
I am trying to set up a powershell script to automatically run a command to get a list of all user accounts that have "Remotepowershellenabled" $True then take that list and compare it to 2 admin groups. After that I want it to set all of the user accounts that are not a part of the 2 admin accounts to then set that option to $false. When I get to this part of my script the new variable is not populating with anything. I know for a fact that there are users listed in the variable $UserswithRemotePS that are not in the $DomainAdmin variable.

```powershell
$UsersNotDA = $UserswithRemotePS | where {$_.samaccountname -inotin $DomainAdmin}
```

I put this script together by looking at a couple of other similar scripts so I clearly missed something. Any help would be greatly appreciated.

```powershell
$DomainAdmins = (Get-ADGroupMember -Identity "Domain Admins").samaccountname|out-string
$Exchangeadmins = (Get-ADGroupMember -Identity "ExchangeAdmins").samaccountname|out-string

Get-PSSession|Remove-PSSession

$ExchangePSSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://ExchangeServer/PowerShell/ -Authentication Kerberos

$UserswithRemotePS = (Invoke-Command -Session (Get-PSSession) {Get-User -ResultSize Unlimited -Filter 'RemotePowerShellEnabled -eq $true'}).samaccountname|out-string

$UsersNotDA = $UserswithRemotePS | where {$_.samaccountname -notin $DomainAdmin}
```
asked by Heimdalwk (edited by Theo)
  • Currently you have a typo: `-inotin` should probably be `-notin`. Without knowing what's in those variables it's hard to help... – Toni Oct 13 '22 at 20:06
  • I had pulled that from somewhere else and assumed it was supposed to represent "is not in", but I tried it as `-notin` as well, still no luck. I'll add the code once I get rid of the company-specific details. – Heimdalwk Oct 13 '22 at 21:04

1 Answer

There are some typos in your code, like `$DomainAdmins` where later you use `-notin $DomainAdmin` (note the missing `s`), but most notable is the mistake of destroying your arrays with `Out-String`.

This turns the arrays into single strings, whereas the `-notin` operator is meant to test whether an item is not contained in an array of things.

Also, by using single quotes here: `'RemotePowerShellEnabled -eq $true'`, `$true` will not be evaluated as you would like, because now the value is the exact string `'$true'`. For this, you need double quotes.

Try

```powershell
# get arrays of SamAccountNames (so do not pipe to Out-String!!)
# note: Get-ADGroupMember only lists direct members unless you add -Recursive
$DomainAdmins   = (Get-ADGroupMember -Identity "Domain Admins").SamAccountName
$Exchangeadmins = (Get-ADGroupMember -Identity "ExchangeAdmins").SamAccountName

Get-PSSession|Remove-PSSession

$ExchangePSSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://ExchangeServer/PowerShell/ -Authentication Kerberos

# The Exchange session runs in NoLanguage mode, so the remote script block may only contain a
# plain command (no (...).Property access): expand the property locally instead.
# The Exchange OPATH filter resolves $true itself, so keep the single quotes; with double quotes
# the filter is sent as "RemotePowerShellEnabled -eq True", which the OP reports as a syntax error.
$UserswithRemotePS = Invoke-Command -Session $ExchangePSSession -ScriptBlock {
    Get-User -ResultSize Unlimited -Filter 'RemotePowerShellEnabled -eq $true'
} | Select-Object -ExpandProperty SamAccountName

# $UserswithRemotePS is now an array of strings, so compare $_ itself (not $_.SamAccountName,
# which would be $null on a string) and exclude members of both admin groups
$UsersNotDA = $UserswithRemotePS | Where-Object { $_ -notin $DomainAdmins -and $_ -notin $Exchangeadmins }
```
answered by Theo (edited by mklement0)
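An added example (not from the question or the answer) that shows, with constructed sample arrays in place of the `Get-ADGroupMember` and `Get-User` results, why the `Out-String` version never matches and how the corrected comparison yields the list of accounts to review; `Get-NonAdminRemotePSUsers` is a hypothetical helper name.

```powershell
# Constructed sample data standing in for the Get-ADGroupMember / Get-User results (no domain needed)
$DomainAdmins      = @('alice', 'bob')
$ExchangeAdmins    = @('carol')
$UsersWithRemotePS = @('alice', 'bob', 'carol', 'dave', 'erin')

# 1) What the original script did: Out-String collapses the array into ONE multi-line string ...
$asString = $DomainAdmins | Out-String
"After Out-String: type $($asString.GetType().Name), element count $(@($asString).Count)"
# ... so -notin compares each name against that single string and never matches:
# even 'alice' is reported as "not a domain admin".
$wrong = @('alice', 'dave') | Where-Object { $_ -notin $asString }
"Wrong result: $($wrong -join ', ')"        # alice, dave

# 2) Keep the arrays as arrays and compare the strings themselves
#    (the elements already are SamAccountNames, so $_.SamAccountName would be $null on each).
function Get-NonAdminRemotePSUsers {
    param(
        [string[]] $Candidates,   # accounts with RemotePowerShellEnabled = $true
        [string[]] $Admins        # members of every admin group you want to exempt
    )
    # Case-insensitive set, matching how sAMAccountName is compared in AD
    $set = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($a in $Admins) { [void] $set.Add($a) }
    $Candidates | Where-Object { -not $set.Contains($_) }
}

$UsersNotAdmin = Get-NonAdminRemotePSUsers -Candidates $UsersWithRemotePS -Admins ($DomainAdmins + $ExchangeAdmins)
"Accounts to review: $($UsersNotAdmin -join ', ')"   # dave, erin

# 3) Only after reviewing the list, disable remote PowerShell for them (drop -WhatIf to apply):
# $UsersNotAdmin | ForEach-Object { Set-User -Identity $_ -RemotePowerShellEnabled $false -WhatIf }
```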
    Nice, though `$true`,`$false`, and `$null` _are_ expanded by the AD provider itself, from what I remember (I cannot verify it myself). With `"..."`, the `-Filter` argument becomes verbatim `RemotePowerShellEnabled -eq True` before the AD provider sees it - does that actually work? – mklement0 Oct 14 '22 at 14:15
    @mklement0 Now that you mention that, I vaguely remember that too. Perhaps the OP can tell us if the double quoting is wrong here or not, as I can't test this myself – Theo Oct 14 '22 at 14:19
    @mklement0 `'attribute -eq $bool'` will work fine though wouldn't recommend that syntax as it may bring problems and only works with equality / inequality, it would fail as soon as a wildcard is used // I think it could be worth recommending not using that syntax and using the robust `"attribute -eq '$bool'"` but as OP has it right now it will definitely work – Santiago Squarzon Oct 14 '22 at 14:32
    Thanks, @Santiago. Yes, letting the AD provider resolve variable references can lead to conceptual confusion, but, if memory serves, letting it do so for `[datetime]` instances is easier than the alternative with string interpolation (which requires calling `.ToFileTime()`, right? Or `.ToFileTimeUtc()`? I was never able to confirm that). As for the Boolean comparison: I'm assuming that AD requires an explicit `-eq` comparison, and that a PowerShell-style shortcut (`"attribute"` instead of `"attribute -eq 'True'"`) does _not_ work, correct? – mklement0 Oct 14 '22 at 14:53
    you're right on both @mklement0, something like `$date = [datetime]::now.AddDays(-30); Get-ADuser -Filter 'lastlogon -gt $date'` would work perfectly fine, the AD provider sees `$date` as a `DateTime` instance and calls `ToFileTime()` to it (unsure if `Utc` or not would need to test), as opposed to us doing it manually during string interpolation. Bool comparison (any comparison actually) requires an actual expression that the AD provider can convert into LDAP Syntax, hence `-Filter 'attribute'` is a syntax error. – Santiago Squarzon Oct 14 '22 at 15:10
    I appreciate it, @Santiago. If you could also figure out the UTC part, that would be great - I'm trying to maintain a "canonical" answer [here](https://stackoverflow.com/a/44184818/45375). I'm also wondering if there are additional data types where string interpolation requires similar workarounds. – mklement0 Oct 14 '22 at 15:19
    Thank you, guys, for the help so far. I can't believe I missed the typo. As for `""` vs `''`: the single quotes do populate the variable with the expected number of names. When I tried adjusting it to use double quotes I get an invalid syntax error, so it looks like single quotes are correct within this syntax. I also tried using the suggested syntax for the `Invoke-Command` but I get a different error: "Syntax not support by this runspace. This can occur if the runspace is in no-language mode." I apologize, all of my PowerShell knowledge is self-taught so there is a lot I still don't understand – Heimdalwk Oct 14 '22 at 16:02