-1

我写了一个脚本会禁用老用户...我需要对其进行排除列表...排除列表应该是 .csv,包含 3 列“名称”、“SamaccountName”、“原因”...我有点坚持排除列表过滤......我试图做 -notmatch 和 -notcontains 并没有对我有用......我什至尝试用 if 但相同的方式做一个 foreach......

 Function Get-ADLockOldUsers {
param ()
begin{
    [datetime]$myDate = '01/01/1601 02:00:00'
    $colObj = @()
    $AllUsers = (Get-ADUser -Filter * -Properties lastLogonTimestamp | ? {$_.Enabled} | Select-Object Name,SamAccountName,@{N="LastLogon";E={[datetime]::FromFileTime($_.lastLogonTimestamp)}})
    $AllUsers = $AllUsers | ? {(Get-Date).AddDays(-30) -gt $_.LastLogon -and -not ($_.LastLogon -eq $myDate)}
}
process {
$AllUsers | % { 
        $obj = New-Object psobject
        $obj | Add-Member noteproperty 'Name' $_.Name -Force
        $obj | Add-Member noteproperty 'SamAccountName' $_.SamAccountName -Force
        $obj | Add-Member noteproperty 'LastLogon' $_.LastLogon -Force
        $obj | Add-Member noteproperty 'NeedDisabled' $true -Force
        $colObj += $obj
        }
}
end { return $colObj }
}

Function Set-ADLockUser {
param()
begin{
    if (Test-Path '.\excludeusers.csv') {
        $excludeUsers = Import-Csv '.\excludeusers.csv'
        $DUser = @()
        $colUsers = Get-ADLockOldUsers
        $colUsers | ? {$_.SamAccountName -notcontains $excludeUsers} | % {Set-ADUser -Identity $_.SamAccountName -Enabled $false -WhatIf }
        }
    else { Write-Output "Error! excludeusers.csv cannot be found, stop script"; break }
    }
process { 
    }
end{}
}

Set-ADLockUser
4

2 回答 2

1

字符串值永远不能包含数组,所以

$_.SamAccountName -notcontains $excludeUsers

将始终评估为$true. 您需要反转检查并使引用成为字符串数组(CSV 导入生成自定义对象数组)。仅从导入的 CSV 中选择字段SamaccountName并切换参数应该可以满足您的要求:

$excludeUsers = Import-Csv '.\excludeusers.csv' | % { $_.SamaccountName }
...
$colUsers | ? { $excludeUsers -notcontains $_.SamAccountName } | ...

作为旁注,您可以简化查找过时帐户的代码,如下所示:

$myDate = Get-Date '01/01/1601 02:00:00'
$limit  = (Get-Date).AddDays(-30)

$colObj = Get-ADUser -Filter * -Properties * `
  | ? { $_.Enabled } `
  | select Name,SamAccountName,@{n="NeedDisabled";e={$true}},
      @{n="LastLogon";e={[datetime]::FromFileTime($_.lastLogonTimestamp)}} `
  | ? { $limit -gt $_.LastLogon -and $_.LastLogon -ne $myDate }
于 2013-07-11T10:32:28.510 回答
-1

这是最终的解决方案...

  <# 
    .Synopsis 
     Get All Users in the Domain and check the last logon Date
    .Example 
     Set-ADLockUser -ReportOnly:$true
     Get all users that didn't logon for a 30 days and write a report to the current directory
    .Example 
     Set-ADLockUser -ReportOnly:$false
     Get all users that didn't logon for a 30 days and disabled them
    .Description
     Get All Users in the Domain and check the last logon Date, and exclude some users from a list .\excludeusers.csv
    .Parameter ReportOnly 
     Specifies if the script is in reportmode or active mode if ReportOnly=$false all the relevant users will lock
    .Outputs 
     PSObject[] 
    .Notes 
     Name:   Set-ADLockUser 
     Author: Ohad Halali 
     Date:   14.07.2013 
    .Link 
  #> 
Function Get-ADLockOldUsers {
param ()
begin{
    [datetime]$myDate = '01/01/1601 02:00:00'
    $colObj = @()
    $AllUsers = (Get-ADUser -Filter * -Properties lastLogonTimestamp | ? {$_.Enabled} | `
                Select Name,SamAccountName,@{N="LastLogon";E={[datetime]::FromFileTime($_.lastLogonTimestamp)}}) | `
                ? {(Get-Date).AddDays(-30) -gt $_.LastLogon -and -not ($_.LastLogon -eq $myDate)}
}
process {
$AllUsers | % { 
        $obj = New-Object psobject
        $obj | Add-Member noteproperty 'Name' $_.Name -Force
        $obj | Add-Member noteproperty 'SamAccountName' $_.SamAccountName -Force
        $obj | Add-Member noteproperty 'LastLogon' $_.LastLogon -Force
        $obj | Add-Member noteproperty 'NeedDisabled' $true -Force
        $colObj += $obj
        }
}
end { return $colObj }
}

Function Set-ADLockUser {
param([bool]$ReportOnly=$true)
begin{
    if (Test-Path '.\excludeusers.csv') {
        $excludeUsers = Import-Csv '.\excludeusers.csv'
        $colUsers = Get-ADLockOldUsers | ? {$excludeUsers.SamAccountName -notcontains $_.SamAccountName}
        if ($ReportOnly) {
            $colUsers | Export-Csv '.\Report.csv' -NoClobber -NoTypeInformation -Encoding ASCII -Force
            }
        else {
                $colUsers.SamAccountName | Set-ADUser -SamAccountName $_ -Enabled:$False -Replace @{info="Disabled after no login for 30 days (Script)"} -WhatIf
            }
        }
    else { Write-Output "Error! excludeusers.csv cannot be found, stop script"; break }
    }
process {}
end{}
}

Set-ADLockUser
于 2013-07-14T14:02:18.423 回答