PowerShell script that should find disabled users that are not in a specific OU outputs users from that OU as well

active-directoryorganizational-unitpowershelluser-management

Hey I've got this cmdlet here:

Get-ADUser -filter {(distinguishedName -notlike "Disabled Users") -and (enabled -eq $false)} -searchBase "ou=FirstOU,dc=domain,dc=com"

I've built it to find disabled users that are not in the "Disabled Users" OU. (an OU within an OU)

But for some reason it returns not only the disabled users that are not in "Disabled Users", but the disabled users that are in it as well.

Why doesn't (distinguishedName -notlike "Disabled Users") work?

To make my structure clear:

Forest
    FirstOU
       users,groups,etc..
       Disabled Users OU
.
.
.

Best Answer

Brackets and wildcards. Try

PS C:\Users\BigHomie> Get-ADUser -SearchBase "OU=Users,dc=eng,dc=mit,dc=edu" -SearchScope Subtree -Filter {distinguishedname -notlike "*Disabled*"}

Proper Syntax was found here

Related Solutions

Windows – Active Directory Housekeeping – Remove groups from disabled users

This sample batch file will do what you're asking. You'll need to edit the dsquery command to use your specific StartNode OU -- The OU=SomeOU,DC=example,DC=com bit:

@ECHO OFF
REM Get list of disabled users in the domain
FOR /F "usebackq delims=;" %%A IN (`dsquery user "OU=SomeOU,DC=example,DC=com" -disabled -limit 0`) DO ( 
    echo User: %%A
    REM Enumerate user's group memberOf, exclude "Domain Users" group
    FOR /F "usebackq delims=;" %%B IN (`dsget user %%A -memberof ^| find /V "Domain Users"`) DO (
        ECHO Group: %%B
        REM Remove user %%A from Group %%B
        dsmod group %%B -rmmbr %%A
    )
)

Powershell – check if all users in a specific OU are disabled, disable if not

Something like this:

Get-ADUser -Filter * -SearchBase "ou=TheOU,dc=contoso,dc=com" | Disable-ADAccount

You might need to upgrade your Powershell version if it doesn't have the commands.

Try/Catch example:

$users = Get-ADUser -Filter * -SearchBase "ou=TheOU,dc=contoso,dc=com"    

ForEach ($user in $users) {
    Try {
        Disable-Account
    }
    Catch {
        Write-Output "$($user) is already disabled."
    }
    Finally {
        # Cleanup tasks, etc.
    }
}

Best Answer

Related Solutions

Windows – Active Directory Housekeeping – Remove groups from disabled users

Powershell – check if all users in a specific OU are disabled, disable if not

Related Topic