Powershell script to show what users in a particular OU are members of a specific group

Question

  • We have an OU that solely contains users of a web application. These users should not be part of the Domain Users group.

    I have found a couple of instances where our techs have forgotten the step of removing them from Domain Users, and was wondering if there was a PowerShell script I could run that would give me a list of users in that OU that are members of the Domain Users group.

    Thursday, January 26, 2017 8:06 PM

Answers

  • The issue here is that most users will have this group designated as their "primary", but it is also possible some other group has been made "primary", perhaps in expectation that the user would be removed from Domain Users. The following finds all users in the specified OU that are direct members of the group, whether or not it is the primary:

    # Replace both DNs with your OU and the DN of your domain's Domain Users group (the memberOf value must be a full DN, including cn=)
    Get-ADUser -SearchBase "ou=Sales,ou=West,dc=Domain,dc=com" -LDAPFilter "(|(memberOf=cn=Domain Users,cn=Users,dc=MyDomain,dc=com)(primaryGroupID=513))"

    In case it matters, the following finds users in the OU that either have Domain Users designated their primary, or are members even if by group nesting (not just direct members):

    # Same DNs as above; the :1.2.840.113556.1.4.1941: matching rule makes memberOf follow group nesting
    Get-ADUser -SearchBase "ou=Sales,ou=West,dc=Domain,dc=com" -LDAPFilter "(|(memberOf:1.2.840.113556.1.4.1941:=cn=Domain Users,cn=Users,dc=MyDomain,dc=com)(primaryGroupID=513))"

    The string 1.2.840.113556.1.4.1941 specifies LDAP_MATCHING_RULE_IN_CHAIN. However, this will not find users where their primary group is nested in Domain Users. But that would be very unusual.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    • Edited by Richard Mueller MVP Thursday, January 26, 2017 8:28 PM
    • Marked as answer by JGrover Thursday, January 26, 2017 8:32 PM
    Thursday, January 26, 2017 8:20 PM
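    A fuller script built on the two filters in the answer, added here as an example (it is not part of the original answer). It assumes the ActiveDirectory module (RSAT) and a placeholder OU DN, resolves Domain Users by its well-known RID instead of a hard-coded DN, reports how each user is still attached, and also covers the caveat case the answer mentions, where a user's primary group is itself nested in Domain Users.

```powershell
# Added example, not from the original answer. Assumes the ActiveDirectory module
# and a placeholder OU distinguished name; set $ou to the OU holding the web app users.
Import-Module ActiveDirectory

$ou        = 'OU=WebAppUsers,DC=example,DC=com'                    # placeholder OU
$domainSid = (Get-ADDomain).DomainSID.Value
$duDn      = (Get-ADGroup -Identity "$domainSid-513").DistinguishedName   # Domain Users = RID 513
$chain     = 'memberOf:1.2.840.113556.1.4.1941:='                  # LDAP_MATCHING_RULE_IN_CHAIN

# Pass 1: direct or nested membership, or Domain Users still set as the primary group.
$filter = "(|($chain$duDn)(primaryGroupID=513))"
$hits = @{}
Get-ADUser -SearchBase $ou -SearchScope Subtree -LDAPFilter $filter -Properties memberOf, primaryGroupID |
  ForEach-Object {
    $how = @()
    if ($_.primaryGroupID -eq 513)   { $how += 'primary group' }
    if ($_.memberOf -contains $duDn) { $how += 'direct member' }
    if (-not $how)                   { $how += 'nested member' }   # matched only through the chain
    $hits[$_.SamAccountName] = $how -join ', '
  }

# Pass 2 (the caveat in the answer): a primary group that is itself nested in Domain Users
# is not caught by pass 1, so resolve each remaining user's primary group by SID
# (domain SID + primaryGroupID) and test that group's own membership chain.
Get-ADUser -SearchBase $ou -SearchScope Subtree -Filter * -Properties primaryGroupID |
  Where-Object { -not $hits.ContainsKey($_.SamAccountName) } |
  ForEach-Object {
    $pgSid  = "$domainSid-$($_.primaryGroupID)"
    $nested = Get-ADGroup -LDAPFilter "(&(objectSid=$pgSid)($chain$duDn))"
    if ($nested) {
      $hits[$_.SamAccountName] = "primary group '$($nested.Name)' nested in Domain Users"
    }
  }

# Report: one row per user in the OU that still reaches Domain Users, and how.
$hits.GetEnumerator() | Sort-Object Name |
  ForEach-Object { [pscustomobject]@{ SamAccountName = $_.Name; How = $_.Value } } |
  Format-Table -AutoSize
```

    An empty table means no user in the OU reaches Domain Users by any of the three routes; the `How` column tells the tech which cleanup step was skipped.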

All replies

  • Yes, thank you. That's exactly what I needed.

    Our procedure is to place new users for this application in a dummy group and set that as the default, then remove them from Domain Users. I've found over the years that some users forget this step, or add them to the dummy group but don't set it as the default/remove them from DU, or set it as the default but *still* don't remove them from DU. :)
    Thursday, January 26, 2017 8:32 PM