Get-ADUser filter for users in a certain OU

Hi all,

I am working on a PS script to send all the users in our AD, who will need to reset their password in the upcoming days, an info e-mail. The script does the job quite well, but I want to limit the target users to members of a certain security group.

This is my script part to get the target users:

$users = Get-ADUser -SearchBase "OU=XXX,OU=user,OU=XXX,DC=XXXX,DC=local" -SearchScope OneLevel -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False -and PasswordLastSet -gt 0 } `
    -Properties "Name", "EmailAddress", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "Name", "EmailAddress", `
    @{Name = "PasswordExpiry"; Expression = {[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed").ToLongDateString() }}

I would like to additionally filter to only get users from the security group “SendMail”. I tried it with Get-ADGroupMember but I was not able to add this additional cmdlet to the current script and get it to work.

I would really be glad to find some help or hints :slight_smile:

Thanks and BR

Dom

Instead of using backticks you should use splatting. That’d make your code easier to read and to maintain. :wink:

$Params = @{
    SearchBase  = 'OU=XXX,OU=user,OU=XXX,DC=XXXX,DC=local'
    SearchScope = 'OneLevel'
    Filter      = { Enabled -eq $True -and PasswordNeverExpires -eq $False -and PasswordLastSet -gt 0 }
    Properties  = 'Name', 'EmailAddress', 'msDS-UserPasswordExpiryTimeComputed', 'MemberOf'
}
# MemberOf holds the distinguished names of the groups the user belongs to
$users = Get-ADUser @Params |
    Where-Object { $_.MemberOf -contains 'Here you should insert the exact distinguished name of your security group "SendMail"' } |
    Select-Object -Property "Name", "EmailAddress",
        @{Name = "PasswordExpiry"; Expression = { [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed").ToLongDateString() } }

Hi Olaf and thank you very much for your fast and useful response! I will keep that splatting thing in mind. Since I am quite new to PowerShell (and scripting as a whole) I can really use tips like that.

It is now possible to fill the array with the members of the group. However, this brings me to a new problem. After filling the $users the next part is this:

foreach ($user in $users) {
    # PasswordExpiry and $SevenDayWarnDate are both long date strings
    if ($user.PasswordExpiry -eq $SevenDayWarnDate) {
        $days = 7
        $EmailBody = $EmailDE1, $days, $EmailDE3, $SevenDayWarnDate, $EmailDE4 -join ' '

        Send-MailMessage -To $user.EmailAddress -From $MailSender -SmtpServer $SMTPServer -Subject $Subject -Body $EmailBody
    }
}

This worked with my old code but does not seem to work now. Suddenly, the $user.PasswordExpiry cannot be used to compare the two dates.

I tried to write the $user.PasswordExpiry into a txt file and it remains empty.

PS:

$SevenDayWarnDate = (get-date).adddays(7).ToLongDateString()

Best regards,

Dom

Edit: I think I found it:

$users | Select-Object -Property "Name", "EmailAddress",
    @{Name = "PasswordExpiry"; Expression = {[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed").ToLongDateString() }}

just output the info but did not add it to the $users.

I tried this:

$users2 = Get-ADUser @Params | Where-Object { $_.MemberOf -contains 'CN=***' }
$users = $users2 | Select-Object -Property "Name", "EmailAddress",
    @{Name = "PasswordExpiry"; Expression = { [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed").ToLongDateString() } }

and it seems to work. Just not beautiful :slight_smile:

Oooops … my mistake … I didn’t pay attention to that at first … I updated my code example above. :wink:

You could do me a favor: Try to reduce the use of white space while posting and format code as code using the code tag button (“pre”) on the icon bar of the post editor. That makes it more readable and in case of code it prevents unwanted line breaks and makes it easier to copy and puts a little syntax highlighting to it.

Thanks.

Hello Olaf,

yes, I will do that, thank you very much for your help!

best regards,

Dom
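
Added example, not part of the thread and not either poster's code: a variant that matches the group with memberOf in the Get-ADUser filter, compares dates as [datetime] instead of long date strings, and skips accounts whose msDS-UserPasswordExpiryTimeComputed is 0 or Int64.MaxValue (no expiry), where FromFileTime would fail or give a meaningless date. The group DN, the warning thresholds, the function name Get-PasswordExpiryNotice and the sample users are assumptions made for illustration.

```powershell
# Added example, not code from the thread. $GroupDN and the sample users are constructed.
$GroupDN  = 'CN=SendMail,OU=Groups,DC=example,DC=local'   # hypothetical DN
$WarnDays = 7, 3, 1                                        # assumed warning thresholds

function Get-PasswordExpiryNotice {
    param(
        [Parameter(ValueFromPipeline)] $User,
        [int[]]    $WarnDays = @(7),
        [datetime] $Today = (Get-Date).Date
    )
    process {
        $raw = [int64]$User.'msDS-UserPasswordExpiryTimeComputed'
        # 0 or Int64.MaxValue means the password does not expire; FromFileTime throws on MaxValue
        if ($raw -le 0 -or $raw -eq [int64]::MaxValue) { return }
        if (-not $User.EmailAddress) { return }               # nobody to notify
        $expiry   = [datetime]::FromFileTime($raw)
        $daysLeft = ($expiry.Date - $Today).Days              # compare dates, not localized strings
        if ($daysLeft -in $WarnDays) {
            [pscustomobject]@{
                Name           = $User.Name
                EmailAddress   = $User.EmailAddress
                PasswordExpiry = $expiry
                DaysLeft       = $daysLeft
            }
        }
    }
}

if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    $Params = @{
        SearchBase  = 'OU=XXX,OU=user,OU=XXX,DC=XXXX,DC=local'
        SearchScope = 'OneLevel'
        # memberOf is matched on the domain controller; direct members only
        Filter      = "Enabled -eq `$true -and PasswordNeverExpires -eq `$false -and PasswordLastSet -gt 0 -and memberOf -eq '$GroupDN'"
        Properties  = 'EmailAddress', 'msDS-UserPasswordExpiryTimeComputed'
    }
    $users = Get-ADUser @Params
} else {
    # Constructed sample objects so the logic can be tried without a domain
    $now   = Get-Date
    $users = @(
        [pscustomobject]@{ Name = 'Alice'; EmailAddress = 'alice@example.local'; 'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(7).ToFileTime() }
        [pscustomobject]@{ Name = 'Bob';   EmailAddress = 'bob@example.local';   'msDS-UserPasswordExpiryTimeComputed' = [int64]::MaxValue }
        [pscustomobject]@{ Name = 'Carol'; EmailAddress = 'carol@example.local'; 'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(20).ToFileTime() }
    )
}
$users | Get-PasswordExpiryNotice -WarnDays $WarnDays
```

With the constructed sample only Alice is returned (DaysLeft = 7). Members of nested groups, and users whose primary group is the target group, are not matched by memberOf.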