Query users NOT members of multiple groups

  • Question

  • I have 3 groups. I want to query users that are not part of ANY of those 3... if they are part of 1 group then I do not want to know that... I want a user that is not part of Group1 AND Group2 AND Group3... I'm so stuck.

    Here's what I've tried

    #1

    $groups = get-adgroup -LDAPFilter "(samaccountname=Group*)"
    Get-ADUser -LDAPFilter "(!(memberof=$groups))" |
    select-object Name, SamAccountName

    #2
    get-aduser -Filter * -Properties memberof |
        where {$_.memberof -notmatch "Group1" -and $_.memberof -notmatch "Group2" -and $_.memberof -notmatch "Group3"} |
        select name,samaccountname

    Both of these keep returning a user that is part of 1 of the groups... seems like it's doing an "OR" instead of "AND"... please help!!

    Thanks

    C


    -C-

    Friday, October 25, 2019 9:34 PM

Answers

  • The memberOf attribute is DN syntax. You must compare with the distinguishedNames of the groups, and only exact matches are allowed (no wildcards). For example:

    $Group1 = "cn=Group1,ou=East,dc=mydomain,dc=com"
    $Group2 = "cn=Group2,ou=West,dc=mydomain,dc=com"
    $Group3 = "cn=Group3,ou=South,dc=mydomain,dc=com"

    # AND of three NOT clauses, each compared against the group's full DN
    Get-ADUser -LDAPFilter "(&(!(memberOf=$Group1))(!(memberOf=$Group2))(!(memberOf=$Group3)))"


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Marked as answer by Charlie1313 Friday, October 25, 2019 10:44 PM
    Friday, October 25, 2019 9:56 PM
  • Or using this (use "-notcontains" and the full Distinguished name):

    # Compare against each group's full distinguishedName (the example DNs from the answer above)
    Get-ADUser -Filter * -Properties memberof |
        Where-Object {
            $_.memberof -notcontains 'cn=Group1,ou=East,dc=mydomain,dc=com' -and
            $_.memberof -notcontains 'cn=Group2,ou=West,dc=mydomain,dc=com' -and
            $_.memberof -notcontains 'cn=Group3,ou=South,dc=mydomain,dc=com'
        } |
        Select-Object Name, SamAccountName


    \_(ツ)_/

    • Marked as answer by Charlie1313 Friday, October 25, 2019 10:44 PM
    Friday, October 25, 2019 10:13 PM
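    Building on both answers above, here is an added example (not posted in the thread) that resolves the group names to their DNs with Get-ADGroup, escapes them for the LDAP filter, and also shows the nested-membership variant using the LDAP_MATCHING_RULE_IN_CHAIN OID; the three group names and the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example, not from the thread: resolve the group names to DNs and build the
# LDAP filter from them. Assumes the RSAT ActiveDirectory module and these names.
Import-Module ActiveDirectory

$GroupNames = 'Group1', 'Group2', 'Group3'   # assumed group names

# memberOf stores group distinguishedNames, so resolve each name to its DN first
# and fail loudly if a group is missing (a typo would otherwise silently widen
# the result set to users who ARE in that group).
$GroupDNs = foreach ($name in $GroupNames) {
    $g = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $g) { throw "Group '$name' not found" }
    $g.DistinguishedName
}

# Escape the characters that are special inside an LDAP filter value (RFC 4515).
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace '\x00', '\00'
}

# (&(!(memberOf=DN1))(!(memberOf=DN2))(!(memberOf=DN3))): an AND of three NOTs,
# i.e. users that are in none of the groups. This checks DIRECT membership only;
# memberOf does not list nested groups or the user's primary group.
$direct = ($GroupDNs | ForEach-Object { "(!(memberOf=$(ConvertTo-LdapFilterValue $_)))" }) -join ''
$directFilter = "(&(objectCategory=person)(objectClass=user)$direct)"

# Same query with the LDAP_MATCHING_RULE_IN_CHAIN OID, so a user who belongs only
# via a nested group is also treated as a member (and excluded). Slower on large
# directories, but this is the version to use when auditing who falls outside
# a set of access groups.
$nested = ($GroupDNs | ForEach-Object { "(!(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $_)))" }) -join ''
$nestedFilter = "(&(objectCategory=person)(objectClass=user)$nested)"

Get-ADUser -LDAPFilter $nestedFilter -Properties memberOf |
    Select-Object Name, SamAccountName
```

    Swap $nestedFilter for $directFilter to reproduce the accepted answer exactly; the difference between the two result sets is precisely the users whose only membership comes through a nested group.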

All replies

  • Works perfectly! Thank you!!!

    -C-

    Friday, October 25, 2019 10:45 PM
  • Works, thank you!!!

    -C-

    Friday, October 25, 2019 10:45 PM