Get-ADUser -Filter on multiple group memberships

Question

  • Hi Guys,

    I have to reorganise a bunch of users into new groups and have used the following one-liner as the basis for much of what I needed to do.  What I need to do now is filter using an additional group.  For example the script below adds users from "people OU" who are members of group "USERS_X" to group "DestGroup"  -  How do I extend this so that I can select users who are in "USERS_X" and "USERS_Y" and beyond?

    Get-ADUser -Filter { memberof -RecursiveMatch "CN=USERS_X,OU=Groups,DC=testdomain,DC=local" } -SearchBase "OU=People,DC=testdomain,DC=local" | %{Add-ADGroupMember -identity 'DestGroup' $_ -whatif}


    Hope someone can help

    Thanks

    Mick

    Tuesday, October 04, 2011 11:01 PM

Answers

  • The Get-ADUser cmdlet has a -SearchBase parameter where you specify the DN of the OU where the search starts. The -SearchScope parameter would be "subtree" if you want to search the base OU and all child OU's under that, or "onelevel" if you only want to search the base OU and no child OU's. I would suggest:

    Get-ADUser -LDAPFilter "(&(memberOf:1.2.840.113556.1.4.1941:=cn=Users_X,ou=Groups,dc=hadtest,dc=local)(memberOf:1.2.840.113556.1.4.1941:=cn=Users_Y,ou=Groups,dc=hadtest,dc=local))" -SearchBase "ou=People,dc=hadtest,dc=local" -SearchScope onelevel | %{Add-ADGroupMember -identity 'DestGroup' $_ -whatif}

    I'm not sure about the DN of ou "people".



    Richard Mueller - MVP Directory Services
    • Marked as answer by Mickoz Wednesday, October 05, 2011 10:50 PM
    Wednesday, October 05, 2011 11:36 AM
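
    The accepted answer hard-codes two memberOf clauses; Mick's "and beyond" asks for an arbitrary number of groups, and the earlier reply explains that "&" versus "|" decides whether a user must be in all of the groups or any of them. The script below is an added example, not code from either poster: it builds the LDAP filter from a list of group DNs using the same LDAP_MATCHING_RULE_IN_CHAIN OID, restricts the search to the People OU with -SearchBase and -SearchScope, and stages the group adds with -WhatIf. The group and OU DNs are placeholders for testdomain.local, and the ActiveDirectory module is assumed to be installed. It also checks that each group DN resolves before querying, because a mistyped DN in a matching-rule clause simply matches nobody rather than raising an error, and it escapes the characters that are special inside an LDAP filter value.

    ```powershell
    # Added example (not from the thread). Requires the ActiveDirectory module.
    # Group and OU DNs are placeholders for a lab domain testdomain.local.
    Import-Module ActiveDirectory

    function Get-UsersInGroups {
        param(
            [Parameter(Mandatory)] [string[]] $GroupDNs,      # DNs of the groups to test membership in
            [Parameter(Mandatory)] [string]   $SearchBase,    # DN of the OU to search
            [ValidateSet('Base', 'OneLevel', 'Subtree')]
            [string] $SearchScope = 'OneLevel',               # OneLevel = base OU only, Subtree = base and children
            [switch] $AnyGroup                                # set to require membership in ANY group (|) instead of ALL (&)
        )

        # Escape the characters that are significant in an LDAP filter value (RFC 4515),
        # so a DN containing e.g. parentheses cannot break or alter the filter.
        # Backslash is replaced first so the later replacements are not double-escaped.
        $escape = {
            param([string] $s)
            $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
        }

        $clauses = foreach ($dn in $GroupDNs) {
            # Fail early on a typo: Get-ADGroup throws if the DN does not exist.
            $null = Get-ADGroup -Identity $dn -ErrorAction Stop
            # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (direct or nested membership)
            "(memberOf:1.2.840.113556.1.4.1941:=$(& $escape $dn))"
        }

        $operator = if ($AnyGroup) { '|' } else { '&' }
        $filter   = "($operator$($clauses -join ''))"
        Write-Verbose "LDAP filter: $filter"

        Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -SearchScope $SearchScope
    }

    # Placeholder DNs; extend the list with as many groups as needed.
    $groups = @(
        'CN=USERS_X,OU=Groups,DC=testdomain,DC=local',
        'CN=USERS_Y,OU=Groups,DC=testdomain,DC=local',
        'CN=USERS_Z,OU=Groups,DC=testdomain,DC=local'
    )

    # Users in the People OU who are members of ALL listed groups; -WhatIf stages the change
    # so the membership edits can be reviewed before the switch is removed.
    Get-UsersInGroups -GroupDNs $groups -SearchBase 'OU=People,DC=testdomain,DC=local' -Verbose |
        ForEach-Object { Add-ADGroupMember -Identity 'DestGroup' -Members $_ -WhatIf }
    ```

    Run it once with -Verbose and -WhatIf to see the generated filter and the users that would be added; add -AnyGroup to switch the filter to the OR form from the first reply. Chained matching-rule queries are evaluated per object on the domain controller, so keep the search base as narrow as the task allows.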

All replies

  • I don't know what you mean by "and beyond". However, you can use the LDAP_MATCHING_RULE_IN_CHAIN in an LDAP filter for recursive group membership. You can OR clauses with the "|" OR operator. For example, to retrieve all users that are members (directly or due to group nesting) of either of two groups: 


    Get-ADUser -LDAPFilter "(|(memberOf:1.2.840.113556.1.4.1941:=cn=Users_X,ou=Groups,dc=testdomain,dc=local)(memberOf:1.2.840.113556.1.4.1941:=cn=Users_Y,ou=Groups,dc=testdomain,dc=local))"

    -----


    The above is one line. For documentation on the filter syntax, see this link:

    http://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx


    As noted, I assumed you want all users that are members of either of the two groups. If instead you need users that are members of both of the groups, use the AND operator "&" instead of "|" to operate on the clauses. More on filters here:

    http://www.rlmueller.net/ADOSearchTips.htm



    Richard Mueller - MVP Directory Services
    Wednesday, October 05, 2011 12:13 AM
  • Hi Richard,


    Thanks for your reply.  I meant more than 2 groups when I said "beyond" :)


    I do need an & operation so what you have provided works and selects only members that are in both USERS_X AND USERS_Y


    Sorry, I'm a dummy :)  How do I extend this to include an OU?

    So what I need is for the selected user to be in group USERS_X & group USERS_Y & located in OU "People"

    What I have thus far:

    Get-ADUser -LDAPFilter "(&(memberOf:1.2.840.113556.1.4.1941:=cn=Users_X,ou=Groups,dc=hadtest,dc=local)(memberOf:1.2.840.113556.1.4.1941:=cn=Users_Y,ou=Groups,dc=hadtest,dc=local))" | %{Add-ADGroupMember -identity 'DestGroup' $_ -whatif}


    Any ideas?


    Thanks


    Mick


    • Edited by Mickoz Wednesday, October 05, 2011 2:06 AM
    Wednesday, October 05, 2011 1:56 AM
  • Thank you Richard


    As always you come to the rescue :)


    Regards


    Mick

    Wednesday, October 05, 2011 10:50 PM