Question

I am working with a script to notify users of expiring passwords but I am having some problems getting results back for nested groups. My script will filter users who are a member of Parent-Test. I will not have any users who are a member of this directly, they will be members of Child01-Test and Child02-Test. Child01 and Child02 are members of Parent-Test.

Is there a way to do this using Get-ADUser or should I be using something like Get-ADGroupMember?

```powershell
$smtpServer = "mail.company.com"
$from = "sender@example.com"   # placeholder: the sender address was not defined in the posted script
$expireindays = 10
$ADGroup = "CN=Parent-test,OU=Groups,OU=Test,DC=Test1,DC=Test2,DC=Test3,DC=com"
$OfficeOU = "OU=Test,DC=Test1,DC=Test2,DC=Test3,DC=com"

# Get users from AD who are enabled
Import-Module ActiveDirectory
$users = Get-ADUser -Filter {memberof -eq $ADGroup} -Properties * -SearchBase $OfficeOU |
    where { $_.Enabled -eq "True" } |
    where { $_.PasswordNeverExpires -eq $false } |
    where { $_.passwordexpired -eq $false }

foreach ($user in $users)
{
    $Name = (Get-ADUser $user | foreach { $_.GivenName })
    $emailaddress = $user.emailaddress
    $passwordSetDate = (Get-ADUser $user -Properties * | foreach { $_.PasswordLastSet })
    $PasswordPol = (Get-ADUserResultantPasswordPolicy $user)
    # Check for a fine-grained password policy
    if (($PasswordPol) -ne $null)
    {
        $maxPasswordAge = ($PasswordPol).MaxPasswordAge
    }
    else
    {
        $maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    }

    $expireson = $passwordsetdate + $maxPasswordAge
    $today = (Get-Date)
    $daystoexpire = (New-TimeSpan -Start $today -End $Expireson).Days
    $subject = "Your Network/Outlook password will expire in $daystoExpire days"
    $attachment = "C:\Util\Outlook Web App Password Change Procedure.pdf"
    # The closing </p> and quote were missing from the posted script
    $body = "
Dear $name,
<p> Your Network/Outlook password will expire in $daystoexpire days.<br>
Please follow the instructions in the attached guide to change your password. For assistance, please contact me or send an email to admin@support.com<br>
</p>
"

    if ($daystoexpire -lt $expireindays)
    {
        Send-MailMessage -SmtpServer $smtpServer -From $from -To $emailaddress -Subject $subject -Body $body -Attachments $attachment -BodyAsHtml -Priority High
    }
}
```

Solution

I would have gathered a list of group members first using Get-ADGroupMember $ADGroup -Recursive and then matched the users against that, ex:

```powershell
$pattern = [regex]::Escape($OfficeOU)

Get-ADGroupMember $ADGroup -Recursive |
    Get-ADUser -Properties * |
    ? { $_.Enabled -and $_.PasswordNeverExpires -eq $false -and $_.passwordexpired -eq $false -and $_.DistinguishedName -match $pattern }
```
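
An added example, not part of the question or the answer above: it goes beyond the answer by letting the domain controller resolve the nested membership inside a single `Get-ADUser` call (the LDAP "in chain" matching rule), and it reads the expiry time from `msDS-UserPasswordExpiryTimeComputed`, which already reflects fine-grained password policies. The DNs and the 10-day window are taken from the question; the output object's property names are made up for illustration, and the group DN is assumed to contain no LDAP filter metacharacters.

```powershell
# Added example; not code from the original post.
Import-Module ActiveDirectory

$ADGroup      = "CN=Parent-test,OU=Groups,OU=Test,DC=Test1,DC=Test2,DC=Test3,DC=com"
$OfficeOU     = "OU=Test,DC=Test1,DC=Test2,DC=Test3,DC=com"
$expireindays = 10

# 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN: the DC walks nested groups.
# 1.2.840.113556.1.4.803  = bitwise AND match on userAccountControl:
#   2 = ACCOUNTDISABLE, 65536 = DONT_EXPIRE_PASSWORD.
# Assumption: the group DN has no ( ) * \ characters that would need LDAP escaping.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(memberOf:1.2.840.113556.1.4.1941:=$ADGroup)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))"

# Request only the attributes needed instead of -Properties *.
$props = 'GivenName', 'EmailAddress', 'msDS-UserPasswordExpiryTimeComputed'

$expiring = Get-ADUser -LDAPFilter $filter -SearchBase $OfficeOU -Properties $props |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 = must change at next logon; Int64.MaxValue = never expires. Skip both.
        if (-not $raw -or $raw -eq [Int64]::MaxValue) { return }

        $expiresOn = [datetime]::FromFileTime($raw)
        $daysLeft  = (New-TimeSpan -Start (Get-Date) -End $expiresOn).Days

        # Skip already-expired passwords and those outside the notification window.
        if ($expiresOn -gt (Get-Date) -and $daysLeft -lt $expireindays) {
            [pscustomobject]@{
                Name         = $_.GivenName
                EmailAddress = $_.EmailAddress
                ExpiresOn    = $expiresOn
                DaysToExpire = $daysLeft
            }
        }
    }

# Review the list before wiring it into Send-MailMessage.
$expiring | Sort-Object DaysToExpire | Format-Table -AutoSize
```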
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow