How to check if disabled samaccountnames are contained/part of an enabled samaccountname in AD (e.g.

Time:04-07

I am able to export the disabled users, but then from that .csv I want to check if they have active accounts in AD, containing their samaccount name -adm or -tst. The script runs but the second export is blank.

$users = import-csv C:\Users\....csv
$OU = 'OU=Disabled users ...'

Get-ADUser -Property Enabled -filter * -SearchBase $OU | Where {$_.Enabled -like "False"}  | Select @{Name="samaccountname";Expression={$_.SamAccountName}} | Export-Csv  C:\Users\... -notypeinformation -encoding UTF8

$data = foreach($line in $users){
    $user = $line.samaccountname
    Get-ADUser -Filter {(samaccountname -like $user) -and (samaccountname -like "*-adm") -and (samaccountname -like "*-tst")} -Properties Enabled | Where {$_.Enabled -like "True"} | select @{Name="SAPID";Expression={$_.samaccountname}}
}
$data | export-csv C:\Users\... -notypeinformation -encoding UTF8

CodePudding user response:

I think your issue is

(samaccountname -like "*-adm") -and (samaccountname -like "*-tst")

You want an -OR here but that would cause problems with your first comparison.

What would work better is something like:

# Get-ADUser -Filter only understands -like/-notlike wildcards (no -match), so the
# containment test runs server-side and the regex is applied client-side in Where.
$regex = ".\-(adm|tst)$"
Get-ADUser -Filter "samaccountname -like '*$user*'" -Properties Enabled | Where {$_.Enabled -eq $true -and $_.samaccountname -match $regex} | select @{Name="SAPID";Expression={$_.samaccountname}}

We can use Regex to match any set of characters proceeded by -adm or -tst.
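As an added illustration (not part of the answer above), here is the per-user lookup written with -or and the containment wildcards the question asks for. It assumes the ActiveDirectory module, the $OU variable from the question, and a placeholder output path; the SamAccountName check before the name is spliced into the filter string is there so that a stray `*` or quote in a name cannot change the meaning of the query.

```powershell
# Added example: per-user lookup of enabled "<sam>-adm" / "<sam>-tst" accounts.
# Assumes the ActiveDirectory module is loaded and $OU holds the disabled-users OU.
$outputCsv = 'C:\Temp\enabled-matches.csv'   # placeholder path, adjust as needed

# Disabled users straight from AD; Enabled is filterable server-side.
$disabledUsers = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $OU |
    Select-Object SamAccountName

$results = foreach ($entry in $disabledUsers) {
    $sam = $entry.SamAccountName

    # Only plain account names are spliced into the filter string; anything else is skipped
    # and reported, because '*' or quotes inside $sam would alter the query.
    if ($sam -notmatch '^[A-Za-z0-9._-]+$') {
        Write-Warning "Skipping unexpected SamAccountName '$sam'"
        continue
    }

    # String-form filter: $sam is expanded by PowerShell before the AD module parses it.
    # -or joins the two suffix tests; Enabled is checked server-side (the backtick keeps
    # the literal $true for the AD filter parser).
    $filter = "(SamAccountName -like '*$sam*-adm' -or SamAccountName -like '*$sam*-tst') -and Enabled -eq `$true"

    Get-ADUser -Filter $filter |
        Select-Object @{ Name = 'DisabledSource'; Expression = { $sam } },
                      @{ Name = 'SAPID';          Expression = { $_.SamAccountName } }
}

if ($results) {
    $results | Export-Csv $outputCsv -NoTypeInformation -Encoding UTF8
}
else {
    'No enabled -adm or -tst account matched any disabled user.'
}
```

Keeping the disabled name in a DisabledSource column makes the exported CSV reviewable: each enabled account can be traced back to the disabled account it was matched against.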

CodePudding user response:

If I understand correctly, you're looking to find all those Enabled Accounts ending in -adm OR -tst AND containing the SamAccountName of ANY disabled user found in $OU.

If my assumption is correct, one way to approach the problem is to first query all the Disabled users in $OU and have them in memory (Note that there is no need to export them to CSV and then import them back again - see inline comments).

Once we have the list of Disabled users, we can loop over them to construct an LDAP Filter which will be used to query all users at once, and lastly export to CSV if any user was found.

$OU = 'OU=Disabled users ...'

# Hold disabled Users under `$OU` in memory, no reason to import the data from CSV
$disabledUsers = Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)" -SearchBase $OU |
    Select-Object SamAccountName
# Export Disabled Users
$disabledUsers | Export-Csv C:\Users\... -NoTypeInformation -Encoding utf8

# Construct an LDAP Filter to query all users at once
$filters = foreach($user in $disabledUsers) {
    '(samAccountName=*{0}*-adm)(samAccountName=*{0}*-tst)' -f $user.SamAccountName
}
$ldapFilter = "(&(!userAccountControl:1.2.840.113556.1.4.803:=2)(|$(-join $filters)))"

# Query the users
$enabledUsers = Get-ADUser -LDAPFilter $ldapFilter

# Check if any user could be found
if(-not $enabledUsers) {
    'No Enabled -adm or -tst Account Could be found...'
}
else {
    $enabledUsers | Select-Object @{ N = "SAPID"; E = { $_.SamAccountName} } | 
        Export-Csv C:\Users\... -NoTypeInformation -Encoding utf8
}

This is an example of how the filter would look, having user0 and user1 as example SamAccountName:

(&
    (!userAccountControl:1.2.840.113556.1.4.803:=2)
    (|
        (samAccountName=*user0*-adm)
        (samAccountName=*user0*-tst)
        (samAccountName=*user1*-adm)
        (samAccountName=*user1*-tst)
    )
)