List out enabled users who are members of certain security groups

  • Question

  • Hi All,

    Thanks in advance. I am trying to list out the number of users who are enabled and are members of certain security groups. This looks very simple, but I am unable to retrieve any output; I am missing something somewhere, so I am requesting help on this:

    (Get-ADForest).domains | % { Get-ADUser -Filter 'Enabled -eq "True" -and ((memberof -like "CN=Internet Access _ Medium") -or (memberof -like "CN=Internet Access _ Low") -or (memberof -like "CN=Internet Access _ High") -or (memberof -like "CN=Internet Access _ Full"))' -Properties * -SearchScope 2 | Select Name, Distinguishedname }


    Niranjan

    Thursday, June 21, 2018 12:50 PM


All replies

  • 'Enabled -eq $true'

    # $groups holds the full distinguished names of the groups to match
    Get-ADUser -Filter 'Enabled -eq $true' -Properties memberOf | Where-Object { [bool]($_.MemberOf | Where-Object { $_ -in $groups }) }


    \_(ツ)_/


    • Edited by jrv Thursday, June 21, 2018 1:00 PM
    • Marked as answer by Niri.shetty5323411 Friday, June 22, 2018 1:35 PM
    Thursday, June 21, 2018 12:57 PM
  • The memberOf attribute is DN syntax. The -Filter and -LDAPFilter parameters can only use the -eq or -ne operators with DN attributes. You must specify the full distinguished names of the groups. After a pipe, a Where clause can employ other operators.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Thursday, June 21, 2018 1:38 PM
  • HI JRV,

    But when I used 'Enabled -eq "True"' it worked and listed all the details of the users who were enabled; it was only when I added the security groups that the command didn't give me any input.
    What it does is: the command executes and outputs nothing.

    Thanks,

    Niru


    Niranjan

    Thursday, June 21, 2018 1:51 PM
  • HI JRV,

    But when I used 'Enabled -eq "True"' it worked and listed all the details of the users who were enabled; it was only when I added the security groups that the command didn't give me any input.
    What it does is: the command executes and outputs nothing.

    Thanks,

    Niru


    Niranjan

    Yes.  In this particular case you can get away with this, but you should never use strings to check Boolean values.

    Note that "False" is also $true:

    PS D:\scripts> $true -eq 'false'
    True

    or

    PS D:\scripts> [bool]'False'
    True

    and

    PS D:\scripts> [bool]$false
    False

    Computers are tricky.  You need to learn a bit about how they and logic work.


    \_(ツ)_/

    Thursday, June 21, 2018 2:01 PM
  • Try

    Get-ADUser -Filter {Enabled -eq $True -and memberof -like "CN=Internet Access _ Medium" -or memberof -like "CN=Internet Access _ Low" -or memberof -like "CN=Internet Access _ High" -or memberof -like "CN=Internet Access _ Full"}   |
     Select Name, Distinguishedname 

    The issue seems to be with

    Get-ADUser -Filter 'Enabled -eq "True" 

     should be

    Get-ADUser -Filter "Enabled -eq $True"

    Thursday, June 21, 2018 2:04 PM
  • As I stated, use the -eq operator and specify the full distinguished name of each group or the -filter will never work with memberOf. And use $True for the boolean.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, June 21, 2018 2:12 PM
  • Hi Richard,

    Thanks for the advice. I used the DN for all group names: I got the list of all group DNs, ran the command, and got what I needed. Below is the one I used:

    (Get-ADForest).domains | % { Get-ADUser -Filter 'Enabled -eq "True" -and ((memberof -like "CN=Internet Access _ Low,OU=_Security Groups,OU=_OUname,DC=domain,DC=name") -or (memberof -like "CN=Internet Access _ Low,OU=_Security Groups,OU=_OUname,DC=domain,DC=name") -or (memberof -like "CN=Internet Access _ High,OU=_Security Groups,OU=_OUname,DC=domain,DC=name") -or (memberof -like "CN=Internet Access _ Full,OU=_Security Groups,OU=_OUname,DC=domain,DC=name"))' -Properties * -SearchScope 2 }| Export-csv filepath


    Niranjan

    Friday, June 22, 2018 1:34 PM
  • I'm glad it worked. Using full DNs can make the filter long, but I've used very long filters, hundreds of characters long, with no problems. Once it is coded, it can be reused.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Friday, June 22, 2018 1:38 PM
  • Hi Richard,

    Thanks for the advice. I used the DN for all group names: I got the list of all group DNs, ran the command, and got what I needed. Below is the one I used:

    (Get-ADForest).domains | % { Get-ADUser -Filter 'Enabled -eq "True" -and ((memberof -like "CN=Internet Access _ Low,OU=_Security Groups,OU=_OUname,DC=domain,DC=name") -or (memberof -like "CN=Internet Access _ Low,OU=_Security Groups,OU=_OUname,DC=domain,DC=name") -or (memberof -like "CN=Internet Access _ High,OU=_Security Groups,OU=_OUname,DC=domain,DC=name") -or (memberof -like "CN=Internet Access _ Full,OU=_Security Groups,OU=_OUname,DC=domain,DC=name"))' -Properties * -SearchScope 2 }| Export-csv filepath


    Niranjan

    This will not do what you asked for.  It has two major errors and one minor error.


    \_(ツ)_/

    Friday, June 22, 2018 1:45 PM
  • I didn't even scroll to view the code. The -Like operator requires use of the "*" wildcard, but should not be used with DN attributes. Only the -eq and -ne operators should be used. A limitation of LDAP syntax and DN attributes, and all PowerShell filters are converted to LDAP under the covers.

    Edit: Oh, "True" is not boolean.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Friday, June 22, 2018 1:50 PM
  • Here is the easy way to do compound filters:

    # Member of ANY of the four groups named in the question: join the memberof
    # clauses with -or and wrap them in parentheses, because -and binds tighter than -or.
    $filter = @'
        Enabled -eq $true -and (
            memberof -eq 'CN=Internet Access _ Medium,OU=_Security Groups,OU=_OUname,DC=domain,DC=name' -or
            memberof -eq 'CN=Internet Access _ Low,OU=_Security Groups,OU=_OUname,DC=domain,DC=name' -or
            memberof -eq 'CN=Internet Access _ High,OU=_Security Groups,OU=_OUname,DC=domain,DC=name' -or
            memberof -eq 'CN=Internet Access _ Full,OU=_Security Groups,OU=_OUname,DC=domain,DC=name'
        )
    '@
    (Get-ADForest).domains | 
        ForEach-Object {
            Get-ADUser -Filter $filter -Properties *
        }| 
        Export-csv filepath

    "SearchScope 2" is the default.  It is not needed.

    Try to never force everything onto one line. It makes debugging and reading very difficult.

    Even with this, the filter will not work.


    \_(ツ)_/


    • Edited by jrv Friday, June 22, 2018 1:55 PM
    Friday, June 22, 2018 1:51 PM
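Putting Richard's rule (memberOf is DN syntax, so only -eq with the complete DN works in -Filter) together with jrv's advice to build the compound filter separately, as an added example that is not code from the thread: the group DNs are the placeholder values quoted in the question, the function name New-GroupMemberFilter is my own, and the client-side -in check is there only to cross-check the server-side filter.

```powershell
# Added example, not from the thread. The group DNs are the placeholder values
# quoted in the question; replace them with the real DNs (e.g. from Get-ADGroup).
$groupDNs = @(
    'CN=Internet Access _ Medium,OU=_Security Groups,OU=_OUname,DC=domain,DC=name'
    'CN=Internet Access _ Low,OU=_Security Groups,OU=_OUname,DC=domain,DC=name'
    'CN=Internet Access _ High,OU=_Security Groups,OU=_OUname,DC=domain,DC=name'
    'CN=Internet Access _ Full,OU=_Security Groups,OU=_OUname,DC=domain,DC=name'
)

# memberOf is DN syntax: the -Filter parser accepts only -eq / -ne on it and needs
# the complete DN, so emit one -eq clause per group. Join them with -or and wrap in
# parentheses, because -and binds tighter than -or. $true stays a boolean; "True"
# would be a string (and [bool]'False' is $true, as shown above).
function New-GroupMemberFilter {
    param([Parameter(Mandatory)][string[]]$GroupDN)
    $clauses = foreach ($dn in $GroupDN) { "memberOf -eq '$dn'" }
    "Enabled -eq `$true -and (" + ($clauses -join ' -or ') + ')'
}

$filter = New-GroupMemberFilter -GroupDN $groupDNs
Write-Verbose $filter -Verbose   # inspect the generated filter before querying

# Get-ADUser searches only the current domain; pass each forest domain as -Server.
# Request just memberOf instead of -Properties * to keep the query cheap.
$serverSide = (Get-ADForest).Domains | ForEach-Object {
    Get-ADUser -Server $_ -Filter $filter -Properties memberOf |
        Select-Object Name, DistinguishedName, Enabled
}

# Cross-check with the client-side Where / -in form from the thread: it pulls every
# enabled user first, but allows any comparison the pipeline supports.
$clientSide = (Get-ADForest).Domains | ForEach-Object {
    Get-ADUser -Server $_ -Filter 'Enabled -eq $true' -Properties memberOf |
        Where-Object { [bool]($_.memberOf | Where-Object { $_ -in $groupDNs }) } |
        Select-Object Name, DistinguishedName, Enabled
}

# Both counts should agree; a mismatch means a DN in $groupDNs is wrong or incomplete.
"Server-side matches: $($serverSide.Count); client-side matches: $($clientSide.Count)"
$serverSide | Export-Csv -Path .\internet-access-members.csv -NoTypeInformation
```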