Export list of AD Users account NOT in certain OU with specific criteria?

ITEngineer
Posts: 193
Joined: Wed Oct 12, 2011 10:52 am

Export list of AD Users account NOT in certain OU with specific criteria?

Post by ITEngineer »

Hi All,

I need some help in modifying the AD OU filter below to exclude the AD user accounts that are located in the OUs in the list.
This is the script that I have tried, but the result always contains user accounts in those OUs.

Code: Select all

$filter = "(Enabled -eq 'true') -and ((mail -notlike '*') -or (company -notlike '*') -or (l -notlike '*') -or (physicalDeliveryOfficeName -notlike '*') -or (title -notlike '*') -or ( (telephoneNumber -notlike '*') -and (mobile -notlike '*')) )"
$properties = @('mail', 'physicalDeliveryOfficeName', 'Company', 'DisplayName', 'title', 'SamAccountName', 'CanonicalName', 'lastlogondate', 'mobile', 'telephoneNumber','l','Whencreated')
$domainDN = (Get-ADDomain).DistinguishedName

$excludeOUs = @(
	'OU=Disabled Users,DC=GlobalCorp,DC=com'
	'OU=GlobalCorp Testing,DC=GlobalCorp,DC=com'
	'OU=Admin Accounts,OU=GlobalCorp Global,DC=GlobalCorp,DC=com'
	'OU=Service Accounts,OU=GlobalCorp Global,DC=GlobalCorp,DC=com'
	'OU=Shared Mailboxes,OU=GlobalCorp Global,DC=GlobalCorp,DC=com'
)

Get-ADUser -Filter $filter -Properties $properties -SearchBase $domainDN |
	Select-Object -Property `
		DisplayName,
		Company,
		Title,
		TelephoneNumber,
		Mobile,
		PhysicalDeliveryOfficeName,
		SamAccountName,
		Mail,
		@{n = "OU"; e = { $_.CanonicalName.Remove($_.CanonicalName.LastIndexOf($_.Name) - 1) } },
		@{n = 'CN'; e = { Split-Path $_.CanonicalName -Parent } },
		@{n = 'ParentContainer'; e = { $_.DistinguishedName -replace '^CN=.*?(?=CN|OU)' } },
		LastLogondate,
		WhenCreated |
	Where-Object {
		($excludeOUs -notcontains $_.ParentContainer) -and
		($_.SamAccountName -notmatch '^(Temp|Kiosk|HealthMailbox|SVC|Test|admin|\$)') -and
		($_.DisplayName -notmatch 'Admin|Calendar|Room')
	} |
	ConvertTo-HTML | Set-Variable HTMLBody

Send-MailMessage -SmtpServer SMTP.GlobalCo.com -From "$env:COMPUTERNAME@$env:userdnsdomain" -To Admin@MSP.com -Subject "AD User Incomplete report as at $((Get-Date).ToString('dd-MM-yyyy'))" -Body ($HTMLBody -join "`n") -BodyAsHTML

Any help would be greatly appreciated.

Thank you in advance.
/* IT Engineer */

jvierra
Posts: 14458
Joined: Tue May 22, 2007 9:57 am

Re: Export list of AD Users account NOT in certain OU with specific criteria?

Post by jvierra »

Here is a simple trick to get only OUs not in a collection.

Code: Select all

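# Enumerate every OU, drop the excluded ones, then search each remaining OU directly
Get-ADOrganizationalUnit -Filter * |
	Where-Object { $_.DistinguishedName -notin $excludeOUs } |
	ForEach-Object { Get-ADUser -Filter $filter -Properties $properties -SearchBase $_.DistinguishedName -SearchScope OneLevel } |
	.... etc ...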

jvierra
Posts: 14458
Joined: Tue May 22, 2007 9:57 am

Re: Export list of AD Users account NOT in certain OU with specific criteria?

Post by jvierra »

Here is the best way to get users and exclude OUs.

Code: Select all

Get-AdOrganizationalUnit  -Filter *  -pipeline OU|
	Where-Object{$_.Distinguishedname -notin $excludeOUs } |
	ForEach-Object{
		Get-ChildItem -Path ('AD:\' + $_.DistinguishedName) -Filter '(&(objectClass=User)(!objectClass=computer))'
	} | 
	Select-Object name,@{n='ou';e={$ou}}

ITEngineer
Posts: 193
Joined: Wed Oct 12, 2011 10:52 am

Re: Export list of AD Users account NOT in certain OU with specific criteria?

Post by ITEngineer »

Thanks for the suggestion Mr Vierra,

Each smaller sub-company has its own Service Account, meeting rooms, SharedMailboxes.
'OU=GlobalCorp Testing,DC=GlobalCorp,DC=com',
'OU=HeadOffice,OU=Shared Mailboxes,DC=GlobalCorp,DC=com',

'OU=Branch1,OU=Shared Mailboxes,DC=GlobalCorp,DC=com',
'OU=Branch2,OU=Shared Mailboxes,DC=GlobalCorp,DC=com',
'OU=Branch3,OU=Shared Mailboxes,DC=GlobalCorp,DC=com',

'OU=Service Accounts,DC=GlobalCorp,DC=com',
'OU=Service Accounts,OU=Users,OU=Branch1,DC=GlobalCorp,DC=com',
'OU=Service Accounts,OU=Users,OU=Branch2,DC=GlobalCorp,DC=com',
'OU=Service Accounts,OU=Users,OU=Branch3,DC=GlobalCorp,DC=com',

'OU=Administrative Accounts,DC=GlobalCorp,DC=com',
'OU=Developer Accounts,DC=GlobalCorp,DC=com',
'OU=Disabled Users,DC=GlobalCorp,DC=com',
'OU=Domain Admin Accounts,DC=GlobalCorp,DC=com',
'OU=External Service Accounts,DC=GlobalCorp,DC=com'
Therefore the OU name is sometimes a bit confusing to filter with PowerShell.
/* IT Engineer */

jvierra
Posts: 14458
Joined: Tue May 22, 2007 9:57 am

Re: Export list of AD Users account NOT in certain OU with specific criteria?

Post by jvierra »

Any OU DN in the restricted list will be ignored. You have to take the time to understand the code and the method. Beyond that we cannot possibly help you.
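
The difference between comparing a parent container to the listed DNs exactly and treating each listed OU as a subtree, as an added example that is not code from either poster. `Get-ParentDN` and `Test-InExcludedOU` are hypothetical helpers, the user objects are constructed sample data built from OU names in this thread, and the AD module is not needed to run it.

```powershell
# Added example: exact-DN vs. subtree OU exclusion, run on constructed data.
$excludeOUs = @(
    'OU=Shared Mailboxes,DC=GlobalCorp,DC=com'
    'OU=Service Accounts,DC=GlobalCorp,DC=com'
    'OU=Service Accounts,OU=Users,OU=Branch1,DC=GlobalCorp,DC=com'
    'OU=Disabled Users,DC=GlobalCorp,DC=com'
)

function Get-ParentDN {
    # Hypothetical helper: drop the first RDN by splitting on the first comma
    # that is not escaped with a backslash (a CN such as 'Doe\, Jane').
    param([Parameter(Mandatory)][string]$DistinguishedName)
    ($DistinguishedName -split '(?<!\\),', 2)[1]
}

function Test-InExcludedOU {
    # Hypothetical helper: $true when the parent container IS an excluded OU
    # or lies anywhere BELOW one. The leading comma in the suffix test keeps
    # the match on an RDN boundary.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string[]]$ExcludedOU
    )
    $parent = Get-ParentDN -DistinguishedName $DistinguishedName
    foreach ($ou in $ExcludedOU) {
        if ($parent -eq $ou -or
            $parent.EndsWith(",$ou", [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Constructed sample accounts; 'b2-shared' sits in a child OU of an excluded OU.
$users = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';      DistinguishedName = 'CN=Doe\, Jane,OU=Users,OU=Branch1,DC=GlobalCorp,DC=com' }
    [pscustomobject]@{ SamAccountName = 'svc-sql';   DistinguishedName = 'CN=svc-sql,OU=Service Accounts,OU=Users,OU=Branch1,DC=GlobalCorp,DC=com' }
    [pscustomobject]@{ SamAccountName = 'b2-shared'; DistinguishedName = 'CN=b2-shared,OU=Branch2,OU=Shared Mailboxes,DC=GlobalCorp,DC=com' }
    [pscustomobject]@{ SamAccountName = 'olduser';   DistinguishedName = 'CN=olduser,OU=Disabled Users,DC=GlobalCorp,DC=com' }
)

# Compare both tests side by side for every sample account.
$users | Select-Object SamAccountName,
    @{ n = 'ExactMatch';   e = { (Get-ParentDN -DistinguishedName $_.DistinguishedName) -in $excludeOUs } },
    @{ n = 'SubtreeMatch'; e = { Test-InExcludedOU -DistinguishedName $_.DistinguishedName -ExcludedOU $excludeOUs } }

# Against a live domain the same test would sit in the pipeline, for example:
#   Get-ADUser -Filter $filter -Properties $properties |
#       Where-Object { -not (Test-InExcludedOU -DistinguishedName $_.DistinguishedName -ExcludedOU $excludeOUs) }
```

The split in `Get-ParentDN` assumes a backslash before a comma always escapes that comma; a CN ending in an escaped backslash would need a full DN parser.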

ITEngineer
Posts: 193
Joined: Wed Oct 12, 2011 10:52 am

Re: Export list of AD Users account NOT in certain OU with specific criteria?

Post by ITEngineer »

jvierra wrote:
Mon Oct 14, 2019 12:48 am
Here is the best way to get users and exclude OUs.

Code: Select all

Get-AdOrganizationalUnit  -Filter *  -pipeline OU|
	Where-Object{$_.Distinguishedname -notin $excludeOUs } |
	ForEach-Object{
		Get-ChildItem -Path ('AD:\' + $_.DistinguishedName) -Filter '(&(objectClass=User)(!objectClass=computer))'
	} | 
	Select-Object name,@{n='ou';e={$ou}}
Thanks Mr. Vierra. :D
/* IT Engineer */
