failing ldapfilter in AD lookup


    • #179988

      Ok, I'm having issues with an LDAP filter using Get-ADUser or Get-ADComputer. The filter is:

      -LDAPFilter "(!memberOf=$ComputersGroup)"

      But no matter what I do the script always finds existing members.

      Basically I took this script and modified it to be my own:

      Active Directory Shadow Groups: How To Automatically Add OU Users To Security Groups

      $OU="OU=TheOUName,DC=yourdomain,DC=com"
      $ShadowGroup="CN=ShadowGroupName,OU=TheOUName,DC=yourdomain,DC=com"
      #Get-ADGroupMember -Identity $ShadowGroup | Where-Object {$_.distinguishedName -NotMatch $OU} | ForEach-Object {Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $ShadowGroup -Confirm:$false}

      Get-ADUser -SearchBase $OU -SearchScope OneLevel -LDAPFilter "(!memberOf=$ShadowGroup)" | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $ShadowGroup}

      Here is an example of a portion of the script:

      $ADLocations = Import-Csv "C:\Scripts\ADAutomation\Sites.csv"

      foreach ($ADLocation in $ADLocations)
      {
      # ==========================================================================
      # Site
      # ------------------------------------------
      $GroupU = $ADLocation.Location +'-Users'
      $GroupC = $ADLocation.Location +'-Computers'
      # -ExpandProperty yields the DN as a string. A plain "Select-Object DistinguishedName"
      # returns an object, which expands to "@{Distinguishedname=CN=...}" inside the filter
      # string below, and that is never a valid DN, so the NOT clause excludes nothing.
      $ComputersGroup = Get-ADGroup -SearchBase $ADLocation.GroupOU -Filter 'name -eq $GroupC' | Select-Object -ExpandProperty DistinguishedName
      $UsersGroup = Get-ADGroup -SearchBase $ADLocation.GroupOU -Filter 'name -eq $GroupU' | