0 votes

Hello,

I need to email a list of user accounts that are not part of any distribution groups that start with "POD-". How can I do that?

by (1.3k points)
0

Hello,

It can be done by scheduling a report generated by a script. For us to help you with the script, please specify whether you have only distribution groups whose names start with POD- or whether there are also security groups matching the pattern. If the latter is the case, do we understand correctly that membership in the security groups should not influence the report?

0

We have both, and memberships in the security groups should not influence the report.

1 Answer

0 votes
by (228k points)

Hello,

Thank you for specifying. Below is the script for generating the report you need. For information on how to create and schedule reports, have a look at the following tutorials:

In the script:

  • $groupIdentityProperty – Specifies the LDAP name of the property that will be used to find groups whose members will be excluded from the report.
  • $groupIdentityTemplate – Specifies a template for the property value that will be used to find the groups.

```powershell
$groupIdentityProperty = "name" # TODO: modify me
$groupIdentityTemplate = "POD-*"  # TODO: modify me

# Group search parameters
$groupSearcher = New-Object Softerra.Adaxes.Adsi.Search.DirectorySearcher $NULL, $False
$groupSearcher.SearchParameters.VirtualRoot = $True
$groupSearcher.SearchParameters.SearchScope = "ADS_SCOPE_SUBTREE"
$groupSearcher.SearchParameters.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
# Groups matching the template, excluding security groups
# (groupType bit 2147483648 = 0x80000000 marks a security-enabled group)
$groupSearcher.SearchParameters.Filter = "(&(objectCategory=group)($groupIdentityProperty=$groupIdentityTemplate)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))"
$groupSearcher.SearchParameters.PageSize = 500
$groupSearcher.SearchParameters.PropertiesToLoad.Add("distinguishedName")

# Build search filter for users
$userFilter = New-Object System.Text.StringBuilder
# sAMAccountType=805306368 selects user accounts
$userFilter.Append("(&(sAMAccountType=805306368)")
try
{
    $searchIterator = $groupSearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current
        $groupDN = $searchResult.GetPropertyByName("distinguishedName").Values[0]
        # Add one negated memberOf clause per matching group
        $filterPart = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("memberOf", $groupDN)
        $userFilter.Append("(!$filterPart)")
    }
    $userFilter.Append(")")
}
finally
{
    # Release resources
    if ($searchIterator) { $searchIterator.Dispose() }
}

# Generate report
$Context.DirectorySearcher.SearchFilter = $userFilter.ToString()
$Context.Items.Add($Context.DirectorySearcher)
```

0

This pulls a list of accounts that ARE part of distribution groups that start with POD-. How do I update it to show accounts that are not part of distribution groups that start with POD-? Also, can it only pull Active accounts?

0

Hello,

How do I update it to show accounts that are not part of distribution groups that start with POD-?

The script we provided does exactly what you need. It returns accounts that are not members of the groups matching the specified template. Make sure that you specify a correct property and template in the corresponding variables.

Also, can it only pull Active accounts?

What exactly do you mean by active account? Do you mean enabled ones?

0

Sorry, yes, enabled accounts.

0

Hello,

Thank you for the confirmation. Here is the updated script.

```powershell
$groupIdentityProperty = "name" # TODO: modify me
$groupIdentityTemplate = "POD-*"  # TODO: modify me

# Group search parameters
$groupSearcher = New-Object Softerra.Adaxes.Adsi.Search.DirectorySearcher $NULL, $False
$groupSearcher.SearchParameters.VirtualRoot = $True
$groupSearcher.SearchParameters.SearchScope = "ADS_SCOPE_SUBTREE"
$groupSearcher.SearchParameters.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
# Groups matching the template, excluding security groups
# (groupType bit 2147483648 = 0x80000000 marks a security-enabled group)
$groupSearcher.SearchParameters.Filter = "(&(objectCategory=group)($groupIdentityProperty=$groupIdentityTemplate)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))"
$groupSearcher.SearchParameters.PageSize = 500
$groupSearcher.SearchParameters.PropertiesToLoad.Add("distinguishedName")

# Build search filter for users
$userFilter = New-Object System.Text.StringBuilder
# User accounts only (sAMAccountType=805306368), excluding disabled ones
# (userAccountControl bit 2 = ACCOUNTDISABLE)
$userFilter.Append("(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))")
try
{
    $searchIterator = $groupSearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current
        $groupDN = $searchResult.GetPropertyByName("distinguishedName").Values[0]
        # Add one negated memberOf clause per matching group
        $filterPart = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("memberOf", $groupDN)
        $userFilter.Append("(!$filterPart)")
    }
    $userFilter.Append(")")
}
finally
{
    # Release resources
    if ($searchIterator) { $searchIterator.Dispose() }
}

# Generate report
$Context.DirectorySearcher.SearchFilter = $userFilter.ToString()
$Context.Items.Add($Context.DirectorySearcher)
```

0

Thank you. The disabled accounts are now gone, but I'm still getting distribution groups that start with POD-. [image.png]

0

Hello,

Sorry for the confusion, but we are not sure what exactly you mean. The report only includes users, not groups. And they are only users that are not members of groups that meet the template. Your screenshot contains the Member Of section when viewing properties of a user in the Administration console, not a report. Please, make sure that you specify the $groupIdentityProperty and $groupIdentityTemplate variable values properly in your script. It might be so that a different property should be used.
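
To check what the scripts above hand to the directory, the following added example (not Softerra's code and not part of the thread) rebuilds the same user filter in plain PowerShell from constructed sample groups. `ConvertTo-LdapFilterValue`, `New-NonMemberFilter` and the `example.com` DNs are assumptions made for illustration; the `-IncludeNested` switch goes beyond the thread by using the Active Directory matching-rule-in-chain OID, since `memberOf` lists direct membership only.

```powershell
# Added example: plain PowerShell, no Adaxes or AD connection required.
# All group names, groupType values and DNs below are constructed sample data.

function ConvertTo-LdapFilterValue {
    # Escape a value for use inside an LDAP search filter (RFC 4515).
    # The backslash must be replaced first so later escapes are not doubled.
    param([string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

function New-NonMemberFilter {
    # Hypothetical helper: builds the user filter the thread's script assembles.
    param(
        [object[]]$Groups,
        [string]$Template = 'POD-*',
        [switch]$EnabledOnly,      # add the userAccountControl bit-2 test
        [switch]$IncludeNested     # assumption: also exclude indirect members
    )
    $filter = '(&(sAMAccountType=805306368)'
    if ($EnabledOnly) { $filter += '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' }
    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (walks nested groups)
    $attr = if ($IncludeNested) { 'memberOf:1.2.840.113556.1.4.1941:' } else { 'memberOf' }
    foreach ($g in $Groups) {
        if ($g.Name -notlike $Template) { continue }        # name does not match the template
        if ($g.GroupType -band 2147483648) { continue }     # security-enabled bit set: skip
        $dn = ConvertTo-LdapFilterValue $g.DN
        $filter += "(!($attr=$dn))"
    }
    $filter + ')'
}

# Constructed sample groups: two distribution groups match, one security
# group matches by name only, one distribution group does not match.
$groups = @(
    [pscustomobject]@{ Name = 'POD-Sales';    GroupType = 8;           DN = 'CN=POD-Sales,OU=Groups,DC=example,DC=com' }
    [pscustomobject]@{ Name = 'POD-Admins';   GroupType = -2147483646; DN = 'CN=POD-Admins,OU=Groups,DC=example,DC=com' }
    [pscustomobject]@{ Name = 'POD-R&D (EU)'; GroupType = 2;           DN = 'CN=POD-R&D (EU),OU=Groups,DC=example,DC=com' }
    [pscustomobject]@{ Name = 'HR-All';       GroupType = 8;           DN = 'CN=HR-All,OU=Groups,DC=example,DC=com' }
)

# Filter equivalent to the updated script (enabled users, direct membership)
New-NonMemberFilter -Groups $groups -EnabledOnly

# Same filter, but also excluding users who are members through nested groups
New-NonMemberFilter -Groups $groups -EnabledOnly -IncludeNested
```

Comparing the printed filter with the groups shown on a user's Member Of tab shows whether a given POD- group was picked up by the template or skipped as a security group.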
