<# Created by LocalTechRepair
Website: http://localtechrepair.blogsplot.com
Date: version: .01
Requires the ActiveDirectory module; please run
    Import-Module ActiveDirectory -WarningAction SilentlyContinue
(The searches below go through the [ADSI]/[adsisearcher] .NET type accelerators,
so they also work without the module loaded.)
Takes a group name and finds all the disabled users in the group. #>
# Gather input and assign it to a variable.
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]$Mailbox    # the group's cn (common name)
)
# Start timer: seconds since the Unix epoch.
$epoch = Get-Date -Date "01/01/1970"
$start = (New-TimeSpan -Start $epoch -End (Get-Date)).TotalSeconds
# Creates the output file (appends a blank line if it already exists).
Write-Output "" | Out-File .\users.csv -Append
# Pulls the group's distinguishedName.
$server = "domaincontroleraddress"   # not used below; the LDAP:// paths are serverless
$root = [ADSI]"LDAP://DC=local,DC=com"
$search = [adsisearcher]$root
# Escape the characters that are special inside an LDAP filter value (RFC 4515),
# so a group name containing ( ) * or \ cannot break or alter the query.
# Backslash is replaced first so the escapes added here are not escaped again.
$safeName = $Mailbox -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
$search.Filter = "(&(objectCategory=group)(cn=$safeName))"
$groups = $search.FindAll()
# This part is very poorly designed but it works.
foreach ($group in $groups)
{
    $distinguishedname = [string]$group.Properties.Item('distinguishedName')
    Write-Output $distinguishedname
    Write-Output $distinguishedname | Out-File .\users.csv -Append
    Write-Output "first_name,last_name,email_address,Employee #" | Out-File .\users.csv -Append
    # Pulls the disabled users:
    #   sAMAccountType=805306368                      -> normal user accounts
    #   userAccountControl:1.2.840.113556.1.4.803:=2  -> ACCOUNTDISABLE bit set (bitwise-AND rule)
    #   memberOf:1.2.840.113556.1.4.1941:=<dn>        -> member of the group, nested groups included
    # The DN is escaped the same way as the group name; a DN can contain \ ( ) or *.
    $safeDn = $distinguishedname -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    $root = [ADSI]"LDAP://DC=local,DC=com"
    $search = [adsisearcher]$root
    $search.Filter = "(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2)(memberOf:1.2.840.113556.1.4.1941:=$safeDn))"
    $users = $search.FindAll()
    # Outputs to a commonly formatted CSV file (fields are not quoted; the last column is the sAMAccountName).
    foreach ($user in $users)
    {
        [string]$user.Properties.Item('givenName'),[string]$user.Properties.Item('sn'),[string]$user.Properties.Item('mail'),[string]$user.Properties.Item('samaccountname') -join "," | Out-File .\users.csv -Append
    }
}
# Cleanup code: stop the timer and report the elapsed seconds.
$end = (New-TimeSpan -Start $epoch -End (Get-Date)).TotalSeconds
$completed = $end - $start
Write-Output "Done in $completed seconds"
The main parts of this script that do the work are the two different LDAP queries.
The first one is (&(objectCategory=group)(cn=$Mailbox))
This finds the objects that are groups and whose cn (common name) is the group you're searching for.
The second query is
(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2)(memberOf:1.2.840.113556.1.4.1941:=$distinguishedname))
This finds objects of type person, though I use sAMAccountType=805306368 since it's faster. Then I query the userAccountControl attribute to find the disabled status (the 1.2.840.113556.1.4.803 rule is a bitwise AND, and 2 is the disabled bit), and then check whether they are a member of the group (the 1.2.840.113556.1.4.1941 rule follows nested group membership, so members of groups inside the group are found too).
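As an added example (not the original script or the author's code), here is the same pair of queries done with the ActiveDirectory module the header mentions, with the filter values escaped per RFC 4515 before they are spliced into the filter and the result written with Export-Csv so that commas in names do not corrupt the file. The parameter names $GroupName and $OutFile and the helper ConvertTo-LdapFilterValue are assumptions, and the script assumes the caller can read the domain.

```powershell
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)][string]$GroupName,   # the group's cn
    [string]$OutFile = '.\disabled-members.csv'
)
Import-Module ActiveDirectory -WarningAction SilentlyContinue

# Assumed helper: escape the characters that have meaning inside an LDAP filter
# value (RFC 4515). Backslash goes first so the escapes added here stay intact.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value = $Value -replace '\\', '\5c'
    $Value = $Value -replace '\*', '\2a'
    $Value = $Value -replace '\(', '\28'
    $Value = $Value -replace '\)', '\29'
    return ($Value -replace "`0", '\00')
}

# Query 1: resolve the group's distinguishedName from its cn.
$groups = @(Get-ADGroup -LDAPFilter "(cn=$(ConvertTo-LdapFilterValue $GroupName))")
if ($groups.Count -eq 0) { throw "No group with cn '$GroupName' was found." }
if ($groups.Count -gt 1) { throw "cn '$GroupName' matches $($groups.Count) groups; use a unique name." }
$group = $groups[0]

# Query 2: disabled user accounts that are members of that group.
#   sAMAccountType=805306368                      normal user accounts
#   userAccountControl:1.2.840.113556.1.4.803:=2  ACCOUNTDISABLE bit set (bitwise-AND rule)
#   memberOf:1.2.840.113556.1.4.1941:=<dn>        membership, nested groups included
$dn = ConvertTo-LdapFilterValue $group.DistinguishedName
$filter = "(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2)(memberOf:1.2.840.113556.1.4.1941:=$dn))"

# GivenName/Surname/SamAccountName are default properties; mail must be requested.
$rows = Get-ADUser -LDAPFilter $filter -Properties mail |
    Select-Object @{ n = 'first_name';       e = { $_.GivenName } },
                  @{ n = 'last_name';        e = { $_.Surname } },
                  @{ n = 'email_address';    e = { $_.mail } },
                  @{ n = 'sam_account_name'; e = { $_.SamAccountName } },
                  @{ n = 'group_dn';         e = { $group.DistinguishedName } }

# Export-Csv quotes every field, so a display name containing a comma stays in one column.
$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Output "Wrote $(@($rows).Count) disabled member(s) of '$($group.Name)' to $OutFile"
```

Review the CSV before removing anyone from the group: a disabled account that is still a member may be intentionally parked there pending an offboarding process.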
Hope that helps you guys clean all those disabled members out of your AD groups.
I will later add a way to search for users who have not logged on to a computer in a year. That could be folded into this script, though it is probably less useful than running it as its own script.
Share if you find this useful.
Thanks,
Local Tech Repair Admin