Logon Restrictions

Was approached yesterday with the following request.
- Find all users that have a logon restriction
- Return Last, First name and the users login ID
- Indicate if they belong to any group like "Citrix.PatientLink.*"

Quest AD CMDLETS to the rescue (again).

First let's find all the users with a logon restriction and toss them into a CSV file.
GET-QADUser -SizeLimit 0 -IncludeAllProperties `
WHERE {$_.logonHours -ne $null} `
SELECT logonname, logonHours `
EXPORT-CSV -Path 'C:\logonRestrictions.csv' -NoTypeInformation

We have to use the parameter -IncludeAllProperties to expand the property logonHours.

Next we will use this list to grab the users last, first name, department, logonName and indicate if they belong to any group matching "Citrix.PatientLink.*".

function Get-LogonRestrictions {
  foreach($Users in $AllUsers) {
    $MemberOF = $Null
    $User = Get-QADUser $Users.LogonName  `
      Select LastName, FirstName, Department, LogonName, MemberOf
    $Groups = (Get-QADUser $Users.LogonName).MemberOf
    foreach ($Group in $Groups){
      if($Group -match 'Citrix.Patient') {
        $MemberOF = (get-qadgroup $Group).Name
      }
    }
    $obj = New-Object psObject
    $obj  Add-Member NoteProperty LastName $User.LastName
    $obj  Add-Member NoteProperty FirstName $User.FirstName
    $obj  Add-Member NoteProperty Department $User.Department
    $obj  Add-Member NoteProperty LogonName $User.LogonName
    $obj  Add-Member NoteProperty MemberOF $MemberOF
    Write-Output $obj
  }
}

$AllUsers = Import-Csv -Path 'C:\logonRestrictions.csv'
$AllUsers  Get-LogonRestrictions Export-Csv `
   -Path 'C:\logonRestrictionsDetail.csv' 

And we are done!