PowerShell script to list user access with MemberOf for a specific OU

  • Question

  • Hello,

    I am trying to find the correct syntax to correct the following script so that it will only include the groups in a specific OU, instead of all the groups shown in the "MemberOf" tab.  Currently the script provides most of the correct information I need but includes all the groups in the "MemberOf" tab. I just need to list the groups from a specific OU, i.e. Sample Security\Enterprise

    Get-aduser -filter * -Properties DisplayName, Title, Manager, Department, Memberof | Select DisplayName, Title, Manager, Department, @{name="MemberOf";expression={$_.memberof -join ";"}} | Export-csv c:\Temp\UserAccess.csv

    Any help would be appreciated.

    Thanks,

    Roger


    • Edited by Vallee18 Monday, December 24, 2018 3:47 PM type
    Monday, December 24, 2018 3:47 PM

All replies

  • You will have to parse the individual memberof elements to filter for the OU you want.

    ($_.memberof | Where{ $_ -match 'OU=ouname' }) -join ';'


    \_(ツ)_/

    Monday, December 24, 2018 4:23 PM
  • Hello,

    Sorry.  The following doesn't seem to work.  What am I missing?

    Get-aduser –filter * -Properties DisplayName, Title, Manager, Department, Memberof | Select DisplayName, Title, Manager, Department, @{name=”MemberOf” ($_.memberof | Where{ $_ -match 'OU=enterprise' }) -join ';' | Export-csv c:\Temp\UserWithMoreInfo.csv

    Thanks,

    Roger


    r

    Monday, December 24, 2018 4:47 PM
  • I agree, and you cannot filter for this, because memberOf is DN (distinguished name) syntax.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Monday, December 24, 2018 4:50 PM
  • Hi Richard,

    Thank you. So you are saying there is no way I can modify the script to get just the "MemberOf" groups for a specific OU?

    Thanks,

    Roger


    r

    Monday, December 24, 2018 4:57 PM
  • My code works as required if you use it correctly.  The match string must be enough of the OU part of the name to work.

    Of course maybe you are not asking for the groups in an OU but the users who are in an OU.

    If we have 10 memberof DNs then filtering on the OU name will return only those groups defined in that OU.

    You edited the code incorrectly.  You lost the "e={" part of the parameter.

    Formatting the code to be readable would allow you to see this but first you need to learn how to use PowerShell syntax and how to use computed properties.

    $properties = @(
        'DisplayName',
        'Title',
        'Manager',
        'Department',
        @{n = 'MemberOf';e = { ($_.memberof | Where-Object{ $_ -match 'OU=enterprise' }) -join ';'}}
    )
    Get-aduser -filter * -Properties DisplayName, Title, Manager, Department, Memberof |
        Select-Object $properties |
        Export-csv c:\Temp\UserWithMoreInfo.csv

    This makes building the code much easier.


    \_(ツ)_/




    • Edited by jrv Monday, December 24, 2018 5:25 PM
    • Proposed as answer by Richard MuellerMVP Monday, December 24, 2018 6:04 PM
    Monday, December 24, 2018 5:24 PM
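An added example, not part of the thread or any poster's code: for an access review, an unanchored `-match 'OU=enterprise'` also matches sibling OUs whose names start the same way and same-named OUs elsewhere in the tree, so this sketch compares each memberOf DN against the full OU DN instead. The function name `Select-GroupDnInOu`, the OU DN and the group DNs are hypothetical, constructed sample values.

```powershell
# Added example. All DNs below are constructed sample data.
function Select-GroupDnInOu {
    param(
        [string[]]$MemberOf,                   # a user's memberOf values (group DNs)
        [Parameter(Mandatory)][string]$OuDn,   # full DN of the OU to report on
        [switch]$DirectOnly                    # exclude groups that sit in child OUs
    )
    $suffix = ',' + $OuDn
    foreach ($dn in $MemberOf) {
        # Compare against the whole OU DN as a suffix: no regex, no partial OU names.
        if (-not $dn.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) { continue }
        if ($DirectOnly) {
            # Strip the first RDN; escaped characters such as "\," stay inside it.
            $parent = $dn -replace '^(?:\\.|[^\\,])*,', ''
            if ($parent -ne $OuDn) { continue }
        }
        $dn
    }
}

$ou = 'OU=Enterprise,OU=Sample Security,DC=example,DC=com'
$memberOf = @(
    'CN=ERP Admins,OU=Enterprise,OU=Sample Security,DC=example,DC=com'
    'CN=Nested,OU=Tier1,OU=Enterprise,OU=Sample Security,DC=example,DC=com'
    'CN=VPN Users,OU=Enterprise Apps,OU=Sample Security,DC=example,DC=com'
    'CN=Smith\, J Team,OU=Enterprise,OU=Other,DC=example,DC=com'
)

# Side-by-side: substring regex versus full-DN suffix comparison.
'regex   : ' + (($memberOf | Where-Object { $_ -match 'OU=enterprise' }) -join ';')
'subtree : ' + ((Select-GroupDnInOu -MemberOf $memberOf -OuDn $ou) -join ';')
'direct  : ' + ((Select-GroupDnInOu -MemberOf $memberOf -OuDn $ou -DirectOnly) -join ';')

# With the ActiveDirectory module loaded, the function drops into the computed property:
# @{n = 'MemberOf'; e = { (Select-GroupDnInOu -MemberOf $_.MemberOf -OuDn $ou) -join ';' }}
```

On the constructed data the regex keeps all four DNs, the suffix comparison keeps the first two, and `-DirectOnly` keeps only the first.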
  • Roger, no my only point is that you cannot filter on memberOf before the pipe in the PowerShell statement. It is more efficient to use -Filter before the pipe (to greatly reduce the number of objects sent over the network from the DC), but it cannot be done in this case. The only operators you can use with DN syntax attributes (like member, memberOf, or manager) in -Filter clauses are -eq and -ne. Sorry to confuse the issue.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Monday, December 24, 2018 6:13 PM
  • Yes.  An important consideration. 

    It seems the issue is not filtering ON memberof but filtering out items in the memberof array which was what I assumed the code was trying to do.  This cannot be done in an LDAP filter in any way for any attribute that is not a simple value array and never with DNs.

    It is really too bad that MS never tried to implement this extension.


    \_(ツ)_/

    Monday, December 24, 2018 6:20 PM
  • Thank you.  

    How can I combine the following two scripts?  The following will get me the bulk of the information I need. I know I would need to remove Memberof and @{name="MemberOf";expression={$_.memberof -join ";"}} in the second part of the script.

    Get-aduser -filter * -Properties Office, DisplayName, Title, Manager, Department, Memberof | Select Office, DisplayName, Title, Manager, Department, @{name="MemberOf";expression={$_.memberof -join ";"}} | Export-csv c:\UserWithMoreInfo.csv

    How do I combine them so I get the results from both in one file?

    The following will provide a list of just the groups and their members in the OU I need. 

    # One CSV row per (group, member) pair for every group under the OU
    Get-ADGroup -Properties * -Filter * -SearchBase "OU=Sample,OU=Sample,DC=qmetric,DC=com" | Foreach {
        $Group = $_
        Get-ADGroupMember -Id $Group |
            select @{Expression={$Group.Name};Label="Group Name"},Name |
            Export-CSV C:\Temp\EnterpriseGroupList.CSV -NoTypeInformation -append
    }

    Thanks,

    Roger


    r

    Thursday, December 27, 2018 6:48 PM
  • You can't.  They are not related results.

    A user is a member or a group has members. They are logically inverse requests and cannot be combined in any useful way.


    \_(ツ)_/

    • Marked as answer by Vallee18 Thursday, December 27, 2018 8:48 PM
    Thursday, December 27, 2018 7:18 PM