locked
powershell get-aduser filtering issue

  • Question

  • Hi, I am trying to retrieve a list of all AD accounts not in groups that begin with "P Imageright" and not in certain OUs. The "P imageright" filter appears to work because all returned users I have checked are not members of that group, but my script is returning users from OUs I filtered out. What am I missing?

    import-module activedirectory
    Get-ADUser -Filter * -properties memberof | Where-Object {!($_.memberof -like "P imageright*" -and ($_.DistinguishedName -notlike "*OU=Admin Accounts,DC=Domain,DC=com"))} | select samaccountname | export-csv 'c:\temp\groups.csv'

    Friday, December 19, 2014 1:56 PM

Answers

  • If that works, ok, but your original code had the closing parentheses in the wrong place. How about:

    Get-ADUser -Filter * -properties memberof | Where-Object {!($_.memberof -like "P imageright*") -and ($_.DistinguishedName -notlike "*OU=Admin Accounts,DC=Domain,DC=com")} | select samaccountname | export-csv 'c:\temp\groups.csv'

    But that still looks wrong to me. The "!" should not be supported in PowerShell filters. It is LDAP syntax. I still think Mike's suggestion is best.

    Get-ADUser -Filter * -Properties memberOf | 
        Where {($_.memberOf -notlike "CN=P Imageright*") -and ($_.DistinguishedName -notlike "*,OU=Admin Accounts,DC=Domain,DC=com")}

    But I used double quotes in place of single.

    Richard Mueller - MVP Directory Services


    • Edited by Richard MuellerMVP Friday, December 19, 2014 4:58 PM
    • Marked as answer by glacket Friday, December 19, 2014 8:37 PM
    Friday, December 19, 2014 4:58 PM
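Editor's note with an added example (this is not code from the thread). Two facts decide this question. First, `!` is PowerShell's own `-not` operator, not LDAP syntax, so the original poster's `!( ... -like ...)` is legal; what was wrong in the first post was only the placement of the closing parenthesis, since `!(A -and B)` is `(!A -or !B)` and therefore admits anyone in the excluded OU. Second, when the left operand of `-like`/`-notlike` is a collection, PowerShell returns the matching (or non-matching) elements rather than a boolean. memberOf is multi-valued, so `memberOf -notlike 'CN=P Imageright*'` is truthy for any user who is in a P Imageright group and in at least one other group, and is an empty array (falsy) for a user with no group memberships. The marked answer therefore keeps users it should drop and drops users it should keep; `!(memberOf -like ...)` behaves correctly in both cases. The script below models this offline against constructed user objects (all DNs invented; MemberOf is modelled as `[string[]]`, which compares the same way as the ADPropertyValueCollection Get-ADUser returns):

```powershell
# Added example (not from the thread): runs the three filter forms posted above
# against constructed users so the comparison semantics can be checked offline.
# Assumed: MemberOf modelled as [string[]]; every DN below is invented.
function New-SampleUser {
    param([string]$Sam, [string]$Dn, [string[]]$MemberOf = @())
    [pscustomobject]@{ SamAccountName = $Sam; DistinguishedName = $Dn; MemberOf = $MemberOf }
}

$adminOu = 'OU=Admin Accounts,DC=domain,DC=com'
$users = @(
    # in a "P Imageright" group AND another group, normal OU  -> should be excluded
    (New-SampleUser 'alice' 'CN=alice,OU=Staff,DC=domain,DC=com' @(
        'CN=P Imageright Scan,OU=Groups,DC=domain,DC=com',
        'CN=VPN Users,OU=Groups,DC=domain,DC=com'))
    # not in the group, normal OU                              -> should be returned
    (New-SampleUser 'bob' 'CN=bob,OU=Staff,DC=domain,DC=com' @('CN=VPN Users,OU=Groups,DC=domain,DC=com'))
    # not in the group, but inside the excluded OU             -> should be excluded
    (New-SampleUser 'carol' "CN=carol,$adminOu" @('CN=VPN Users,OU=Groups,DC=domain,DC=com'))
    # no group memberships at all (memberOf is empty)          -> should be returned
    (New-SampleUser 'dave' 'CN=dave,OU=Staff,DC=domain,DC=com')
)

$filters = [ordered]@{
    # 1. original post: '!' wraps both clauses, so !(A -and B) == (!A -or !B) and anyone
    #    in the excluded OU passes. memberOf values are DNs that start with "CN=", so the
    #    pattern 'P imageright*' never matches and A is always an empty array.
    'original'   = { !($_.MemberOf -like 'P imageright*' -and ($_.DistinguishedName -notlike "*$adminOu")) }
    # 2. marked answer: -notlike on a multi-valued attribute returns the values that do
    #    NOT match. One other group is enough to pass; an empty memberOf yields an empty
    #    array, which Where-Object treats as false.
    'notlike'    = { ($_.MemberOf -notlike 'CN=P Imageright*') -and ($_.DistinguishedName -notlike "*,$adminOu") }
    # 3. negated -like: -like returns the matching values; !(<empty>) is true and
    #    !(<non-empty>) is false, which is exactly "not a member of any matching group".
    'not (like)' = { !($_.MemberOf -like 'CN=P Imageright*') -and ($_.DistinguishedName -notlike "*,$adminOu") }
}

foreach ($name in $filters.Keys) {
    $filter = $filters[$name]
    $hits = $users | Where-Object $filter | Select-Object -ExpandProperty SamAccountName
    '{0,-10} -> {1}' -f $name, ($hits -join ', ')
}
```

Running it shows the first form keeping all four users (carol included), the `-notlike` form keeping alice and dropping dave, and only the negated `-like` form returning exactly bob and dave. The practical rule for any multi-valued AD attribute is to test membership with `-like`/`-contains`/`-match` and negate the whole expression, never with the `-not*` operator applied to the collection.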

All replies

  • Hi,

    You're using ! (not) and -notlike together, so not + notlike = like.


    Don't retire TechNet! - (Don't give up yet - 13,085+ strong and growing)

    Friday, December 19, 2014 2:23 PM
  • Start like this:

    Get-ADUser -Filter * -properties memberof |
        Where-Object{
            $_.memberof|%{$_ -match 'P imageright'}
        }

    After that use Parent to exclude the unwanted OU.


    ¯\_(ツ)_/¯


    • Edited by jrv Friday, December 19, 2014 2:28 PM
    Friday, December 19, 2014 2:27 PM
  • Thanks for the replies. I tried changing to "like". That did not work for me. How would I use the parent to exclude multiple OUs I want to ignore?
    Friday, December 19, 2014 2:51 PM
  • I would suggest (if I understand what you want):

    Where-Object {($_.memberof -like "P imageright*") -and ($_.DistinguishedName -notlike "*OU=Admin Accounts,DC=Domain,DC=com")}


    Richard Mueller - MVP Directory Services

    Friday, December 19, 2014 2:59 PM
  • So you want users who are NOT a member of any 'P Imageright *' groups and who are also NOT in the Admin Accounts OU?

    If so:

    Get-ADUser -Filter * -Properties memberOf | 
        Where { ($_.memberOf -notlike 'CN=P Imageright*') -and ($_.DistinguishedName -notlike '*,OU=Admin Accounts,DC=Domain,DC=com') }


    Don't retire TechNet! - (Don't give up yet - 13,085+ strong and growing)

    Friday, December 19, 2014 3:08 PM
  • I am not sure what I am missing. I tried every posted method, and the output still shows users that are members of P imageright groups.
    Friday, December 19, 2014 4:22 PM
  • I used -and, so it only excludes those who meet both requirements. You can try -or or something like this:

    Get-ADUser -Filter * -Properties memberOf | 
        Where { ($_.memberOf -notlike 'CN=P Imageright*') } | 
            Where { ($_.DistinguishedName -notlike '*,OU=Admin Accounts,DC=Domain,DC=com') }


    Don't retire TechNet! - (Don't give up yet - 13,085+ strong and growing)

    Friday, December 19, 2014 4:24 PM
  • OK, when I just filter the group I do not want, any "P imageright *" group, that part appears to work. When I add exclusions to filter out multiple OUs, it appears to override the "P imageright" filter.

    Get-ADUser -Filter * -properties memberof | Where-Object {!($_.memberof -like "cn=P imageright *" )}

    Friday, December 19, 2014 4:29 PM
  • This works absolutely fine for me:

    $groupname='CN=PasswordAuthority'
    $ouname='OU=Admins,DC=TESTNET,DC=local'
    get-aduser -filter * -Properties memberof|
         ?{$_.memberof -notmatch $groupname -and $_.Distinguishedname -notmatch $ouname}


    ¯\_(ツ)_/¯


    • Proposed as answer by jrv Friday, December 19, 2014 5:05 PM
    • Edited by jrv Friday, December 19, 2014 5:08 PM
    Friday, December 19, 2014 5:04 PM
  • Parens are not needed due to operator precedence. I find "match" more reliable for many reasons.

    Adding the CN= is likely a good idea.

    Oh - removing visual noise can also be helpful.


    ¯\_(ツ)_/¯


    • Edited by jrv Friday, December 19, 2014 5:08 PM
    Friday, December 19, 2014 5:07 PM
  • Thanks Richard, moving the parentheses around fixed my issue. I was able to filter multiple OUs after making that change. Here is the corrected code using multiple OU filters. For some reason I could not get any other script working. I appreciate everyone's help. Thanks.

    Get-ADUser -Filter * -properties memberof | Where-Object {!($_.memberof -like "*P imageright*") -and ($_.DistinguishedName -notlike "*OU=Admin Accounts,DC=domain,DC=com" -and ($_.DistinguishedName -notlike "*CN=Users,DC=domain,DC=com"))} | select samaccountname | export-csv 'c:\temp\groups.csv'

    Friday, December 19, 2014 8:37 PM
  • When I removed the parens, my original script would fail. When adding the CN= for matching the group name, the filter would not work. I had to use "*P ImageRight*".
    Friday, December 19, 2014 8:40 PM
  • I just realized that the code is still retrieving users that are in groups nested to "P imageright" groups. I did not even think about that. I have no idea how I would filter those out. Could I use get-adgroupmember and pipe the output to get-aduser?
    Friday, December 19, 2014 9:01 PM
  • Yes. The memberOf property is the distinguished names of the groups the user is a direct member of. It does not include nested groups. If the user is a member of a group nested in one called "P imageright8", the latter group is not included in memberOf.

    Get-ADGroupMember cannot be used to find users that are not members of a group, recursive or not.

    I have to think about this.


    Richard Mueller - MVP Directory Services


    Friday, December 19, 2014 9:55 PM
  • I see now why your unusual syntax is necessary. With just -NotLike, any users with no group memberships (besides their "primary") are not considered, because their memberOf is empty. However, you could replace "!" with -Not.

    I'm still trying to find a simple solution. There may not be one.


    Richard Mueller - MVP Directory Services

    Friday, December 19, 2014 10:29 PM
  • Simple. Get a flat list of all users and groups in the filter group down to a list of user DNs. Now test against that flat list with '-notin'.

    ¯\_(ツ)_/¯

    Friday, December 19, 2014 10:53 PM
  • I couldn't get -NotIn to work, but I got something using -Contains and -Not. However, Get-ADGroupMember can only deal with one group at a time. I got a script to work that excludes all users that are members of one group, but I don't see how to deal with group memberships for all groups that start with a string.


    Richard Mueller - MVP Directory Services

    Friday, December 19, 2014 11:40 PM
  • Make this recursive and you've got it:

    Get-ADGroupMember users |
        %{
            if($_.objectclass -eq 'User'){
                $_
            }elseif($_.objectClass -eq 'Group'){
                Get-AdGroupMember $_.Name
            }
        }


    ¯\_(ツ)_/¯

    Friday, December 19, 2014 11:58 PM
  • Jrv, running this outputs a blank csv. I ran just the get-adgroupmember users command and it seems to act as a wild card. It lists authenticated users, interactive and the domain users group. Wouldn't I need to pipe the output from my current script to get-adgroupmember?
    Monday, December 22, 2014 4:02 PM
  • It is just an example of a way to get all members of included groups. The idea is to get a complete list of all members who are users, recursively, then use that to match to your script. You will have to write the full recursive solution. I don't have time to write and test the whole thing.


    ¯\_(ツ)_/¯


    • Edited by jrv Monday, December 22, 2014 4:11 PM
    Monday, December 22, 2014 4:10 PM
  • Here is the recursive function:

    function Get-AllGroupMembers{
        Param(
            $groupname='Users'
        )

        # Get-ADGroupMember returns direct members only; recurse into any member
        # that is itself a group and emit only the user objects
        Get-ADGroupMember $groupname |
            ForEach-Object{
              if($_.objectclass -eq 'User'){
                   $_
              }elseif($_.objectClass -eq 'Group'){
                   # pass the DN, which -Identity always resolves; Name is not an identity form
                   Get-AllGroupMembers $_.DistinguishedName
              }
          }
    }


    ¯\_(ツ)_/¯

    Monday, December 22, 2014 4:20 PM
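Editor's added example (not code from the thread). Client-side recursion as above works, but it has to be repeated for every "P Imageright*" group, and nested groups can form cycles that send a naive recursive function into an infinite loop. The directory can do the transitive walk itself: the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) makes `memberOf:1.2.840.113556.1.4.1941:=<group DN>` true for direct and nested members, and it can be negated in the filter. The script below enumerates the groups, builds one negated clause per group, escapes each DN per RFC 4515 so a parenthesis or asterisk in a group name cannot change the filter's meaning, then excludes the unwanted containers client-side, since LDAP has no "not under this OU" operator. Assumptions: the RSAT ActiveDirectory module; the group-name prefix, container DNs and CSV path are the thread's placeholders, not real values; `ConvertTo-LdapFilterValue` and `New-NotMemberOfAnyFilter` are my helpers. Caveat a practitioner should know: memberOf, and therefore this rule, does not reflect a user's primary group (primaryGroupID), and chain matching is comparatively expensive on large directories.

```powershell
# Added example, not from the thread: server-side transitive exclusion using
# LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941).
# Assumed: RSAT ActiveDirectory module; DNs and the output path are placeholders.
Import-Module ActiveDirectory

# RFC 4515 escaping for a value embedded in an LDAP filter. A group DN may legally
# contain '(' ')' '*' or '\', and unescaped they would alter the filter's meaning.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m) '\{0:x2}' -f [int][char]$m.Value
    }
    [regex]::Replace($Value, '[\\*()\x00]', $evaluator)
}

# Build the filter from a list of group DNs. Kept separate from the directory call
# so the generated filter can be inspected or unit-tested offline.
function New-NotMemberOfAnyFilter {
    param([Parameter(Mandatory)][string[]]$GroupDn)
    $clauses = foreach ($dn in $GroupDn) {
        '(!(memberOf:1.2.840.113556.1.4.1941:={0}))' -f (ConvertTo-LdapFilterValue $dn)
    }
    '(&(objectCategory=person)(objectClass=user){0})' -f (-join $clauses)
}

# Every group the thread wants to exclude, resolved once on the server side.
$groups = @(Get-ADGroup -Filter 'Name -like "P Imageright*"')
if ($groups.Count -eq 0) { throw 'No "P Imageright*" groups found; refusing to export everyone.' }

$ldapFilter = New-NotMemberOfAnyFilter -GroupDn $groups.DistinguishedName
Write-Verbose "LDAP filter: $ldapFilter"

# Containers to skip. Matching ",<container DN>" as a suffix also catches sub-OUs.
$excludedContainers = @(
    'OU=Admin Accounts,DC=domain,DC=com'
    'CN=Users,DC=domain,DC=com'
)

Get-ADUser -LDAPFilter $ldapFilter -Properties memberOf |
    Where-Object {
        $userDn = $_.DistinguishedName          # saved before the inner $_ shadows it
        -not ($excludedContainers | Where-Object { $userDn -like "*,$_" })
    } |
    Select-Object SamAccountName, DistinguishedName |
    Export-Csv -Path 'C:\temp\groups.csv' -NoTypeInformation
```

Because the negation is evaluated by the domain controller, the empty-memberOf and multi-valued-comparison pitfalls discussed earlier in the thread never arise here: a user with no groups simply has no chain to match and is returned, and a user reachable through any nesting depth is excluded. Run with `-Verbose` to see the generated filter before trusting the export.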
  • Thanks. I wasn't sure where to begin. I was just going to ask about the recursive part because I did not understand that either. LOL.
    • Edited by glacket Monday, December 22, 2014 7:41 PM
    Monday, December 22, 2014 7:40 PM