VulakAerr
 New Member Posts:3
 |
| 03 Sep 2008 04:48 PM |
|
Hi all,
I've been trying to work out a script to export all of our expired users to a csv file with the output being the CN and lastLogonTimeStamp attributes. What I have so far has been greatly borrowed from one of Mow's scripts but as it was it didn't seem to quite work. The problem seemed to be that
@{e={[datetime]::FromFileTimeUtc($_.properties.lastlogontimestamp[0])};n='logon'}
appeared to fail. Apparently this is owing to the fact that PowerShell wouldn't return the lastLogonTimeStamp attribute. So I found another of Mow's scripts, apparently showing that to retrieve the lastLogonTimeStamp attribute it needed its own separate FindOne() search. I've tried to incorporate this but, as you may or may not guess from the following script, all I get in my csv file is a list of DNs and propertynames.
Here's the script in its current form:
$Root = New-Object DirectoryServices.DirectoryEntry 'LDAP://OU=ITWORLD,DC=ITWORLD,DC=MSFT'
$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = $root
$searcher.PageSize = 900
$searcher.Filter = "(&(objectClass=user)(!objectClass=computer)(!displayName=*#*)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
$PropList = "CN","ObjectClass","ObjectCategory","distinguishedName","lastLogonTimestamp","description","adspath"
$PropList | foreach {[void]$searcher.PropertiesToLoad.Add($_)}
$logon = $searcher.findAll()
foreach ($user in $logon) {
    $ds = New-Object DirectoryServices.DirectorySearcher
    $target = $user.PSBase.properties.adspath
    $ds.searchRoot = "$target"
    select @{e={$user.properties.cn};n='name'},@{e={[datetime]::FromFileTimeUtc($ds.findOne().properties.lastlogontimestamp[0])};n='logon'}
}
$logon | export-csv -noTypeInformation -noClobber c:\CsvExample\ADActive.csv
As you can probably tell from the horrible code, I'm quite new to this. Any help would be greatly appreciated so thank you in advance.
John.
Edit: Removed brainfart.
slogick
 New Member Posts:23
 |
| 23 Oct 2008 04:18 PM |
|
Does anyone have this using the Quest commandlets?
bsonposh
 Basic Member Posts:388
 |
| 23 Oct 2008 06:28 PM |
|
I am a little unclear as to exactly what you want. You want all the expired user accounts exported to csv with only the properties you specified?
bsonposh
 Basic Member Posts:388
 |
| 23 Oct 2008 06:28 PM |
|
And what do you consider expired?
slogick
 New Member Posts:23
 |
| 23 Oct 2008 06:31 PM |
|
Actually I would like to export all users from AD with the last logon time to a .csv file, something like this:
Displayname,samAccountname,LastLoginDate,Status(Enabled/Disabled)
Does that help?
bsonposh
 Basic Member Posts:388
 |
| 24 Oct 2008 03:24 PM |
|
Perhaps something like this (with Quest tools):
$users = Get-QADUser -SearchRoot $OU -IncludedProperties "lastLogonTimestamp"
@(foreach($user in $users)
{
    $user | Select-Object DisplayName,
        LogonName,
        @{n="LastLogon";e={[System.DateTime]::FromFileTimeUtc($_.lastLogonTimestamp)}},
        @{n="AccountDisabled";e={$_.DirectoryEntry.psbase.InvokeGet("AccountDisabled")}}
}) | export-Csv filename.csv -noType
Shay
 Basic Member Posts:228
 |
| 24 Oct 2008 03:32 PM |
|
> Get-QADUser -SearchRoot $OU -IncludedProperties "lastLogonTimestamp"
There is no need to include LastLogonTimestamp, it is included by default in the returned property set.
> @{n="AccountDisabled";e={$_.DirectoryEntry.psbase.InvokeGet("AccountDisabled")}}
You can add the AccountIsDisabled to select-object instead of the above ;-)
bsonposh
 Basic Member Posts:388
 |
| 24 Oct 2008 03:44 PM |
|
Perhaps it is my version of Quest tools, but I do not have AccountIsDisabled or lastLogonTimestamp (I tried them both first, expecting them to be there).
Shay
 Basic Member Posts:228
 |
| 24 Oct 2008 03:50 PM |
|
It could be. I'm using the latest public release:
PS > Get-PSSnapin Quest.ActiveRoles.ADManagement | select Version

Version
-------
1.1.2.761

PS > Get-QADUser shay | fl AccountIsDisabled,LastLogonTimestamp

AccountIsDisabled  : False
LastLogonTimestamp : Never
slogick
 New Member Posts:23
 |
| 24 Oct 2008 03:54 PM |
|
Select-Object : Cannot convert argument "0", with value: "Never", for "FromFileTimeUtc" to type "System.Int64": "Cannot
convert "Never" to "System.Int64"."
At C:\Documents and Settings\Administrator\My Documents\PowerShell\UserExport.ps1:5 char:26
+ $user | Select-Object <<<< DisplayName,
Select-Object : Cannot convert argument "0", with value: "Never", for "FromFileTimeUtc" to type "System.Int64": "Cannot
convert "Never" to "System.Int64"."
At C:\Documents and Settings\Administrator\My Documents\PowerShell\UserExport.ps1:5 char:26
+ $user | Select-Object <<<< DisplayName,
Select-Object : Cannot convert argument "0", with value: "Never", for "FromFileTimeUtc" to type "System.Int64": "Cannot
convert "Never" to "System.Int64"."
At C:\Documents and Settings\Administrator\My Documents\PowerShell\UserExport.ps1:5 char:26
+ $user | Select-Object <<<< DisplayName,
Select-Object : Cannot convert argument "0", with value: "Never", for "FromFileTimeUtc" to type "System.Int64": "Cannot
convert "Never" to "System.Int64"."
At C:\Documents and Settings\Administrator\My Documents\PowerShell\UserExport.ps1:5 char:26
+ $user | Select-Object <<<< DisplayName,
When I tried to run it I get this... does this make any sense?
bsonposh
 Basic Member Posts:388
 |
| 24 Oct 2008 04:03 PM |
|
slogick, you can not use both what I gave you and what Shay gave you. I recommend downloading the latest Quest cmdlets and using what Shay provided... it is much cleaner than mine.
slogick
 New Member Posts:23
 |
| 24 Oct 2008 04:34 PM |
|
Here is what I tried to run:
$users = Get-QADUser -SearchRoot 'timslogick.com/users' -IncludedProperties "lastLogonTimestamp"
@(foreach($user in $users)
{
    $user | Select-Object DisplayName,
        LogonName,
        @{n="LastLogon";e={[System.DateTime]::FromFileTimeUtc($_.lastLogonTimestamp)}},
        @{n="AccountDisabled";e={$_.DirectoryEntry.psbase.InvokeGet("AccountDisabled")}}
}) | export-Csv filename.csv -noType
Shay
 Basic Member Posts:228
 |
| 24 Oct 2008 04:39 PM |
|
Slogick, upgrade to the last version of QAD (http://www.quest.com/powershell/activeroles-server.aspx) and you'll be able to run this:
PS > Get-QADUser -SearchRoot 'timslogick.com/users' -sizeLimit 0 | Select DisplayName,LogonName,lastLogonTimestamp,AccountISDisabled | export-Csv filename.csv -noType
slogick
 New Member Posts:23
 |
| 24 Oct 2008 04:52 PM |
|
One more question... in the searchroot parameter, do you have to specify an OU or is there a way to search the entire directory? Most of my users are there, but there are users in other OUs.
bsonposh
 Basic Member Posts:388
 |
| 24 Oct 2008 04:57 PM |
|
You do not... I do it because I have ~380k users, not what I want to test against :)
slogick
 New Member Posts:23
 |
| 24 Oct 2008 05:16 PM |
|
Shay, I ran that script but for the lastlogon all it is saying is "never" for every account? I have upgraded to the latest version of the Quest tools... Any thoughts? Is there something in my domain that may be wrong?
[PS] C:\Documents and Settings\08188>Get-PSSnapin Quest.ActiveRoles.ADManagement | select Version

Version
-------
1.1.2.761
Shay
 Basic Member Posts:228
 |
| 24 Oct 2008 05:56 PM |
|
What do you get when you run this:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainMode
slogick
 New Member Posts:23
 |
| 24 Oct 2008 06:35 PM |
|
Windows2000NativeDomain
bsonposh
 Basic Member Posts:388
 |
| 24 Oct 2008 06:39 PM |
|
That would be your problem. This is a 2k3 native mode thing.
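Added example, not part of the thread or any poster's code: a single paged DirectorySearcher query that produces the Displayname, samAccountname, LastLoginDate, Status export asked for above without the Quest cmdlets, and that writes "Never" instead of failing in FromFileTimeUtc when lastLogonTimestamp is unset. It assumes a domain-joined machine; the output path C:\Temp\ADUsers.csv is a placeholder.

```powershell
# Added example. Assumptions: domain-joined host; output path is a placeholder.
$searcher = New-Object DirectoryServices.DirectorySearcher   # no SearchRoot: searches the current domain
$searcher.PageSize = 900                                     # paged search, so large directories are fully returned
$searcher.Filter = '(&(objectCategory=person)(objectClass=user))'
foreach ($name in 'displayName','sAMAccountName','lastLogonTimestamp','userAccountControl') {
    [void]$searcher.PropertiesToLoad.Add($name)
}

# First value of a result property, or $null when the attribute is not set.
function Get-FirstValue($values) {
    if ($values.Count -gt 0) { $values[0] }
}

$results = $searcher.FindAll()
try {
    $rows = foreach ($result in $results) {
        $p     = $result.Properties                       # keys are lower-case attribute names
        $stamp = Get-FirstValue $p['lastlogontimestamp']   # Int64 FILETIME, or $null
        $uac   = [int](Get-FirstValue $p['useraccountcontrol'])

        # Only convert real timestamps; unset or zero means no recorded logon.
        $lastLogon = if ($stamp -gt 0) { [datetime]::FromFileTimeUtc($stamp) } else { 'Never' }
        # Bit 0x2 of userAccountControl is ACCOUNTDISABLE.
        $status = if ($uac -band 2) { 'Disabled' } else { 'Enabled' }

        New-Object PSObject -Property @{
            DisplayName    = Get-FirstValue $p['displayname']
            SamAccountName = Get-FirstValue $p['samaccountname']
            LastLoginDate  = $lastLogon
            Status         = $status
        }
    }
}
finally {
    $results.Dispose()   # release the unmanaged search handle
}

$rows | Select-Object DisplayName,SamAccountName,LastLoginDate,Status |
    Export-Csv -NoTypeInformation C:\Temp\ADUsers.csv
```

lastLogonTimestamp is only refreshed when the stored value is roughly 9 to 14 days old, so treat the exported dates as approximate; they are suited to finding stale accounts rather than establishing an exact last logon.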