在两个OU中定位所有用户，并删除分发列表-添加日期条件 [英] Target all users in two OU's and remove Distribution Lists - Adding date criteria

问题描述

@BenH和@TheMadTechnician在协助我编写脚本，从特定AD OU中的用户(仅)中删除发行列表(帮助)方面非常有用.我忘记添加必要的条件，因此决定将此作为单独的问题发布(原始线程

@BenH and @TheMadTechnician were extremely helpful in assisting me with a script, to remove Distro Lists (only) from users in specific AD OU's. I forgot to add a needed criteria, so decided to post this as a separate question (original thread here)

@BenH的方法是这样的:

@BenH's approach was like this:

$OUs = 'OU=PendingDeletion,OU=Users,DC=Stuff,DC=Place,DC=net','OU=HoldForReview,OU=Users,DC=Stuff,DC=Place,DC=net'
$Users = ForEach ($OU in $OUs) {
    Get-ADUser -Filter * -SearchBase $OU 
}

ForEach ($User in $Users) {
    Get-ADPrincipalGroupMembership -Identity $user |
    Where-Object {$_.GroupCategory -eq 0} |
    ForEach-Object {
        Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $_
    }
} 

我的问题-我可以通过向第一个循环中添加变量和"Where-Object"逻辑来强制脚本仅对已过期30天以上的帐户执行操作吗? :

My question - can I force the script to only take action on accounts that have expired more than 30days ago, by adding a variable and "Where-Object" logic to the first loop like this?:

    $OUs = 'OU=PendingDeletion,OU=Users,DC=Stuff,DC=Place,DC=net','OU=HoldForReview,OU=Users,DC=Stuff,DC=Place,DC=net'
    $30DaysOld = (Get-Date).AddDays(-30)

    $Users = ForEach ($OU in $OUs) {
        Get-ADUser -Filter * -SearchBase $OU |
        Where-Object {$_.AccountExpirationDate -gt $30DaysOld}}

    ForEach ($User in $Users) {
    Get-ADPrincipalGroupMembership -Identity $user |
    Where-Object {$_.GroupCategory -eq 0} |
    ForEach-Object {
        Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $_
    }
} 

可能吗?还是我需要将-gt更改为-lt才能获得正确的日期范围?

Possible? Or would I need to change the -gt to a -lt in order to get the correct date range?

感谢您的光临！

推荐答案

根据要求提供答案.问题出在Where语句上:

Making an answer as requested. The problem is with the Where statement:

Where-Object {$_.AccountExpirationDate -gt $30DaysOld}

在逻辑上听起来像是正确的'其中帐户已过期30天以上'，但实际上是'，其中帐户已过期的日期大于日期是30天前的.当您认为某些系统将日期度量为自Unix纪元(1970年1月1日，UTC AM 12:00)以来经过的秒数，并且日期被转换为整数，并且-gt运算符选择哪个更有意义由于自该纪元起经过了更多的秒数，所以日期按时间顺序在以后发生，并且整数是一个较大的数字.

While logically is sounds like it's right 'where the account expired more than 30 days ago' it actually comes out to 'where the Date that the account expired is greater than what the Date was 30 days ago'. When you consider that some systems measure dates as seconds passed since the Unix Epoch (Jan 1, 1970 at 12:00:00 AM UTC), and dates are converted to integers, and it makes more sense that the -gt operator selects whichever date happens later chronologically as more seconds have passed since the epoch, and the integer is a larger number.

如果将-gt更改为-lt，它将完成您要查找的内容.另外，向其中添加-and $_.AccountExpirationDate可以确保AccountExpirationDate不为null.所以我们最终得到:

If you change the -gt to -lt it accomplishes what you're looking for. Also, adding -and $_.AccountExpirationDate to it makes sure that the AccountExpirationDate is not null. So we end up with:

Where-Object {$_.AccountExpirationDate -lt $30DaysOld -and $_.AccountExpirationDate}

这篇关于在两个OU中定位所有用户，并删除分发列表-添加日期条件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！