PowerShell script that imports the ActiveDirectory module and uses it to gather information about user accounts in an Active Directory environment.

By José C. Nieves Pérez

Import-Module ActiveDirectory

$outputFilePath = "C:\temp\users.csv"

$userAccounts = Get-ADUser -Filter * -Properties LastLogonTimestamp, AccountExpirationDate, Enabled, LockedOut, PasswordExpired, PasswordNeverExpires, PasswordNotRequired, Description

$userList = foreach ($user in $userAccounts) {
    $groups = Get-ADPrincipalGroupMembership $user.SamAccountName | Select-Object -ExpandProperty Name

    # Create a custom object for each user with the desired properties, including the group membership
    [PSCustomObject]@{
        Username = $user.SamAccountName
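        # Accounts that have never logged on have no LastLogonTimestamp; leave the field empty instead of converting 0 to a 1601 date
        LastLogon = if ($user.LastLogonTimestamp) { [datetime]::FromFileTime($user.LastLogonTimestamp) } else { $null }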
        ExpirationDate = $user.AccountExpirationDate
        Enabled = $user.Enabled
        LockedOut = $user.LockedOut
        PasswordExpired = $user.PasswordExpired
        PasswordNeverExpires = $user.PasswordNeverExpires
        PasswordNotRequired = $user.PasswordNotRequired
        Description = $user.Description
        GroupMembership = $groups -join ", " # Join the group names into a comma-separated string
    }
}

$userList | Export-Csv -Path $outputFilePath -NoTypeInformation


This is a PowerShell script that imports the ActiveDirectory module and uses it to gather information about user accounts in an Active Directory environment.

Here’s a step-by-step breakdown of what the script is doing:

The first line imports the ActiveDirectory module, which provides cmdlets for managing Active Directory.

The second line sets the output file path to "C:\temp\users.csv". This is where the output of the script will be saved.

The third line uses the Get-ADUser cmdlet to retrieve information about all user accounts in Active Directory. The -Filter parameter is set to "*", which means all users will be returned. The -Properties parameter specifies the additional properties that will be retrieved for each user, including LastLogonTimestamp, AccountExpirationDate, Enabled, LockedOut, PasswordExpired, PasswordNeverExpires, PasswordNotRequired, and Description.

The fourth line uses a foreach loop to iterate through each user account in $userAccounts. Inside the loop, the Get-ADPrincipalGroupMembership cmdlet is used to retrieve the group membership of each user. The output is stored in the $groups variable.

The next line creates a custom object for each user, with the desired properties. The [PSCustomObject] syntax creates an object with properties that are defined within braces {}. Each property corresponds to a piece of user information that was retrieved in step 3, or derived in step 4. The GroupMembership property is derived from the $groups variable using the -join operator to join the group names into a comma-separated string.

The custom object for each user is collected in $userList: the output of the foreach statement is assigned directly to that variable, so no += operator is needed.

Finally, the $userList array is exported to a CSV file at the path specified in $outputFilePath using the Export-Csv cmdlet. The -NoTypeInformation parameter is used to exclude the type information from the CSV file.

The resulting CSV file will contain information about each user account in Active Directory, including their username, last logon time, account expiration date, and various account properties such as enabled/disabled, locked out status, password expiration, and group membership.
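To show how the exported columns can be used for an account-hygiene review, here is an added example (not part of the original script) that flags enabled accounts with weak password settings or no recent logon. The function name Get-RiskyAccount, the sample rows, the 90-day threshold and the privileged-group list are assumptions made for illustration.

```powershell
# Added example: triage rows shaped like the CSV the script above exports.
# Sample rows, the 90-day threshold and the privileged-group list are constructed assumptions.
$sampleCsv = @'
"Username","LastLogon","ExpirationDate","Enabled","LockedOut","PasswordExpired","PasswordNeverExpires","PasswordNotRequired","Description","GroupMembership"
"asmith","2024-05-01 08:15:00","","True","False","False","False","False","Finance analyst","Domain Users, Finance"
"svc_backup","2022-01-10 03:00:00","","True","False","False","True","False","Backup service","Domain Users, Domain Admins"
"tempuser","","","True","False","False","False","True","Contractor","Domain Users"
"jdoe","2021-11-20 17:42:00","","False","False","True","False","False","Left company","Domain Users"
'@

function Get-RiskyAccount {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [datetime] $AsOf = (Get-Date),
        [int] $StaleDays = 90,
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
    )
    foreach ($u in $Users) {
        if ($u.Enabled -ne 'True') { continue }   # CSV values are strings; skip disabled accounts
        $findings = @()
        if ($u.PasswordNotRequired -eq 'True')  { $findings += 'PasswordNotRequired' }
        if ($u.PasswordNeverExpires -eq 'True') { $findings += 'PasswordNeverExpires' }
        # LastLogonTimestamp is replicated lazily and can lag the real logon by about two weeks,
        # so keep the stale threshold well above that.
        $last = if ([string]::IsNullOrWhiteSpace($u.LastLogon)) { $null } else { [datetime]$u.LastLogon }
        if (-not $last -or $last.Year -le 1601) {
            $findings += 'NeverLoggedOn'          # empty value, or file time 0 converted to a 1601 date
        } elseif ($last -lt $AsOf.AddDays(-$StaleDays)) {
            $findings += "StaleOver${StaleDays}Days"
        }
        # The export joins group names with ", ", so a group name containing a comma will split wrongly here.
        $priv = ($u.GroupMembership -split ',\s*') | Where-Object { $PrivilegedGroups -contains $_ }
        if ($priv -and $findings) { $findings += "Privileged($($priv -join '; '))" }
        if ($findings) {
            [PSCustomObject]@{ Username = $u.Username; Findings = $findings -join ', ' }
        }
    }
}

Get-RiskyAccount -Users ($sampleCsv | ConvertFrom-Csv) -AsOf ([datetime]'2024-06-01') | Format-Table -AutoSize
```

To run it against real output, replace the sample with Import-Csv on the exported file; dates are written in the exporting machine's culture, so the [datetime] cast may need adjusting for non-US formats.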

