Tuesday, March 26, 2013

Validate the existence of a user account in AD using PowerShell


Checking whether an AD user account exists with a PowerShell script.
Once I needed to check whether an AD user account exists on a server and is enabled.
There are two options to do that.
The first option is to use Get-ADUser.
Make sure the Active Directory module is installed.


How to install and use Active Directory Module
http://blogs.technet.com/b/heyscriptingguy/archive/2011/08/30/install-active-directory-management-service-for-easy-powershell-access.aspx

The following example shows how to use the cmdlet:

Import-Module ActiveDirectory

# $profile is the SharePoint user profile object from the surrounding script (DOMAIN\user form)
$AccountName = $profile[[Microsoft.Office.Server.UserProfiles.PropertyConstants]::AccountName].Value

# Strip the DOMAIN\ prefix so only the sAMAccountName remains.
# $UserName has to be assigned before it is used in the filter (the original assigned it afterwards).
$UserName = $AccountName.Split("\")[1]

# Get-ADUser builds the LDAP query itself, so $UserName is not spliced into a raw filter string
$UserExists = Get-ADUser -Filter { sAMAccountName -eq $UserName }

if ($UserExists -eq $null)
{
    Write-Host "User $AccountName does not exist in AD"
}
else
{
    if (!$UserExists.Enabled)
    {
        Write-Host "User $AccountName is disabled"
    }
    else
    {
        Write-Host "AD account $AccountName is ok"
    }
}
In my case I didn't have the Active Directory module installed on the production server, so I needed to find a second way. I couldn't use the function Get-ADUser from the ActiveDirectory module. My opinion is that it is better to install the module, because it has a lot of useful functions that will make your life easier. I didn't have such an opportunity, because installing the module means restarting the production server, which I needed to avoid, so I found the second option and wrote a function.

# The function Check-ADUser takes a user name (sAMAccountName) as a parameter
# and returns an object with two properties:
# Status
#              "0" if the AD account does not exist in Active Directory or was deleted
#              "1" if the user exists
# AccountEnable
#              "0" if the AD account is disabled
#              "1" if the AD account is enabled
#              "-1" if the account was not found, so the flag could not be read
# Example:
# $UserStatus = (Check-ADUser -Username "testuser1").Status
# $UserAccountEnabled = (Check-ADUser -Username "$SplitUserName").AccountEnable
function Check-ADUser
{
    Param ($Username)

    # Bind to the default naming context of the domain this machine is joined to
    $ADRoot = [ADSI]''
    $ADSearch = New-Object System.DirectoryServices.DirectorySearcher($ADRoot)
    $SAMAccountName = "$Username"
    # The original filter was missing the ")" after objectClass=user, which made the LDAP query invalid.
    # $SAMAccountName is inserted into the filter as-is, so only pass it values you trust
    # (a "*" or "(" in the name changes the meaning of the filter).
    $ADSearch.Filter = "(&(objectClass=user)(sAMAccountName=$SAMAccountName))"
    $Result = $ADSearch.FindAll()

    $Status = "-1"
    $Enabled = "-1"
    if ($Result.Count -eq 0)
    {   # No such user on the server
        $Status = "0"
    }
    else
    {   # User exists on the server
        $Status = "1"
        foreach ($objResult in $Result)
        {
            $Entry = $objResult.GetDirectoryEntry()
            # AccountDisabled is an IADsUser interface property, not an LDAP attribute, so it has to be
            # read through InvokeGet; reading $Entry.accountdisabled directly yields $null, which would
            # report every existing account as enabled.
            if ($Entry.InvokeGet("AccountDisabled"))
            {   # Account disabled
                $Enabled = "0"
            }
            else
            {   # Account enabled
                $Enabled = "1"
            }
        }
    }
    # Release the paged search handle held by FindAll()
    $Result.Dispose()

    $Results = New-Object PSObject
    $Results | Add-Member NoteProperty Status $Status
    $Results | Add-Member NoteProperty AccountEnable $Enabled
    Write-Output $Results
}

Example of how to use the function Check-ADUser:

# $profile is the SharePoint user profile object from the surrounding script (DOMAIN\user form)
$AccountName = $profile[[Microsoft.Office.Server.UserProfiles.PropertyConstants]::AccountName].Value
$SplitUserName = $AccountName.Split("\")[1]

# Query AD once and read both properties from the returned object
$ADUser = Check-ADUser -Username $SplitUserName
$UserExists = $ADUser.Status
$UserAccountEnabled = $ADUser.AccountEnable

if ($UserExists -ne 1)
{
    # "User does not exist in AD"
}
else
{
    if ($UserAccountEnabled -eq 0)
    {
        # "Account is disabled"
    }
    else
    {
        # "Account is ok"
    }
}
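The DirectorySearcher variant splices the user name straight into the LDAP filter, and a name containing "*", "(" or ")" changes what the query matches. The following is an added example, not code from the original post: it escapes the value per RFC 4515 before building the filter and reads the disabled state from the userAccountControl attribute (bit 0x2) returned by the search itself, so no second bind with GetDirectoryEntry() is needed. It goes a little beyond the post by also decoding the "password not required" bit (0x20); the function names ConvertTo-LdapFilterValue and Test-ADUserAccount are my own.

```powershell
function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value placed inside an LDAP filter.
    # The backslash is replaced first so the escapes added afterwards are not double-escaped.
    param([string]$Value)
    return $Value -replace '\\', '\5c' `
                  -replace '\*', '\2a' `
                  -replace '\(', '\28' `
                  -replace '\)', '\29' `
                  -replace "`0", '\00'
}

function Test-ADUserAccount {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $safeName = ConvertTo-LdapFilterValue $SamAccountName
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]'')
    # objectCategory=person excludes computer accounts, which also have objectClass=user
    $searcher.Filter = "(&(objectClass=user)(objectCategory=person)(sAMAccountName=$safeName))"
    # Ask only for the attributes that are needed; userAccountControl carries the flag bits
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('userAccountControl')
    $found = $searcher.FindOne()

    if ($found -eq $null) {
        # New-Object -Property is used instead of [pscustomobject] so this runs on PowerShell 2.0 as well
        return New-Object PSObject -Property @{ Exists = $false; Enabled = $null; PasswordNotRequired = $null }
    }

    $uac = [int]$found.Properties['useraccountcontrol'][0]
    return New-Object PSObject -Property @{
        Exists              = $true
        Enabled             = (($uac -band 0x2) -eq 0)    # ADS_UF_ACCOUNTDISABLE not set
        PasswordNotRequired = (($uac -band 0x20) -ne 0)   # ADS_UF_PASSWD_NOTREQD set
    }
}

# Usage: a name such as 'svc*' is now searched literally, not as a wildcard
Test-ADUserAccount -SamAccountName 'svc*'
```

Because the escaped filter is a plain equality match, a lookup for a name that does not exist returns Exists = $false instead of matching unrelated accounts.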

I hope this information will help you.
Have a good day. :)