Send email for each user that has been disabled to their managers

Hi

I have a script that will search for users that were disabled in the past 14 days and show their manager's name, the date when they were disabled, and the manager's email.

$ou = "my_ou"
$date = (Get-Date).AddDays(-14)
$disabledAccounts = Get-aduser -filter {Enabled -eq $false -and Modified -ge $date } -SearchBase $ou -Properties Modified,manager |
    select samaccountname,Modified,
        @{Name="ManagerEmail";Expression={(get-aduser -property emailaddress $_.manager).emailaddress}},
        @{Label='Manager';Expression={(Get-ADUser $_.Manager).sAMAccountName}}
$ManagerName=$_.Displayname

$Body = "
<html>
<body>
<p>Dear $ManagerName,<br>
The user $userName has been disabled on .<br>
</body>
</html>"

ForEach($disabledAccount in $disabledAccounts){
    Send-MailMessage -To $disabledAccount.ManagerEmail -From 'myemail@' -Subject 'Disabled account' -Body $Body -SmtpServer 'mysmtp server' -BodyAsHtml -Priority High
}


Now my problem is that this is the email that I’m receiving:

Dear , The user has been disabled on .
After "Dear" I don't see the manager's name, in the second line after "user" I don't see the specific user name that is disabled, and after "on" I need a date.
Any suggestions or help?
Thanks

You need to add a foreach loop.

And validate that your "managername" variable contains what you believe it does.
I'd start with
foreach ($item in $disabledaccounts)
{
    write-host $item.managername
    write-host $item.username
}

Make sure you have the value you expect.
Second, I don't see anywhere that you actually set a date, nor are you calling a value in your body, which is why you don't see a date.

Then you can put your send-mailmessage code within the scriptblock with the foreach.

Hi David,

Yes, about the date, I need to figure out how to add it to my script.

And "foreach", where do you suggest I should add it in my script?

You have to add it after your $disabledAccounts section.

Step 1: you store all of the AD objects your disabledaccounts code retrieves in a collection,
then you use the foreach to loop through the collection.

There isn't going to be a value in AD to tell you the date the account itself was disabled.
The closest you can probably get is whenChanged.

I have something like this:

$ou = "my_ou"
$date = (Get-Date).AddDays(-14)
$disabledAccounts = Get-aduser -filter {Enabled -eq $false -and Modified -ge $date } -SearchBase $ou -Properties Modified,manager | select samaccountname,Modified,manager
$ManagerName = ''
$Body = "
<html>
<body>
<p>Dear $ManagerName,<br>
The user $userName has been disabled on .<br>
</body>
</html>"

ForEach($disabledAccount in $disabledAccounts){

    $manager = get-aduser -property emailaddress,DisplayName $disabledAccount.manager
    $ManagerName= $manager.Displayname
    $userName = $disabledAccount.samaccountname
    Send-MailMessage -To $manager.UserPrincipalName -From 'myemail@' -Subject 'Disabled account' -Body $Body -SmtpServer 'mysmtp server' -BodyAsHtml -Priority High
}


And for some reason I'm receiving only 1 email for 1 employee, and the second command for Get-Aduser gives me only 1 manager while the first one gives me 2.

A manager can have more than one disabled account, so if they have 3 users in the report, it’s doubtful they want 3 separate emails. For this, you should do some grouping on the email. You’re building the email for each user, so the html content should be in the loop. This is untested, but should get you close:

$ou = "my_ou"
$date = (Get-Date).AddDays(-14)
# DisplayName and EmailAddress are not in Get-ADUser's default property set, so they are requested explicitly
$disabledAccounts = Get-AdUser -Filter {Enabled -eq $false -and Modified -ge $date } -SearchBase $ou -Properties Modified,Manager,DisplayName | 
                    Select-Object -Property Samaccountname,
                                            DisplayName,
                                            Modified,
                                            Enabled, 
                                            @{Name='ManagerEmail';Expression={Get-ADUser -Identity $_.Manager -Properties EmailAddress | Select-Object -ExpandProperty emailaddress}}, 
                                            @{Name='ManagerSamAccountName';Expression={Get-ADUser -Identity $_.Manager | Select-Object -ExpandProperty sAMAccountName}},
                                            @{Name='ManagerDisplayName';Expression={Get-ADUser -Identity $_.Manager -Properties DisplayName | Select-Object -ExpandProperty displayName}},
                                            @{Name='ManagerFirstName';Expression={Get-ADUser -Identity $_.Manager | Select-Object -ExpandProperty givenName}}

$groupedManagers = $disabledAccounts | Group-Object -Property ManagerEmail

foreach ($manager in $groupedManagers) {
#Here string - cannot indent the starting or ending string, but it allows multiple lines within
#To resolve variables in a here-string, they need to be wrapped with a subexpression $( )
$body = @"
    <html>
        <body>
            <p>Dear $($manager.ManagerName),
            <br/>
            <p>The users have been disabled:</p>
            <br/>
            $($manager.Group | ConvertTo-Html -Property DisplayName,SamAccountName,Enabled,Modified)

        </body>
    </html>
"@

    #Splatting
    $mailParams = @{
        To         = $manager.Name
        From       =  'do_not_reply@myemail.com'
        Subject    = 'Disabled accounts' 
        Body       = $Body 
        SmtpServer = 'mysmtp server' 
        BodyAsHtml = $true 
        Priority   = 'High'
    }

    Send-MailMessage @mailParams
}

Rob’s got a point, only thing I would change is the multiple calls to AD and Select-Object -Expand to get manager details

$ou = "my_ou"
$date = (Get-Date).AddDays(-14)
# DisplayName is not in Get-ADUser's default property set, so it is requested explicitly
$disabledAccounts = Get-AdUser -Filter {Enabled -eq $false -and Modified -ge $date } -SearchBase $ou -Properties Modified,Manager,DisplayName | 
                    Foreach-Object {
                        $manager = Get-ADUser -Identity $_.Manager -Properties displayname,mail

                        [PSCustomObject]@{
                            Samaccountname        = $_.Samaccountname
                            DisplayName           = $_.DisplayName
                            Modified              = $_.Modified
                            Enabled               = $_.Enabled
                            ManagerEmail          = $manager.mail
                            ManagerSamAccountname = $manager.samaccountname
                            ManagerDisplayName    = $manager.displayname
                            ManagerFirstName      = $manager.givenname
                        }
                    }
 
$groupedManagers = $disabledAccounts | Group-Object -Property ManagerEmail
 
foreach ($manager in $groupedManagers) {
#Here string - cannot indent the starting or ending string, but it allows multiple lines within
#To resolve variables in a here-string, they need to be wrapped with a subexpression $( )
$body = @"
    <html>
        <body>
            <p>Dear $($manager.ManagerName),
            <br/>
            <p>The users have been disabled:</p>
            <br/>
            $($manager.Group | ConvertTo-Html -Property DisplayName,SamAccountName,Enabled,Modified)
 
        </body>
    </html>
"@
 
    #Splatting
    $mailParams = @{
        To         = $manager.Name
        From       =  'do_not_reply@myemail.com'
        Subject    = 'Disabled accounts' 
        Body       = $Body 
        SmtpServer = 'mysmtp server' 
        BodyAsHtml = $true 
        Priority   = 'High'
    }
 
    Send-MailMessage @mailParams
}

Thanks guys,

the multiple email sending works but when I’m getting the email, I’m getting it without Manager name:

Dear ,

The users have been disabled:

DisplayName SamAccountName Enabled Modified
test False 11/16/2020 5:45:18 PM
 

----------------------------

Solved it.

Appears it should be $manager.group.ManagerDisplayName instead of $manager.name
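
The thread's fixes combined into one routine, as an added example that is not any poster's code: it builds one message per manager, reads the manager's name from the grouped members, HTML-encodes directory values before they go into the body, and sets aside accounts that have no manager email. `New-DisabledAccountMail`, the `example.com` addresses and the sample objects are constructed for illustration; the input property names follow the scripts above.

```powershell
# Added example (not from the thread). New-DisabledAccountMail is a hypothetical helper.
function New-DisabledAccountMail {
    param(
        [Parameter(Mandatory)] [object[]] $Account,
        [string] $From = 'do_not_reply@example.com'   # placeholder sender
    )
    # Directory values end up in HTML, so encode them before interpolation.
    $enc = { param($s) [System.Net.WebUtility]::HtmlEncode([string]$s) }

    # Accounts without a manager mail address cannot be routed; report them
    # instead of calling Send-MailMessage with an empty recipient.
    $routable, $orphan = $Account.Where({ $_.ManagerEmail }, 'Split')
    if ($orphan.Count) { Write-Warning "No manager email: $($orphan.SamAccountName -join ', ')" }

    foreach ($group in ($routable | Group-Object -Property ManagerEmail)) {
        # The manager's name lives on the grouped members, not on the group itself.
        $managerName = $group.Group[0].ManagerDisplayName
        $rows = foreach ($a in $group.Group) {
            '<tr><td>{0}</td><td>{1}</td><td>{2:yyyy-MM-dd HH:mm}</td></tr>' -f
                (& $enc $a.DisplayName), (& $enc $a.SamAccountName), $a.Modified
        }
        $body = @"
<html><body>
<p>Dear $(& $enc $managerName),</p>
<p>These accounts are disabled (the date is the last modification):</p>
<table border="1">
<tr><th>Name</th><th>Account</th><th>Modified</th></tr>
$($rows -join "`n")
</table>
</body></html>
"@
        @{ To = $group.Name; From = $From; Subject = 'Disabled accounts'
           Body = $body; BodyAsHtml = $true; Priority = 'High' }
    }
}

# Constructed sample input in the shape produced by the thread's scripts.
$when = Get-Date '2020-11-16 17:45'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe'; DisplayName = 'J <b>Doe</b>'; Modified = $when
                       ManagerDisplayName = 'Ann Lee'; ManagerEmail = 'ann@example.com' }
    [pscustomobject]@{ SamAccountName = 'test'; DisplayName = 'Test User'; Modified = $when
                       ManagerDisplayName = 'Ann Lee'; ManagerEmail = 'ann@example.com' }
    [pscustomobject]@{ SamAccountName = 'svc1'; DisplayName = 'Service 1'; Modified = $when
                       ManagerDisplayName = $null; ManagerEmail = $null }
)
foreach ($mail in New-DisabledAccountMail -Account $sample) {
    '{0}: {1} account(s)' -f $mail.To, [regex]::Matches($mail.Body, '<tr><td>').Count
    # Send-MailMessage @mail -SmtpServer 'mysmtp server'   # uncomment to send
}
```

To run it against the directory, pass the `$disabledAccounts` collection from the scripts above in place of `$sample`.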