Exclude OU groups in powershell script

Hello,

We have a PowerShell script that checks every day whether users in the domain have a password that needs to be changed; if so, the user receives an email asking them to change their password.

The script looks at every user in all OUs, but we want to exclude some OUs in the script.

The script/import module we use is:

Import-Module ActiveDirectory

$verbose = $true

$notificationstartday = 14

$sendermailaddress = "example@example.net"

$SMTPserver = "example@example.nl"

$DN = "OU=customers,DC=customerdomain,DC=local"

Under OU=customers we want to exclude some OUs.

If we use

$ExcludeGroup = "OU=users,OU=customer1,OU=customers,DC=customerdomain,DC=local"

it does not exclude the accounts in that OU.

regards

Is this the full code? Because I do not see anything in there where you search, or how you’re excluding.

Hello Jon, this is the whole script (I deleted some info). Thanks for helping.

Import-Module ActiveDirectory

##############Variables#################

$verbose = $true

$notificationstartday = 14

$sendermailaddress = "example@example.net"

$SMTPserver = "servername"

$DN = "OU=Customers,DC=Domain,DC=local"

# Defined here but not referenced anywhere below
$ExcludeGroup = "OU=Users,OU=company1,OU=Customers,DC=Domain,DC=local"

########################################

##############Function##################

# Builds the policy details part of the mail (the text itself was removed before posting)
function PreparePasswordPolicyMail ($ComplexityEnabled,$MaxPasswordAge,$MinPasswordAge,$MinPasswordLength,$PasswordHistoryCount)
{
    $verbosemailBody = "`r`n`r`n"
    $verbosemailBody += "`r`n`r`n"
    $verbosemailBody += "`r`n"
    $verbosemailBody += "- `r`n"
    $verbosemailBody += "`r`n"
    $verbosemailBody += "`r`n`r`n"
    return $verbosemailBody
}

function SendMail ($SMTPserver,$sendermailaddress,$usermailaddress,$mailBody)
{
    $smtpServer = $SMTPserver
    $msg = New-Object Net.Mail.MailMessage
    $smtp = New-Object Net.Mail.SmtpClient($smtpServer)
    $msg.From = $sendermailaddress
    $msg.To.Add($usermailaddress)
    $msg.Subject = "Password expires"
    $msg.Body = $mailBody
    $smtp.Send($msg)
}

########################################

##############Main######################

$domainPolicy = Get-ADDefaultDomainPasswordPolicy

# A MaxPasswordAge of 0 days means passwords never expire under the default domain policy
$passwordexpirydefaultdomainpolicy = $domainPolicy.MaxPasswordAge.Days -ne 0

if ($passwordexpirydefaultdomainpolicy)
{
    $defaultdomainpolicyMaxPasswordAge = $domainPolicy.MaxPasswordAge.Days
    if ($verbose)
    {
        # Use the default domain policy values here; $PSOpolicy is not set yet at this point
        $defaultdomainpolicyverbosemailBody = PreparePasswordPolicyMail $domainPolicy.ComplexityEnabled $domainPolicy.MaxPasswordAge.Days $domainPolicy.MinPasswordAge.Days $domainPolicy.MinPasswordLength $domainPolicy.PasswordHistoryCount
    }
}

foreach ($user in (Get-ADUser -SearchBase $DN -Filter * -Properties mail))
{
    $samaccountname = $user.samaccountname
    # Fine-grained password policy (PSO) that applies to this user, or $null if none does
    $PSOpolicy = Get-ADUserResultantPasswordPolicy -Identity $samaccountname
    if ($null -ne $PSOpolicy)
    {
        $PSOMaxPasswordAge = $PSOpolicy.MaxPasswordAge.Days
        $pwdlastset = [datetime]::FromFileTime((Get-ADUser -LDAPFilter "(&(samaccountname=$samaccountname))" -Properties pwdLastSet).pwdLastSet)
        $expirydate = ($pwdlastset).AddDays($PSOMaxPasswordAge)
        $delta = ($expirydate - (Get-Date)).Days
        # Notify when the expiry date is inside the notification window but has not passed yet
        $comparisonresults = ($delta -le $notificationstartday) -AND ($delta -ge 1)
        if ($comparisonresults)
        {
            $mailBody = "Beste " + $user.GivenName + ",`r`n`r`n"
            $mailBody += "`r`n`r`n"
            if ($verbose)
            {
                $mailBody += PreparePasswordPolicyMail $PSOpolicy.ComplexityEnabled $PSOpolicy.MaxPasswordAge.Days $PSOpolicy.MinPasswordAge.Days $PSOpolicy.MinPasswordLength $PSOpolicy.PasswordHistoryCount
            }
            $mailBody += "`r`n`r`n"
            $mailBody += "`r`n`r`n"
            $usermailaddress = $user.mail
            SendMail $SMTPserver $sendermailaddress $usermailaddress $mailBody
        }
    }
    else
    {
        if ($passwordexpirydefaultdomainpolicy)
        {
            $pwdlastset = [datetime]::FromFileTime((Get-ADUser -LDAPFilter "(&(samaccountname=$samaccountname))" -Properties pwdLastSet).pwdLastSet)
            $expirydate = ($pwdlastset).AddDays($defaultdomainpolicyMaxPasswordAge)
            $delta = ($expirydate - (Get-Date)).Days
            $comparisonresults = ($delta -le $notificationstartday) -AND ($delta -ge 1)
            if ($comparisonresults)
            {
                $mailBody = "Beste " + $user.GivenName + ",`r`n`r`n"
                $mailBody += "`r`n`r`n"
                if ($verbose)
                {
                    $mailBody += $defaultdomainpolicyverbosemailBody
                }
                $mailBody += "`r`n`r`n"
                $mailBody += "`r`n`r`n"
                $usermailaddress = $user.mail
                SendMail $SMTPserver $sendermailaddress $usermailaddress $mailBody
            }
        }
    }
}

Please see the text in bold at the top of every post on how to format code for the forums: "To format code…"


How are you attempting to exclude them? You have the variable defined, but you aren’t implementing it anywhere else in the code.

I don't have a lot of knowledge about PowerShell. Do you know what code I can use and where to put it in the script? Thanks for your time!

Unfortunately, I'm not aware of a "reverse" searchbase…

And to make things more annoying, you can't use distinguishedname as a filter.

So when I need to exclude users in specific OUs from a script, I generally perform an if statement on the user's distinguished name.

i.e. something like:

foreach ($user in (Get-ADUser -SearchBase $DN -Filter * -Properties mail))
{
    # -notlike "*company1*" skips every user whose DN contains "company1" anywhere
    if ($user.DistinguishedName -notlike "*company1*")
    {
        # do something: the user is outside the excluded OU, so run the expiry check here
        Write-Output "Checking $($user.SamAccountName)"
    }
    else
    {
        # do nothing: the user is inside the excluded OU
    }
}

My first thought would be to gather all the OUs in the environment and then loop through them with foreach. You could then use an If statement to exclude OUs. Something like the below.

$OUs = Get-ADOrganizationalUnit -Filter *

foreach($OU in $OUs){
    if($OU.DistinguishedName -ne "OU=EXCLUDE,OU=Contoso,DC=Contoso,DC=com"){
        # OneLevel: only the users directly in this OU, so each user is handled once
        # (a subtree search from a parent OU would also reach the excluded OU);
        # PasswordLastSet is not returned by default, so request it explicitly
        $Users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $OU.DistinguishedName -SearchScope OneLevel -Properties PasswordLastSet
        foreach($User in $Users){
            if($User.PasswordLastSet -lt (Get-Date).AddDays(-60)){
                Send-MailMessage -To user@contoso.com -From administrator@contoso.com -Subject 'Password Expiry' -SmtpServer relay.contoso.com
            }
        }
    }
}
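An added example, not code from any poster in this thread, that combines the two suggestions above (checking each user's distinguished name, and keeping a list of OUs to skip) into one check for the script in this thread. Since the LDAP filter cannot exclude by distinguishedName, the exclusion is done in PowerShell by testing whether the user's DN ends with an excluded OU's DN. That is stricter than -notlike "*company1*", which would also skip a DN containing "OU=company10", and it covers OUs nested below an excluded OU as well. The function name Test-InExcludedOU, the second excluded OU and the sample DNs are made up for this example; the first excluded OU and $DN are the values from the thread. The self-check on constructed DNs runs offline; the final loop needs the ActiveDirectory module and a domain.

```powershell
# Added example (not from the thread's posters): exclude users by OU using a
# distinguished-name suffix match, since an LDAP filter cannot exclude by DN.
Import-Module ActiveDirectory

$DN = "OU=Customers,DC=Domain,DC=local"

# OUs to skip. Users in these OUs, and in any OU nested below them, are excluded,
# because their DN ends with the excluded OU's DN. The second entry is hypothetical.
$ExcludedOUs = @(
    "OU=Users,OU=company1,OU=Customers,DC=Domain,DC=local",
    "OU=ServiceAccounts,OU=Customers,DC=Domain,DC=local"
)

function Test-InExcludedOU {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string[]]$ExcludedOUs
    )
    foreach ($ou in $ExcludedOUs) {
        # "CN=x,OU=a,OU=b,DC=..." lies inside "OU=a,OU=b,DC=..." exactly when it ends
        # with ",OU=a,OU=b,DC=...". The leading comma keeps "OU=company1" from also
        # matching "OU=company10". DNs are case-insensitive, hence OrdinalIgnoreCase.
        if ($DistinguishedName.EndsWith(",$ou", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Offline self-check on constructed DNs (no domain needed); throws if the logic is wrong.
$inside  = "CN=Jan,OU=Users,OU=company1,OU=Customers,DC=Domain,DC=local"
$nested  = "CN=Piet,OU=Sales,OU=Users,OU=company1,OU=Customers,DC=Domain,DC=local"
$outside = "CN=Kees,OU=Users,OU=company10,OU=Customers,DC=Domain,DC=local"
if (-not (Test-InExcludedOU $inside  $ExcludedOUs)) { throw "expected $inside to be excluded" }
if (-not (Test-InExcludedOU $nested  $ExcludedOUs)) { throw "expected $nested to be excluded" }
if (Test-InExcludedOU $outside $ExcludedOUs)        { throw "expected $outside to be kept" }

# The loop from the script in this thread, with the exclusion applied before anything else.
# Get-ADUser returns DistinguishedName by default, so no extra -Properties is needed for it.
$usersToCheck = foreach ($user in (Get-ADUser -SearchBase $DN -Filter * -Properties mail)) {
    if (Test-InExcludedOU -DistinguishedName $user.DistinguishedName -ExcludedOUs $ExcludedOUs) {
        continue   # user lives in an excluded OU: skip the expiry check and the mail
    }
    $user      # everything else is collected for the existing expiry check
}
Write-Output "Users left to check after OU exclusion: $(@($usersToCheck).Count)"
```

In the original script the `continue` would go right after the `foreach ($user in ...)` line, before `$samaccountname = $user.samaccountname`, so excluded users never reach Get-ADUserResultantPasswordPolicy or SendMail. Keeping the excluded OUs in a list rather than a single $ExcludeGroup string means adding a customer later is a one-line change.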