Select and compare challenge

pba1211 · September 18, 2020, 2:13am

We have a security group, that has a 90 day pw policy.
In this group , all the accounts in Specific ou’s need to be a member

Currently there 299 Accounts in de ou’s and 42 members of the security group ($Adgroup

I am able to get the ADusers of the ou’s ($Users)
I can find oput , who is already a member ($Members)

I canNOt get powershell to tell me who needs to added to $Adgroup ( $Notmember)

With $Notmember I need powerhell to tell me, what ad account has a expired Password on <=today
Because the $notmember has now a 185 days Pw Policy , they are going to a 90 day PW Policy.
That means there might be accounts that will have there PassWord expired and do not know this in time.
We want them to recieve a mail and be able to change there PW in time.

This is my script, i look forward to some feedback

<#
Pieter Bakker
14-9-2020
Find users in a ou
Look if they are member of a specific adgroup
#>

$exportpath = "D:\Users\adpiebak1d\Documents\PS-script\Output\Password.csv"

# Hier staan de verschillende Ou's
$OUpathP01 = 'OU=P01,OU=ADM,OU=Admin,DC=groningen,DC=ad,DC=groningen,DC=nl'
$OUpathFuj = 'OU=Fujitsu,OU=Service Management,DC=groningen,DC=ad,DC=groningen,DC=nl'
$OupathDel = 'OU=ToDelete,OU=Admin,DC=groningen,DC=ad,DC=groningen,DC=nl'

# de Ou's samengevoegd is 1 variabele
$AdminOus = @()
$AdminOus += $OUpathP01
$AdminOus += $OUpathFuj
$AdminOus += $OupathDel

$Adgroup   = 'GG_TEMP_ROL_Password-Policy'

<#
- searchbase werkt (nog) niet wanneer de OU's in een @() staan
'OU=P01,OU=ADM,OU=Admin,DC=groningen,DC=ad,DC=groningen,DC=nl',
'OU=Fujitsu,OU=Service Management,DC=groningen,DC=ad,DC=groningen,DC=nl',
'OU=ToDelete,OU=Admin,DC=groningen,DC=ad,DC=groningen,DC=nl')
#>


<#
1. Haal de gebruikers op uit beide OU's
2. Kijk of ze al lid zijn van de $ADGroup.
3. Wanneer gebruikers al lid zijn van deze groep een melding tonen op het scherm" 
Bv. Er zijn xxxx accounts gevonden, xxx accounts zijn lid van de groep $Adgroup.
4. De gebruikers die nog geen lid zijn, exporteren en waarschuwen voor een pw change
5  Wanneer alle ontbrekende users zijn gewaarschuwd deze toevoegen.
6. Controleer of alle users uit de $OUPath.. nu toegevoegd zijn aan de $ADgroup
#>

# 1. Haal de gebruikers op uit de OU's, zet deze in een Variabele of export

$Users = @()
$Users += Get-ADUser -Filter * -SearchBase $OUpathP01 -Properties MemberOf
$Users += Get-ADUser -Filter * -SearchBase $OUpathFuj -Properties MemberOf
$Users += Get-ADUser -Filter * -SearchBase $OUpathDel -Properties MemberOf

$Samaccount = $users |select -Property SamAccountname #|export-csv "D:\Users\adpiebak1d\Documents\PS-script\Output\Allusers.csv"

#tel de $users 
Write-Host "Het totaalaantal gevonden accounts =" $Samaccount.count
 

#Wie zijn al lid van de ADGroup , export naar variabele
$Members = Get-ADGroupMember $Adgroup | select -Property SamAccountname | export-csv "D:\Users\adpiebak1d\Documents\PS-script\Output\members.csv"
Write-host $members.count "gebruikers zijn lid van de Adgroup $adgroup"

$NonMembers = Compare-Object -ReferenceObject $Samaccount.SamAccountName -DifferenceObject $Members.SamAccountname | Where-Object {  $_.Sideindicator -eq "<="} | out-gridview
select InputObject
Compare-Object -ReferenceObject $Samaccount.SamAccountName -DifferenceObject $Members.SamAccountname  

#Select the Users
$users = $Nonmembers.InputObject

#Set the passwordage
$PasswordAge = 90 

#Find $nonmembers Password expirationdate
$Users = Get-ADUser -Identity $_.SamAccountname ('Enabled -eq $true -and PasswordNeverExpires -eq $false') -Properties Mail,PasswordLastSet |
    Select-Object Name,Mail, @{n='PasswordExpiration';e={$_.PasswordLastSet.AddDays($PasswordAge)}} |export-csv "D:\users\adpiebak1d\Documents\PS-script\Pwpolicy\naam-expdate.csv" 

# Een overzicht gaan maken met de diverse variabelen

#Users uit admin\adm\p01
$admP01 = Get-ADUser -Filter * -SearchBase $OUpathP01 -Properties Displayname,Mail |select -property Displayname, mail |Out-GridView

#users uit Serv.mgmt\fujitsu 
$admFuj = -SearchBase $OUAdmFuj1 -Properties Displayname |select -property Displayname, mail

#Users uit de delted accounts ou
$admdel = -SearchBase $AdmDel -Properties Displayname |select -property Displayname, mail

#users welke na hun membership aan de $ADgroup een expired Passw. hebben
#$Pwexp  =

#Add $Nonmembers to $Adgroup
#Add-ADGroupMember $Adgroup -members $NonMembers

# Optional send email

adminofthings · September 18, 2020, 3:28am

Consider the following:

# ADUser objects of members
$Members = Get-ADGroupMember $Adgroup | select -Property SamAccountname

# ADUser objects of OU Users
$Samaccount = $users | select -Property SamAccountname

# SamAccountName values of nonmembers
$NonMembers = Compare-Object -ReferenceObject $Samaccount.SamAccountName -DifferenceObject $Members.SamAccountname |
     Where-Object {  $_.Sideindicator -eq "<="} | Select -Expand InputObject

# nonmember ADUser objects with passwordexpiration property
$NonMembersData = $NonMembers | Foreach-Object {
    Get-ADUser -Identity $_ -Properties Mail,PasswordLastSet |
        Select Name,Mail, @{n='PasswordExpiration';e={$_.PasswordLastSet.AddDays($PasswordAge)}}

# nonmember ADUser objects with expired passwords. $expiredUsers.Mail will contain email addresses
$ExpiredUsers = $NonMembersData | Where {$_.PasswordExpiration -le (Get-Date)}

When you pipe to Export-Csv, none of the output objects are returned to the success stream. Therefore, variables won’t be updated when using the syntax $variable = Export-Csv. The same applies when piping to Out-GridView.

Topic		Replies	Views
query all users part of ad group NON_Company_employees PowerShell Help	1	169	May 16, 2024
Get-ADUser filter for users in a certain OU PowerShell Help	6	444	May 16, 2024
Request Help - Inactive ADUser Query and Manipulation Encountering Issues... PowerShell Help	15	220	May 16, 2024
Exporting Users From AD Security Groups and listing variables PowerShell Help	31	637	May 16, 2024
Compare then use PowerShell Help	8	232	May 16, 2024

Select and compare challenge

Related topics