Mark Minasi's Tech Forum


#1
Hi All,

Can anyone here please assist me in modifying the PowerShell script below so that it limits the scope of listing inactive users to one particular AD security group?

$time =[datetime]::Today.Adddays(-180)
$filter={Enabled -eq $true -and LastLogonDate -le $time -and PasswordLastSet -le $time}
$props='Name','LastLogonDate', 'passwordlastset', 'CanonicalName'
$search='OU=Main Office,DC=domain,DC=com' 
Get-ADGroupMember -Identity "Browsing Allowed" | Get-ADUser -SearchBase $search -filter $filter -Properties $props | Select-Object $props |
Export-Csv -Path C:\temp\Inactive180.csv -UseCulture -NoTypeInformation

At the moment the result comes from the whole AD domain, not from within the Internet Allowed AD security group.

Here's the error message:

Get-ADUser : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of the parameters that 
take pipeline input.
At C:\Users\Admin\AppData\Local\Temp\fc8e5dd3-5962-496c-9e59-eaf95b323be2.ps1:15 char:53
+ ...  Allowed" | Get-ADUser -SearchBase $search -filter $filter -Propertie ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (CN=Jet Chen,,DC=com:PSObject) [Get-ADUser], ParameterBindingException
    + FullyQualifiedErrorId : InputObjectNotBound,Microsoft.ActiveDirectory.Management.Commands.GetADUser




#2


There are several problems with this approach.

- The group may contain not only users, but also other groups or even computer objects
- Users from the group may live outside the user searchbase you specified
- Nested membership will not resolve.

Turn it around. Get the users first, then check for membership. Something like this (just ran it in my lab). This also assumes that direct membership is sufficient.

$time = [datetime]::Today.Adddays(-180)
$filter= {Enabled -eq $true -and LastLogonDate -le $time -and PasswordLastSet -le $time}

Get-ADUser -SearchBase "ou=users,ou=myou,dc=sol,dc=local" -filter $filter -properties samaccountname,memberof | Where-Object { $_.memberof -like "*browsing allowed*" }

Note: groupname here is the CN=<name>, which may not be the same as the samAccountName.


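The "users first, then check membership" approach from the post above, carried a step further as an added example (editor's code, not the poster's): nested membership is resolved on the domain controller with the LDAP_MATCHING_RULE_IN_CHAIN rule, the group is matched on its distinguishedName rather than a `*name*` wildcard (which would also match a group such as "Browsing Allowed Contractors"), and the inactivity test handles accounts that have never logged on. It assumes the RSAT ActiveDirectory module, a group named "Browsing Allowed" and the search base OU from the original question; change `$groupName`, `$searchBase` and `$days` for your environment. One caveat worth remembering when acting on the output: `LastLogonDate` is the replicated `lastLogonTimestamp`, which can lag the real last logon by up to 14 days, so a 180-day threshold is approximate.

```powershell
# Added example (not from the original thread). Assumes the RSAT ActiveDirectory
# module is installed and that the group and OU below exist in the target domain.
Import-Module ActiveDirectory

$days       = 180
$groupName  = 'Browsing Allowed'                 # assumed group name
$searchBase = 'OU=Main Office,DC=domain,DC=com'  # assumed OU; omit -SearchBase below
                                                 # to cover the whole domain
$cutoff     = (Get-Date).AddDays(-$days)

# Resolve the group to its DN first: matching memberOf on the DN avoids the
# CN-vs-samAccountName mismatch noted in the post and any wildcard over-matching.
$group   = Get-ADGroup -Identity $groupName
# Escape characters that are special inside an LDAP filter value (RFC 4515).
# Backslash first, so the escapes we add are not re-escaped.
$groupDn = $group.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' `
                                    -replace '\)', '\29' -replace '\*', '\2a'

# 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN: the DC walks nested
# groups, so users who are members only via a sub-group are still returned.
# 1.2.840.113556.1.4.803 = bitwise AND; userAccountControl bit 2 is ACCOUNTDISABLE,
# so the negated clause keeps enabled accounts only.
$ldapFilter = "(&(objectCategory=person)(objectClass=user)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
              "(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"

$props = 'Name', 'SamAccountName', 'LastLogonDate', 'PasswordLastSet', 'CanonicalName'

$inactive = Get-ADUser -LDAPFilter $ldapFilter -SearchBase $searchBase -Properties $props |
    Where-Object {
        # A null LastLogonDate means the account has never logged on since
        # lastLogonTimestamp was introduced; treat that as inactive rather than
        # letting a null silently pass or fail the comparison.
        ($null -eq $_.LastLogonDate   -or $_.LastLogonDate   -le $cutoff) -and
        ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -le $cutoff)
    }

$inactive | Select-Object $props |
    Export-Csv -Path C:\temp\Inactive180.csv -UseCulture -NoTypeInformation

# Console summary so the run can be sanity-checked before anyone disables accounts.
"{0} enabled user(s) in '{1}' inactive for {2}+ days" -f @($inactive).Count, $groupName, $days
```

Because the membership test runs inside the LDAP query, only the matching users cross the wire, and the 5000-member limit that applies to Get-ADGroupMember through ADWS (the `MaxGroupOrMemberEntries` setting) does not come into play.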

#3
And as a general rule, if you can use a cmdlet, use that instead of calling native .NET code. So instead of using the [datetime] class, use an expression like this: (Get-Date).AddDays(-180)

The real problem with your command is that you are mixing up parameter sets for Get-ADUser. You really should be seeing an error that says PowerShell can't determine the parameter set. If you look at the help for Get-ADUser you'll see that you are actually using this syntax:

    Get-ADUser [-Identity] <ADUser> [-AuthType ] [-Credential <PSCredential>] [-Partition <String>] [-Properties <String[]>] [-Server <String>] [<CommonParameters>]

Because you are piping in the identity from Get-ADGroupMember. There is no provision for the other parameters you are trying to use.

Jeff Hicks Author ~ Trainer ~ Guru
Cloud and Datacenter Management MVP
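For readers who want to keep the original "group first" direction, here is the pipeline rewritten to respect the parameter set described above, as an added example (editor's code, not Jeff Hicks' or the original poster's). Once Get-ADGroupMember is piping identities in, Get-ADUser is in its -Identity parameter set, which accepts -Properties but not -Filter or -SearchBase, so the inactivity test moves to a client-side Where-Object after the lookup. It assumes the RSAT ActiveDirectory module, a group named "Browsing Allowed" and write access to C:\temp.

```powershell
# Added example (not from the original thread). Assumes the RSAT ActiveDirectory
# module and that the group "Browsing Allowed" exists in the current domain.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-180)
$props  = 'Name', 'SamAccountName', 'Enabled', 'LastLogonDate', 'PasswordLastSet', 'CanonicalName'

# -Recursive flattens nested groups and returns only the leaf objects
# (users, computers, contacts), never the intermediate groups themselves.
Get-ADGroupMember -Identity 'Browsing Allowed' -Recursive |
    # Keep only user objects: a computer or contact in the group would otherwise
    # make Get-ADUser throw an ObjectNotFound error for that identity.
    Where-Object { $_.objectClass -eq 'user' } |
    # Piped input binds to -Identity, so only -Properties is valid here;
    # -Filter and -SearchBase belong to a different parameter set.
    Get-ADUser -Properties $props |
    Where-Object {
        $_.Enabled -and
        # Null LastLogonDate = never logged on since lastLogonTimestamp existed;
        # count such accounts as inactive instead of relying on how PowerShell
        # compares $null to a DateTime.
        ($null -eq $_.LastLogonDate   -or $_.LastLogonDate   -le $cutoff) -and
        ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -le $cutoff)
    } |
    Select-Object $props |
    Export-Csv -Path C:\temp\Inactive180.csv -UseCulture -NoTypeInformation
```

Two caveats on this direction: Get-ADGroupMember goes through Active Directory Web Services, whose default `MaxGroupOrMemberEntries` limit of 5000 makes it fail with a size-limit error on very large groups, and -Recursive does not expand foreign security principals from trusted domains. A server-side LDAP filter on memberOf with the LDAP_MATCHING_RULE_IN_CHAIN rule sidesteps the first limit.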
