Greetings;

I am running Windows Server 2008-R2 and try to execute a PowerShell command as follows:

I am trying to locate user objects that have been inactive since September 1 and do not have any Exchange mailboxes. The query does run and I do get a number of records, however, the error is issued, as shown above.

can you please shed some light as to why I am getting this error message? I do appreciate your time.

Behrooz

You need to post your script and not a picture of it.  The error can easily be copied to the clipboard and pasted here.

It is clear that the syntax of your filter is wrong.  I do not want to have to type all of that in  when you canjsut paste it.

Try this instead:

get-aduser -filter * -properties * | 
? {$_.lastlogondate -ge "9/1/2013" -and $_.homemdb -notlike $NULL} | 
select Displayname,Distinguishedname,Samaccountname | 
export-csv 'EmployeeType.csv' -notypeinformation 

This will look at all users in the domain and filter by users logging on since Sept 1 and filter out accounts that have a mailbox database populated.  Then it'll export to a CSV with the same properties you listed above.  

If you feel that my reply has been helpful (or the answer), please mark it appropri

Looks like some syntax went wrong..

Are you try running on the AD server? if not you may have to import the AD PS modules to make AD commandlet

You guys always do everything the hard way.

Search-ADAccount -AccountInactive -DateTime '01/01/2013' -UsersOnly |
     get-aduser -Properties * -LDAPFilter '(!(homemdb=*))' -ea 0 |
     Select Displayname,Distinguishedname,Samaccountname  

Looks like some syntax went wrong..

Are you try running on the AD server? if not you may have to import the AD PS modules to make AD commandlet

Same same.  Hard = Non familiar.  

The results are the same.

To many watcha-m'call-its.  Just code to the end.

Same-same is but a drop in the Caribbean.

Chris;

Thanks much for clarifying (and simplifying) my code. I am also trying to display the "EmployeeType" attribute. That is why I thought I should include the string -ldap filter (!EmployeeType=*)

In other words, I am trying to locate those user objects that have not logged on since September 1, 2013 AND their EmployeeType is Blank (i.e. there is nothing in the EmployeeType field).

Thanks again.

Behrooz

Thanks Ajo;

I am executing the command on the Domain Controller and in fact, I already executed the Import-Module Active Directory command.

Thanks.

Thanks for your time and suggestion.

When I try your suggestion, I only get two records returned and then the same error message "Get-ADUser: Directory object not found". It is interesting that some records are returned before this error message shows up and it abends.

Thanks for your time; This is the Powershell script I typed:

get-aduser -ldapfilter "(&(&(!EmployeeType=*)(lastlogontimestamp<=130225247380000000)(userAccountControl:1.2.840.113556.1.4.803:=2)(!msExchHomeServerName=/o= Semi/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=ONWATER*)))" -properties * |ft -wrap DisplayName, DistinguishedName,SamAccountName, LegacyExchangeDN,Mail

My objective is to show all employees without an Exchange Server mailbox, where the EmployeeType field is blank (i.e. does not contain any values), and they last logged on before September 1, 2013.

• Edited by Behrooz Khorsandi Wednesday, January 15, 2014 4:07 PM

Chris;

I tried your suggestion and this time I did not get any records returned. The error message being "Get-ADUser Directory Object not found".

I have been able to successfully execute other PowerShell scripts on this same domain controller without any issues.

Thanks.

Chris;

I tried your suggestion and this time I did not get any records returned. The error message being "Get-ADUser Directory Object not found".

I have been able to successfully execute other PowerShell scripts on this same domain controller without any issues.

Thanks.

The script is excuting correctly.  The directory object you specified does NOT exist. That is what the erro5r message is telling you.  Your filter spec is impossible to read.  That is why we asked you to post the script and not a screen capture.

From what little I can see of the code it looks like your filter spec is not correct.  It has logic that willnever4 match anything. But then I cannot test it because it is not possible to copy and paste an image as code.

Please post your code.

