email - 禁用非活动 AD 用户的 Powershell 脚本创建日志并发送电子邮件

Question

一位同事联系我创建了一个 PowerShell 脚本来执行以下操作：

该脚本将读取名为“Temp Associates”的 AD 安全组的 lastlogondate，禁用 lastlogondate > 或 = 从当前日期起 29 天的帐户，然后移至 Disabled OU。当它禁用时，它还会将描述更改为禁用日期。然后创建一份列出禁用用户的报告并通过电子邮件发送给我们的全球帮助台。

我已经将一些看起来应该可以工作的东西编译在一起，但实际上并没有。当我运行脚本时，我没有收到任何错误消息，并且生成的日志文件没有填充数据。为了保持 SOX 兼容，我应该能够$PasswordAge = (Get-Date).adddays(-29)为测试目的操纵该值，因为我不确定我们目前是否有任何满足要求的帐户。

电子邮件现在正在工作，只需创建 PSCredential 以在 send-mailmessage -credential 参数中使用。

我是 PowerShell 的新手，可以使用我能获得的所有帮助。欢迎任何改进现有代码或使用不同方法的建议，但如果可能的话，我想利用我已经拥有的东西。

下面的代码：

#import the ActiveDirectory Module
Import-Module ActiveDirectory

#Create a variable for the date stamp in the log file
$LogDate = get-date -f yyyyMMddhhmm

#Sets the OU to do the base search for all user accounts, change for your env.
$SearchBase = "CN=Temp Associates,OU=Res Accounts,DC=our,DC=domain,DC=org"

#Create an empty array for the log file
$LogArray = @()

#Sets the number of days to disable user accounts based on lastlogontimestamp and pwdlastset.
$PasswordAge = (Get-Date).adddays(-29)

#Use ForEach to loop through all users with pwdlastset and lastlogontimestamp greater than date set. Also added users with no lastlogon date set. Disables the accounts and adds to log array.
#Add the properties you will be using to ensure they are available.
$DisabledUsers = (Get-ADUser -searchbase $SearchBase -Properties samaccountname, name, distinguishedname -filter {((lastlogondate -notlike "*") -OR (lastlogondate -le $Passwordage)) -AND (enabled -eq $True) -AND (whencreated -le $Passwordage)} )

if ($DisabledUsers -ne $null -and $DisabledUsers.Count > 0) {
    ForEach ($DisabledUser in $DisabledUsers) {

        #Sets the user objects description attribute to a date stamp. Example "11/13/2011"
        set-aduser $DisabledUser -Description ((get-date).toshortdatestring()) -whatif

        #Disabled user object. To log only add "-whatif"
        Disable-ADAccount $DisabledUser -whatif

        #Create new object for logging
        $obj = New-Object PSObject
        $obj | Add-Member -MemberType NoteProperty -Name "Name" -Value $DisabledUser.name
        $obj | Add-Member -MemberType NoteProperty -Name "samAccountName" -Value $DisabledUser.samaccountname
        $obj | Add-Member -MemberType NoteProperty -Name "DistinguishedName" -Value $DisabledUser.DistinguishedName
        $obj | Add-Member -MemberType NoteProperty -Name "Status" -Value 'Disabled'

        #Adds object to the log array
        $LogArray += $obj

    }

    # Move disabled users in Temp Associates group to Disabled OU 
    Search-ADAccount –AccountDisabled –UsersOnly –SearchBase “CN=Temp Associates,OU=Res Accounts,DC=our,DC=domain,DC=org”  | 
    Move-ADObject –TargetPath “OU=Disabled,DC=our,DC=domain,DC=org” -WhatIf

    #Exports log array to CSV file in the temp directory with a date and time stamp in the file name.
    $logArray | Export-Csv "C:\Temp\User_Report_$logDate.csv" -NoTypeInformation

    #Create PSCredential for use in e-mail -credential parameter
    $secpasswd = ConvertTo-SecureString "PasswordHere" -AsPlainText -Force
    $mycreds = New-Object System.Management.Automation.PSCredential ("UserHere", $secpasswd)

    #Send e-mail to Global Helpdesk with report generated
    $emailFrom = "smtp@address.com"
    $emailTo = "User@address.com" 
    $subject = "NA Disabled Temp Users to be deleted" 
    $smtpServer = "smtp.address.com"
    $attachment = "C:\Temp\User_Report_$logDate.csv"


    Send-MailMessage -To $emailTo -From $emailFrom -Subject $subject -SmtpServer $smtpServer -attachment $attachment -credential $mycreds
}else {
    Write-Output "No disabled users to process for $PasswordAge."

