Getting Useful ADUser Information

dshirkey · November 23, 2021, 12:26pm

Hello! I am trying to make a script I can quickly reference to pull some basic information for different users in our environment. I am running into an issue when I call the script and their are multiple people with the same First and Last Name. I call the function with, “.\MyFunction.ps1 John Smith”. Below in the code, when it my original ADUser query returns information in the 2 users, I am having trouble separating them, and putting them into their own location in the array, respectively. I marked the array of code below with ##.

Any help would be wonderful. Thank you!

param([String[]]$FullName)

#Calculating the expired date from the domain's default password policy.

$MaxPwdAge              = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

$ExpiredDate            = (Get-Date).addDays(-$MaxPwdAge)

$SAName                 = New-Object System.Collections.ArrayList

$index = 0

#Extract SamAccountName

foreach($Name in $FullName){

    try{

        $SplitName          = $Name.Split()

        $FirstName          = $SplitName[0]

        $LastName           = $SplitName[1]

        $SAName.Add((Get-Aduser -filter "surname -eq '$LastName' -and givenname -eq '$FirstName'").samaccountname) | Out-Null
##Unable to figure this part out below
        if($SAName[$index].length -gt 1){

            foreach($dup in $SAName[$index]){

                $SAName[$index] = $dup

                $index++

            }

        }

        $index++

    }catch{

        Write-Error $_.Exception.Message

    }

}

#Test output

$SAName[1]

foreach($User in $SAName){

    try{

        $ADObject = Get-Aduser -Identity $User -Properties DisplayName, EmailAddress, PasswordLastSet, LockedOut, LockoutTime, Enabled

        $DaysUntilExpired = $ADObject.PasswordLastSet - $ExpiredDate | Select-Object -ExpandProperty Days

        [PSCustomObject]@{

            DisplayName         = $ADObject.DisplayName

            SamAccountName      = $ADObject.SamAccountName

            EmailAddress        = $ADObject.EmailAddress

            PasswordLastSet     = $ADObject.PasswordLastSet

            DaysUntilExpired    = $DaysUntilExpired

            LockedOut           = $ADObject.LockedOut

            LockoutTime         = $ADObject.LockoutTime

            Enabled             = $ADObject.Enabled

        }  

    }catch{

        Write-Error $_.Exception.Message

    }

}

dshirkey · November 23, 2021, 2:03pm

I was able to resolve this. However, if you see a way to optimize this, please feel free to let me know!

Olaf · November 23, 2021, 4:51pm

I’d do it this way:

function Get-BasicADuserInfo {
    Param(
        [Parameter(Mandatory = $true)]
        [string]
        $FirstName,
        [Parameter(Mandatory = $true)]
        [string]
        $LastName
    )
    $MaxPwdAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
    $ExpiredDate = (Get-Date).addDays(-$MaxPwdAge)

    $ADUserList = Get-ADUser -Filter "givenname -eq '$FirstName' -and surname -eq '$LastName'" -Properties DisplayName, EmailAddress, PasswordLastSet, LockedOut, LockoutTime

    foreach ($ADUser in $ADUserList) {
        $DaysUntilExpired = $ADUser.PasswordLastSet - $ExpiredDate
        [PSCustomObject]@{
            DisplayName      = $ADUser.DisplayName
            SamAccountName   = $ADUser.SamAccountName
            EmailAddress     = $ADUser.EmailAddress
            PasswordLastSet  = $ADUser.PasswordLastSet
            DaysUntilExpired = $DaysUntilExpired.Days
            LockedOut        = $ADUser.LockedOut
            LockoutTime      = $ADUser.LockoutTime
            Enabled          = $ADUser.Enabled
        }
    }
}

Get-BasicADuserInfo

This way it wouldn’t matter if someone like to provide the name as “John Smith” or “Smith, John”. If you do not provide a name at all you will be prompted for. … and because it is a function you can add it to your profile or a module and you don’t have to load the script file.

