Nested Groups - User Properties

Hello and thank you for your anticipated help with this.

Pretty new at PowerShell because I was good at the old ways.
Doing my best to stop going back to the old, familiar, out-of-date ways, so here goes.

Below is a script that I’ve put together from things found on the interwebs.
It walks through a group and subgroups for members and displays as required.

It’s working as designed, but new requirements from the client have come forth.

req 1: don’t show disabled users
req 2: don’t show accounts with no defined expiration date

When I attempt to have it skip disabled users with (below) I get an error.

`Get-ADUser -filter {enabled -eq $true} -Prop Description…`

Any help with this as well as not displaying the hundreds of users accounts that don’t have the account expiry set would be greatly appreciated.

function Get-ADNestedGroupMembers {
    param (
        [String] $GroupName
    )

    Import-Module ActiveDirectory
    $Members = Get-ADGroupMember -Identity $GroupName
    $Members | ForEach-Object {
        if ($_.ObjectClass -eq "group") {
            # Recurse into the nested group
            Get-ADNestedGroupMembers -GroupName $_
        } else {
            # Emit the distinguished name of a non-group member
            return $_.DistinguishedName
        }
    }
}

Import-Module ActiveDirectory
Get-ADNestedGroupMembers -GroupName "group name here" |
Get-ADUser -Properties Description, samAccountName, AccountExpirationDate, mail, LastLogoff, lastLogonTimestamp, company |
Select-Object Name, samAccountName, AccountExpirationDate, mail, LastLogoff, @{N='LastLogonTimestamp'; E={[DateTime]::FromFileTime($_.LastLogonTimestamp)}}, company |
Sort-Object AccountExpirationDate -Descending |
# Format-Table -Property * -AutoSize |
ConvertTo-Html | Out-File C:\Temp\working\AccountExpiry.htm

Hey Mike,

What’s the error you are getting? I ran the command on my DC a couple of seconds ago, and it worked okay.

Hi Tim,

The code above is working well.
My poorly requested assistance meant to ask for help filtering out the resultant data set.

I don’t want to see users that are disabled, nor do I want to see users that don’t have the account expiry set.

I’m trying to use something like Get-ADUser -filter {enabled -eq $true} -Prop Description……. with no luck.

I’m thinking it’s an issue with what is returned from the function (ADNestedGroupMembers)

Thank you for your time!


And while we (ok, you) are at it, I’d like to know what the path to their user object is (like when you view advanced features in AD and select the user\computer ‘OBJECT’ tab).
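
One way to meet both requirements and include the object path, as an added example that is not from the thread: objects piped into Get-ADUser bind to -Identity, which is a different parameter set from -Filter, so the filtering is done afterwards with Where-Object. It uses Get-ADGroupMember -Recursive in place of the hand-written recursion; the function name Get-ExpiringGroupUser is hypothetical, and the group name and output path are the placeholders from the original post.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ExpiringGroupUser {   # hypothetical helper name
    param (
        [Parameter(Mandatory)]
        [string] $GroupName
    )

    # CanonicalName is the path shown on the Object tab (domain/OU/.../name).
    $props = 'Description', 'AccountExpirationDate', 'mail', 'LastLogoff',
             'lastLogonTimestamp', 'company', 'CanonicalName'

    # -Recursive flattens nested groups and returns only leaf members.
    # Keep user objects only and drop duplicates reached via several groups.
    $users = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Sort-Object -Property distinguishedName -Unique

    # Piped objects bind to -Identity, so -Filter cannot be used on this call.
    # req 1: Enabled must be $true.
    # req 2: AccountExpirationDate is $null when the account never expires,
    #        so testing it for truthiness drops those accounts.
    $users |
        Get-ADUser -Properties $props |
        Where-Object { $_.Enabled -and $_.AccountExpirationDate } |
        Select-Object Name, SamAccountName, AccountExpirationDate, mail, LastLogoff,
            @{ N = 'LastLogonTimestamp'; E = {
                # Accounts that never logged on have no value here; leaving the
                # column empty avoids a misleading year-1601 date.
                if ($_.lastLogonTimestamp) {
                    [DateTime]::FromFileTime($_.lastLogonTimestamp)
                }
            } },
            company, CanonicalName
}

Get-ExpiringGroupUser -GroupName 'group name here' |
    Sort-Object AccountExpirationDate -Descending |
    ConvertTo-Html |
    Out-File 'C:\Temp\working\AccountExpiry.htm'
```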