Getting Useful ADUser Information

Hello! I am trying to make a script I can quickly reference to pull some basic information for different users in our environment. I am running into an issue when I call the script and there are multiple people with the same First and Last Name. I call the function with, “.\MyFunction.ps1 John Smith”. Below in the code, when my original ADUser query returns information for the 2 users, I am having trouble separating them and putting them into their own location in the array, respectively. I marked the array of code below with ##.

Any help would be wonderful. Thank you!

param([String[]]$FullName)

#Calculating the expired date from the domain's default password policy.
$MaxPwdAge              = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
$ExpiredDate            = (Get-Date).addDays(-$MaxPwdAge)
$SAName                 = New-Object System.Collections.ArrayList
$index = 0

#Extract SamAccountName
foreach($Name in $FullName){
    try{
        $SplitName          = $Name.Split()
        $FirstName          = $SplitName[0]
        $LastName           = $SplitName[1]
        $SAName.Add((Get-Aduser -filter "surname -eq '$LastName' -and givenname -eq '$FirstName'").samaccountname) | Out-Null
##Unable to figure this part out below
        if($SAName[$index].length -gt 1){
            foreach($dup in $SAName[$index]){
                $SAName[$index] = $dup
                $index++
            }
        }
        $index++
    }catch{
        Write-Error $_.Exception.Message
    }
}

#Test output
$SAName[1]

foreach($User in $SAName){
    try{
        $ADObject = Get-Aduser -Identity $User -Properties DisplayName, EmailAddress, PasswordLastSet, LockedOut, LockoutTime, Enabled
        $DaysUntilExpired = $ADObject.PasswordLastSet - $ExpiredDate | Select-Object -ExpandProperty Days
        [PSCustomObject]@{
            DisplayName         = $ADObject.DisplayName
            SamAccountName      = $ADObject.SamAccountName
            EmailAddress        = $ADObject.EmailAddress
            PasswordLastSet     = $ADObject.PasswordLastSet
            DaysUntilExpired    = $DaysUntilExpired
            LockedOut           = $ADObject.LockedOut
            LockoutTime         = $ADObject.LockoutTime
            Enabled             = $ADObject.Enabled
        }
    }catch{
        Write-Error $_.Exception.Message
    }
}

I was able to resolve this. However, if you see a way to optimize this, please feel free to let me know!

I’d do it this way:

function Get-BasicADuserInfo {
    Param(
        [Parameter(Mandatory = $true)]
        [string]
        $FirstName,
        [Parameter(Mandatory = $true)]
        [string]
        $LastName
    )
    $MaxPwdAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
    $ExpiredDate = (Get-Date).addDays(-$MaxPwdAge)

    $ADUserList = Get-ADUser -Filter "givenname -eq '$FirstName' -and surname -eq '$LastName'" -Properties DisplayName, EmailAddress, PasswordLastSet, LockedOut, LockoutTime

    foreach ($ADUser in $ADUserList) {
        $DaysUntilExpired = $ADUser.PasswordLastSet - $ExpiredDate
        [PSCustomObject]@{
            DisplayName      = $ADUser.DisplayName
            SamAccountName   = $ADUser.SamAccountName
            EmailAddress     = $ADUser.EmailAddress
            PasswordLastSet  = $ADUser.PasswordLastSet
            DaysUntilExpired = $DaysUntilExpired.Days
            LockedOut        = $ADUser.LockedOut
            LockoutTime      = $ADUser.LockoutTime
            Enabled          = $ADUser.Enabled
        }
    }
}

Get-BasicADuserInfo

This way it wouldn’t matter if someone likes to provide the name as “John Smith” or “Smith, John”. If you do not provide a name at all you will be prompted for it. :wink: … and because it is a function you can add it to your profile or a module and you don’t have to load the script file.

Thanks a ton, Olaf! How would you change this to allow for multiple users being entered in? Say I have a list of users from department “A” and I want all this info for each user to be outputted. I ask because I originally made this script with the FirstName and LastName params, but I wasn’t sure how to adapt it for scalability, other than specifying FullName.

I wouldn’t. Since the combination of first name and last name is not sufficient to uniquely identify someone, I would require them to provide a unique attribute. That could be the sAMAccountName, the UserPrincipalName, the email address or an employee number if your company uses something like this. With this I would create another function for that purpose.
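
One way the separate function suggested above could look, as an added example that is not code from any poster in this thread. The function names `ConvertTo-LdapFilterValue` and `Get-BasicADUserInfoByIdentity` are hypothetical; the sketch assumes lookups go through `-LDAPFilter` with RFC 4515 escaping, so a value containing `*` or parentheses cannot widen the query, and it refuses any value that does not match exactly one account.

```powershell
# Added example, not from the thread. Function names are hypothetical.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping: backslash first, then * ( ) and NUL, so input stays a literal value.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace '\x00', '\00'
}

function Get-BasicADUserInfoByIdentity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Identity,
        # Attribute the caller declares as the unique key for the supplied values.
        [ValidateSet('sAMAccountName', 'userPrincipalName', 'mail', 'employeeNumber')]
        [string]$Attribute = 'sAMAccountName'
    )
    begin {
        $MaxPwdAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
        $Props = 'DisplayName', 'EmailAddress', 'PasswordLastSet',
                 'PasswordNeverExpires', 'LockedOut', 'LockoutTime'
    }
    process {
        foreach ($Id in $Identity) {
            $Filter = '({0}={1})' -f $Attribute, (ConvertTo-LdapFilterValue -Value $Id)
            $Found  = @(Get-ADUser -LDAPFilter $Filter -Properties $Props)
            if ($Found.Count -ne 1) {
                # Zero or several hits: report it rather than guess which account was meant.
                Write-Warning "'$Id' matched $($Found.Count) accounts by $Attribute; skipped."
                continue
            }
            $U = $Found[0]
            $Days = $null   # stays empty when no expiry date applies
            if ($U.PasswordLastSet -and -not $U.PasswordNeverExpires -and $MaxPwdAge -gt 0) {
                $Days = ($U.PasswordLastSet.AddDays($MaxPwdAge) - (Get-Date)).Days
            }
            [PSCustomObject]@{
                DisplayName      = $U.DisplayName
                SamAccountName   = $U.SamAccountName
                EmailAddress     = $U.EmailAddress
                PasswordLastSet  = $U.PasswordLastSet
                DaysUntilExpired = $Days
                LockedOut        = $U.LockedOut
                LockoutTime      = $U.LockoutTime
                Enabled          = $U.Enabled
            }
        }
    }
}
# Usage (constructed file name, one unique value per line):
# Get-Content .\departmentA.txt | Get-BasicADUserInfoByIdentity -Attribute mail
```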

Hello Olaf,

I think he just wants this function.
He has a user list named user.csv with FirstName and LastName.
Then use your code.

$user=Import-Csv C:\123\user.csv

function Get-BasicADuserInfo {
    Param(
        [Parameter(Mandatory = $true)]
        [string]
        $FirstName,
        [Parameter(Mandatory = $true)]
        [string]
        $LastName
    )
    $MaxPwdAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
    $ExpiredDate = (Get-Date).addDays(-$MaxPwdAge)

    $ADUserList = Get-ADUser -Filter "givenname -eq '$FirstName' -and surname -eq '$LastName'" -Properties DisplayName, EmailAddress, PasswordLastSet, LockedOut, LockoutTime

    foreach ($ADUser in $ADUserList) {
        $DaysUntilExpired = $ADUser.PasswordLastSet - $ExpiredDate
        [PSCustomObject]@{
            DisplayName      = $ADUser.DisplayName
            SamAccountName   = $ADUser.SamAccountName
            EmailAddress     = $ADUser.EmailAddress
            PasswordLastSet  = $ADUser.PasswordLastSet
            DaysUntilExpired = $DaysUntilExpired.Days
            LockedOut        = $ADUser.LockedOut
            LockoutTime      = $ADUser.LockoutTime
            Enabled          = $ADUser.Enabled
        }
    }
}

foreach($u in $user){
    Get-BasicADuserInfo -FirstName $u.firstname -LastName $u.lastname
}

@dshirkey Am I right?

That’s not my point actually. :smirk: I meant that when another department asks for some information about other employees that you should provide, you should make sure that you do not give away information they actually did not ask for and are maybe not supposed to get.

It’s nothing technical - it’s something “political”!! :point_up_2:t4: