PowerShell script to remove disabled and expired accounts from allusers group in AD
I've inherited a script that apparently takes 14 hours to complete. I'm not the best at PowerShell, but it seems to me the first step is to search AD for disabled and/or expired user accounts and remove them from a group, maybe several groups. Here is the script:
```powershell
$expired_disabled_users = Get-QADGroupMember -Identity allusers -SizeLimit 0 |
    ?{ $_.AccountIsDisabled -eq $true -or $_.AccountIsExpired -eq $true }
$expired_disabled_users | ?{ $_.AccountIsDisabled -eq $true } | Select Name, WhenChanged
foreach ($user in $expired_disabled_users) { Remove-QADGroupMember -Identity allusers -Member $user }
```
So, I don't have the Quest AD plugins. How can I speed up this script using the regular ActiveDirectory module in PowerShell? My initial change is this, but I don't have a way to test it since I don't have rights in the domain yet:
```powershell
$expired_disabled_users = Get-ADUser -Filter * |
    ?{ $_.AccountIsDisabled -eq $true -or $_.AccountIsExpired -eq $true }
$expired_disabled_users | ?{ $_.AccountIsDisabled -eq $true } | Select Name, WhenChanged
foreach ($user in $expired_disabled_users) { Remove-QADGroupMember -Identity allusers -Member $user }
```
Thanks in advance for the help!
I just converted the code to use the ActiveDirectory module (I don't have the Quest cmdlets) as follows.
```powershell
$expired_disabled_users = Get-ADGroupMember -Identity "allusers" |
    Get-ADUser -Properties Enabled, AccountExpirationDate |
    Where-Object { $_.Enabled -eq $false -or
                   ($_.AccountExpirationDate -is [datetime] -and $_.AccountExpirationDate -lt (Get-Date)) }
$expired_disabled_users | Where-Object { $_.Enabled -eq $false } | Select Name
foreach ($user in $expired_disabled_users) { Remove-ADGroupMember -Identity "allusers" -Member $user -WhatIf }
```
Now, of course, this will still perform slowly since it is pulling all users from Active Directory and filtering on account status. I can't find a reference to allusers in the Quest documentation, so I assume the group exists in your org. For speed testing I'm not going to use the group filter, but I will show how to filter on it. I have 600 users in AD. I'm not going to remove users, so I'll leave the code in -WhatIf to simulate processing. Most of the lost time comes from enumerating users. Address that, and the rest should be OK.

So you can approach this a couple of ways. One of the faster ways is to address it with an LDAP filter, so I'll focus on that.
```powershell
$groupdn = (Get-ADGroup "sslvpn_direct_forwards").DistinguishedName
$secondssince = (Get-Date).ToUniversalTime() - (Get-Date "00:00:00 01/01/1601") |
    Select-Object -ExpandProperty TotalSeconds
$100nanosecondintervals = ($secondssince * [math]::Pow(10, 7)).ToString("0")
$ldapfilter = "(&(memberof=$groupdn)(|(useraccountcontrol:1.2.840.113556.1.4.803:=2)(&(!(accountexpires=0))(accountexpires<=$100nanosecondintervals))))"
Get-ADUser -LDAPFilter $ldapfilter
```
Some explanation:

- `$groupdn`: the DistinguishedName of the group you are working with. LDAP queries on memberOf use the DN, so I use Get-ADGroup to capture the value.
- `$100nanosecondintervals`: the calculation of the number of 100-nanosecond intervals since "12:00 January 1, 1601". More detail can be found here.
- `$ldapfilter`: broken into 4 parts. The user needs to be a member of the group, and the account has to be at least disabled or expired.
  - `(memberof=$groupdn)` matches the group we are looking for. The resulting users have to be members of the group.
  - `(useraccountcontrol:1.2.840.113556.1.4.803:=2)` means the userAccountControl "enabled" bit is not set (I think I have that explanation right).
  - `(!(accountexpires=0))(accountexpires<=$100nanosecondintervals)` explained: an account having an expiry value set, and the accompanying date having occurred in the past..... an expired account.
Showdown

I can't accurately measure the command in question for the reasons mentioned, but you should be able to get an idea of how they stack up against each other for the primary query of users.
```powershell
1..20 | %{ Measure-Command {
    Get-ADUser -Filter * -Properties Enabled, AccountExpirationDate |
        Where-Object { $_.Enabled -eq $false -or
                       ($_.AccountExpirationDate -is [datetime] -and $_.AccountExpirationDate -lt (Get-Date)) }
} } | Select -Expand TotalSeconds | Measure-Object -Sum

1..20 | %{ Measure-Command {
    Get-ADUser -LDAPFilter $ldapfilter -Properties Enabled, AccountExpirationDate, MemberOf |
        Select Name, AccountExpirationDate, Enabled
} } | Select -Expand TotalSeconds | Measure-Object -Sum
```
Let's run the 2 commands 20 times each and see how long they take together. The first gets all users and filters for expired or disabled accounts. The second uses LDAP to get the accounts matching the same criteria as the previous one.
```
Sum : 13.0219249
Sum : 1.6220821
```
As you can see, the second query (LDAP) took less than 2 seconds compared to the 13 the first one took.
In short, I'm tired, and you should try to use the LDAP query given your criteria and what appears to be a large org.
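The following is an added example that is not part of the original question or answer. It puts the answer's LDAP-filter approach into one script that reports the disabled or expired members of a group, writes an audit file, and only removes members when explicitly asked. It assumes the RSAT ActiveDirectory module is installed and uses the group name `allusers` from the question; the parameter names, the report path and the `-Remove` switch are this example's own choices. It goes slightly beyond the answer in two ways: it converts the current time to the `accountExpires` FILETIME format with the .NET `ToFileTimeUtc()` method instead of the manual arithmetic, and it passes all stale members to a single `Remove-ADGroupMember` call rather than one call per user.

```powershell
# Added example, not the original poster's or answerer's code.
# Assumes the ActiveDirectory module (RSAT) and a group named "allusers".
#Requires -Modules ActiveDirectory
param(
    [string]$GroupName  = 'allusers',
    [string]$ReportPath = "$env:TEMP\stale-members.csv",
    [switch]$Remove     # without this switch the script only reports (dry run)
)

Import-Module ActiveDirectory

# LDAP memberOf matches on the group's distinguishedName, not its sAMAccountName.
$groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName

# accountExpires is a Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
# .NET exposes the same conversion, so no manual arithmetic is needed.
$nowFileTime = (Get-Date).ToFileTimeUtc()

# Disabled: userAccountControl has ACCOUNTDISABLE (bit value 2) set; the
# 1.2.840.113556.1.4.803 matching rule is a bitwise AND.
# Expired: accountExpires is set (not 0) and already in the past. The "never expires"
# sentinel 9223372036854775807 is larger than any current FILETIME, so the
# <= comparison excludes it without a separate clause.
$ldapFilter = "(&(objectCategory=person)(objectClass=user)(memberOf=$groupDn)" +
              "(|(userAccountControl:1.2.840.113556.1.4.803:=2)" +
              "(&(!(accountExpires=0))(accountExpires<=$nowFileTime))))"

$stale = Get-ADUser -LDAPFilter $ldapFilter -Properties userAccountControl, accountExpires, whenChanged |
    Select-Object SamAccountName, DistinguishedName, whenChanged,
        @{ n = 'Disabled'; e = { ($_.userAccountControl -band 2) -ne 0 } },
        @{ n = 'Expires';  e = {
            if ($_.accountExpires -in 0, 9223372036854775807) { 'never' }
            else { [DateTime]::FromFileTimeUtc($_.accountExpires) } } }

# Keep an audit trail of what is about to change before touching group membership.
$stale | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} disabled/expired member(s) of {1} written to {2}" -f @($stale).Count, $GroupName, $ReportPath)

if (@($stale).Count -gt 0) {
    # One call with -Members instead of one Remove-ADGroupMember per user.
    # -WhatIf stays on unless -Remove was passed, so the default run changes nothing.
    Remove-ADGroupMember -Identity $GroupName -Members $stale.DistinguishedName `
        -Confirm:$false -WhatIf:(-not $Remove)
}
```

Run it once without `-Remove` to review the CSV, then rerun with `-Remove` to apply the change. The directory does the filtering server-side, so the cost no longer scales with the total number of users in the domain, only with the size of the result set.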