This is the script I try to execute:

get-aduser -ldapfilter "(&(&(!EmployeeType=*)(lastlogontimestamp<=130225247380000000)(userAccountControl:1.2.840.113556.1.4.803:=2)(!msExchHomeServerName=/o= Semi/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=ONWATER*)))" -properties * |ft -wrap DisplayName, DistinguishedName,SamAccountName, LegacyExchangeDN,Mail

This is the code I am executing:

get-aduser -ldapfilter "(&(&(!EmployeeType=*)(lastlogontimestamp<=130225247380000000)(userAccountControl:1.2.840.113556.1.4.803:=2)(!msExchHomeServerName=/o= Semi/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=ONWATER*)))" -properties * |ft -wrap DisplayName, DistinguishedName,SamAccountName, LegacyExchangeDN,Mail

Try to start with this:

$filter="(&(!EmployeeType=*)(lastlogontimestamp<=130225247380000000)(userAccountControl:1.2.840.113556.1.4.803:=2))"
Get-AdUser -LDAPfilter $filter

We will add the exchange exclusion later.  This returns two disabled accounts with no EmployeeType on my server.

Are you understanding how to do this.  You cannot get Exchange data with Get-ADUser.  It is only available from Get-Mailbox and must be done in a separate step.

$filter="(&(!EmployeeType=*)(lastlogontimestamp<=130225247380000000)(userAccountControl:1.2.840.113556.1.4.803:=2))"
Get-AdUser -LDAPfilter $filter | 
     ForEach-Object{
          Get-Mailbox $_.SamAccountname
    }

Is EmployeeType a custom property in your environment?

While using Get-aduser, your own queryable 'employee' fields are:

- EmployeeID

- EmployeeNumber

Because of that, I left the employeetype filter off my command.

Are you sure you're getting no results?  It will not write anything to the screen, it will dump all the results to a .CSV in folder that you run this command.

I did double check my syntax by copying and pasting right into my powershell window and I got the desired results.

-Users that have logged in SINCE 9/01/2013 and have no mailboxes.

Can you attach a screen shot of what you're running and what the result is?

Is EmployeeType a custom property in your environment?

While using Get-aduser, your own queryable 'employee' fields are:

- EmployeeID

- EmployeeNumber

Because of that, I left the employeetype filter off my command.

Are you sure you're getting no results?  It will not write anything to the screen, it will dump all the results to a .CSV in folder that you run this command.

I did double check my syntax by copying and pasting right into my powershell window and I got the desired results.

-Users that have logged in SINCE 9/01/2013 and have no mailboxes.

Can you attach a screen shot of what you're running and what the resu

Following the instruction I just posted this is the first entry in the search results: http://msdn.microsoft.com/en-us/library/windows/desktop/ms675664(v=vs.85).aspx

Notice it has been part of the schema since Windows 2000 or it has always been part of Windows AD.  I see many trying to create EmployeeId, EmployeeNumber and EmployeeType.  They neve4r think to look anything up. It will create issues if you redefine builtin types and attributes.

Here is a good place to start to learn about Active Directory.  It is short but gets you pointed in the right direction.

The bridge to LDAP: http://www.isode.com/whitepapers/ic-6033.html

I see it now. I don't know what I did the first time I looked but I obviously did something

I see this thread isn't answered yet, so I'm taking another shot at it.  I am positive my script is going to give you the results you are looking for. I have reproduced this in my lab.

What I did:
- I created a set of users in an OU in my domain.
- I populated the 'employeeType' property on a handful of them
- I created mailboxes fora subset of those users on my Exchange server
- I did NOT log in with any of these accounts, but that is the easy part.

Run this query and you will get a returned set of accounts that:
- Have not logged on since 9/1/2013
- Do NOT have a mailbox (this is query-able through Get-ADUser because the HomeMDB property is only populated when you have a mailbox.  Using the Exchange tools is not necessary)
- Accounts that do NOT have any anything in their 'employeeType' property.

Get-AdUser -filter * -properties * |
  Where-Object {$_.HomeMDB -eq $NULL -AND
                $_.employeeType -eq $NULL -AND
                $_.lastlogondate -ge "9/01/2013"} |
  Select displayname,distinguishedname,samaccountname,employeetype |
  Export-Csv "employeetype.csv" -notypeinformation

** This result is going to find people with NO employeeType.  If that is the opposite of what you're looking for, change that like from -eq (equal) to -ne (not equal) or you can use -like and -notlike.  Both give the same results.

Your results will export to a CSV and will not print to the screen.  Again, with the way this is written, the employeetype column will be empty.

If you want to copy and paste this script, please paste it into the ISE and push play.  If you save it as a .ps1, you'll have to ensure you have the appropriate executionpolicy set (Open PS as an admin, run 'set-executionpolicy unrestricted')

If you chose to run it in a PS window as is, please ensure this whole syntax is all on one line.

