find users NOT in group

  • Question

  • hello,

    I need to find all users in AD that are not members of one of the groups named "Permanent something";

    I tried the next command:

    Get-ADUser -Filter * -properties memberof | Where-Object {$_.memberof -notlike "*permanent*"} | measure
    Count    : 2652

    but it returns all the users in AD;

    if I try:

    Get-ADUser -Filter * -properties memberof | Where-Object {$_.memberof -like "*permanent*"} | measure
    Count    : 2628

    so I figure that I have 24 users that are not members of a permanent group but I cannot figure out how to find them;

    can you please help?

    thanks.

    Friday, July 27, 2012 7:41 AM

Answers

  • got the answer from a colleague:

    Get-ADUser -Filter * -properties memberof | Where-Object {!($_.memberof -like "*permanent*")} | measure

    Count    : 24

    • Marked as answer by octavmarius Friday, July 27, 2012 1:10 PM
    Friday, July 27, 2012 1:10 PM

All replies

  • $list = @()

    $list += Get-ADUser -Filter * -properties memberof | Where-Object {$_.memberof -notlike "*permanent*"} | measure

    $list += Get-ADUser -Filter * -properties memberof | Where-Object {$_.memberof -like "*permanent*"} | measure

    $list | Select-Object -Unique

    Didn't test it but it is a way I would try to do this

    Friday, July 27, 2012 7:47 AM
  • $list = @()

    $list += Get-ADUser -Filter * -properties memberof | Where-Object {$_.memberof -notlike "*permanent*"} | measure

    $list += Get-ADUser -Filter * -properties memberof | Where-Object {$_.memberof -like "*permanent*"} | measure

    $list | Select-Object -Unique

    Didn't test it but it is a way I would try to do this


    I'm not much of a PowerShell scripter but I think that the script above will just return all users in AD.
    Friday, July 27, 2012 8:09 AM
  • OMG please forget my previous post. I seem to have a problem with sleeping lately :P

    Did you try this way?

    Compare-Object $list1 $list2

    Friday, July 27, 2012 9:55 AM
  • hello,

    I need to find all users in AD that are not members of one of the groups named "Permanent something";

    I tried the next command:

    Get-ADUser -Filter * -properties memberof | Where-Object {$_.memberof -notlike "*permanent*"} | measure
    Count    : 2652

    but it returns all the users in AD;

    if I try:

    Get-ADUser -Filter * -properties memberof | Where-Object {$_.memberof -like "*permanent*"} | measure
    Count    : 2628

    so I figure that I have 24 users that are not members of a permanent group but I cannot figure out how to find them;

    can you please help?

    thanks.


    This means to me that you have 2652 + 2628 users in your AD.  Based on the code you posted, this is the only logical conclusion.  If you had 24 users that are not a member of the "Permanent" group, your first command should have returned 24.

    Grant Ward, a.k.a. Bigteddy

    Friday, July 27, 2012 10:05 AM
  • I have found this to be the only reliable way of getting the info you need:

    $results = @()
    $users = Get-ADUser  -Properties memberof -Filter * 
    foreach ($user in $users) {
        $groups = $user.memberof -join ';'
        $results += New-Object psObject -Property @{'User'=$user.name;'Groups'= $groups}
        }
    $results | Where-Object { $_.groups -notmatch 'permanent' } | Select-Object user


    Grant Ward, a.k.a. Bigteddy



    • Edited by Bigteddy Friday, July 27, 2012 10:51 AM
    • Proposed as answer by Carl_B_ Wednesday, July 31, 2013 9:53 AM
    Friday, July 27, 2012 10:49 AM
  • hello,

    I need to find all users in AD that are not members of one of the groups named "Permanent something";

    I tried the next command:

    Get-ADUser -Filter * -properties memberof | Where-Object {$_.memberof -notlike "*permanent*"} | measure
    Count    : 2652

    but it returns all the users in AD;

    if I try:

    Get-ADUser -Filter * -properties memberof | Where-Object {$_.memberof -like "*permanent*"} | measure
    Count    : 2628

    so I figure that I have 24 users that are not members of a permanent group but I cannot figure out how to find them;

    can you please help?

    thanks.


    This means to me that you have 2652 + 2628 users in your AD.  Based on the code you posted, this is the only logical conclusion.  If you had 24 users that are not a member of the "Permanent" group, your first command should have returned 24.

    Grant Ward, a.k.a. Bigteddy

    it only means that I'm doing something wrong in the command I have used because if I retrieve all the users in AD I have 2652 users:

    Get-ADUser -Filter * | measure
    Count    : 2652

    it also means that the "-like" condition is working just fine since it returns less than 2652 users but the "-notlike" condition is not working at all since it returns all users from AD;

    Thanks anyway.

    Friday, July 27, 2012 11:01 AM
  • I have found this to be the only reliable way of getting the info you need:

    $results = @()
    $users = Get-ADUser  -Properties memberof -Filter * 
    foreach ($user in $users) {
        $groups = $user.memberof -join ';'
        $results += New-Object psObject -Property @{'User'=$user.name;'Groups'= $groups}
        }
    $results | Where-Object { $_.groups -notmatch 'permanent' } | Select-Object user


    Grant Ward, a.k.a. Bigteddy



    the script worked just fine but I was hoping to be able to use only Get-ADUser and Where-Object cmdlets in a very very simple one-liner
    or
    to obtain an explanation about why it is not possible to do so;

    thanks !

    Friday, July 27, 2012 11:07 AM
  • OMG please forget my previous post. I seem to have a problem with sleeping lately :P

    Did you try this way?

    Compare-Object $list1 $list2

    I didn't try it; I'm sure it will work but I was hoping for something easier and less resource consuming;

    thanks !

    Friday, July 27, 2012 11:15 AM
  • the script worked just fine but I was hoping to be able to use only Get-ADUser and Where-Object cmdlets in a very very simple one-liner
    or
    to obtain an explanation about why it is not possible to do so;

    thanks !

    Because .memberof returns an array of full DN's of the groups, so you can't use -notcontains.  I have simply built a custom object with the name and a string containing all the groups.  As I said, I tried various methods, and this is the only one that works correctly.

    Grant Ward, a.k.a. Bigteddy

    Friday, July 27, 2012 11:22 AM
  • Because .memberof returns an array of full DN's of the groups, so you can't use -notcontains.  I have simply built a custom object with the name and a string containing all the groups.  As I said, I tried various methods, and this is the only one that works correctly.


    Grant Ward, a.k.a. Bigteddy

    I understood what you did and how the script works;

    I was just hoping for something easier to use and (more important) easier to remember;

    OR

    to understand why the "-like" works just fine but the "-notlike" does not.
    it would be reasonable if neither of them worked, but why does one work and one not;

    Thanks. 

    Friday, July 27, 2012 11:34 AM
  • Here's a simpler 'one-liner':

    Get-ADUser  -Properties memberof -Filter * | 
        Select-Object name, @{n='Groups';e={$_.memberof | Out-String}} | 
        Where-Object { $_.groups -notmatch 'permanent' } |
        Select-Object name


    Grant Ward, a.k.a. Bigteddy


    • Edited by Bigteddy Friday, July 27, 2012 12:00 PM
    Friday, July 27, 2012 11:59 AM
  • Here's a simpler 'one-liner':

    Get-ADUser  -Properties memberof -Filter * | 
        Select-Object name, @{n='Groups';e={$_.memberof | Out-String}} | 
        Where-Object { $_.groups -notmatch 'permanent' } |
        Select-Object name


    Grant Ward, a.k.a. Bigteddy


    it is easier and is a one-liner but I would say that it is still hard to remember;
    Friday, July 27, 2012 1:08 PM
  • got the answer from a colleague:

    Get-ADUser -Filter * -properties memberof | Where-Object {!($_.memberof -like "*permanent*")} | measure

    Count    : 24

    • Marked as answer by octavmarius Friday, July 27, 2012 1:10 PM
    Friday, July 27, 2012 1:10 PM
  • When you are testing an array or collection of values, -notlike is NOT the opposite of -like! Try this instead:

    Get-ADUser -Filter * -properties memberof | Where-Object {-not ($_.memberof -like "*permanent*")} | measure

    Of course, this is not efficient in large environments because it first has to get ALL users from AD and then filter them on the client. Better to filter on the server side, if you know the full distinguishedname of the group:

    Get-ADUser -Filter "-not (memberOf -eq 'CN=MyPermanentGroup,CN=Users,DC=Fabrikam,DC=com')" | measure

    Regards,

    Arnoud

    • Proposed as answer by Bigteddy Friday, July 27, 2012 1:37 PM
    • Marked as answer by octavmarius Friday, July 27, 2012 1:37 PM
    • Unmarked as answer by octavmarius Friday, July 27, 2012 1:54 PM
    Friday, July 27, 2012 1:22 PM
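
Added example, not part of the thread: with an array on the left, -like and -notlike each return the elements that satisfy the operator, so -notlike is truthy for any user who has at least one non-matching group. The user names and group DNs below are constructed sample data standing in for Get-ADUser output.

```powershell
# Constructed sample data: each MemberOf value is an array of group DNs,
# shaped like the memberOf property that Get-ADUser returns.
$users = @(
    [pscustomobject]@{ Name = 'alice'; MemberOf = @(
        'CN=Permanent Staff,OU=Groups,DC=example,DC=com',
        'CN=VPN Users,OU=Groups,DC=example,DC=com') }
    [pscustomobject]@{ Name = 'bob';   MemberOf = @('CN=VPN Users,OU=Groups,DC=example,DC=com') }
    [pscustomobject]@{ Name = 'carol'; MemberOf = @() }   # no explicit group memberships
)

# For every user, show what each operator returns and how Where-Object
# would interpret that result when it converts it to a Boolean.
$users | ForEach-Object {
    $like    = @($_.MemberOf -like    '*permanent*')   # elements that match
    $notLike = @($_.MemberOf -notlike '*permanent*')   # elements that do not match
    [pscustomobject]@{
        Name            = $_.Name
        LikeHits        = $like.Count
        NotLikeHits     = $notLike.Count
        # Truthiness of the raw -notlike result (the question's first command)
        PassesNotLike   = [bool]($_.MemberOf -notlike '*permanent*')
        # Negation of the -like result (the form from the answers)
        PassesNotOfLike = (-not ($_.MemberOf -like '*permanent*'))
    }
} | Format-Table -AutoSize

# The negated -like filter applied to the sample data: only users with no
# group DN matching the pattern are returned.
$users |
    Where-Object { -not ($_.MemberOf -like '*permanent*') } |
    Select-Object -ExpandProperty Name
```

Compare the PassesNotLike and PassesNotOfLike columns for the user who belongs to both a matching and a non-matching group, and for the user whose MemberOf is empty.
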
  • got the answer from a colleague:

    Get-ADUser -Filter * -properties memberof | Where-Object {!($_.memberof -like "*permanent*")} | measure

    Count    : 24


    It seems so obvious now!  Of course!

    Grant Ward, a.k.a. Bigteddy

    Friday, July 27, 2012 1:37 PM
  • When you are testing an array or collection of values, -notlike is NOT the opposite of -like! Try this instead:

    Get-ADUser -Filter * -properties memberof | Where-Object {-not ($_.memberof -like "*permanent*")} | measure

    Of course, this is not efficient in large environments because it first has to get ALL users from AD and then filter them on the client. Better to filter on the server side, if you know the full distinguishedname of the group:

    Get-ADUser -Filter "-not (memberOf -eq 'CN=MyPermanentGroup,CN=Users,DC=Fabrikam,DC=com')" | measure

    Regards,

    Arnoud

    Get-ADUser -Filter "-not (memberOf -like 'CN=Permanent*')" | measure

    somehow filtering on the server is not working; maybe because I need to use the "*" wildcard character in order to catch all my groups that have a name that starts with "Permanent*"

    Friday, July 27, 2012 1:59 PM
  • It seems like you have to put the FQDN of the group in the -Filter.  Wildcards do not seem to work.

    Grant Ward, a.k.a. Bigteddy

    Friday, July 27, 2012 3:21 PM
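
Added example, not part of the thread: memberOf stores distinguished names, and LDAP does not do substring matching on DN-valued attributes, so the wildcard has to be resolved against the group name first and the resulting DNs placed in the user filter. ConvertTo-LdapFilterValue and New-NotMemberOfFilter are hypothetical helper names, and the sample DNs are constructed.

```powershell
# Hypothetical helper (not an ActiveDirectory module cmdlet): escape a value for
# use inside an LDAP search filter (RFC 4515). The backslash is handled first so
# the escapes added afterwards are not escaped a second time.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Hypothetical helper: build "user AND NOT memberOf=dn1 AND NOT memberOf=dn2 ...".
function New-NotMemberOfFilter {
    param([Parameter(Mandatory)][string[]]$GroupDN)
    $clauses = foreach ($dn in $GroupDN) {
        '(!(memberOf={0}))' -f (ConvertTo-LdapFilterValue -Value $dn)
    }
    '(&(objectCategory=person)(objectClass=user){0})' -f ($clauses -join '')
}

# Constructed DNs; the second contains characters that need escaping in a filter.
$sample = @(
    'CN=Permanent Staff,OU=Groups,DC=example,DC=com',
    'CN=Permanent (Night Shift),OU=Groups,DC=example,DC=com'
)
New-NotMemberOfFilter -GroupDN $sample

# Against a live directory (runs only where the ActiveDirectory module is loaded):
if (Get-Command Get-ADGroup -ErrorAction SilentlyContinue) {
    # 1. Wildcards work on the group's Name attribute, so resolve the DNs here.
    $dns = Get-ADGroup -Filter "Name -like 'Permanent*'" |
        Select-Object -ExpandProperty DistinguishedName
    # 2. Let the domain controller do the exclusion instead of the client.
    if ($dns) {
        Get-ADUser -LDAPFilter (New-NotMemberOfFilter -GroupDN $dns) | Measure-Object
    }
}
```

memberOf lists direct memberships only and does not include the user's primary group, so nested or primary-group membership in a "Permanent" group is not excluded by this filter.
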
  • Cheers Grant - your code worked for me and I'm also glad of the explanation re .memberof - was puzzled for a while till I saw this

    Carl Barrett | Twitter: @Mosquat

    Wednesday, July 31, 2013 9:53 AM