
Export list of AD Users account NOT in certain OU with specific criteria?

Posted: Sun Oct 13, 2019 11:42 pm
by ITEngineer
Hi All,

I need some help in modifying the AD OU filter below to exclude the AD user accounts that are located in the OUs in the list.
This is the script that I have tried, but the result always contains user accounts in those OUs.


$filter = "(Enabled -eq 'true') -and ((mail -notlike '*') -or (company -notlike '*') -or (l -notlike '*') -or (physicalDeliveryOfficeName -notlike '*') -or (title -notlike '*') -or ( (telephoneNumber -notlike '*') -and (mobile -notlike '*')) )"
$properties = @('mail', 'physicalDeliveryOfficeName', 'Company', 'DisplayName', 'title', 'SamAccountName', 'CanonicalName', 'lastlogondate', 'mobile', 'telephoneNumber','l','Whencreated')
$domainDN = (Get-ADDomain).DistinguishedName

$excludeOUs = @(
	'OU=Disabled Users,DC=GlobalCorp,DC=com'
	'OU=GlobalCorp Testing,DC=GlobalCorp,DC=com'
	'OU=Admin Accounts,OU=GlobalCorp Global,DC=GlobalCorp,DC=com'
	'OU=Service Accounts,OU=GlobalCorp Global,DC=GlobalCorp,DC=com'
	'OU=Shared Mailboxes,OU=GlobalCorp Global,DC=GlobalCorp,DC=com'
)

$HTMLBody = Get-ADUser -Filter $filter -Properties $properties -SearchBase $domainDN |
	Where-Object {
		# Filter on the raw AD object, before Select-Object drops DistinguishedName.
		# A user is under an excluded OU (directly or in any sub-OU) when its DN ends
		# with ",<OU DN>"; an exact match on the parent container alone misses sub-OUs.
		$dn = $_.DistinguishedName
		$inExcludedOU = [bool]($excludeOUs | Where-Object { $dn.EndsWith(",$_", [System.StringComparison]::OrdinalIgnoreCase) })
		(-not $inExcludedOU) -and
		($_.SamAccountName -notmatch '^(Temp|Kiosk|HealthMailbox|SVC|Test|admin|\$)') -and
		($_.DisplayName -notmatch 'Admin|Calendar|Room')
	} |
	Select-Object -Property `
		DisplayName,
		Company,
		Title,
		TelephoneNumber,
		Mobile,
		PhysicalDeliveryOfficeName,
		SamAccountName,
		Mail,
		@{n = "OU"; e = { $_.CanonicalName.Remove($_.CanonicalName.LastIndexOf($_.Name) - 1) } },
		@{n = 'CN'; e = { Split-Path $_.CanonicalName -Parent } },
		# Strip the leading CN= RDN up to the first unescaped comma that starts the next RDN
		@{n = 'ParentContainer'; e = { $_.DistinguishedName -replace '^CN=.*?,(?=(CN|OU)=)' } },
		LastLogondate,
		WhenCreated |
	ConvertTo-Html | Out-String   # one string for -Body; '`n' in single quotes is a literal backtick-n, not a newline

Send-MailMessage -SmtpServer SMTP.GlobalCo.com -From "$env:COMPUTERNAME@$env:userdnsdomain" -To Admin@MSP.com -Subject "AD User Incomplete report as at $((Get-Date).ToString('dd-MM-yyyy'))" -Body $HTMLBody -BodyAsHtml

Any help would be greatly appreciated.

Thank you in advance.

Re: Export list of AD Users account NOT in certain OU with specific criteria?

Posted: Sun Oct 13, 2019 11:55 pm
by jvierra
Here is a simple trick to get only OUs not in a collection


Get-ADOrganizationalUnit -Filter * |
	Where-Object { $_.DistinguishedName -notin $excludeOUs } |
	ForEach-Object {
		# Users directly in this OU only; each sub-OU is visited by its own iteration
		Get-ADUser -Filter $filter -Properties $properties -SearchBase $_.DistinguishedName -SearchScope OneLevel
	} |
	.... etc ...

Re: Export list of AD Users account NOT in certain OU with specific criteria?

Posted: Mon Oct 14, 2019 12:48 am
by jvierra
Here is the best way to get users and exclude OUs.


Get-ADOrganizationalUnit -Filter * |
	Where-Object { $_.DistinguishedName -notin $excludeOUs } |
	ForEach-Object {
		$ou = $_.DistinguishedName
		# Get-ChildItem on the AD: drive lists direct children only; the LDAP filter keeps user objects and drops computers
		Get-ChildItem -Path ('AD:\' + $ou) -Filter '(&(objectClass=user)(!(objectClass=computer)))' |
			Select-Object Name, @{n = 'ou'; e = { $ou } }
	}

Re: Export list of AD Users account NOT in certain OU with specific criteria?

Posted: Mon Oct 14, 2019 10:09 pm
by ITEngineer
Thanks for the suggestion Mr Vierra,

Each smaller sub-company has its own Service Accounts, meeting rooms and Shared Mailboxes.

'OU=GlobalCorp Testing,DC=GlobalCorp,DC=com',
'OU=HeadOffice,OU=Shared Mailboxes,DC=GlobalCorp,DC=com',

'OU=Branch1,OU=Shared Mailboxes,DC=GlobalCorp,DC=com',
'OU=Branch2,OU=Shared Mailboxes,DC=GlobalCorp,DC=com',
'OU=Branch3,OU=Shared Mailboxes,DC=GlobalCorp,DC=com',

'OU=Service Accounts,DC=GlobalCorp,DC=com',
'OU=Service Accounts,OU=Users,OU=Branch1,DC=GlobalCorp,DC=com',
'OU=Service Accounts,OU=Users,OU=Branch2,DC=GlobalCorp,DC=com',
'OU=Service Accounts,OU=Users,OU=Branch3,DC=GlobalCorp,DC=com',

'OU=Administrative Accounts,DC=GlobalCorp,DC=com',
'OU=Developer Accounts,DC=GlobalCorp,DC=com',
'OU=Disabled Users,DC=GlobalCorp,DC=com',
'OU=Domain Admin Accounts,DC=GlobalCorp,DC=com',
'OU=External Service Accounts,DC=GlobalCorp,DC=com'

Therefore the OU name is sometimes a bit confusing to filter with PowerShell.

Re: Export list of AD Users account NOT in certain OU with specific criteria?

Posted: Mon Oct 14, 2019 11:11 pm
by jvierra
Any OU DN in the restricted list will be ignored. You have to take the time to understand the code and the method. Beyond that we cannot possibly help you.
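
An added example (editor's code, not from either poster) of the other way to cut this: instead of listing every sub-OU, test whether a user's DN lies anywhere under an excluded OU by checking for the ",<OU DN>" suffix. It reuses the $excludeOUs list from the first post; the user DNs are constructed for the demonstration, and the live Get-ADUser call at the bottom is commented out because it needs the ActiveDirectory module and a domain.

```powershell
# Added example, not code from the thread. Assumes the $excludeOUs list from the
# first post; the sample DNs below are constructed.

function Test-InExcludedOU {
    <#
      Returns $true when the object's DN lies under any excluded OU, at any depth.
      A DN is "under" an OU exactly when it ends with ",<OU DN>". The leading comma
      stops 'OU=Not Service Accounts' matching 'OU=Service Accounts', and an escaped
      comma inside an RDN (written '\,') can never begin a ',OU=' suffix.
    #>
    param(
        [Parameter(Mandatory)] [string]   $DistinguishedName,
        [Parameter(Mandatory)] [string[]] $ExcludedOU
    )
    foreach ($ou in $ExcludedOU) {
        # DNs are case-insensitive, so compare that way
        if ($DistinguishedName.EndsWith(",$ou", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$excludeOUs = @(
    'OU=Disabled Users,DC=GlobalCorp,DC=com'
    'OU=GlobalCorp Testing,DC=GlobalCorp,DC=com'
    'OU=Admin Accounts,OU=GlobalCorp Global,DC=GlobalCorp,DC=com'
    'OU=Service Accounts,OU=GlobalCorp Global,DC=GlobalCorp,DC=com'
    'OU=Shared Mailboxes,OU=GlobalCorp Global,DC=GlobalCorp,DC=com'
)

# Constructed sample DNs: a direct hit, a user in a sub-OU of an excluded OU
# (the sub-OU itself is not in the list), a look-alike OU name that must not
# match, and an ordinary user whose CN contains an escaped comma.
$samples = @(
    'CN=svc-backup,OU=Service Accounts,OU=GlobalCorp Global,DC=GlobalCorp,DC=com'
    'CN=Reception,OU=HeadOffice,OU=Shared Mailboxes,OU=GlobalCorp Global,DC=GlobalCorp,DC=com'
    'CN=Jane Doe,OU=Not Service Accounts,OU=GlobalCorp Global,DC=GlobalCorp,DC=com'
    'CN=Doe\, John,OU=Users,OU=Branch1,DC=GlobalCorp,DC=com'
)

foreach ($dn in $samples) {
    $excluded = Test-InExcludedOU -DistinguishedName $dn -ExcludedOU $excludeOUs
    '{0,-7} {1}' -f $(if ($excluded) { 'SKIP' } else { 'REPORT' }), $dn
}

# Live use against the domain (requires the ActiveDirectory module), with the
# $filter and $properties from the first post and the same exclusion test:
# Get-ADUser -Filter $filter -Properties $properties -SearchBase (Get-ADDomain).DistinguishedName |
#     Where-Object { -not (Test-InExcludedOU -DistinguishedName $_.DistinguishedName -ExcludedOU $excludeOUs) }
```

The suffix test is purely location-based, which cuts both ways: an admin or service account created outside its OU still shows up in the report (which is what the SamAccountName prefix filter in the first post catches), and an ordinary account dropped into an excluded OU silently disappears from it. Treat the exclusion list as a statement about OU hygiene, not about what the accounts are.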

Re: Export list of AD Users account NOT in certain OU with specific criteria?

Posted: Mon Oct 14, 2019 11:35 pm
by ITEngineer
jvierra wrote:
Mon Oct 14, 2019 12:48 am
Here is the best way to get users and exclude OUs.


Get-ADOrganizationalUnit -Filter * |
	Where-Object { $_.DistinguishedName -notin $excludeOUs } |
	ForEach-Object {
		$ou = $_.DistinguishedName
		# Get-ChildItem on the AD: drive lists direct children only; the LDAP filter keeps user objects and drops computers
		Get-ChildItem -Path ('AD:\' + $ou) -Filter '(&(objectClass=user)(!(objectClass=computer)))' |
			Select-Object Name, @{n = 'ou'; e = { $ou } }
	}

Thanks Mr. Vierra. :D