Help - Combining Commands

I am brand new to using PowerShell and am having a bit of trouble attempting to pull some data. What I’m trying to do is grab some basic information from mailboxes and the license names associated with those mailboxes for users within a specific OU in AD. I can get the mailbox information and the license names but I’m not sure how to filter that only to those mailboxes within certain OUs in AD. I’d like to get the info only for those accounts that are in our disabled employees OU. Can someone help me please? This is what I have so far.

$datapath = “c:\DisabledAccountsInfo.csv”
$results = @()
$mailboxusers = get-mailbox -resultsize unlimited
foreach ($user in $mailboxusers)
{
$UPN = $user.userprincipalname
$license = get-msoluser -userprincipalname $UPN
$mailboxinfo = get-mailbox $upn
$properties = @{
ExchangeGUID = $user.exchangeguid
Name = $user.name
Userprincipalname = $UPN
License = $license.licenses[0].accountskuid
Enabled =
}
$results += new-object psobject -property $properties
}
$results | Select-Object Name, Userprincipalname, exchangeguid, license |
export-csv -path $datapath

At what point can I filter this to only those users who are in the specific OUs or who are disabled in AD?

Thanks in advance!

I don’t have an Exchange environment to test this, but according to Get-Mailbox’s documentation, there’s an -OrganizationalUnit parameter which can be used to set the search root. Try something like this (after modifying it to contain your actual OU distinguished name):

$mailboxusers = get-mailbox -resultsize unlimited -OrganizationalUnit 'OU=Disabled Employees,OU=Whatever,DC=contoso,DC=com'

I don’t see a license property on Exchange 2010, but maybe this will help you get started. For disabled users, filter on the ‘ExchangeUserAccountControl’ property:


Get-Mailbox -ResultSize unlimited -Filter {ExchangeUserAccountControl -eq 'AccountDisabled'} |
Sort-Object -Property OrganizationalUnit |
Select-Object -Property UserPrincipalName, ExchangeGuid, Database,OrganizationalUnit

You can also filter to a specific OU as Dave referenced in the previous comment.


Get-Mailbox -ResultSize unlimited -Filter {ExchangeUserAccountControl -eq 'AccountDisabled'} -OrganizationalUnit 'OU=Disabled Employees,OU=Whatever,DC=contoso,DC=com'

When I try using the organizationalunit parameter, though I follow the model, I continually get as error message that the OU cannot be found. Perhaps the problem is that we’re using Office 365 and are not hosting our own exchange server. However, O365 is tied into AD. I’ve tried referencing the different DCs to no avail. Hmmm.

Mike, referencing the ExchangeUserAccountControl is getting me in the right direction. I still have to figure out what’s preventing me from picking a specific OU. We have disabled accounts in multiple OUs as we have a number of templates setup that are all disabled. I’m getting a ton of errors and will have to filter out a lot of extra information. Thanks for your help Mike and Dave.

Give this syntax a try:

Get-Mailbox -ResultSize unlimited -Filter {ExchangeUserAccountControl -eq 'AccountDisabled'} -OrganizationalUnit 'contoso.com/Whatever/Disabled Employees'

Note the different formatting of the value provided for the OrganizationalUnit parameter. Either way works with an On-Premises Exchange 2010 Server.

I tried that as well. No luck.

well without asking you to share the full code you’re using (obviously you don’t need to share your OU), I would first confirm that the OU you’re specifying does actually exist. Load the ActiveDirectory module and do:

Get-ADOrganizationalUnit 'OU=Name,DC=domain,DC=com'

If it returns the OU you are trying to specify, then it does exist, and I’d then say perhaps there may be some missing link between O365 and your AD domain somehow. I do not have any experience with O365 at all unfortunately but hopefully this will at least get you on track to troubleshooting your issue.

If you know the name of one of the user accounts you’re looking at as well you could do:

Get-ADUser -Identity username | Select-Object -ExpandProperty distinguishedname

This will get you the full distinguished name of the full distinguished name of the user, then you can just remove the ‘CN=’ part of the dn to then have the OU that the user is in.

Have you tried turning it upside down? Query your own AD for the users you want, then query Office Online for their mailboxes using the AD user objects’ UserPrincipalNames.

$users = Get-ADUser -LDAPFilter '(&(UserPrincipalName=*)(objectClass=user))' -SearchBase 'OU=People I like, DC=Contoso, DC=Com' -SearchScope Subtree foreach($user in $users) { Get-Mailbox $user.UserPrincipalName | Write-Output }

Peter, the OU does in fact get returned. I also have AD open while I’m writing this script. Thanks for helping me confirm that I’m not crazy, though. As far as selecting the specific usernames, there are roughly 1,200 I’m working with. It would be a long process to go through to select one at a time. I appreciate your assistance.

Martin, I haven’t considered that and I’ll have to figure out how to incorporate that into what I’m doing. Thanks for the suggestion.