Question

I've been asked to pull a report containing the user's name, username, enabled/disabled status, and the last login time from our Windows Server 2008 domain. I'm using the script below and it's working, but the problem is it's pulling built-in security accounts and some system accounts, and I need just users. Does anyone know if this filtering is possible? The script I'm using is below. Thanks in advance!

# Parameters splatted into Get-ADUser
$ADUserParams=@{
'Server' = 'servername.domain.local'
'Searchbase' = 'DC=domain,DC=local'
'Searchscope'= 'Subtree'
'Filter' = '*'
'Properties' = '*'
}

# Parameters splatted into Select-Object (no trailing comma: it is a parse error in PowerShell)
$SelectParams=@{
'Property' = 'CN', 'SAMAccountname', 'DisplayName', 'enabled', 'lastlogondate'
}

get-aduser @ADUserParams | select-object @SelectParams | export-csv "c:\temp\users.csv"

Solution 2

Part of your requirements for the report are to show all users in AD; this would include system and built-in accounts. That being said, if you can exclude the OUs or containers that contain the built-in/system accounts you don't want in the report, that would be easiest. It looks like you're trying to audit the whole AD DS and should use exclusions; otherwise only include the OU that contains the user accounts, as long as it is not possible to have user accounts anywhere else.

Other tips

At the very least you'll want to modify your filter to something like:
'(&(|(objectclass=person)(objectclass=inetorgperson))(!(objectclass=computer)))'.

That will still leave Administrator, Guest and any domain/realm trusts you've got, but otherwise it's pretty clean.

'(&(sAMAccountType=805306368)(!(isCriticalSystemObject=TRUE)))' is even cleaner, and may be exactly what you need. This uses sAMAccountType, but I pulled from existing AD users rather than build that value from scratch.

Also there is no Enabled attribute. The closest you can get is userAccountControl. lastLogonDate is actually lastLogonTimestamp.

It really depends on what you can use to separate your built-ins and system accounts.

The easiest way would be to add a SearchBase to your $ADUserParams:

$ADUserParams=@{
     'Server' = 'servername.domain.local'
     ...
     'SearchBase' = 'OU=Lemmings,DC=contoso,DC=com'
}

If there's one OU that you need to filter out, try adding a Where-Object:

get-aduser @ADUserParams | ?{$_.DistinguishedName -notlike '*ou=Beancounters,*'} | select-object @SelectParams | export-csv "c:\temp\users.csv"

The ?{ } bit is an alias for the Where-Object command. $_ represents the objects passed along the pipe.

This is all assuming that these accounts are cleanly separated by OU, however. I know this isn't true in my environment.

You might have to play around for a while before finding something that will separate your users cleanly. It might help to store your initial query as a variable, $users = Get-ADUser @ADUserParams, and see what you can pick apart:

$users | ?{$_.SomeProperty -eq 'SomeValue'}

Try running $users[0] to get an idea of what properties there might be to help you filter through these users. If you need to wrap your head around things like -eq and -like, take a look here.

If all the accounts you're wanting to filter contain a character like $, you could filter the output like so:

$users | ?{$_.SamAccountName -notlike "*$*"}
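Putting the two answers together, here is an added example (not code from the original question or answers) that uses the sAMAccountType/isCriticalSystemObject LDAP filter plus an OU exclusion list to build the requested report. The server, search base and excluded OU names are assumptions; note that the raw LDAP syntax quoted above goes to Get-ADUser's -LDAPFilter parameter, not -Filter, and that the AD module exposes Enabled and LastLogonDate as computed properties derived from userAccountControl and lastLogonTimestamp.

```powershell
# Added example: normal user accounts only, excluding built-ins and chosen OUs.
Import-Module ActiveDirectory

$ADUserParams = @{
    Server      = 'servername.domain.local'   # assumed DC name
    SearchBase  = 'DC=domain,DC=local'        # assumed domain
    SearchScope = 'Subtree'
    # -LDAPFilter takes raw LDAP filter syntax (-Filter takes PowerShell syntax).
    # 805306368 = SAM_NORMAL_USER_ACCOUNT, so computers and trusts are excluded;
    # isCriticalSystemObject=TRUE drops Administrator, Guest and krbtgt.
    LDAPFilter  = '(&(sAMAccountType=805306368)(!(isCriticalSystemObject=TRUE)))'
    # LastLogonDate is not a default property, so it must be requested.
    Properties  = 'DisplayName', 'LastLogonDate'
}

# OUs whose accounts should not appear in the report (assumed names).
$ExcludedOUs = @(
    'OU=Service Accounts,DC=domain,DC=local'
    'OU=Beancounters,DC=domain,DC=local'
)

# LastLogonDate is the module's conversion of lastLogonTimestamp, which AD
# replicates only every 9-14 days, so the value can lag the true last logon.
Get-ADUser @ADUserParams |
    Where-Object {
        $dn = $_.DistinguishedName
        # Keep the user unless its DN ends with one of the excluded OUs.
        $hit = $ExcludedOUs | Where-Object { $dn -like "*,$_" }
        -not $hit
    } |
    Select-Object Name, SamAccountName, DisplayName, Enabled, LastLogonDate |
    Sort-Object SamAccountName |
    Export-Csv -Path 'C:\temp\users.csv' -NoTypeInformation
```

Run it once without the Export-Csv stage to eyeball the result; if the Enabled column is all True, check that the disabled accounts you expect have not been filtered out by the OU list.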
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow