我目前正在创建PowerShell脚本,以便为去年未登录的用户扫描Active Directory。
Import-Module ActiveDirectory
$DaysInactive = 365
$InactiveDate = (Get-Date).AddDays(-($DaysInactive))
$Users = Get-ADUser -SearchScope OneLevel -SearchBase "ou=staff,ou=brummitt,dc=DUNELAND,dc=LOCAL" -Filter { LastLogonDate -lt $InactiveDate } -Properties LastLogonDate |
Select-Object @{Name="Username";Expression={$_.SamAccountName}},
Name, LastLogonDate, DistinguishedName
$Users | Export-Csv C:\Temp\InactiveUsers.csv -NoTypeInformation
如果您看到用户变量,您会看到我们有一个学校名称和一名员工。我们在我们区的所有建筑都有这样的惯例。如何扫描所有第一级OU并将人员OU作为第二级?
我尝试将搜索库更改为此-SearchBase "ou=staff,ou=*,dc=DUNELAND,dc=LOCAL"但我收到此错误:
Get-ADUser : Directory object not found
At line:6 char:10
+ $Users = Get-ADUser -SearchScope OneLevel -SearchBase "ou=staff,ou=*,dc=DUNELAND ...
+ > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-ADUser], ADIdentityNotFoundException
+ FullyQualifiedErrorId : Directory object not found,Microsoft.ActiveDirectory.Management.Commands.GetADUser
答案 0 :(得分:1)
您无法在SearchBase DN中指定通配符,但您可以这样做:
类似的东西:
# 1. Find the first-level OU's
$LevelOne = Get-ADOrganizationalUnit -Filter * -SearchScope OneLevel
# 2. Find the staff OU's
$StaffOUs = $LevelOne |ForEach-Object {
Get-ADOrganizationalUnit -Filter "Name -like 'Staff'" -SearchBase $_.DistinguishedName -SearchScope OneLevel -ErrorAction SilentlyContinue
}
# 3. Query each staff OU
$StaffOUs |ForEach-Object {
Get-ADUser -SearchScope OneLevel -SearchBase $_.DistinguishedName -Filter { LastLogonDate -lt $InactiveDate } -Properties LastLogonDate |
Select-Object @{Name="Username";Expression={$_.SamAccountName}},
Name, LastLogonDate, DistinguishedName
} |Export-Csv C:\Temp\InactiveUsers.csv -NoTypeInformation