I have a list of potential account ids. I would like to use Get-ADUser to query if the account or a variation of it exists in the environment. I would then like to capture the data including which account ids from my original list don't have any accounts in the environment.

I have successfully captured data for account ids that have an account or a variation of the account id in the AD environment. I am having difficulty with capturing the account ids from my original list that do not produce any results using Get-ADUser.

```powershell
foreach ($user in $inputdata) {
    $user = $user + "*"
    $(try {Get-ADUser -filter {SamAccountName -like "$user"} -properties Description} catch {$null}) | % {
        if ($_ -ne $null) {
            [pscustomobject]@{"ID"=$_.SamAccountName;"DN"=$_.DistinguishedName;"Desc"=$_.Description}
        }
        else {$noaccount += $user}
    }
}
```

My pscustomobject populates properly with data from everyone that does have an account. But there are no values in $noaccount even though there are ids in my list that do not have accounts in the environment. What should I do to capture the instances which do not have accounts using Get-ADUser? Also, no error is outputted.

James T
  • the AD cmdlets do NOT trigger any error at all if you use `-Filter` and the filter syntax is correct. so your `try/catch` is not going to work. instead, assign the call to a $Var, test that $Var with `$Null -eq $Var`, and then build a `PSCustomObject` with the appropriate values - including something like `__NotFound__` in the props other than the user name. – Lee_Dailey Jul 16 '19 at 22:12
  • @Lee_Dailey, the `-Filter` syntax isn't correct, because it uses a script block _and_ quotes around a variable reference, but more importantly, as also stated in AdminOfThings' answer, It's best to [avoid the use of script blocks (`{ ... }`) as `-Filter` arguments](https://stackoverflow.com/a/44184818/45375). – mklement0 Jul 16 '19 at 22:45
  • @mklement0 - yep, i was aware of that. [*grin*] to me, the most important thing was that - if you use the `-Filter` parameter - you will only get an error if there is a _syntax_ error ... not if the filter finds no match. that meant the `try/catch` would fail when the OP was counting on the `catch` being triggered. ///// i likely otta have mentioned the string/scriptblock problem ... thanks for heads up! [*grin*] – Lee_Dailey Jul 16 '19 at 23:25

1 Answer

The following should achieve what you want.

```powershell
$noaccount = [Collections.Generic.List[String]] @()
foreach ($user in $inputdata) {
    $userToCheck = Get-ADUser -Filter "SamAccountName -like '$user*'" -properties Description
    if ($userToCheck) {
        [pscustomobject]@{"ID"=$userToCheck.SamAccountName
                          "DN"=$userToCheck.DistinguishedName
                          "Desc"=$userToCheck.Description
        }
    }
    else {
        $noaccount.Add($user)
    }
}
```

Explanation:

`$noaccount` is initialized as a generic list of strings so that we can use the `.Add()` method rather than the inefficient `+=` operator. `$userToCheck` will contain a found user object or `$null` depending on whether the query found a result. If a user is found, the `if` condition is `$true` and your custom object is output. If no user is found, the `else` condition is triggered and the data stored in `$user` is added to the `$noaccount` collection.

I changed the `-Filter` slightly to remove the script block notation because it is not a script block. The online documentation of the command teaches bad habits by demonstrating the use of script block notation. Instead, the filter should be surrounded by double quotes with the values on the inside surrounded by single quotes. The double quotes will allow for PowerShell interpolation to expand variables within. The single quotes will be passed in literally so that the value is interpreted as a string by `Get-ADUser`.

With your attempt, the `try {}` block would rarely throw an error and would not throw an error just because an account was not found. You would have to remove the `-Filter` in favor of the `-Identity` parameter to produce errors when no object is found. You will still see errors if there are connectivity issues between your session and the domain server though. When your `Get-ADUser` command produced no output, nothing would get piped into the `foreach {}` script block. Therefore, your `if {} else {}` would never be evaluated.

Enhancement Considerations:

Following some insight provided by Lee_Dailey, instead of adding the not found accounts to a separate collection, you could incorporate them into your custom object output. Maybe you could add a new property that states whether or not they are found. See below for an example:

```powershell
$noaccount = [Collections.Generic.List[String]] @()
foreach ($user in $inputdata) {
    $userToCheck = Get-ADUser -Filter "SamAccountName -like '$user*'" -properties Description
    if ($userToCheck) {
        [pscustomobject]@{"User" = $user
                          "ID"=$userToCheck.SamAccountName
                          "DN"=$userToCheck.DistinguishedName
                          "Desc"=$userToCheck.Description
                          "In_AD" = "Yes"
        }
    }
    else {
        [pscustomobject]@{"User" = $user
                          "ID"=$null
                          "DN"=$null
                          "Desc"=$null
                          "In_AD" = "No"
        }
    }
}
```
AdminOfThings
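
An added example, not part of the original answer: because the search is a prefix match built from list data, one ID can return several accounts, and an ID containing filter metacharacters (or nothing at all) changes what the query matches. This version swaps `-Filter` for `-LDAPFilter` so the escaping rule is the RFC 4515 one, emits one row per match, and still records the IDs with no match. The function names `ConvertTo-LdapFilterLiteral` and `Find-AccountVariation` and the sample IDs are hypothetical.

```powershell
# Added example (not the answer's code). Requires the ActiveDirectory module.
# Function names and the sample IDs below are hypothetical.

function ConvertTo-LdapFilterLiteral {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515: \ * ( ) and NUL are written as a backslash plus two hex digits.
    [regex]::Replace($Value, '[\\*()\x00]', { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

function Find-AccountVariation {
    param([string[]]$Id)
    foreach ($candidate in $Id) {
        # A blank ID would turn the prefix search into "*" and return every user.
        if ([string]::IsNullOrWhiteSpace($candidate)) { continue }

        $prefix = ConvertTo-LdapFilterLiteral $candidate.Trim()
        # @() keeps zero, one and many results as an array with a usable Count.
        $found = @(Get-ADUser -LDAPFilter "(sAMAccountName=$prefix*)" -Properties Description)

        if ($found.Count -eq 0) {
            [pscustomobject]@{ User = $candidate; ID = $null; DN = $null; Desc = $null; In_AD = 'No' }
            continue
        }
        foreach ($account in $found) {   # one row per matching variation
            [pscustomobject]@{
                User  = $candidate
                ID    = $account.SamAccountName
                DN    = $account.DistinguishedName
                Desc  = $account.Description
                In_AD = 'Yes'
            }
        }
    }
}

# Constructed sample input: a plain ID, one with an apostrophe, one with a
# literal "*" (escaped to \2a, so it is not treated as a wildcard), one blank.
$inputdata = 'jsmith', "o'brien", 'svc*', ''
$report    = Find-AccountVariation -Id $inputdata
$noaccount = $report | Where-Object In_AD -eq 'No' | Select-Object -ExpandProperty User
$report | Format-Table User, ID, In_AD
```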