Get-ADUser filter out specific OU, custom column

Question

trying to get an Audit report of active users. We have an OU that I do not want to report on.

Give me all the active (enabled) AD accounts. EXCEPT in a specific OU.

Get-ADUser -Filter{enabled -eq $true} | Select-object Samaccountname,surname,givenname `
        | Export-Csv -NoTypeInformation C:\scripts\ActiveUsers.csv

How can I filter out OU=Service Accounts?

I also need to have a custom column in Column A of the csv output. Example: The word "ACME" in column A in all rows.

Thanks much Esther

score 11 · Answer 1 · edited Jun 20 '20 at 09:12

Filter on parent containers

The OU is part of the object's DistinguishedName property.

Use Where-Object to filter out objects that reside inside a certain OU by removing the first part of the DistinguishedName and comparing the rest with the DistinguishedName of the OU:

$OUDN = "OU=Service Accounts,OU=Accounts,DC=domain,DC=tld"
Get-ADUser -Filter {Enabled -eq $true} | Where-Object { $_.DistinguishedName -notlike "*,$OUDN" }

If you know the OU name, but not the full DistinguishedName, you can remove immediate child objects of the OU from the results by splitting the distinguished name into compartments and comparing the second one (the immediate parent container) to the name you want to exclude:

$OUName = "Service Accounts"
Get-ADUser -Filter {Enabled -eq $true} | Where-Object {
    $ObjectCN,$ParentCN,$null = $_.DistinguishedName -split "(?<=[^\\]),"
    $ParentCN -ne "OU=$OUName"
}

or exclude any object with the given OU name in its ancestral path:

$OUName = "Service Accounts"
Get-ADUser -Filter {Enabled -eq $true} | Where-Object {
    $ObjectCN,$ParentCNs = $_.DistinguishedName -split "(?<=[^\\]),"
    $ParentCNs -notcontains "OU=$OUName"
}

Custom property values

Select-Object supports calculated properties. You can supply a calculated property with a static expression as the first property to select, like so:

Get-ADUser | Select-Object @{Name="MyCustomColumn";Expression={"ACME"}},Name

Exported to a CSV, the above example would have the colunm headers "MyCustomColumn" and "Name" in col A and B respectively, col A holding the value "ACME" always, whereas col B would hold the individual Names of the users

Where-Object has really bad performance. people suggest using LDAPFilter over Where-Object — Kellen Stuart, Oct 05 '17 at 19:27
@KolobCanyon Correct, but you can't do wildcard filtering against the `DistinguishedName` attribute using an LDAP filter :-) — Mathias R. Jessen, Oct 05 '17 at 20:23
I just learned that the hard way yesterday... So frustrating! — Kellen Stuart, Oct 06 '17 at 15:34
@KolobCanyon, how to incorporate the LDAPFilter instead of the Where-Object? — Senior Systems Engineer, Oct 11 '19 at 06:22
@SeniorSystemsEngineer You don't, LDAP doesn't support partial name filtering on `distinguishedName` — Mathias R. Jessen, Oct 11 '19 at 09:03

score 6 · Answer 2 · edited Jan 24 '17 at 21:26

6

This worked - thanks gang.

Get-ADUser -Filter {enabled -eq $true} | ? {$_.DistinguishedName -notlike "*,OU=Service Accounts,*"}

And the custom column:

Select-Object -Property @{n="ColumnA"; e={"ACME"}}

edited Jan 24 '17 at 21:26

jpaugh

6,634
4
38
90

answered Aug 04 '15 at 19:44

MNEsther

111
1
2
6

Get-ADUser filter out specific OU, custom column

2 Answers2

Filter on parent containers

Custom property values