Okay! Come back and tell me you were successful and mark me as the answe

Are you understanding how to do this.  You cannot get Exchange data with Get-ADUser.  It is only available from Get-Mailbox and must be done in a separate step.

$filter="(&(!EmployeeType=*)(lastlogontimestamp<=130225247380000000)(userAccountControl:1.2.840.113556.1.4.803:=2))"
Get-AdUser -LDAPfilter $filter | 
     ForEach-Object{
          Get-Mailbox $_.SamAccountname
    }

Now you will need gather the fields

Chris - The exchange part won't work on E2010. 

Regardless of what version of Exchange you are using, having an Exchange mailbox tied to your Active Directory Account WILL populate the HomeMDB property.

This does work.

*Picture Re

I think if you check you will find that you can have an Exchange server reference with no mailboxes.  There are other reasons for the exchange MDB to be set.  Thee OP said "No Mailboxes".  I have two old accounts where the mailboxes have been moved to another account and the account is still showing an MDB.

Ok - If I go back and fully disable the user then the MDB reference is removed.

Not sure how the accounts got altered like that but they are all old test accounts.

That's not accurate.  My day to day job is literally 75% running these queries to clean the environment.  I run these queries against hundreds of thousands of users to identify several things about the account.  The HomeMDB attribute is absolutely a safe bet to use to query for mailboxes.  I can imagine there are too many environments that go off and disable-mailbox for inactive users.   If you disconnect the mailbox, then yes, the attributes are blank, but then the mailbox wouldn't belong to that account anymore, would it?  I'm not sure what your experience with this particular topic is, but you are incorrect.  Please stop trying to reply to all my posts with how inaccurate I am.

Because the scope of this request is to identify inactive users, not users we have disabled and then MAYBE ran disable-mailbox on, you're over complicating this thread.

*Picture Re

Ok given all of that this is the fastest and most efficient search:

$dt=[datetime]::Today.AddDays(-90)
$filter={HomeMDB -notlike '*' -and EmployeeType -notlike '*' -and lastlogondate -lt $dt}
Get-AdUser -filter $filter -properties * | select name, samaccountname

This only retrieves the requested records. Using a "Where-Object" returns all users in the AD domain and and then filters them. The above query returns only the users matching the request. In a domain with 10000+ users the "Where" method would be very, very slow.

The plus here is that internally the framework converts this to the more efficient LDAP filter syntax.

That's not accurate.  My day to day job is literally 75% running these queries to clean the environment.  I run these queries against hundreds of thousands of users to identify several things about the account.  The HomeMDB attribute is absolutely a safe bet to use to query for mailboxes.  I can imagine there are too many environments that go off and disable-mailbox for inactive users.   If you disconnect the mailbox, then yes, the attributes are blank, but then the mailbox wouldn't belong to that account anymore, would it?  I'm not sure what your experience with this particular topic is, but you are incorrect.  Please stop trying to reply to all my posts with how inaccurate I am.

Because the scope of this request is to identify inactive users, not users we have disabled and then MAYBE ran disable-mailbox on, you're over complicating this thread.

I'll agree to that.

Instead of setting a dynamic date of 90 days ago, the request is inactive accounts since 9/1/2013. And the typo in employeetype.  We don't want them to copy and paste, then come back with "it doesn't work"

Get-AdUser -filter {HomeMDB -notlike '*' -and EmployeeType -notlike '*' -and lastlogondate -gt "9/01/2013"} | 
select displayname,distinguishedname,samaccountname,employeetype | Export-Csv "employeetype.csv" -notypeinformation		

The question  answer is still not likely correct if you look closely at the OP.  I had started a discussion with the OP to get some of that clarified and to show how to approach this.  You jumped in and spun things is a different direction which just confused the issue.  We still have no clarification.

The code I pasted was copied quickly from another file that may have been only a demo and not tested.  It was for discussion as I still think we need to know more.

I am more interested in showing you how to best approach solutions.  It is up to you and the OP to actually apply the lesson and debug the code.  If you want a finished product then you will have to pay for it.  There is no SLA for us here.

I did fix the typo but I will leave the rest.  I think our discussion leaves the opening for the OP to stretch in a question of to figure out how.  My method and your methods are both useful background along with the discussion.

Ciao!