Select and compare challenge

We have a security group that has a 90-day password policy.
In this group, all the accounts in specific OUs need to be members.

Currently there are 299 accounts in the OUs and 42 members of the security group ($Adgroup).

I am able to get the AD users of the OUs ($Users).
I can find out who is already a member ($Members).

I cannot get PowerShell to tell me who needs to be added to $Adgroup ($Notmember).

With $Notmember I need PowerShell to tell me which AD account has a password that expired on or before today.
Because the $Notmember accounts now have a 185-day password policy, and they are going to a 90-day password policy.
That means there might be accounts whose password will have expired without them knowing this in time.
We want them to receive a mail and be able to change their password in time.

This is my script; I look forward to some feedback.

<#
Pieter Bakker
14-9-2020
Find users in an OU
Check whether they are a member of a specific AD group
#>

$exportpath = "D:\Users\adpiebak1d\Documents\PS-script\Output\Password.csv"

# The different OUs
$OUpathP01 = 'OU=P01,OU=ADM,OU=Admin,DC=groningen,DC=ad,DC=groningen,DC=nl'
$OUpathFuj = 'OU=Fujitsu,OU=Service Management,DC=groningen,DC=ad,DC=groningen,DC=nl'
$OupathDel = 'OU=ToDelete,OU=Admin,DC=groningen,DC=ad,DC=groningen,DC=nl'

# The OUs combined into one variable
$AdminOus = @()
$AdminOus += $OUpathP01
$AdminOus += $OUpathFuj
$AdminOus += $OupathDel

$Adgroup   = 'GG_TEMP_ROL_Password-Policy'

<#
- SearchBase does not (yet) work when the OUs are in an @()
'OU=P01,OU=ADM,OU=Admin,DC=groningen,DC=ad,DC=groningen,DC=nl',
'OU=Fujitsu,OU=Service Management,DC=groningen,DC=ad,DC=groningen,DC=nl',
'OU=ToDelete,OU=Admin,DC=groningen,DC=ad,DC=groningen,DC=nl')
#>


<#
1. Get the users from both OUs
2. Check whether they are already a member of the $ADGroup.
3. When users are already a member of this group, show a message on screen,
   e.g. "xxxx accounts were found, xxx accounts are a member of the group $Adgroup."
4. Export the users that are not yet a member and warn them about a password change
5. When all missing users have been warned, add them.
6. Check that all users from the $OUPath.. have now been added to the $ADgroup
#>

# 1. Get the users from the OUs, put them in a variable or export

$Users = @()
$Users += Get-ADUser -Filter * -SearchBase $OUpathP01 -Properties MemberOf
$Users += Get-ADUser -Filter * -SearchBase $OUpathFuj -Properties MemberOf
$Users += Get-ADUser -Filter * -SearchBase $OupathDel -Properties MemberOf

$Samaccount = $Users | Select-Object -Property SamAccountName #| Export-Csv "D:\Users\adpiebak1d\Documents\PS-script\Output\Allusers.csv"

# Count the $Users
Write-Host "The total number of accounts found =" $Samaccount.Count


# Who is already a member of the AD group; export to a variable
$Members = Get-ADGroupMember $Adgroup | Select-Object -Property SamAccountName | Export-Csv "D:\Users\adpiebak1d\Documents\PS-script\Output\members.csv"
Write-Host $Members.Count "users are a member of the AD group $Adgroup"

$NonMembers = Compare-Object -ReferenceObject $Samaccount.SamAccountName -DifferenceObject $Members.SamAccountName | Where-Object { $_.SideIndicator -eq "<=" } | Out-GridView

# Select the users
$Users = $NonMembers.InputObject

# Set the password age
$PasswordAge = 90

# Find the $NonMembers' password expiration date (enabled accounts whose password can expire)
$Users = $Users | ForEach-Object { Get-ADUser -Identity $_ -Properties Mail, PasswordLastSet, PasswordNeverExpires } |
    Where-Object { $_.Enabled -and -not $_.PasswordNeverExpires } |
    Select-Object Name, Mail, @{n='PasswordExpiration'; e={$_.PasswordLastSet.AddDays($PasswordAge)}} |
    Export-Csv "D:\users\adpiebak1d\Documents\PS-script\Pwpolicy\naam-expdate.csv"

# Create an overview with the various variables

# Users from admin\adm\p01
$admP01 = Get-ADUser -Filter * -SearchBase $OUpathP01 -Properties DisplayName, Mail | Select-Object -Property DisplayName, Mail | Out-GridView

# Users from Serv.mgmt\fujitsu
$admFuj = Get-ADUser -Filter * -SearchBase $OUpathFuj -Properties DisplayName, Mail | Select-Object -Property DisplayName, Mail

# Users from the deleted accounts OU
$admdel = Get-ADUser -Filter * -SearchBase $OupathDel -Properties DisplayName, Mail | Select-Object -Property DisplayName, Mail

# Users who have an expired password after their membership of the $ADgroup
#$Pwexp  =

# Add $NonMembers to $Adgroup
#Add-ADGroupMember $Adgroup -Members $NonMembers

# Optional send email


Consider the following:

# Group members, reduced to SamAccountName
$Members = Get-ADGroupMember $Adgroup | Select-Object -Property SamAccountName

# OU users, reduced to SamAccountName
$Samaccount = $Users | Select-Object -Property SamAccountName

# SamAccountName values of nonmembers (-ExpandProperty returns the plain strings instead of Compare-Object's wrapper objects)
$NonMembers = Compare-Object -ReferenceObject $Samaccount.SamAccountName -DifferenceObject $Members.SamAccountName |
     Where-Object { $_.SideIndicator -eq "<=" } | Select-Object -ExpandProperty InputObject

# Nonmember ADUser objects with a PasswordExpiration property
$NonMembersData = $NonMembers | ForEach-Object {
    Get-ADUser -Identity $_ -Properties Mail,PasswordLastSet |
        Select-Object Name, Mail, @{n='PasswordExpiration';e={$_.PasswordLastSet.AddDays($PasswordAge)}}
}

# Nonmember ADUser objects with expired passwords. $ExpiredUsers.Mail will contain the email addresses
$ExpiredUsers = $NonMembersData | Where-Object {$_.PasswordExpiration -le (Get-Date)}

When you pipe to Export-Csv, none of the output objects are returned to the success stream. Therefore, variables won’t be updated when using the syntax $variable = Export-Csv. The same applies when piping to Out-GridView.
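Putting the points of the question and the answer together, as an added example that is not code from either post: one pass that collects the OU users by looping over the OU array (which sidesteps the SearchBase-with-array note in the question), checks membership with a hash set instead of Compare-Object's SideIndicator, computes the expiry date each account would have under the new 90-day policy, and keeps the CSV export separate from the variable assignment. It assumes the question's $AdminOus, $Adgroup and $exportpath are already defined; the handling of accounts without a PasswordLastSet value is an assumption of this example.

```powershell
# Added example (not from the question or answer). Assumes $AdminOus (array of
# OU DNs), $Adgroup (group name) and $exportpath (CSV destination) are set.
Import-Module ActiveDirectory

$PasswordAge = 90          # the new policy, in days
$Today       = Get-Date

# 1. Users from every OU. -SearchBase takes a single DN, so iterate over the
#    array instead of passing the whole @() to one call.
$Users = foreach ($ou in $AdminOus) {
    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
               -SearchBase $ou -Properties Mail, PasswordLastSet
}

# 2. Current members by SamAccountName. A case-insensitive HashSet gives a
#    direct Contains() check with no SideIndicator bookkeeping.
$MemberNames = [System.Collections.Generic.HashSet[string]]::new(
    [StringComparer]::OrdinalIgnoreCase)
Get-ADGroupMember -Identity $Adgroup |
    ForEach-Object { [void]$MemberNames.Add($_.SamAccountName) }

# 3. Non-members with the expiry date they would have under the new policy.
#    PasswordLastSet is $null when "must change at next logon" is set; those
#    are reported as already expired rather than silently dropped (assumption).
$NonMembersData = $Users |
    Where-Object { -not $MemberNames.Contains($_.SamAccountName) } |
    Select-Object SamAccountName, Name, Mail, PasswordLastSet,
        @{ n = 'PasswordExpiration'; e = {
            if ($_.PasswordLastSet) { $_.PasswordLastSet.AddDays($PasswordAge) }
            else { $Today } } }

# 4. Already expired under the 90-day rule. Assign first, export afterwards:
#    an assignment from Export-Csv or Out-GridView is always empty.
$ExpiredUsers = $NonMembersData | Where-Object { $_.PasswordExpiration -le $Today }
$NonMembersData | Export-Csv -Path $exportpath -NoTypeInformation -Encoding UTF8

Write-Host ("{0} accounts in the OUs, {1} already in {2}, {3} to add, {4} expired under the {5}-day policy" -f `
    @($Users).Count, $MemberNames.Count, $Adgroup, @($NonMembersData).Count, @($ExpiredUsers).Count, $PasswordAge)

# 5. $ExpiredUsers.Mail is the list to warn first; add the accounts to the
#    group only after the warnings have gone out, as the question's plan says.
# Add-ADGroupMember -Identity $Adgroup -Members $NonMembersData.SamAccountName
```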