以两个 OU 中的所有用户为目标并删除分发列表 - 添加日期条件
Target all users in two OU's and remove Distribution Lists - Adding date criteria
@BenH 和@TheMadTechnician 在帮助我编写脚本方面非常有帮助,可以(仅)从特定 AD OU 中的用户删除 Distro 列表。我忘了添加一个需要的标准,所以决定 post 这是一个单独的问题(原始线程 )
@BenH 的做法是这样的:
$OUs = 'OU=PendingDeletion,OU=Users,DC=Stuff,DC=Place,DC=net','OU=HoldForReview,OU=Users,DC=Stuff,DC=Place,DC=net'
$Users = ForEach ($OU in $OUs) {
Get-ADUser -Filter * -SearchBase $OU
}
ForEach ($User in $Users) {
Get-ADPrincipalGroupMembership -Identity $user |
Where-Object {$_.GroupCategory -eq 0} |
ForEach-Object {
Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $_
}
}
我的问题 - 我可以通过向第一个循环是这样的?:
$OUs = 'OU=PendingDeletion,OU=Users,DC=Stuff,DC=Place,DC=net','OU=HoldForReview,OU=Users,DC=Stuff,DC=Place,DC=net'
DaysOld = (Get-Date).AddDays(-30)
$Users = ForEach ($OU in $OUs) {
Get-ADUser -Filter * -SearchBase $OU |
Where-Object {$_.AccountExpirationDate -gt DaysOld}}
ForEach ($User in $Users) {
Get-ADPrincipalGroupMembership -Identity $user |
Where-Object {$_.GroupCategory -eq 0} |
ForEach-Object {
Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $_
}
}
可能吗?或者我需要将 -gt 更改为 -lt 以获得正确的日期范围吗?
感谢观看!
搞定了:
Perhaps Where{$_.AccountExpirationDate -lt DaysOld -and $_.AccountExpirationDate} would work for you. That makes sure they're more than 30 days old, and makes sure that the value isn't $null. If you still feel that too many results are being generated, go and look at the dates. Are there actually any that expired less than 30 days ago, or have not yet expired?
我需要将嵌套的“where”语句更改为:
Where-Object {$_.AccountExpirationDate -lt DaysOld -and $_.AccountExpirationDate}
所以功能代码是:
DaysOld = (Get-Date).AddDays(-30)
$OUs = 'OU=PendingDeletion,OU=Users,DC=Stuff,DC=Place,DC=net','OU=HoldForReview,OU=Users,DC=Stuff,DC=Place,DC=net'
$Users = ForEach ($OU in $OUs) {
Get-ADUser -Filter * -Properties AccountExpirationDate -SearchBase $OU |
Where-Object {$_.AccountExpirationDate -lt DaysOld -and $_.AccountExpirationDate}
}
ForEach ($User in $Users) {
Get-ADPrincipalGroupMembership -Identity $user |
Where-Object {$_.GroupCategory -eq 0} |
ForEach-Object {
Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $_ -Confirm:$false
}
}
按要求作答。问题出在 Where 语句:
Where-Object {$_.AccountExpirationDate -gt DaysOld}
虽然逻辑上听起来是对的 'where the account expired more than 30 days ago' 但实际上 'where the Date that the account expired is greater than what the Date was 30 days ago'。当您考虑到某些系统将日期测量为自 Unix 纪元(1970 年 1 月 1 日 12:00:00 AM UTC)以来经过的秒数,并且日期被转换为整数时,-gt 运算符更有意义选择时间顺序上较晚发生的日期,因为自纪元以来已经过去了更多的秒数,并且整数是一个更大的数字。
如果您将 -gt 更改为 -lt,它就能满足您的需求。此外,向其中添加 -and $_.AccountExpirationDate 可确保 AccountExpirationDate 不为空。所以我们最终得到:
Where-Object {$_.AccountExpirationDate -lt DaysOld -and $_.AccountExpirationDate}
OP here - 我一直在继续努力(在协助下),并添加了一些我认为其他人可能会觉得有用的额外修饰,所以我想分享回来。
and 打破这一切的功劳应归功于此。
这会将删除的发行版名称写入 AD 帐户,使用分号分隔符(如果需要重新添加发行版,则 cut/paste 名称),并且不会增加混乱AD 帐户,如果它 运行 针对该帐户不止一次。
# Variables
DaysOld = (Get-Date).AddDays(-30)
$OUs = (
'OU=PendingDeletion,OU=Users,DC=Stuff,DC=Place,DC=net',
'OU=HoldForReview,OU=Users,DC=Stuff,DC=Place,DC=net'
)
# Collect the needed users
$Users = ForEach ($OU in $OUs) {
Get-ADUser -Filter * -Properties AccountExpirationDate,info -SearchBase $OU |
Where-Object {$_.AccountExpirationDate -lt DaysOld -and $_.AccountExpirationDate}
}
# Collect each user's Distro Lists & REMOVE
ForEach ($User in $Users) {
$distrosremoved=@()
Get-ADPrincipalGroupMembership -Identity $user |
Where-Object {$_.GroupCategory -eq "distribution"} |
ForEach-Object {
$distrosremoved+=$_.name
Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $_ -Confirm:$false
}
# Collect info from the Telephone > Notes field, and ADD the list of Distros into the existing info
if($distrosremoved){
$distro_str="Removed Distro Lists: `r`n"+($distrosremoved -join "; ")
if ($user.info){
$newinfo=$user.info+"`r`n"+$distro_str
Set-ADUser $user -Replace @{info=$newinfo}
}else{
