Disabled AD users query with sAMAccountName and EmailAddress.

Hello,

I have a list of email addresses that I need to check against AD to see if they are disabled. I have not found a way to use PowerShell to check based on UPN or email, instead I have been converting the list to the sAMAccountName to find out. Is there a way to take this email list and check if the UPN is disabled and export to a CSV file with the sAMAccountName and Email?

This is what I am using currently.

Get-Content ".\Emails to Check.csv" |
ForEach-Object { Get-ADUser -LDAPFilter "(mail=$_)" } |
Select-Object -ExpandProperty sAMAccountName |
Out-File .\Sam.csv

Get-Content .\Sam.csv |
Get-ADUser |
select SamAccountName,Enabled |
Export-Csv .\UserStatusResults.csv -NoTypeInformation

Invoke-Item .\UserStatusResults.csv

Remove-Item -Path .\Sam.csv -Recurse

You could do something like this:

$emails = Get-content .\emails.csv | Select-Object -skip 1

foreach ($email in $emails) {

$email = ($email -split "@")[0]; Get-aduser $email | Select SamAccountName, Enabled | Export-Csv .\UserStatusResults.csv -NoTypeInformation -Append

}

Invoke-item .\UserStatusResults.csv

I get the following errors when running that script for each of the users and the exported CSV is incomplete.

Get-aduser : Cannot find an object with identity: 'removed name' under: 'DC=corp,DC=REMOVEDCOMPANY,DC=com'.
At line:5 char:34
+ $email = ($email -split "@")[0]; Get-aduser $email | Select SamAccoun ...
    + CategoryInfo : ObjectNotFound: (REMOVEDNAME:ADUser) [Get-ADUser], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADUser

[quote quote=191995]You could do something like this:

$emails = Get-content .\emails.csv | Select-Object -skip 1
foreach ($email in $emails) {
    $email = ($email -split "@")[0]; Get-aduser $email | Select SamAccountName, Enabled | Export-Csv .\UserStatusResults.csv -NoTypeInformation -Append
}
Invoke-item .\UserStatusResults.csv
[/quote]

I looked through your initial script again, this may not work for you. This script will only work if your email address is formatted like samAccountName@company.com which I assumed was the case. It’s just passing through the portion before the @ sign into Get-AdUser. If that doesn’t correspond to an actual username it won’t work.

Good morning.

I actually got it to work by using this script.

Get-Content ".\(1) Emails to Check.csv" |
ForEach-Object { Get-ADUser -LDAPFilter "(mail=$_)" } |
Select-Object -ExpandProperty sAMAccountName |
Out-File .\Sam.csv

Get-Content .\Sam.csv |
Get-ADUser -Properties * |
select extensionAttribute11,Office,mail,SamAccountName,Enabled |
Export-Csv .\UserStatusResults.csv -NoTypeInformation

Invoke-Item .\UserStatusResults.csv

Remove-Item -Path .\Sam.csv -Recurse

By the look of your code it seems that it's not actually a CSV, but just a file whose content is the email addresses.

What is the first row in the file?

This is not tested, just written out from spine :slight_smile:
[pre]
$emails = import-csv .\emails.csv

foreach ($email in $emails){

get-aduser -filter "userprincipalname -eq '$email'" -prop enabled | select userprincipalname,enabled

}[/pre]

You might also want to look at the account expiration date attribute.

Glad you have your script working, but it’s doing some unnecessary steps. There is no reason to run a search on email (Get-ADUser), only get the SAM and then run another search (Get-ADUser) on the SAM. If the search found the user on email, you can get everything you need from that search. Additionally, the script is only getting matches, so then you need to look at the other CSV to see who was not found. This is a more standard Powershelly way to do what you want:

$emails = Get-Content -Path ".\(1) Emails to Check.csv"

$results = foreach ($email in $emails) {

    $user = Get-ADUser -LDAPFilter "(mail=$email)" -Properties extensionAttribute11,Office,mail,SamAccountName,Enabled |
            Select extensionAttribute11,Office,mail,SamAccountName,Enabled

    if ( $user ) {
        $user
    }
    else {
        [pscustomobject]@{
            extensionAttribute11 = $null
            Office               = $null
            mail                 = $email
            SamAccountName       = $null
            Enabled              = $null
        }
    }

}

$results | Export-Csv .\UserStatusResults.csv -NoTypeInformation

Invoke-Item .\UserStatusResults.csv

Also, another note, your emails are coming from a CSV which insinuates there is a header (e.g. Email). Using Get-Content, your first search would be for "Email". You can use the -Skip 1 as @ShawnTheAdmin had in his script to skip that line or if you use Import-CSV, then you would need to reference the email like -LDAPFilter "(mail=$($email.Email))".
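The pattern above (one lookup per address, a row for every input line including the ones not found) together with the earlier suggestion to match on userPrincipalName and to report the expiration date, combined into one script. This is an added example, not code from any post in this thread; it assumes the ActiveDirectory module is installed and that the input file is a headerless list with one address per line. Because each line is interpolated into an LDAP filter, the value is escaped first so that a stray "*" or ")" in the file cannot widen the search beyond the intended address.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and a
# headerless input file ("(1) Emails to Check.csv" as used in the thread).
Import-Module ActiveDirectory

# Escape the characters RFC 4515 gives special meaning in an LDAP filter value,
# so an input line such as "x*" or "a)(objectClass=*" matches nothing unexpected.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

# One row per input line: found users carry their status, unknown ones stay $null
# with Found = $false, so the output CSV is a complete audit of the input list.
function Get-UserStatusByEmail {
    param([Parameter(Mandatory)][string]$Path)
    $props = 'mail','UserPrincipalName','SamAccountName','Enabled','AccountExpirationDate'
    foreach ($line in Get-Content -Path $Path) {
        $email = $line.Trim()
        if (-not $email) { continue }                     # skip blank lines
        $v = ConvertTo-LdapFilterValue -Value $email
        # Match on the mail attribute or the UPN in a single query.
        $user = Get-ADUser -LDAPFilter "(|(mail=$v)(userPrincipalName=$v))" -Properties $props |
                Select-Object -First 1
        $row = [ordered]@{
            Email = $email; Found = [bool]$user; SamAccountName = $null
            UserPrincipalName = $null; Enabled = $null; AccountExpirationDate = $null
        }
        if ($user) {
            $row.SamAccountName        = $user.SamAccountName
            $row.UserPrincipalName     = $user.UserPrincipalName
            $row.Enabled               = $user.Enabled
            $row.AccountExpirationDate = $user.AccountExpirationDate
        }
        [pscustomobject]$row
    }
}

Get-UserStatusByEmail -Path '.\(1) Emails to Check.csv' |
    Export-Csv -Path '.\UserStatusResults.csv' -NoTypeInformation
```

Rows with Enabled = False or a past AccountExpirationDate are the disabled or expired accounts; rows with Found = False are addresses that exist in the list but not in AD and deserve a separate look.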

[quote quote=193084]Glad you have your script working, but it's doing some unnecessary steps. There is no reason to run a search on email (Get-ADUser), only get the SAM and then run another search (Get-ADUser) on the SAM. If the search found the user on email, you can get everything you need from that search. Additionally, the script is only getting matches, so then you need to look at the other CSV to see who was not found. This is a more standard Powershelly way to do what you want:

$emails = Get-Content -Path ".\(1) Emails to Check.csv"
$results = foreach ($email in $emails) {
    $user = Get-ADUser -LDAPFilter "(mail=$email)" -Properties extensionAttribute11,Office,mail,SamAccountName,Enabled |
            Select extensionAttribute11,Office,mail,SamAccountName,Enabled
    if ( $user ) {
        $user
    }
    else {
        [pscustomobject]@{
            extensionAttribute11 = $null
            Office               = $null
            mail                 = $email
            SamAccountName       = $null
            Enabled              = $null
        }
    }
}
$results | Export-Csv .\UserStatusResults.csv -NoTypeInformation
Invoke-Item .\UserStatusResults.csv

Also, another note, your emails are coming from a CSV which insinuates there is a header (e.g. Email). Using Get-Content, your first search would be for "Email". You can use the -Skip 1 as @ShawnTheAdmin had in his script to skip that line or if you use Import-CSV, then you would need to reference the email like -LDAPFilter "(mail=$($email.Email))".
[/quote]

The list of emails is actually in a CSV file with no headers and it's pulling without issues. I tried your script and it's prompting me for "InputObject".

The goal is to only pull from the list of users I provide so that we can check for disabled accounts for a specific department or system we're using. I did manually compare against AD and all of the users that came back as disabled are actually shown disabled with our proper term requests. So as of right now the accuracy rate is 100%. I do not know if there will ever be a user who's not in AD that does not return a result, but this will work for now.

I'm still new to PowerShell and actually haven't done any proper training. I wrote that script based off different search results I have found online, kinda put 2 and 2 together and got it working the way I want it. If you guys have any sites or recommend any courses for advanced learning, I'm all ears.