除了确保用户对象实际上具有员工编号并已启用之外,我还尝试使用特定的员工编号过滤掉几个员工。
还有更好的写法吗?并在用户仍在使用时使其真正发挥作用。
Get-ADUser -Filter {(employeeNumber -ne $false) -and (employeeNumber -ne 000614)
-and (employeeNumber -ne 000864) -and (employeeNumber -ne 001195)
-and (employeeNumber -ne 001200) -and (employeeNumber -ne 001201)
-and (employeeNumber -ne 000628) -and (employeeNumber -ne 000742)
-and (employeeNumber -ne 000041) -and (employeeNumber -ne 001225)
-and (employeeNumber -ne 001181) -and (employeeNumber -ne 001074)
-and (employeeNumber -ne 001203) -and (employeeNumber -ne 001198)
-and (employeeNumber -ne 001208) -and (employeeNumber -ne 001224)
-and (employeeNumber -ne 001207) -and (employeeNumber -ne 001199)
-and (employeeNumber -ne 001210) -and (employeeNumber -ne 001214)
-and (employeeNumber -ne 001220) -and (employeeNumber -ne 001212)
-and (employeeNumber -ne 001213) -and (employeeNumber -ne 001221)
-and (employeeNumber -ne 000036) -and (employeeNumber -ne 000589)
-and (employeeNumber -ne 099998) -and (enabled -ne $false)}
首先,您可以创建一个哈希表,或者只是一个数字列表:
$list = New-Object Collections.Generic.List[Int]
$list.Add(000614)
...
然后检查雇主号码是否不在这个列表中:
Get-ADUser -Filter {(employeeNumber -ne $false) -and not ($list -contains employeeNumber)}
或者,您可以根据员工数据库中的其他共同点过滤这些特定员工(例如团队等于 SO-1)。
还有更好的写法吗?
其实不然,过滤方法是正确的。您可以自动化的是从值数组构建过滤器字符串。我个人在这里使用
LDAPFilter
,构建过滤字符串更容易。
$toExclude = 000864, 001200, 000628, 000041, 001181, 001203 # etc, more values can be added here
$filter = -join @(
'(&' # AND, all conditions must be met
'(!userAccountControl:1.2.840.113556.1.4.803:=2)' # Enabled objects
'(employeeNumber=*)' # employeeNumber is not null
$toExclude | ForEach-Object {
"(!employeeNumber=$_)" # employeeNumber is not equal to any of values
}
')' # close AND
)
Get-ADUser -LDAPFilter $filter