$newinfo=$distro_str
Set-ADUser $user -Add @{info=$distro_str}
}
}
}
@BenH 和@TheMadTechnician 在帮助我编写脚本方面非常有帮助,可以(仅)从特定 AD OU 中的用户删除 Distro 列表。我忘了添加一个需要的标准,所以决定 post 这是一个单独的问题(原始线程
@BenH 的做法是这样的:
$OUs = 'OU=PendingDeletion,OU=Users,DC=Stuff,DC=Place,DC=net','OU=HoldForReview,OU=Users,DC=Stuff,DC=Place,DC=net'
$Users = ForEach ($OU in $OUs) {
Get-ADUser -Filter * -SearchBase $OU
}
ForEach ($User in $Users) {
Get-ADPrincipalGroupMembership -Identity $user |
Where-Object {$_.GroupCategory -eq 0} |
ForEach-Object {
Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $_
}
}
我的问题 - 我可以通过向第一个循环是这样的?:
$OUs = 'OU=PendingDeletion,OU=Users,DC=Stuff,DC=Place,DC=net','OU=HoldForReview,OU=Users,DC=Stuff,DC=Place,DC=net'
DaysOld = (Get-Date).AddDays(-30)
$Users = ForEach ($OU in $OUs) {
Get-ADUser -Filter * -SearchBase $OU |
Where-Object {$_.AccountExpirationDate -gt DaysOld}}
ForEach ($User in $Users) {
Get-ADPrincipalGroupMembership -Identity $user |
Where-Object {$_.GroupCategory -eq 0} |
ForEach-Object {
Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $_
}
}
可能吗?或者我需要将 -gt 更改为 -lt 以获得正确的日期范围吗?
感谢观看!
Perhaps
Where{$_.AccountExpirationDate -lt DaysOld -and $_.AccountExpirationDate}would work for you. That makes sure they're more than 30 days old, and makes sure that the value isn't$null. If you still feel that too many results are being generated, go and look at the dates. Are there actually any that expired less than 30 days ago, or have not yet expired?
我需要将嵌套的“where”语句更改为:
Where-Object {$_.AccountExpirationDate -lt DaysOld -and $_.AccountExpirationDate}
所以功能代码是:
DaysOld = (Get-Date).AddDays(-30)
$OUs = 'OU=PendingDeletion,OU=Users,DC=Stuff,DC=Place,DC=net','OU=HoldForReview,OU=Users,DC=Stuff,DC=Place,DC=net'
$Users = ForEach ($OU in $OUs) {
Get-ADUser -Filter * -Properties AccountExpirationDate -SearchBase $OU |
Where-Object {$_.AccountExpirationDate -lt DaysOld -and $_.AccountExpirationDate}
}
ForEach ($User in $Users) {
Get-ADPrincipalGroupMembership -Identity $user |
Where-Object {$_.GroupCategory -eq 0} |
ForEach-Object {
Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $_ -Confirm:$false
}
}
按要求作答。问题出在 Where 语句:
Where-Object {$_.AccountExpirationDate -gt DaysOld}
虽然逻辑上听起来是对的 'where the account expired more than 30 days ago' 但实际上 'where the Date that the account expired is greater than what the Date was 30 days ago'。当您考虑到某些系统将日期测量为自 Unix 纪元(1970 年 1 月 1 日 12:00:00 AM UTC)以来经过的秒数,并且日期被转换为整数时,-gt 运算符更有意义选择时间顺序上较晚发生的日期,因为自纪元以来已经过去了更多的秒数,并且整数是一个更大的数字。
如果您将 -gt 更改为 -lt,它就能满足您的需求。此外,向其中添加 -and $_.AccountExpirationDate 可确保 AccountExpirationDate 不为空。所以我们最终得到:
Where-Object {$_.AccountExpirationDate -lt DaysOld -and $_.AccountExpirationDate}
OP here - 我一直在继续努力(在协助下),并添加了一些我认为其他人可能会觉得有用的额外修饰,所以我想分享回来。
这会将删除的发行版名称写入 AD 帐户,使用分号分隔符(如果需要重新添加发行版,则 cut/paste 名称),并且不会增加混乱AD 帐户,如果它 运行 针对该帐户不止一次。
# Variables
DaysOld = (Get-Date).AddDays(-30)
$OUs = (
'OU=PendingDeletion,OU=Users,DC=Stuff,DC=Place,DC=net',
'OU=HoldForReview,OU=Users,DC=Stuff,DC=Place,DC=net'
)
# Collect the needed users
$Users = ForEach ($OU in $OUs) {
Get-ADUser -Filter * -Properties AccountExpirationDate,info -SearchBase $OU |
Where-Object {$_.AccountExpirationDate -lt DaysOld -and $_.AccountExpirationDate}
}
# Collect each user's Distro Lists & REMOVE
ForEach ($User in $Users) {
$distrosremoved=@()
Get-ADPrincipalGroupMembership -Identity $user |
Where-Object {$_.GroupCategory -eq "distribution"} |
ForEach-Object {
$distrosremoved+=$_.name
Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $_ -Confirm:$false
}
# Collect info from the Telephone > Notes field, and ADD the list of Distros into the existing info
if($distrosremoved){
$distro_str="Removed Distro Lists: `r`n"+($distrosremoved -join "; ")
if ($user.info){
$newinfo=$user.info+"`r`n"+$distro_str
Set-ADUser $user -Replace @{info=$newinfo}
}else{
$newinfo=$distro_str
Set-ADUser $user -Add @{info=$distro_str}
}
}
}