TPM device object ownership script

  • Question

  • Hello,

    I have been trying to get a script working to list all of the TPM objects that have a deleted computer's SID as their owner, so I can then in turn tell the script to delete the orphaned objects.

    I have the script returning all of the owners for all of the objects in the TPM device container, and I am now trying to tune it to only return those objects that have a SID as the owner, but I am obviously missing something.

    What I have working to return me all owners is:

    Get-ADObject -Filter {(ObjectClass -eq "msTPM-InformationObject")} | Select name,@{n="owner*";e={(Get-Acl "ad:\$($_.distinguishedname)").owner}} | export-csv mypath

    This obviously returns me a CSV listing the name of the TPM object and its current owner, but I am now trying to use a comparison operator to have it only return the objects that have an owner containing the domain SID by adding the following:

    Get-ADObject -Filter {(ObjectClass -eq "msTPM-InformationObject")} | Select name,@{n="owner*";e={(Get-Acl "ad:\$($_.distinguishedname)").owner}} | Where {"ad:\$($_.distinguishedname)".owner -like '*S-1-5-21'} | export-csv mycsvpath

    I have also tried other syntax like just $_.owner -like to no avail.

    I am pretty new to scripting and have spent many hours trying to figure out how to get this to return the desired results without having to resort to the pros, but I am not seeing where this one is going wrong exactly. I assume that the field it needs to call for the "where" function is not correct, but I just need a little help, please.

    Thank you in advance for any direction you can provide.

    • Moved by Bill_Stewart Friday, July 7, 2017 7:00 PM User answered own question
    Thursday, June 1, 2017 6:07 PM

All replies

  • Well, of course, like 10 minutes after I wrote to you all, after beating my head against the wall for hours, I got it to work finally. Just had to step away for a bit, I guess. I realized I was not calling the correct variable in my where statement that the equation was defining. I simply needed to remove the * I had in my initial variable of "owner", and the above would have worked with the * on the other side of my domain SID.

    Below is what finally returned my desired results:

    Get-ADObject -Filter {(ObjectClass -eq "msTPM-InformationObject")} | Select name,@{n="owner";e={(Get-Acl "ad:\$($_.distinguishedname)").owner}} | Where {$_.owner -like 'O:S-1-5-21*'} | export-csv mycsvpath

    Thursday, June 1, 2017 6:27 PM
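
The procedure in this thread (enumerate msTPM-InformationObject entries, read each owner, keep the ones whose owner is a bare SID, export, then delete) written out as a reviewable script. This is an added example, not the poster's code: instead of matching the owner's display string against an S-1-5-21 prefix, it asks the ACL for the owner as a SecurityIdentifier and tries to translate it to an account, so an orphan is anything whose owner SID no longer maps to a principal. It assumes the ActiveDirectory module (which provides the AD: drive used by Get-Acl), the function name Get-OrphanedTpmObject and the CSV path are this example's own choices, and the default DomainSid parameter limits results to the current domain.

```powershell
# Added example (not the poster's script): find msTPM-InformationObject entries whose
# owner SID no longer resolves to an account, i.e. the owning computer object was deleted.
# Assumes the ActiveDirectory module is available; it supplies the AD: drive for Get-Acl.
Import-Module ActiveDirectory

function Get-OrphanedTpmObject {
    [CmdletBinding()]
    param(
        # Only owners from this domain count; defaults to the current domain's SID.
        # Owners with other prefixes (BUILTIN, NT AUTHORITY, trusted domains) are ignored
        # because a lookup failure there may be a trust problem, not a deleted computer.
        [string]$DomainSid = (Get-ADDomain).DomainSID.Value
    )

    Get-ADObject -Filter { ObjectClass -eq "msTPM-InformationObject" } -Properties whenCreated |
        ForEach-Object {
            $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
            # Take the raw SID rather than the display name, so the check does not depend on
            # whether the provider happened to render the owner as DOMAIN\name or as a SID.
            $sid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
            $resolves = $true
            try {
                # Translate throws when no account exists for the SID any more.
                $null = $sid.Translate([System.Security.Principal.NTAccount])
            } catch {
                $resolves = $false
            }
            [pscustomobject]@{
                Name              = $_.Name
                DistinguishedName = $_.DistinguishedName
                WhenCreated       = $_.whenCreated
                OwnerSid          = $sid.Value
                OwnerResolves     = $resolves
            }
        } |
        Where-Object { (-not $_.OwnerResolves) -and ($_.OwnerSid -like "$($DomainSid)-*") }
}

# Step 1: produce the list and keep a record of it (placeholder path).
$orphans = Get-OrphanedTpmObject
$orphans | Export-Csv -Path 'C:\temp\orphaned-tpm-objects.csv' -NoTypeInformation

# Step 2: dry run. -WhatIf reports what would be removed without changing the directory;
# drop it only after the CSV has been reviewed.
$orphans | ForEach-Object { Remove-ADObject -Identity $_.DistinguishedName -WhatIf }
```

Two points a practitioner would check before running this for real: an unresolved SID is only evidence that the account is gone if the lookup itself succeeded, which is why the default filter restricts results to the local domain's SID prefix, and the TPM information object is what a computer's BitLocker/TPM owner data hangs off, so the CSV should be compared against the deleted-objects container (or a recent backup) before Remove-ADObject is run without -WhatIf.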