Correcting and querying AD group membership

This topic contains 3 replies, has 2 voices, and was last updated by  Art Beane 4 years, 11 months ago.

  • #7847


    Hi Folks,

    Here's one....

    We've recently created a whole bunch of new AD groups, whose names all start with 'ROLE-G...' There are 27 of these groups and they are the only groups that start with 'ROLE-G'.

    Every user in the domain should belong to one (and strictly no more than one) of these groups.

    I need to do a couple of searches in order to:

    1. Identify users who have not yet been added to a 'ROLE-G' group.
    2. Identify users who have accidentally been added to more than one 'ROLE-G' group.

    For the first search, I've tried:

    Get-ADUser -f * -properties * | Where-Object {$_.memberof -notcontains '*ROLE-G*'}

    No luck with that. It still returns users that are members of groups beginning with 'ROLE-G'.

    I've used various comparison operators (i.e. -notcontains, -notlike) and still not having any luck.

    I have no idea how to tackle the second search!

  • #7848

    Art Beane

    Try this:

    # Pull only the MemberOf attribute rather than every property
    foreach ($u in (Get-ADUser -Filter * -Properties MemberOf)) {
        # Keep only group DNs whose CN starts with ROLE-G
        $b = @($u.MemberOf | Where-Object {$_ -match "^CN=ROLE-G"})
        switch ($b.Count) {
            0 {"$($u.Name) does not belong to the ROLE-G group"; break}
            1 {break}
            default {"$($u.Name) belongs to $($b.Count) ROLE-G groups"}
        }
    }

    (Sorry, can't figure out how to make the formatting work.)
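
An added example, not part of the original posts: the same count-per-user check written to return objects for reporting, followed by the operator behaviour that makes the `-notcontains '*ROLE-G*'` filter in the question exclude nobody. The function name `Get-RoleGroupAudit`, the sample users and the `example.com` DNs are constructed for illustration; in a real domain the input would come from `Get-ADUser -Filter * -Properties MemberOf`.

```powershell
# Constructed sample data standing in for: Get-ADUser -Filter * -Properties MemberOf
$base  = 'OU=Groups,DC=example,DC=com'   # made-up DN suffix
$users = @(
    [pscustomobject]@{ Name = 'alice'; MemberOf = @("CN=ROLE-G-Finance,$base", "CN=VPN-Users,$base") }
    [pscustomobject]@{ Name = 'bob';   MemberOf = @("CN=VPN-Users,$base") }
    [pscustomobject]@{ Name = 'carol'; MemberOf = @("CN=ROLE-G-Finance,$base", "CN=ROLE-G-HR,$base") }
    [pscustomobject]@{ Name = 'dave';  MemberOf = @() }
    # Contains "ROLE-G" but does not start with it, so it must not count
    [pscustomobject]@{ Name = 'erin';  MemberOf = @("CN=OLD-ROLE-G-Archive,$base") }
)

# Hypothetical helper: classifies each user by number of ROLE-G memberships
function Get-RoleGroupAudit {
    param(
        [Parameter(Mandatory)] [object[]] $User,
        [string] $Prefix = 'ROLE-G'
    )
    # Anchor on the start of the DN so only groups whose CN begins with the prefix count
    $pattern = '^CN=' + [regex]::Escape($Prefix)
    foreach ($u in $User) {
        $roles  = @($u.MemberOf | Where-Object { $_ -match $pattern })
        $status = switch ($roles.Count) { 0 { 'Missing' } 1 { 'OK' } default { 'Multiple' } }
        [pscustomobject]@{ Name = $u.Name; Status = $status; RoleGroups = $roles -join '; ' }
    }
}

# Users that break the "exactly one ROLE-G group" rule
Get-RoleGroupAudit -User $users | Where-Object Status -ne 'OK' | Format-Table -AutoSize

# Why the filter in the question excludes nobody, using alice (who is in a ROLE-G group):
$m = $users[0].MemberOf
# -notcontains compares each element for exact equality; '*' is not a wildcard here
$m -notcontains '*ROLE-G*'
# On an array, -notlike returns the elements that do NOT match, so any other group makes it truthy
[bool]($m -notlike '*ROLE-G*')
# A working test for "no ROLE-G membership": the filtered list is empty
@($m -like 'CN=ROLE-G*').Count -eq 0
```

MemberOf holds direct memberships only, so a user who reaches a ROLE-G group through a nested group is reported as Missing.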

  • #7977



    You are an absolute LEGEND!

    I can't thank you enough. That script did both tasks perfectly on the first try! (I was expecting to need at least two separate scripts and multiple replies to the thread and having to to-and-fro several times!).

    It's done exactly what I needed and you've saved me an enormous amount of work.

    Thanks again.


  • #8001

    Art Beane

    [blush /]

