disable/delete AD Computer ignore exception group

For some reason the logic is not ignoring computers that are members of the exception group. Any ideas why? From what I have found, it has to do with the scope change.

This works (uses a searchbase):

[pre]
# $DaysDisable, $fileDelete and $j come from the surrounding script; set here so the snippet runs on its own
$DaysDisable = (Get-Date).AddDays(-7)
$fileDelete  = "C:\Scripts\ADCleanup\Output\delete.csv"   # assumed path, not given in the post
$j = 0
$ExceptionGroup = "DIV-ComputerLifeCycleManagementException-DL"

$compds = Get-ADComputer -Properties Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter {(enabled -eq $False) -and (Modified -le $DaysDisable)} -SearchBase "DC=1,DC=domain,DC=com"

if ($compds) {
    foreach ($compd in $compds) {
        # Delete every computer that is not in the exception group.
        # MemberOf is a collection of DNs, so -like returns the matching DNs and ! is true only when none match.
        if (!($compd.MemberOf -like ("*" + $ExceptionGroup + "*"))) {
            $j = $j + 1
            $compd | Export-Csv -Append -NoTypeInformation -Path $fileDelete
            #$compd | Remove-ADComputer -Confirm:$False
            # Get-ADComputer -Identity $compd | Remove-ADObject -Recursive -Confirm:$False
        }
    }
}
[/pre]

This does not work (using a GC server for multidomain searching):

[pre]
# $DaysDisable, $fileDelete and $j come from the surrounding script; set here so the snippet runs on its own
$DaysDisable = (Get-Date).AddDays(-7)
$fileDelete  = "C:\Scripts\ADCleanup\Output\delete.csv"   # assumed path, not given in the post
$j = 0
$ExceptionGroup = "DIV-ComputerLifeCycleManagementException-DL"

$compds = Get-ADComputer -Properties Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter {(enabled -eq $False) -and (Modified -le $DaysDisable)} -Server serv.domain.com:3268

if ($compds) {
    foreach ($compd in $compds) {
        # Delete every computer that is not in the exception group.
        # MemberOf is a collection of DNs, so -like returns the matching DNs and ! is true only when none match.
        if (!($compd.MemberOf -like ("*" + $ExceptionGroup + "*"))) {
            $j = $j + 1
            $compd | Export-Csv -Append -NoTypeInformation -Path $fileDelete
            #$compd | Remove-ADComputer -Confirm:$False
            # Get-ADComputer -Identity $compd | Remove-ADObject -Recursive -Confirm:$False
        }
    }
}
[/pre]

Any ideas as to what about this change causes the commands to ignore the line that says not to include a computer that is in the exception group?


One solution is to use a calculated expression to identify the membership and then just exclude them with a filter:

[pre]
Import-Module ActiveDirectory

$exclusionGrp = 'CN=Domain Admins*'

# MemberOf is a collection of DNs; -like returns the matching DNs and [boolean] turns
# "at least one match" into True and "no match" into False
$users = Get-ADUser -Filter {Enabled -eq $True} -Properties MemberOf |
         Select-Object Name,
                SamAccountName,
                @{Name='InExclusionGroup';Expression={[boolean]($_.MemberOf -like $exclusionGrp)}}

foreach ($user in $users | Where-Object {$_.InExclusionGroup -eq $false}) {
    $user
}
[/pre]

If you look at $users, you will see something like this; then you are just doing a simple filter:

[pre]
PS C:\Users\Administrator> $users

Name          SamAccountName InExclusionGroup
----          -------------- ----------------
Administrator Administrator              True
Rob Simmers   rs                         True
Jack Smith    js                        False
Sally Smith   ss                        False
Angela Smith  as                        False
[/pre]

Would this take you in the correct direction?

[pre]
$exclusionGroup = "DIV-ComputerLifeCycleManagementException-DL"
Get-ADComputer -Filter {enabled -eq $false} -Properties memberOf | where {$_.memberof -notmatch $exclusionGroup}
[/pre]

I like the idea, but something is not working correctly. It is no longer getting the computers in the exception group, but it is missing a lot of other systems also.

[pre]
PS C:\Scripts\ADCleanup> $compds=Get-ADComputer -Property Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter {(enabled -eq $False) -and (Modified -le $DaysDisable ) } -Server serv.domain.com:3268 | where-object {$_.memberof -notmatch $ExceptionGroup}
PS C:\Scripts\ADCleanup> $compds.count
59
PS C:\Scripts\ADCleanup> $compds1=Get-ADComputer -Property Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter {(enabled -eq $False) -and (Modified -le $DaysDisable ) } -Server serv.domain.com:3268
PS C:\Scripts\ADCleanup> $compds1.count
1164
[/pre]

There are 206 members of the exception group. So going from 1164 results down to 59 is not correct. I should be in the 958 or higher range.
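The counts reported in the post above follow from how PowerShell comparison operators behave when the left operand is a collection. What follows is an added example, not code from the thread: it builds four constructed computer objects in place of Get-ADComputer output (so it runs without any AD connection), then applies both the Where-Object filter as it was posted and a corrected test to them. The group name is the one from the thread; the OU used to build the sample DNs and the function names are assumptions.

```powershell
$ExceptionGroup = 'DIV-ComputerLifeCycleManagementException-DL'
$groupsOu       = 'OU=Groups,DC=domain,DC=com'   # assumed container, only used to build sample DNs

# Constructed stand-ins for Get-ADComputer -Properties MemberOf output (no AD connection needed).
$computers = @(
    [pscustomobject]@{ Name = 'PC-NOGROUPS';   MemberOf = @() }
    [pscustomobject]@{ Name = 'PC-EXEMPT';     MemberOf = @("CN=$ExceptionGroup,$groupsOu") }
    [pscustomobject]@{ Name = 'PC-EXEMPT-2';   MemberOf = @("CN=$ExceptionGroup,$groupsOu", "CN=SomeOtherGroup,$groupsOu") }
    [pscustomobject]@{ Name = 'PC-OTHERGROUP'; MemberOf = @("CN=SomeOtherGroup,$groupsOu") }
)

# The filter as posted. When the left operand is a collection, -notmatch does not return
# $true/$false: it returns the elements that do NOT match. Where-Object then treats an empty
# result as $false (computer dropped) and any surviving element as $true (computer kept).
function Select-NotExemptPosted {
    param([object[]] $Computers, [string] $GroupName)
    $Computers | Where-Object { $_.MemberOf -notmatch $GroupName }
}

# Corrected test: does ANY membership match the group, reduced to one boolean, then negated.
function Test-InExceptionGroup {
    param([Parameter(Mandatory)] $Computer, [Parameter(Mandatory)] [string] $GroupName)
    $pattern = '^CN=' + [regex]::Escape($GroupName) + ','   # literal group name, anchored to the RDN
    $hits = @($Computer.MemberOf) -match $pattern            # @() forces collection semantics even for 0 or 1 DN
    return [bool]$hits                                       # empty -> $false, anything left -> $true
}
function Select-NotExemptFixed {
    param([object[]] $Computers, [string] $GroupName)
    $Computers | Where-Object { -not (Test-InExceptionGroup -Computer $_ -GroupName $GroupName) }
}

'Posted filter keeps: ' + ((Select-NotExemptPosted $computers $ExceptionGroup).Name -join ', ')
'Fixed filter keeps : ' + ((Select-NotExemptFixed  $computers $ExceptionGroup).Name -join ', ')
```

With this input the posted filter keeps PC-EXEMPT-2 and PC-OTHERGROUP and drops PC-NOGROUPS: a computer with no memberships at all produces an empty result and is thrown away, while a computer that is in the exception group and in any other group survives on the strength of the other DN. Disabled computer accounts that belong to no group are common, which is the kind of input that turns a result set of over a thousand into a few dozen. The corrected filter keeps PC-NOGROUPS and PC-OTHERGROUP, which is the intended set.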

Seems so. Sorry, I didn't have an AD to play with. This is ugly as a script, but it seems to get proper results. I had to drop those filters to get some hits, though.

[pre]
$exceptionGroup = 'CG-some-old-crapz'
$exceptionGroupMembers = Get-ADGroupMember $exceptionGroup -Recursive
$exceptionGroupMembers.Count

$searchBase = 'OU=Servers,DC=plop,DC=com'

$compds = Get-ADComputer -SearchBase $searchBase -Property Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter *
$compds.Count

$compds = $compds | where {$_.name -notin $exceptionGroupMembers.name}
$compds.Count
[/pre]

So I'm getting an error when executing:

$exceptionGroupMembers = Get-ADGroupMember $exceptionGroup -Recursive

I have tried by manually putting in the group identity and get the same exception every time.

[pre]
Get-ADGroupMember : An operations error occurred
At line:2 char:26
+ $exceptionGroupMembers = Get-ADGroupMember $ExceptionGroup -Recursive
+                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (DIV-ComputerLif...entException-DL:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
[/pre]

OK, I think I have it by using this:

[pre]
Function Get-ADGroupMemberFix {
    # Get-ADGroupMember fails with error 8224 on this group, so read the group's
    # member attribute directly and resolve each DN through the global catalog
    [CmdletBinding()]
    param(
        [Parameter(
            Mandatory = $true,
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true,
            Position = 0
        )]
        [string[]]
        $Identity
    )
    process {
        foreach ($GroupIdentity in $Identity) {
            $Group = $null
            $Group = Get-ADGroup -Identity $GroupIdentity -Properties Member
            if (-not $Group) {
                continue
            }
            foreach ($Member in $Group.Member) {
                Get-ADObject $Member -Server serv.domain.com:3268
            }
        }
    }
}

$DaysInactive = (Get-Date).AddDays(-90)
$DaysDisable  = (Get-Date).AddDays(-7)
$Yesterday    = (Get-Date).AddDays(-1)
$output       = "C:\Scripts\ADCleanup\Output"
$fileDelete   = Join-Path $output "delete.csv"   # file name assumed; not given in the post
$j = 0
$ExceptionGroup = "DIV-ComputerLifeCycleManagementException-DL"
$exceptionGroupMembers = Get-ADGroupMemberFix $ExceptionGroup
$compds = Get-ADComputer -Properties Name,lastLogonDate,Created,Description,MemberOf,Modified -Filter {(enabled -eq $False) -and (Modified -le $DaysDisable)} -Server serv.domain.com:3268 | Where-Object {$_.name -notin $exceptionGroupMembers.name}
if ($compds) {
    foreach ($compd in $compds) {
        # Delete all computers not in the exception group (the membership check now happens in the Where-Object above)
        #        if(!($compd.MemberOf -like "*"+ $ExceptionGroup +"*")){
        $j = $j + 1
        $compd | Export-Csv -Append -NoTypeInformation -Path $fileDelete
        #       $compd | Remove-ADcomputer -Confirm:$False
        #        Get-ADComputer -Identity $compd | Remove-ADObject -Recursive -Confirm:$False
        #        }
    }
}
[/pre]

But I'm getting strange results, so let me keep looking at this. Basically my report keeps showing the items that would be in the exception group, but when I run:

$compds | Select-Object name | Sort-Object name

it is not found in the $compds results... So I'm missing something.

So, not sure what was going on with the reporting, but all is well: the above is working great for me. I did a VLOOKUP to verify that it is not catching any systems in the exception group, and it appears to be working perfectly! Thanks for everyone's help.
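The approach that ended up working above (read the group's member attribute instead of trusting memberOf) is the right one, and this added example, which is not the thread author's script, shows why and tightens it. memberOf is a back-link that a domain controller computes from the member attribute of the groups it holds; a global catalog carries the member attribute only for universal groups and for groups in its own domain, so a query on port 3268 cannot show a domain-local group in the memberOf of computers from other domains, which is what broke the first version. The example therefore resolves the exception group's member attribute from a DC in the group's own domain, follows nested groups into their home domains, excludes on distinguishedName rather than Name (the same computer name can exist in two domains of a forest), and ends with a -WhatIf dry run. The GC host, the group name and the Modified cut-off come from the thread; the CSV path, the helper function names and the nested-group handling are assumptions of this example.

```powershell
Import-Module ActiveDirectory

$GlobalCatalog  = 'serv.domain.com:3268'                                  # GC used in the thread
$ExceptionGroup = 'DIV-ComputerLifeCycleManagementException-DL'           # group used in the thread
$DaysDisable    = (Get-Date).AddDays(-7)
$ReportPath     = 'C:\Scripts\ADCleanup\Output\ComputersToDelete.csv'     # assumed; not in the thread

# DNS name of the domain that owns a DN, built from its DC= components (DC=child,DC=domain,DC=com -> child.domain.com).
function Get-DomainFromDn {
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    $dc = ($DistinguishedName -split ',') | Where-Object { $_ -like 'DC=*' }
    return (($dc -replace '^DC=', '') -join '.')
}

# Returns the distinguishedName of every non-group member of a group, walking nested groups.
# Each group's member attribute is read from a DC in that group's own domain, where it is complete;
# the DNs found there are resolved through the GC so members from any domain in the forest are found.
function Get-GroupMemberDn {
    param(
        [Parameter(Mandatory)] [string] $GroupIdentity,
        [Parameter(Mandatory)] [string] $GlobalCatalog,
        [System.Collections.Generic.HashSet[string]] $Visited =
            (New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase))
    )
    $lookup = @{ Identity = $GroupIdentity; Properties = 'member' }
    if ($GroupIdentity -match ',DC=') { $lookup.Server = Get-DomainFromDn $GroupIdentity }   # nested group: ask its home domain
    $group = Get-ADGroup @lookup
    if (-not $Visited.Add($group.DistinguishedName)) { return }      # already expanded (nesting loop)

    foreach ($memberDn in $group.member) {
        $member = Get-ADObject -Identity $memberDn -Server $GlobalCatalog
        if ($member.ObjectClass -eq 'group') {
            Get-GroupMemberDn -GroupIdentity $memberDn -GlobalCatalog $GlobalCatalog -Visited $Visited
        } else {
            $member.DistinguishedName
        }
    }
}

# Case-insensitive set of exempt DNs (DNs are not case-sensitive in AD).
$exemptDn = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)
Get-GroupMemberDn -GroupIdentity $ExceptionGroup -GlobalCatalog $GlobalCatalog |
    ForEach-Object { [void] $exemptDn.Add($_) }

# Same forest-wide candidate query as in the thread; MemberOf is deliberately not requested.
$candidates = Get-ADComputer -Server $GlobalCatalog `
    -Filter { (enabled -eq $false) -and (Modified -le $DaysDisable) } `
    -Properties Name, lastLogonDate, Created, Description, Modified

# Exclude on distinguishedName, not Name: the same computer name can exist in two domains.
$toDelete = @($candidates | Where-Object { -not $exemptDn.Contains($_.DistinguishedName) })

'{0} disabled computers, {1} objects under the exception group, {2} to delete' -f @($candidates).Count, $exemptDn.Count, $toDelete.Count

$toDelete | Select-Object Name, DistinguishedName, lastLogonDate, Created, Modified, Description |
    Export-Csv -Path $ReportPath -NoTypeInformation

# Dry run. A GC on port 3268 is read-only, so each deletion targets a DC in the computer's own domain.
# Remove-ADObject -Recursive also removes child objects (for example BitLocker recovery information),
# which make a plain Remove-ADComputer fail. Drop -WhatIf only after the CSV has been reviewed.
foreach ($computer in $toDelete) {
    $homeDomain = Get-DomainFromDn $computer.DistinguishedName
    Remove-ADObject -Identity $computer.DistinguishedName -Server $homeDomain -Recursive -Confirm:$false -WhatIf
}
```

Two details are worth keeping even if the rest is adapted: the Visited set stops a nested-group loop from recursing forever, and the membership lookup never touches memberOf at all, so it gives the same answer whether the candidates are pulled from one domain with -SearchBase or from the whole forest through the GC.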