[quote=9758]Your logic isn’t identical in the script and manual steps

script:
InactiveCount=@($members|?{$_.lockedout -or $_.Enabled -eq $false}).count

manual:
$i=($m|?{$_.lockedout -or $_.enabled -like 'false'}).count

As an aside, don’t use aliases for cmdlets and parameters in scripts. If a puppy is killed every time you use write-host, you don’t want to see what happens when aliases are used in scripts.

You don’t need to use -property * on Get-ADuser; you can list the extra properties you need. It’ll cut down the data returned.

In this line
InactiveCount=@($members|?{$_.lockedout -or $_.Enabled -eq $false}).count

why do you need the @?

$members is already an array and you are just filtering the members

The errors are probably due to AD not understanding what you are trying to do. Piping the output of get-adgroupmember into get-aduser should work[/quote]
It seems I pasted the wrong code into the post. Sorry.
I am using the following code:
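Import-Module ActiveDirectory
$groups = Get-ADGroup -f * -searchbase 'My OU Here'
foreach ($group in $groups) {
    # Resolve each group member to a user object with all properties
    $member = Get-ADGroupmember $group | Get-ADuser -property *
    $props = @{
        groupname = $group.name
        # @() keeps .count valid when there is one member or none
        Members   = @($member).count
        # Enabled is a Boolean: compare with $false, because the string 'False' converts to $true
        Inactive  = @($member | Where {$_.Enabled -eq $false}).count
    }
    New-Object PsObject -property $props
}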
This code seems to work. However, I have encountered some issues I am not knowledgeable enough to handle.
Specifically, my OUs are set up with Groups in a Resource container under my main OU, and my Users are in a Users container. When the script pipes the Get-ADgroupmember to Get-ADUser and encounters someone’s account that resides in another OU (or even another domain in our forest), it throws errors for that user account (but does continue to run).
My Groups container is:
OU=Resource Groups,OU=Groups,OU=City,OU=state,DC=EastDomain,DC=Headquarters,DC=company,DC=com
My Users container is:
OU=USERS,OU=CITY,OU=STATE,DC=EastDomain,DC=Headquarters,DC=Company,DC=com
I guess my questions would be:
Is it possible to look for the groups in the Resource Groups container (for the initial get-adgroup command) and then, when get-adgroupmember is executed and starts listing the user names, look up those member accounts in the Users container?
In essence, the code would look something like this (if this were possible):
Import-Module ActiveDirectory
$groups = Get-ADGroup -f * -searchbase 'OU=Resource Groups,OU=Groups,OU=City,OU=state,DC=EastDomain,DC=Headquarters,DC=company,DC=com'
foreach ($group in $groups) {
    # Hypothetical syntax (as asked above): restrict the user lookup to the Users OU
    $member = Get-ADGroupmember $group | Get-ADuser -f * OU=USERS,OU=CITY,OU=STATE,DC=EastDomain,DC=Headquarters,DC=Company,DC=com -property *
    $props = @{
        groupname = $group.name
        # @() keeps .count valid when there is one member or none
        Members   = @($member).count
        # Enabled is a Boolean: compare with $false, because the string 'False' converts to $true
        Inactive  = @($member | Where {$_.Enabled -eq $false}).count
    }
    New-Object PsObject -property $props
}
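
One way to do what the question asks, as an added example that is not part of the original post: search the Users OU for accounts whose memberOf lists each group, so accounts in other OUs or domains are never passed to Get-ADUser. The ConvertTo-LdapFilterValue helper and the output property names are introduced for this illustration; memberOf covers direct membership only and does not include a user's primary group.

```powershell
Import-Module ActiveDirectory

# The two containers named in the post.
$groupsOU = 'OU=Resource Groups,OU=Groups,OU=City,OU=state,DC=EastDomain,DC=Headquarters,DC=company,DC=com'
$usersOU  = 'OU=USERS,OU=CITY,OU=STATE,DC=EastDomain,DC=Headquarters,DC=Company,DC=com'

# Hypothetical helper: escape the characters RFC 4515 reserves in an LDAP
# filter value, so a group DN containing "(", ")", "*" or "\" cannot change
# the meaning of the filter it is placed in.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory = $true)][string]$Value)
    $Value = $Value.Replace('\', '\5c')   # backslash first, or later escapes get re-escaped
    $Value = $Value.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $Value.Replace([string][char]0, '\00')
}

Get-ADGroup -Filter * -SearchBase $groupsOU -Properties member | ForEach-Object {
    $group  = $_
    $filter = '(memberOf={0})' -f (ConvertTo-LdapFilterValue $group.DistinguishedName)

    # Search only the Users OU for accounts that are direct members of this group.
    # Enabled is part of Get-ADUser's default property set, so -Properties * is not needed.
    $users = @(Get-ADUser -LDAPFilter $filter -SearchBase $usersOU -SearchScope Subtree)

    New-Object PSObject -Property @{
        GroupName      = $group.Name
        # Every entry in the group's member attribute, wherever the object lives
        TotalMembers   = @($group.member).Count
        # Members whose accounts sit under the Users OU
        UsersInUsersOU = $users.Count
        # Disabled accounts that still hold membership in the group
        Disabled       = @($users | Where-Object { $_.Enabled -eq $false }).Count
    }
}
```

A gap between TotalMembers and UsersInUsersOU marks groups that contain nested groups, computers, or accounts from other OUs or domains.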