AD user properties and group membership check combined

    • #225705


      I have a script that gets AD user properties for new users, formats them in an HTML table and sends them out by email. I would like to add an extra property/column to the results which lists whether the user is a member of a particular group.

      Here’s the basic part of the script

      $When = ((Get-Date).AddDays(-14)).Date
      $NewAccounts=Get-ADUser -Filter {whenCreated -ge $When} -Properties *|convertTo-html name,department,description -head $style

      Then I was trying various combinations of the following:

      $members=Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty Name
      $user=$newaccounts|select name
      if ($members -contains $user) {$contained=$True}
      else {$contained=$false}
      $newAccounts|select-object @{Name="Member of Groupname";Expression={$contained}},@{Name="Name";Expression={$_."name"}},@{Name="Department";Expression={$_."department"}},@{Name="description";Expression={$_."description"}}

      I also tried the if statement like so:

      $newAccounts|%{if ($members -contains $user) {$contained=$True} else {$contained=$false}}|select-object @{Name="Member of Groupname";Expression={$contained}},@{Name="Name";Expression={$_."name"}},@{Name="Department";Expression={$_."department"}},@{Name="description";Expression={$_."description"}}

      Any ideas would be appreciated.

    • #225732

      Please use the PRE tags for posting code. Rather than get Properties *, specify what you want to get; it will be much faster to only return what you need. User objects have a MemberOf property that contains the DN of group memberships, so you can use LIKE for a wildcard search or CONTAINS with a full DN to match, but it would be something like this:

      $NewAccounts = Get-ADUser -Filter {whenCreated -ge $When} -Properties Name,Department,Description,MemberOf |
                     Select Name, Department, Description, @{Name='InXGroup';Expression={[boolean]($_.MemberOf -like 'CN=GroupX*')}} |
                     ConvertTo-Html name,department,description,InXGroup -head $style
    • #225738

      So, the good news is, I think you’ve just overthought the problem.

      Let’s say you’re checking to see if new accounts are members of the administrators group – here’s how I would do it:

      #Reusing your Get-Date information
      $When = ((Get-date).adddays(-14)).date
      # Getting all users created after the date in $when, and only grabbing the extra properties we need
      $Users = Get-ADUser -f {whenCreated -ge $when} -Properties Description,Department,MemberOf
      # Getting the Group I want to check against, since I don't want to hard-code the DistinguishedName
      $Group = Get-ADGroup -Identity "Administrators"
      # Grabbing only the properties we want, and creating the new property on the fly:
      # each object will take the list it has for the MemberOf property, and check if it contains an entry for the
      # Group you're looking for (in this case, the administrators group). 'MemberOf' contains the distinguished names
      # of the groups it's a member of, so we see if the group's distinguished name appears in that list. The comparison
      # will return a simple True or False.
      $Users | Select-Object Name,Department,Description,@{name="IsAdminMember";expression={$_.memberof -contains $Group.distinguishedname}}

      I’m noticing your select strings going a little funky towards the end. You only need to use the Select -property @{n="";e={}} format when you’re doing something PowerShell won’t automatically figure out. Just selecting Name,Department,Description would work fine.

    • #225741

      Ig, welcome to Please take a moment and read the very first post on top of the list of this forum: Read Me Before Posting! You’ll be Glad You Did!.

      When you post code or error messages or sample data or console output, format it as code, please.
      In the “Text” view you can use the code tags “PRE“, in the “Visual” view you can use the format template “Preformatted“. You can go back, edit your post and fix the formatting – you don’t have to create a new one.
      Thanks in advance.

      That’s actually all you need:

      $When = ((Get-Date).AddDays(-14)).Date
      $GroupName = 'Groupname'
      $NewAccounts = Get-ADUser -Filter { whenCreated -ge $When } -Properties department, description, memberOf |
          Select-Object -Property name, department, description,
              @{
                  Name = "Member Of $GroupName";
                  Expression = {if($_.MemberOf -match "CN=$GroupName") {$true}else {$false}}
              } |
          convertTo-html -head $style
    • #225759

      Thank you all very much! It turned out to be so simple.
      Sorry for not including the Pre tags, I was just breaking my head trying to figure out this script. I edited the original post to include them.

      Rob’s answer is probably the simplest, while Olaf’s solves it from the direction I was trying to tackle it, using If statements. Mitch’s answer is somewhere in between Rob’s and Olaf’s. All of these work great!
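
Added example, not part of the thread or any poster's code: the answers test each user's MemberOf attribute, which lists direct memberships only, while the original attempt used Get-ADGroupMember -Recursive. This sketch reports both per user by comparing full distinguished names, which matters when the report is used to spot new accounts that reach a privileged group through nesting. 'Groupname' and the $style value are placeholders.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module
# and PowerShell 5 or later for the ::new() syntax.
Import-Module ActiveDirectory

$When      = (Get-Date).AddDays(-14).Date
$GroupName = 'Groupname'   # placeholder: the group to audit
# Placeholder stand-in for the $style variable used in the original script.
$style     = '<style>table,th,td{border:1px solid #999;border-collapse:collapse}</style>'

# Resolve the group once so every comparison uses its exact distinguished
# name instead of a partial match on the CN.
$Group = Get-ADGroup -Identity $GroupName

# Effective members (nested groups expanded), stored by DN for fast,
# case-insensitive lookup.
$Effective = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
Get-ADGroupMember -Identity $Group -Recursive |
    ForEach-Object { [void]$Effective.Add($_.DistinguishedName) }

# The calculated properties run once per user, so $_ is the current account.
# This per-object evaluation is what the single $contained variable in the
# original attempt could not provide.
$Report = Get-ADUser -Filter { whenCreated -ge $When } `
                     -Properties Department, Description, MemberOf |
    Select-Object Name, Department, Description,
        @{ Name       = "Direct member of $GroupName"
           Expression = { $_.MemberOf -contains $Group.DistinguishedName } },
        @{ Name       = "Effective member of $GroupName"
           Expression = { $Effective.Contains($_.DistinguishedName) } }

$NewAccounts = $Report | ConvertTo-Html -Head $style
```

A row where the direct column is False and the effective column is True is an account that gets the group's rights through a nested group.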
