountName 'Not removed due to Administrative Override'  
         } 
        ELSE 
        { 
            LogInfo("$($USER.SamAccountName) Not removed - Presently on Leave")
            WRITE-HOST $USER.SamAccountName 'Not removed - Presently on Leave' 
        } 

#Get-ADUser -Identity $USER -Properties * | Select ADsPath,cn,givenName,lastLogonDate,description, profilePath, homeDirectory, @{ Name = 'mail'; Expression = { $_.mail -join ';'; }; }, 
    #publicDelegates, whenCreated, company, manager, employeeID, memberof | Export-CSV "E:\Folder\_UserList.csv" -Append
} 

$users = get-aduser -SearchBase $OU -Properties userPrincipalName,lastlogonDate,description,mail,profilePath,HomeDirectory -filter {userPrincipalName -like "*"} 
$csv = foreach($user in $users){ 

    $grp = get-adprincipalgroupmembership $user 
    Foreach($group in $grp){ 
        New-Object -TypeName PSObject -Property @{ 
            #MemberOf = $user.memberof[0]
            Group = $group.Name 
            User = $user.SamAccountName 
            GivenName = $user.givenName
            Surname = $User.Surname
            LastLogon = $user.lastlogondate
            Description = $User.Description
            Mail = $User.Mail
            ProfilePath = $User.profilePath
            HomeDir = $User.homeDirectory
            } 
        } 
} 

$csv | Export-csv E:\Folder\DeletedUsersInfo.csv

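How can I populate MemberOf in the CSV so that it shows all of the user's groups?

I have two loops because I was trying to get one loop working so that it only shows the group memberships without the full OU path.

Any help would be great.

Cheers in advance

1 answer:

Answer 0: (score: 1)

The problem is that some Active Directory properties are collections/arrays. For example, a user can have multiple email aliases in the mail property. To show this information in a CSV file, you have to pre-process the information before it can be represented as a single string.

To demonstrate the "problem" using a simple example, consider the following: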

$arr = @(1,2,3);
$arr.ToString();

The result looks like this:

System.Object[]

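To work around this, you need to augment the object before passing it to the Export-Csv cmdlet. Luckily, you can easily modify it using Select-Object!

Consider this simple example, which builds on the previous one, by joining the array on a character: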

$arr = @(1,2,3);
$arr -join ';'

The result looks like this:

1;2;3

Now, applying this to your example, we will join the array of items on a character (e.g. a semicolon). Here is what it looks like:

Get-ADUser -Identity $USER -Properties * | Select ADsPath,cn,givenName,lastLogonDate,description, profilePath, homeDirectory, @{ Name = 'mail'; Expression = { $_.mail -join ';'; }; }, publicDelegates, whenCreated, company, manager, employeeID, memberof | Export-CSV "E:\Damo\_UserList.csv" -Append

In the code above, the resulting mail property looks like this:

email1@domain.com;email2@domain.com;email3@domain.com

Since the array data is now represented as a single string, it will export to a spreadsheet (CSV file) normally.
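
The following is an added example, not part of the original question or answer. It applies the same `-join` technique to both `mail` and `memberOf`, and reduces each group distinguished name to its CN so the CSV shows group names without the full OU path. The sample users and the helper names `Get-CnFromDn` and `ConvertTo-FlatUserRow` are constructed for illustration, so it runs without a domain.

```powershell
# Constructed sample objects standing in for Get-ADUser output (no domain needed).
$sampleUsers = @(
    [pscustomobject]@{
        SamAccountName = 'jdoe'
        mail           = @('jdoe@example.com', 'john.doe@example.com')
        memberOf       = @(
            'CN=Finance,OU=Groups,DC=example,DC=com',
            'CN=Staff\, Wellington,OU=Groups,DC=example,DC=com'   # escaped comma in the CN
        )
    },
    [pscustomobject]@{
        SamAccountName = 'asmith'
        mail           = @()          # empty collection -> empty CSV cell
        memberOf       = @('CN=Staff\, Wellington,OU=Groups,DC=example,DC=com')
    }
)

# Hypothetical helper: return the leading CN value of a distinguished name,
# honouring backslash-escaped characters such as "\," (hex escapes are not decoded).
function Get-CnFromDn {
    param([string]$DistinguishedName)
    if ($DistinguishedName -match '^CN=((?:\\.|[^,\\])+)') {
        return ($Matches[1] -replace '\\(.)', '$1')
    }
    return $DistinguishedName   # not a CN-rooted DN: keep it unchanged
}

# Hypothetical helper: flatten the multi-valued fields into single strings
# so Export-Csv / ConvertTo-Csv writes values instead of the collection type name.
function ConvertTo-FlatUserRow {
    param([Parameter(ValueFromPipeline = $true)]$User)
    process {
        $User | Select-Object SamAccountName,
            @{ Name = 'mail';     Expression = { $_.mail -join ';' } },
            @{ Name = 'memberOf'; Expression = {
                ($_.memberOf | ForEach-Object { Get-CnFromDn $_ }) -join ';' } }
    }
}

# ConvertTo-Csv prints the rows; swap in Export-Csv -Path ... -NoTypeInformation to write a file.
$sampleUsers | ConvertTo-FlatUserRow | ConvertTo-Csv -NoTypeInformation
```

With real data, pipe `Get-ADUser ... -Properties mail,memberOf` into the same function in place of `$sampleUsers`.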