Exclude a particular group's members from querying in AD

  • Question

  • I have the existing script below, which fetches users and disables those who have not logged in (inactive) for 90 days, with different conditions. Now I need to exclude the members of an AD group so that those accounts will not be disabled.

    I have tried many ways to exclude the members of a group but with no luck; please help me out.

    # The script depends on the ActiveDirectory module; $ActiveDirectoryServer and
    # the LogProgress function are defined elsewhere in the full script (not shown)
    Import-Module ActiveDirectory

    $InactiveTimeLimit = (Get-Date).AddDays(-90)
    $UserOUs = "OU=Office Users,DC=contoso,DC=com",
               "OU=Store Users,DC=contoso,DC=com",
               "OU=DC Users,DC=contoso,DC=com"   # no trailing comma: it is a parse error

    $InactiveUsers = @()

    foreach ($UserOU in $UserOUs) {

        try {
            # Enabled users whose last logon is missing or older than the limit, whose password is
            # stale and who have no employeeid; the creation date is checked client-side
            $InactiveUsers += Get-ADUser -SearchBase $UserOU -filter { (lastlogondate -notlike "*" -OR lastlogondate -le $InactiveTimeLimit) -AND (passwordlastset -le $InactiveTimeLimit) -AND (Enabled -eq $True) -AND (pwdLastSet -ne 0 -OR modifyTimeStamp -lt $InactiveTimeLimit) -AND (employeeid -notlike '*')  } -Properties memberof,lastlogondate, passwordlastset, UserPrincipalName, DisplayName, Created, Description, pwdLastSet, modifyTimeStamp, employeeid -Server $ActiveDirectoryServer | Where-Object { $_.Created -le $InactiveTimeLimit } | Sort-Object lastlogondate
        }
        catch {
            LogProgress -LogType "ERROR" -LogLine "Failed to load users from OU: $UserOU. The error was: $($Error[0])"
        }
    }

    Tuesday, December 17, 2019 1:19 PM

All replies

  • You can add a clause to your Get-ADUser -Filter parameter to exclude the group. You must specify the full DN of the group. For example (in part):

    $GroupDN = "cn=MyGroup,ou=Sales,ou=East,dc=domain,dc=com"
    
    -And (MemberOf -ne $GroupDN)


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Tuesday, December 17, 2019 1:44 PM
    Moderator
  • See my reply in your similar post in the other forum here:

    https://social.technet.microsoft.com/Forums/en-US/7cce3207-8ebd-4934-8eac-c4c033156dae/exclude-the-group-members-from-ad-querying?forum=winserverpowershell

    Add a clause to your Get-ADUser filter to exclude membership in the group:

    -And (MemberOf -ne $GroupDN)

    where $GroupDN must be the full DistinguishedName of the group.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, December 17, 2019 1:47 PM
    Moderator
  • I have tried this syntax earlier and now as well. However, I see the user who is part of the group.
    Wednesday, December 18, 2019 1:17 PM
  • A few possible explanations:

    • Wildcards are not allowed in filters with DN properties like MemberOf. You must specify the full distinguished name of the group.
    • Only the -eq and -ne operators can be used with DN properties.
    • Only direct membership in the group is checked. If the membership is due to group nesting, then a different syntax is required.
    • If you don't use a variable for the group distinguished name, as in my reply above, then the DN should be quoted in the filter clause (assuming the entire filter is enclosed in braces), similar to below:
    -And (MemberOf -ne "cn=MyGroup,ou=Sales,ou=East,dc=domain,dc=com")

    Edit: Also, the MemberOf property does not include the "primary" group of the user. This is most likely "Domain Users".

    You can check in the ADUC properties for the user. On the "Attribute Editor" tab look at the memberOf attribute to see if the group is included. The collection only includes groups the user is directly a member of, and does not include the "primary" group.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Wednesday, December 18, 2019 2:32 PM
    Moderator
  • I used both syntaxes and I still see the user who is part of the group.

    -And (MemberOf -ne "cn=MyGroup,ou=Sales,ou=East,dc=domain,dc=com")

    The user would be part of many groups and the memberof property will have all the groups' DNs separated by commas, so here we are just mentioning one group without a wildcard (you said a wildcard can't be used). I feel this is the reason it is not matching and is finding the user even though they are part of the AD group. Please suggest.

    Thursday, December 19, 2019 10:49 AM
  • First, the MemberOf property returns an array of DNs rather than one string. The -ne operator looks at each DN in the array separately.

    However, the -ne operator does have a flaw (bug) I forgot about. The clause will be True for all users that are not members of the specified group, but only if they are members of at least one group. The clause will be False if the user has no group memberships in the memberOf attribute. But that is not the problem you describe. You say the clause is True for a user that is a member of the group.

    The fix (or workaround) for the bug I describe is to -Or another clause that is True if the user has no group memberships (except their "primary" group).

    -And ((MemberOf -ne "cn=MyGroup,ou=Sales,ou=East,dc=domain,dc=com") -Or (MemberOf -NotLike "*"))

    These two clauses return True when the user is not a member of the group, even if they have no group memberships. It is a subtle and little known problem, but as I said, it does not account for the problem you describe.

    Edit: Just to clarify, if the problem user has SamAccountName "jsmith", does this retrieve the user?

    Get-ADUser -Filter {(SamAccountName -eq "jsmith") -And (MemberOf -ne "cn=MyGroup,ou=Sales,ou=East,dc=domain,dc=com")} -Properties SamAccountName, MemberOf | Select SamAccountName, MemberOf

    If this returns the user and the MemberOf array in the display includes the group, then it makes no sense.



    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Thursday, December 19, 2019 11:58 AM
    Moderator
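    Pulling the thread together, as an added example (not the OP's script and not Richard's code): the original inactive-user query with the exclusion clause, the -notlike "*" workaround for users with an empty memberOf, and a second check after the query that also catches members of nested groups, which the memberOf clause cannot see. $ExcludeGroupName, $ActiveDirectoryServer and the OU names are assumed placeholders for your environment.

```powershell
Import-Module ActiveDirectory

$ActiveDirectoryServer = "dc01.contoso.com"   # assumed placeholder: your DC
$ExcludeGroupName      = "NoAutoDisable"      # assumed placeholder: the exemption group
$InactiveTimeLimit     = (Get-Date).AddDays(-90)
$UserOUs = "OU=Office Users,DC=contoso,DC=com",
           "OU=Store Users,DC=contoso,DC=com",
           "OU=DC Users,DC=contoso,DC=com"

# Resolve the full DN once. The filter needs the exact distinguishedName (no
# wildcards), so a hand-typed DN that is off by one RDN silently excludes nobody.
$GroupDN = (Get-ADGroup -Identity $ExcludeGroupName -Server $ActiveDirectoryServer).DistinguishedName

# memberOf only lists direct memberships, so expand the group recursively and
# keep the member SIDs for a second check after the query.
$ExcludedSids = @{}
Get-ADGroupMember -Identity $GroupDN -Recursive -Server $ActiveDirectoryServer |
    ForEach-Object { $ExcludedSids[$_.SID.Value] = $true }

$InactiveUsers = @()
foreach ($UserOU in $UserOUs) {
    try {
        # The last clause is the exclusion: -ne against the DN, OR'd with
        # -notlike "*" so users with an empty memberOf are not dropped.
        $InactiveUsers += Get-ADUser -SearchBase $UserOU -Server $ActiveDirectoryServer -Filter {
                (lastlogondate -notlike "*" -or lastlogondate -le $InactiveTimeLimit) -and
                (passwordlastset -le $InactiveTimeLimit) -and
                (Enabled -eq $true) -and
                (pwdLastSet -ne 0 -or modifyTimeStamp -lt $InactiveTimeLimit) -and
                (employeeid -notlike '*') -and
                ((MemberOf -ne $GroupDN) -or (MemberOf -notlike "*"))
            } -Properties memberof, lastlogondate, passwordlastset, Created, pwdLastSet, modifyTimeStamp, employeeid |
            Where-Object {
                $_.Created -le $InactiveTimeLimit -and
                -not $ExcludedSids.ContainsKey($_.SID.Value)   # catches nested membership
            }
    }
    catch {
        Write-Error "Failed to load users from OU: $UserOU. The error was: $_"
    }
}

# Dry run first: -WhatIf lists the accounts that would be disabled without touching them.
$InactiveUsers | Sort-Object lastlogondate | Disable-ADAccount -WhatIf
```

    Run it once with -WhatIf and compare the list against the group's recursive membership before removing the switch.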
  • Getting the error below when I run the command in the second box

    + Get-ADUser -Filter {(SamAccountName -eq sampath) -And (MemberOf -ne "C ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ParserError: (:) [Get-ADUser], ADFilterParsingException

    Thursday, December 19, 2019 1:56 PM
  • The sAMAccountName must be quoted. Otherwise, PowerShell thinks "sampath" is a command. The sAMAccountName is the pre-Windows 2000 logon name in ADUC. I suggested using sAMAccountName to uniquely identify the problem user, because it is shorter than the distinguished name.

    We just want to see if the logic retrieves the user and recognizes that the user is really a member of the specified group. If the user is not a member of the group, then the command will return nothing. In that case, changing the -ne operator (in the MemberOf clause) to -eq should retrieve the user.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Marked as answer by Sampath KK Thursday, December 19, 2019 3:53 PM
    Thursday, December 19, 2019 2:23 PM
    Moderator
  • Thank you so much!! Script is working like champ!!
    Thursday, December 19, 2019 3:53 PM
  • Glad to hear it worked out.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, December 19, 2019 4:21 PM
    Moderator