This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

Query users NOT members of multiple groups

Question
0

Sign in to vote

I have 3 groups. I want to query users that are not part of ANY of those 3... if they are part of 1 group then I do not want to know that... I want a user that is not part of Group1 AND group2 AND group 3... I'm so stuck

Here's what I've tried

#1

$groups = get-adgroup -LDAPFilter "(samaccountname=Group*)"
Get-ADUser -LDAPFilter "(!(memberof=$groups))" |
select-object Name, SamAccountName

#2
get-aduser -Filter * -Properties memberof |
where {$_.memberof -notmatch "Group1" -and $_.memberof -notmatch "Group2 -and $_.memberof -notmatch "Group3"} |
select name,samaccountname

Both of these keep returning a user that is part of 1 of the groups... seems like its doing an "OR" instead of "AND" … please help!!

Thanks

C

-C-

Friday, October 25, 2019 9:34 PM

Answers

0

Sign in to vote
The memberOf attribute is DN syntax. You must compare with the distinguishedNames of the groups, and only exact matches are allowed (no wildcards). For example:

$Group1 = "cn=Group1,ou=East,dc=mydomain,dc=com" $Group2 = "cn=Group2,ou=West,dc=mydomain,dc=com" $Group3 = "cn=Group3,ou=South,dc=mydomain,dc=com" Get-ADUser -LDAPFilter "(&(!memberOf=Group1)(!memberOf=Group2)(!memberOf=Group3))

Richard Mueller - MVP Enterprise Mobility (Identity and Access)
- Marked as answer by Charlie1313 Friday, October 25, 2019 10:44 PM
Friday, October 25, 2019 9:56 PM
0

Sign in to vote
Or using this (use "-notcontains" and the full Distinguished name:

Get-AdUser -Filter * -Properties memberof | where{ $_.memberof -notcontains 'Group1' -and $_.memberof -notcontains 'Group2' -and $_.memberof -notcontains 'Group3' } | select name,samaccountname

\_(ツ)_/
- Marked as answer by Charlie1313 Friday, October 25, 2019 10:44 PM
- Unmarked as answer by Charlie1313 Friday, October 25, 2019 10:44 PM
- Marked as answer by Charlie1313 Friday, October 25, 2019 10:44 PM
Friday, October 25, 2019 10:13 PM

All replies

0

Sign in to vote
The memberOf attribute is DN syntax. You must compare with the distinguishedNames of the groups, and only exact matches are allowed (no wildcards). For example:

$Group1 = "cn=Group1,ou=East,dc=mydomain,dc=com" $Group2 = "cn=Group2,ou=West,dc=mydomain,dc=com" $Group3 = "cn=Group3,ou=South,dc=mydomain,dc=com" Get-ADUser -LDAPFilter "(&(!memberOf=Group1)(!memberOf=Group2)(!memberOf=Group3))

Richard Mueller - MVP Enterprise Mobility (Identity and Access)
- Marked as answer by Charlie1313 Friday, October 25, 2019 10:44 PM
Friday, October 25, 2019 9:56 PM
0

Sign in to vote
Or using this (use "-notcontains" and the full Distinguished name:

Get-AdUser -Filter * -Properties memberof | where{ $_.memberof -notcontains 'Group1' -and $_.memberof -notcontains 'Group2' -and $_.memberof -notcontains 'Group3' } | select name,samaccountname

\_(ツ)_/
- Marked as answer by Charlie1313 Friday, October 25, 2019 10:44 PM
- Unmarked as answer by Charlie1313 Friday, October 25, 2019 10:44 PM
- Marked as answer by Charlie1313 Friday, October 25, 2019 10:44 PM
Friday, October 25, 2019 10:13 PM
0

Sign in to vote

Works perfectly! Thank yoU!!!
-C-

Friday, October 25, 2019 10:45 PM
0

Sign in to vote

Works thanks you!!!
-C-

Friday, October 25, 2019 10:45 PM