I am working with a script to notify users of expiring passwords but I am having some problems getting results back for nested groups. My script will filter users who are a member of Parent-Test. I will not have any users who are a member of this directly; they will be members of Child01-Test and Child02-Test. Child01 and Child02 are members of Parent-Test.
Is there a way to do this using Get-ADUser or should I be using something like Get-ADGroupMember?
$smtpServer = "mail.company.com"
$from = "password-reminder@company.com"   # placeholder: $from was never defined in the original, but Send-MailMessage requires -From
$expireindays = 10
$ADGroup = "CN=Parent-test,OU=Groups,OU=Test,DC=Test1,DC=Test2,DC=Test3,DC=com"
$OfficeOU = "OU=Test,DC=Test1,DC=Test2,DC=Test3,DC=com"

# Get users from AD who are enabled, whose password can expire and has not yet expired.
# Note: -Filter {memberof -eq $ADGroup} only matches DIRECT members of Parent-Test,
# which is why members of Child01-Test / Child02-Test are not returned.
Import-Module ActiveDirectory
$users = Get-ADUser -Filter {memberof -eq $ADGroup} -Properties * -SearchBase $OfficeOU |
    Where-Object { $_.Enabled -eq $true } |
    Where-Object { $_.PasswordNeverExpires -eq $false } |
    Where-Object { $_.PasswordExpired -eq $false }

foreach ($user in $users)
{
    # -Properties * above already loaded these attributes; no second Get-ADUser call is needed
    $Name = $user.GivenName
    $emailaddress = $user.EmailAddress
    $passwordSetDate = $user.PasswordLastSet
    $PasswordPol = Get-ADUserResultantPasswordPolicy $user
    # Check for a fine-grained password policy; otherwise fall back to the domain default
    if ($PasswordPol -ne $null)
    {
        $maxPasswordAge = $PasswordPol.MaxPasswordAge
    }
    else
    {
        $maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    }
    $expireson = $passwordSetDate + $maxPasswordAge
    $today = Get-Date
    $daystoexpire = (New-TimeSpan -Start $today -End $expireson).Days
    $subject = "Your Network/Outlook password will expire in $daystoexpire days"
    $attachment = "C:\Util\Outlook Web App Password Change Procedure.pdf"
    # The here-string was not terminated in the original; the closing quote is required
    $body = "
Dear $Name,
<p> Your Network/Outlook password will expire in $daystoexpire days.<br>
Please follow the instructions in the attached guide to change your password. For assistance, please contact me or send an email to admin@support.com<br></p>
"
    if ($daystoexpire -lt $expireindays)
    {
        Send-MailMessage -SmtpServer $smtpServer -From $from -To $emailaddress -Subject $subject -Body $body -Attachments $attachment -BodyAsHtml -Priority High
    }
}
I would have gathered a list of group members first using Get-ADGroupMember $ADGroup -Recursive and then matched the users against that, ex:
# $ADGroup and $OfficeOU are the values defined in the question
$pattern = [regex]::Escape($OfficeOU)
Get-ADGroupMember $ADGroup -Recursive |
    # -Recursive also returns computers, gMSAs and other principals, which Get-ADUser cannot resolve
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties * |
    Where-Object { $_.Enabled -and $_.PasswordNeverExpires -eq $false -and $_.PasswordExpired -eq $false -and $_.DistinguishedName -match $pattern }
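As an added example (not from the question or the answer above), nested membership can also be resolved inside Get-ADUser itself with the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941), which makes the domain controller walk the group chain server-side; it also swaps the manual MaxPasswordAge arithmetic for the DC-computed msDS-UserPasswordExpiryTimeComputed attribute. The function name, parameter names and the 10-day default are assumptions; $ADGroup and $OfficeOU are the distinguished names from the question.

```powershell
# Added example: nested-group expiry lookup via one LDAP query (hypothetical function name).
Import-Module ActiveDirectory

function Get-ExpiringNestedGroupUsers {
    param(
        [Parameter(Mandatory)] [string] $GroupDN,     # DN of the parent group, e.g. $ADGroup
        [Parameter(Mandatory)] [string] $SearchBase,  # OU to scope the search, e.g. $OfficeOU
        [int] $ExpireInDays = 10                      # matches $expireindays in the question
    )

    # memberOf:1.2.840.113556.1.4.1941:=  -> transitive (nested) membership, evaluated on the DC
    # !userAccountControl:...:=2           -> account is not disabled
    # !userAccountControl:...:=65536       -> "password never expires" flag is not set
    # Caveat: a DN containing ( ) * or \ must be LDAP-escaped before use in the filter.
    $ldapFilter = "(&(objectCategory=person)(objectClass=user)" +
                  "(memberOf:1.2.840.113556.1.4.1941:=$GroupDN)" +
                  "(!userAccountControl:1.2.840.113556.1.4.803:=2)" +
                  "(!userAccountControl:1.2.840.113556.1.4.803:=65536))"

    $props = 'GivenName', 'EmailAddress', 'PasswordExpired', 'msDS-UserPasswordExpiryTimeComputed'

    Get-ADUser -LDAPFilter $ldapFilter -SearchBase $SearchBase -Properties $props |
        # Skip already-expired passwords and the Int64.MaxValue sentinel the DC returns
        # when the effective policy says the password never expires.
        Where-Object { -not $_.PasswordExpired -and
                       $_.'msDS-UserPasswordExpiryTimeComputed' -lt [Int64]::MaxValue } |
        ForEach-Object {
            # The DC already applied the default or fine-grained policy; value is a FILETIME.
            $expiresOn = [DateTime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed')
            $daysLeft  = (New-TimeSpan -Start (Get-Date) -End $expiresOn).Days
            if ($daysLeft -ge 0 -and $daysLeft -lt $ExpireInDays) {
                [pscustomobject]@{
                    Name         = $_.GivenName
                    EmailAddress = $_.EmailAddress
                    ExpiresOn    = $expiresOn
                    DaysLeft     = $daysLeft
                }
            }
        }
}

# Usage with the variables from the question; pipe the objects into Send-MailMessage as before.
Get-ExpiringNestedGroupUsers -GroupDN $ADGroup -SearchBase $OfficeOU -ExpireInDays $expireindays |
    Format-Table -AutoSize
```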