For some reason the logic is not ignoring computers that are members of the exception group. Any ideas why? From what I have found, it has to do with the scope change.
This works (uses a searchbase):
[pre]
$ExceptionGroup = "DIV-ComputerLifeCycleManagementException-DL"
$compds=Get-ADComputer -Property Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter {(enabled -eq $False) -and (Modified -le $DaysDisable ) } -SearchBase "DC=1,DC=domain,DC=com"
if($compds){
    foreach ($compd in $compds){
        # Delete all computers not in the exception group
        if(!($compd.MemberOf -like "*"+ $ExceptionGroup +"*")){
            $j=$j+1
            $compd | Export-Csv -Append -path $fileDelete
            #$compd | Remove-ADcomputer -Confirm:$False
            # Get-ADComputer -Identity $compd | Remove-ADObject -Recursive -Confirm:$False
        }
    }
}
[/pre]
This does not work (using a GC server for multidomain searching):
[pre]
$ExceptionGroup = "DIV-ComputerLifeCycleManagementException-DL"
$compds=Get-ADComputer -Property Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter {(enabled -eq $False) -and (Modified -le $DaysDisable ) } -Server serv.domain.com:3268
if($compds){
    foreach ($compd in $compds){
        # Delete all computers not in the exception group
        if(!($compd.MemberOf -like "*"+ $ExceptionGroup +"*")){
            $j=$j+1
            $compd | Export-Csv -Append -path $fileDelete
            #$compd | Remove-ADcomputer -Confirm:$False
            # Get-ADComputer -Identity $compd | Remove-ADObject -Recursive -Confirm:$False
        }
    }
}
[/pre]
Any ideas as to why this change causes the commands to ignore the line that says not to include a computer if it is in the exception group?
One solution is to use a calculated expression to identify the membership and then just exclude them with a filter:
[pre]
Import-Module ActiveDirectory
$exclusionGrp = 'CN=Domain Admins*'
$users = Get-ADUser -Filter {Enabled -eq $True} -Properties MemberOf |
    Select Name,
           SamAccountName,
           @{Name='InExclusionGrouup';Expression={[boolean]($_.MemberOf -like $exclusionGrp)}}
foreach ($user in $users | Where{$_.InExclusionGrouup -eq $false}) {
    $user
}
[/pre]
If you look at $users, you would see something like this; then you are just doing a simple filter:
[pre]
PS C:\Users\Administrator> $users
Name          SamAccountName InExclusionGrouup
----          -------------- -----------------
Administrator Administrator  True
Rob Simmers   rs             True
Jack Smith    js             False
Sally Smith   ss             False
Angela Smith  as             False
[/pre]
Would this take you in the correct direction?
[pre]
$exclustionroup = "DIV-ComputerLifeCycleManagementException-DL"
Get-ADComputer -Filter {enabled -eq $false} -Properties memberOf | where {$_.memberof -notmatch $exclustionroup}
[/pre]
I like the idea but something is not working correctly. It is no longer getting the computers in the exception group but it is missing a lot of other systems also.
[pre]
PS C:\Scripts\ADCleanup> $compds=Get-ADComputer -Property Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter {(enabled -eq $False) -and (Modified -le $DaysDisable ) } -Server serv.domain.com:3268 | where-object {$_.memberof -notmatch $ExceptionGroup}
PS C:\Scripts\ADCleanup> $compds.count
59
PS C:\Scripts\ADCleanup> $compds1=Get-ADComputer -Property Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter {(enabled -eq $False) -and (Modified -le $DaysDisable ) } -Server serv.domain.com:3268
PS C:\Scripts\ADCleanup> $compds1.count
1164
[/pre]
There are 206 members of the exception group. So going from 1164 results down to 59 is not correct. I should be in the 958 or higher range.
Seems so. Sorry, I didn’t have AD to play with. This is ugly as the scripter, but seems to get proper results. I had to drop those filters away to get some hits though.
[pre]
$exceptionGroup = 'CG-some-old-crapz'
$exceptionGroupMembers = Get-ADGroupMember $exceptionGroup -Recursive
$exceptionGroupMembers.Count
$searchBase = 'OU=Servers,DC=plop,DC=com'
$compds = Get-ADComputer -SearchBase $searchBase -Property Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter *
$compds.Count
$compds = $compds | where {$_.name -notin $exceptionGroupMembers.name}
$compds.Count
[/pre]
So I’m getting an error when executing:
[pre]
$exceptionGroupMembers = Get-ADGroupMember $exceptionGroup -Recursive
[/pre]
I have tried by manually putting in the group identity and get the same exception every time.
[pre]
Get-ADGroupMember : An operations error occurred
At line:2 char:26
+ $exceptionGroupMembers = Get-ADGroupMember $ExceptionGroup -Recursive
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (DIV-ComputerLif...entException-DL:ADGroup) [Get-ADGroupMember], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
[/pre]
OK, I think I have it by using this
[pre]
Function Get-ADGroupMemberFix {
    [CmdletBinding()]
    param(
        [Parameter(
            Mandatory = $true,
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true,
            Position = 0
        )]
        [string[]]
        $Identity
    )
    process {
        foreach ($GroupIdentity in $Identity) {
            $Group = $null
            # Read the group's Member attribute (list of member DNs)
            $Group = Get-ADGroup -Identity $GroupIdentity -Properties Member
            if (-not $Group) {
                continue
            }
            # Resolve each member DN against the global catalog
            Foreach ($Member in $Group.Member) {
                Get-ADObject $Member -Server serv.domain.com:3268
            }
        }
    }
}
$DaysInactive = (Get-Date).AddDays(-90)
$DaysDisable = (Get-Date).AddDays(-7)
$Yesterday = (Get-Date).AddDays(-1)
$output = "C:\Scripts\ADCleanup\Output"
$ExceptionGroup = "DIV-ComputerLifeCycleManagementException-DL"
$exceptionGroupMembers = Get-ADGroupMemberFix $ExceptionGroup
# Exclude exception-group members by name instead of by MemberOf
$compds=Get-ADComputer -Property Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter {(enabled -eq $False) -and (Modified -le $DaysDisable ) } -Server serv.domain.com:3268 | where-object {$_.name -notin $exceptionGroupMembers.name}
if($compds){
    foreach ($compd in $compds){
        # Delete all computers not in the exception group
        # if(!($compd.MemberOf -like "*"+ $ExceptionGroup +"*")){
        $j=$j+1
        $compd | Export-Csv -Append -NoTypeInformation -path $fileDelete
        # $compd | Remove-ADcomputer -Confirm:$False
        # Get-ADComputer -Identity $compd | Remove-ADObject -Recursive -Confirm:$False
        # }
    }
}
[/pre]
but getting strange results so let me keep looking at this. Basically my report keeps showing the items that would be in the exception group but when I run:
[pre]
$compds | Select-Object name | Sort-Object name
[/pre]
It is not found in the $compds results… So I’m missing something.
So not sure what was going on with the reporting, but all is well; the above is working great for me. I did a vlookup to verify that it is not catching any systems in the exception group and it appears to be working perfectly!! Thanks for everyone’s help.
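A consolidated version of the approach the thread arrives at, as an added example that is not code from any poster: it reads the exception group's `member` list from a DC in the group's own domain (a global catalog holds complete membership data only for universal groups) and compares by distinguished name rather than by name, since computer names can repeat across domains in a forest. `$GroupDc` and the CSV file name are placeholders; it covers direct members only and needs PowerShell 5 or later.

```powershell
# Added example, not code from the thread. $GroupDc and the CSV name are placeholders.
Import-Module ActiveDirectory

$GcServer       = 'serv.domain.com:3268'        # GC endpoint used in the thread
$GroupDc        = 'dc.group-domain.example'     # placeholder: a DC in the group's own domain
$ExceptionGroup = 'DIV-ComputerLifeCycleManagementException-DL'
$DaysDisable    = (Get-Date).AddDays(-7)
$fileDelete     = 'C:\Scripts\ADCleanup\Output\ToDelete.csv'   # hypothetical file name

# Read the direct members from the group's home domain, where 'member' is complete.
$group = Get-ADGroup -Identity $ExceptionGroup -Properties member -Server $GroupDc -ErrorAction Stop

# Case-insensitive set of member DNs: a DN is unique forest-wide, a name is not.
$exempt = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($dn in $group.member) { [void]$exempt.Add($dn) }

# Fail closed: an empty exception list most likely means the lookup went wrong,
# and continuing would put every protected computer on the delete list.
if ($exempt.Count -eq 0) {
    throw "Exception group '$ExceptionGroup' returned no members; aborting."
}

# Candidate computers from the whole forest. MemberOf is deliberately not used.
$candidates = @(Get-ADComputer -Server $GcServer -Properties Name,Created,Description,Modified -Filter { (Enabled -eq $false) -and (Modified -le $DaysDisable) })

$toDelete = @($candidates | Where-Object { -not $exempt.Contains($_.DistinguishedName) })
$skipped  = @($candidates | Where-Object { $exempt.Contains($_.DistinguishedName) })

# Reconcile the counts before anything is removed: candidates = skipped + toDelete.
'{0} candidates, {1} exempt, {2} to delete' -f $candidates.Count, $skipped.Count, $toDelete.Count

# Report only; review the CSV before enabling any Remove-ADComputer step.
$toDelete |
    Select-Object Name,DistinguishedName,Created,Modified,Description |
    Export-Csv -NoTypeInformation -Path $fileDelete
```

The printed counts give the same cross-check the thread does by hand: the number to delete should equal the candidates minus the exception-group members that are actually among them.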