dshirkey · November 23, 2021, 5:15pm

Olaf:

function Get-BasicADuserInfo {
    Param(
        [Parameter(Mandatory = $true)]
        [string]
        $FirstName,
        [Parameter(Mandatory = $true)]
        [string]
        $LastName
    )
    $MaxPwdAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
    $ExpiredDate = (Get-Date).addDays(-$MaxPwdAge)

    $ADUserList = Get-ADUser -Filter "givenname -eq '$FirstName' -and surname -eq '$LastName'" -Properties DisplayName, EmailAddress, PasswordLastSet, LockedOut, LockoutTime

    foreach ($ADUser in $ADUserList) {
        $DaysUntilExpired = $ADUser.PasswordLastSet - $ExpiredDate
        [PSCustomObject]@{
            DisplayName      = $ADUser.DisplayName
            SamAccountName   = $ADUser.SamAccountName
            EmailAddress     = $ADUser.EmailAddress
            PasswordLastSet  = $ADUser.PasswordLastSet
            DaysUntilExpired = $DaysUntilExpired.Days
            LockedOut        = $ADUser.LockedOut
            LockoutTime      = $ADUser.LockoutTime
            Enabled          = $ADUser.Enabled
        }
    }
}

Get-BasicADuserInfo

Thanks a ton, Olaf! How would you change this to allow for multiple users being entered in? Say I have a list of users from department “A” and I want all this info for each user to be outputted. I ask because I originally made this script with the FirstName and LastName params, but I wasn’t sure how to adapt it for scalability, other than specifying FullName.

Olaf · November 23, 2021, 7:39pm

I wouldn’t. Since combination of first name and last name is not sufficient to uniquely identify someone I would require them to provide a unique attribute. That could be the sAMAccountName, the UserPrincipalName, the email address or an employee number if your company uses something like this. With this I would create another function for that purpose.

Chen.Chen · November 24, 2021, 2:42am

Hello Olaf,

I think he just want this function.
That he has a user list name user.csv with FirstName and LastName
Then use your code.

$user=Import-Csv C:\123\user.csv

function Get-BasicADuserInfo {
    Param(
        [Parameter(Mandatory = $true)]
        [string]
        $FirstName,
        [Parameter(Mandatory = $true)]
        [string]
        $LastName
    )
    $MaxPwdAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
    $ExpiredDate = (Get-Date).addDays(-$MaxPwdAge)

    $ADUserList = Get-ADUser -Filter "givenname -eq '$FirstName' -and surname -eq '$LastName'" -Properties DisplayName, EmailAddress, PasswordLastSet, LockedOut, LockoutTime

    foreach ($ADUser in $ADUserList) {
        $DaysUntilExpired = $ADUser.PasswordLastSet - $ExpiredDate
        [PSCustomObject]@{
            DisplayName      = $ADUser.DisplayName
            SamAccountName   = $ADUser.SamAccountName
            EmailAddress     = $ADUser.EmailAddress
            PasswordLastSet  = $ADUser.PasswordLastSet
            DaysUntilExpired = $DaysUntilExpired.Days
            LockedOut        = $ADUser.LockedOut
            LockoutTime      = $ADUser.LockoutTime
            Enabled          = $ADUser.Enabled
        }
    }
}

foreach($u in $user){
    Get-BasicADuserInfo -FirstName $u.firstname -LastName $u.lastname
}

@dshirkey Am I right?

Olaf · November 24, 2021, 7:29am

That’s not my point actually. I meant that when another department asks for some information about other employees you should provide you should make sure that you do not give away information they actually did not ask for and they’re maybe not supposed to get.

It’s nothing technical - it’s something “political”!!

Topic		Replies	Views
Extract USers BAsed on SamAccountname (Secondary Accounts) PowerShell Help	7	341	May 16, 2024
How to create 2 AD user with same first and last name PowerShell Help	15	901	May 16, 2024
get-aduser samaccountname from first name and last name PowerShell Help	8	851	May 16, 2024
Finding Unused AD Name PowerShell Help	8	254	May 16, 2024
Duplicate names in csv PowerShell Help	9	382	May 16, 2024

Getting Useful ADUser Information

Related topics