    #Create PSCredential for use in e-mail -credential parameter
    $secpasswd = ConvertTo-SecureString "PasswordHere" -AsPlainText -Force
    $mycreds = New-Object System.Management.Automation.PSCredential ("UserHere", $secpasswd)

    #Send e-mail to Global Helpdesk with report generated
    $emailFrom = "smtp@address.com"
    $emailTo = "User@address.com" 
    $subject = "NA Disabled Temp Users to be deleted" 
    $smtpServer = "smtp.address.com"
    $attachment = "C:\Temp\User_Report_$logDate.csv"
    Send-MailMessage -To $emailTo -From $emailFrom -Subject $subject -Body "No disabled users to process for $PasswordAge." -SmtpServer $smtpServer -credential $mycreds
}

Answer 1

我发现其中的代码if从未执行过。您必须替换$DisabledUsers.Count > 0为$DisabledUsers.Count -gt 0

Answer 2

把它作为一个答案，即使它不是一个直接的答案。

真的很难说哪里出了问题，尤其是当您没有在此过程中实施任何检查时。一个基本的调试策略是沿途添加一些输出以查看脚本是否命中部分。这就是：write-output "Entering Foreach"并write-output "Looping user $($DisabledUser.samaccountname)"确保您的脚本正确执行。这将有助于确定你打嗝的位置。

或者，我首先会在您的Get-ADUser查询中查看。单独运行它并确保它返回用户。如果没有得到它返回预期结果的地方。

这是您的代码的修订版本，如果没有返回用户，它会进行错误检查。

#import the ActiveDirectory Module
Import-Module ActiveDirectory

#Create a variable for the date stamp in the log file
$LogDate = get-date -f yyyyMMddhhmm

#Sets the OU to do the base search for all user accounts, change for your env.
$SearchBase = "CN=Temp Associates,OU=Res Accounts,DC=our,DC=domain,DC=org"

#Create an empty array for the log file
$LogArray = @()

#Sets the number of days to disable user accounts based on lastlogontimestamp and pwdlastset.
$PasswordAge = (Get-Date).adddays(-29)

#Use ForEach to loop through all users with pwdlastset and lastlogontimestamp greater than date set. Also added users with no lastlogon date set. Disables the accounts and adds to log array.
#Add the properties you will be using to ensure they are available.
$DisabledUsers = (Get-ADUser -searchbase $SearchBase -Properties samaccountname, name, distinguishedname -filter {((lastlogondate -notlike "*") -OR (lastlogondate -le $Passwordage)) -AND (enabled -eq $True) -AND (whencreated -le $Passwordage)} )

if ($DisabledUsers -ne $null -and $DisabledUsers.Count > 0) {
    ForEach ($DisabledUser in $DisabledUsers) {

        #Sets the user objects description attribute to a date stamp. Example "11/13/2011"
        set-aduser $DisabledUser -Description ((get-date).toshortdatestring()) -whatif

        #Disabled user object. To log only add "-whatif"
        Disable-ADAccount $DisabledUser -whatif

        #Create new object for logging
        $obj = New-Object PSObject
        $obj | Add-Member -MemberType NoteProperty -Name "Name" -Value $DisabledUser.name
        $obj | Add-Member -MemberType NoteProperty -Name "samAccountName" -Value $DisabledUser.samaccountname
        $obj | Add-Member -MemberType NoteProperty -Name "DistinguishedName" -Value $DisabledUser.DistinguishedName
        $obj | Add-Member -MemberType NoteProperty -Name "Status" -Value 'Disabled'

        #Adds object to the log array
        $LogArray += $obj

    }

    # Move disabled users in Temp Associates group to Disabled OU 
    Search-ADAccount –AccountDisabled –UsersOnly –SearchBase “CN=Temp Associates,OU=Res Accounts,DC=our,DC=domain,DC=org”  | 
    Move-ADObject –TargetPath “OU=Disabled,DC=our,DC=domain,DC=org” -WhatIf

    #Exports log array to CSV file in the temp directory with a date and time stamp in the file name.
    $logArray | Export-Csv "C:\Temp\User_Report_$logDate.csv" -NoTypeInformation

    #Send e-mail to Global Helpdesk with report generated
    $emailFrom = "sender@mail.com" 
    $emailTo = "recipient@mail.com" 
    $subject = "NA Disabled Temp Users to be deleted" 
    $smtpServer = "smtp.server.com"
    $attachment = "C:\Temp\User_Report_$logDate.csv"


    Send-MailMessage -To $emailTo -From $emailFrom -Subject $subject -SmtpServer $smtpServer -attachment $attachment
}else {
    Write-Output "No disabled users to process for $PasswordAge."
}