Good morning.

I'm not sure if this is the correct forum to post this question, and if it's not, please direct me.

I have a script that lists the last logons for all users on all domain controllers in my domain. I've been asked to modify the script to exclude user objects if they are a member of a specific security group. I added the filter, but now the script fails to run. Here's the working script.

Trap {"Error: $_"; Break;}

$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$Domain = [ADSI]"LDAP://$D"
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.PageSize = 200
$Searcher.SearchScope = "subtree"

$Searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
$Searcher.PropertiesToLoad.Add("distinguishedName") > $Null
$Searcher.PropertiesToLoad.Add("lastLogon") > $Null

# Create hash table of users and their last logon dates.
$arrUsers = @{}

# Enumerate all Domain Controllers (lastLogon is not replicated, so each DC must be queried).
ForEach ($DC In $D.DomainControllers)
{
    $Server = $DC.Name
    $Searcher.SearchRoot = "LDAP://$Server/" + $Domain.distinguishedName
    $Results = $Searcher.FindAll()
    ForEach ($Result In $Results)
    {
        $DN = $Result.Properties.Item("distinguishedName")
        $LL = $Result.Properties.Item("lastLogon")
        If ($LL.Count -eq 0)
        {
            $Last = [DateTime]0
        }
        Else
        {
            $Last = [DateTime]$LL.Item(0)
        }
        If ($Last -eq 0)
        {
            $LastLogon = $Last.AddYears(1600)
        }
        Else
        {
            $LastLogon = $Last.AddYears(1600).ToLocalTime()
        }
        If ($arrUsers.ContainsKey("$DN"))
        {
            If ($LastLogon -gt $arrUsers["$DN"])
            {
                $arrUsers["$DN"] = $LastLogon
            }
        }
        Else
        {
            $arrUsers.Add("$DN", $LastLogon)
        }
    }
}

# Output latest last logon date for each user.
$Users = $arrUsers.Keys
ForEach ($DN In $Users)
{
    $Date = $arrUsers["$DN"]
    "$DN;$Date"
}

I tried to modify the $Searcher.Filter to be:

$Searcher.Filter = "(&(objectCategory=person)(objectClass=user))($(objectCategory=group)(!(description=Resource_Accounts)))"

Any clues as to what I've done wrong here?

You have to use the "memberOf" query segment (with the appropriate exclamation-point to indicate "NOT") in your filter statement. Here's a sample (names changed to protect the innocent):

$Searcher.Filter = "(&(objectCategory=person)(objectClass=user)(!(memberOf=CN=Domain Admins,OU=High Security Access Groups,OU=Information Technology,DC=corp,DC=myDomainHere,DC=com)))"

If you aren't that familiar with using LDAP queries, you should read up on them. Believe me, they are not for the faint of heart. There's a great tutorial on it here. If you go down about two-thirds of the way and look for the section entitled "Searching Active Directory", there's another link to a text file that has a brilliant "cheat sheet" written by a fellow named Paul S. Chapman. It will give you pretty much everything you need to know. You will of course need to do some science-experiment type activities with your specific AD environment.

Hope this helps! Good luck!
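As an added example (not part of the original thread, and not the poster's script), the filter from the answer above can be built so that the group DN is escaped before it is interpolated and so that nested membership and primary-group membership are also covered. The group DN, OU names and domain components below are hypothetical placeholders; replace them with your own.

```powershell
# Added example: exclusion filter for the DirectorySearcher in the thread above.
# Assumption: this group DN is a placeholder; substitute your real security group.
$ExcludedGroupDN = 'CN=Resource_Accounts,OU=Groups,DC=corp,DC=example,DC=com'

# RFC 4515 escaping. A DN that contains '(', ')', '*' or '\' would otherwise
# change the meaning of the filter (the LDAP equivalent of SQL injection).
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

$Escaped = ConvertTo-LdapFilterValue $ExcludedGroupDN

# 1. Direct membership only: exactly what the answer above shows.
$DirectFilter = "(&(objectCategory=person)(objectClass=user)(!(memberOf=$Escaped)))"

# 2. Nested membership: the LDAP_MATCHING_RULE_IN_CHAIN extensible match
#    (OID 1.2.840.113556.1.4.1941) makes the DC walk group-in-group links,
#    so a user in a group that is itself a member of the excluded group is
#    excluded too.
$NestedFilter = "(&(objectCategory=person)(objectClass=user)(!(memberOf:1.2.840.113556.1.4.1941:=$Escaped)))"

# 3. Primary group: a user's primary group is stored in primaryGroupID (the
#    group's RID), not in memberOf, so neither clause above sees it. Read the
#    group's SID and exclude that RID as well.
$Group = [ADSI]"LDAP://$ExcludedGroupDN"
$Sid   = New-Object System.Security.Principal.SecurityIdentifier($Group.objectSid.Value, 0)
$Rid   = $Sid.Value.Split('-')[-1]
$FullFilter = "(&(objectCategory=person)(objectClass=user)" +
              "(!(memberOf:1.2.840.113556.1.4.1941:=$Escaped))" +
              "(!(primaryGroupID=$Rid)))"

# Drop the chosen filter into the searcher from the script above.
$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$Domain = [ADSI]"LDAP://$D"
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.PageSize = 200
$Searcher.SearchScope = "subtree"
$Searcher.SearchRoot = "LDAP://" + $Domain.distinguishedName
$Searcher.PropertiesToLoad.Add("distinguishedName") > $Null
$Searcher.Filter = $FullFilter

# Sanity check before trusting the exclusion: the filtered count should be
# lower than the unfiltered one by the number of members you expect.
$Filtered = $Searcher.FindAll().Count
$Searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
$Unfiltered = $Searcher.FindAll().Count
"Users: $Unfiltered total, $Filtered after excluding $ExcludedGroupDN"
```

The broken attempt in the question fails because `(objectCategory=group)` and `(!(description=...))` were appended outside the `(&...)` group, which is not valid filter syntax; every clause has to sit inside the one enclosing `(&...)`, and the description of the group is not a property of the user object anyway, which is why the answer matches on the user's `memberOf` instead.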
