DistinguishedName and Get-ADUser (Help?)

Hello everyone. It’s been a while since I’ve posted. I’m back - and this time I need help! (Again).
Below is the idea I’m going with for my code, which I will also post below.

  1. Import a CSV with the header “DistinguishedName” that contains my list of DistinguishedNames that I want to string and search for.
  2. Search all of the listed names and return any which have a value of CannotChangePassword -eq $true
  3. Export all $true values to a separate csv with the properties of Name, DistinguishedName and CannotChangePassword.

Here’s my code. I appreciate you gods ahead of time. I have a hunch that I need the -Identity of Get-ADUser in here somewhere however I’ve exhausted myself and I’m resorting for help. Help me fix my script!

cd C:\users\tuser\desktop\ADCLEANUP
Import-CSV "Userlist.csv" | %{if ((Get-ADUser -filter {DistinguishedName -eq $_.DistinguishedName }).CannotChangePassword -eq $true) 
{Select Name,DistinguishedName,CannotChangePassword}} | export-csv -append -path C:\Users\tuser\Desktop\ADCLEANUP\wheretrue.csv

note - I’m getting the following error message when I run this code.

'DistinguishedName' not found in object of type: 'system.management.automation.pscustomobject'

Eric,

I took a look at your segment above and cleaned it up a little to make it easier to work with. I have provided a working version of what you were attempting to do below. I would use the identity field instead of the filter for the distinguishedname. If you wanted to do it on other things (office, phone, etc) then using the filter is a good idea. You also will need to specifically state that you want the cannotchangepassword property since that is not returned by default. You will also need to output this value to a variable due to needing the script to know exactly what to select from.

Import-CSV "Userlist.csv" | ForEach-Object{
	if ((Get-ADUser -identity $_.DistinguishedName -Properties cannotchangepassword -OutVariable user).CannotChangePassword -eq $true)
	{
		 $user | Select-Object Name, DistinguishedName, CannotChangePassword
	}	
} 

Thank you Paul. I will have to try this tomorrow when I get back to the office

-Eric

I tested this and I am receiving an error. Please see below.

Get-ADUser : Directory object not found
At line:2 char:7
+     if ((Get-ADUser -identity $_.DistinguishedName -Properties cannot ...
+          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (CN=Denea Ridley...s,DC=lys,DC=org:ADUser) [Get-ADUser], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Manage 
   ment.Commands.GetADUser

I would validate the input data. Run get-aduser against one line of your list of DNs manually (specifically the one in the error above) and validate it comes back correctly. That would be the first step. I re-ran the snippet against our environment at work just to validate everything returned correctly, and it does, which is leading me towards issues with the input.

Thank you - I have resolved this issue and have confirmed that your code works perfectly. Appreciate your help.
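
An added example, not code posted by anyone in this thread: the same lookup with the input validation suggested above built in, so a DN that raises ADIdentityNotFoundException is written to a reject list instead of stopping the run, and the matches are exported as in step 3. The file name notfound.csv is an assumption; the other paths are the ones from the original post.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

$inputCsv    = 'C:\Users\tuser\Desktop\ADCLEANUP\Userlist.csv'   # path from the thread
$matchCsv    = 'C:\Users\tuser\Desktop\ADCLEANUP\wheretrue.csv'  # path from the thread
$notFoundCsv = 'C:\Users\tuser\Desktop\ADCLEANUP\notfound.csv'   # assumed name for the reject list

$notFound = New-Object 'System.Collections.Generic.List[object]'

# @(...) keeps $matched an array even when nothing matches.
$matched = @(foreach ($row in Import-Csv -Path $inputCsv) {
    # Trim whitespace left over from however the CSV was produced.
    $dn = "$($row.DistinguishedName)".Trim()
    if (-not $dn) { continue }   # skip blank rows

    try {
        # CannotChangePassword is not returned unless requested with -Properties.
        $user = Get-ADUser -Identity $dn -Properties CannotChangePassword -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Record the DN that did not resolve and move on to the next row.
        $notFound.Add([pscustomobject]@{
            DistinguishedName = $dn
            Error             = $_.Exception.Message
        })
        continue
    }

    if ($user.CannotChangePassword) {
        $user | Select-Object Name, DistinguishedName, CannotChangePassword
    }
})

$matched  | Export-Csv -Path $matchCsv    -NoTypeInformation
$notFound | Export-Csv -Path $notFoundCsv -NoTypeInformation

'{0} account(s) with CannotChangePassword set, {1} DN(s) not found' -f $matched.Count, $notFound.Count
```

Reviewing notfound.csv first shows which rows of the input need correcting before the results in wheretrue.csv are treated as complete.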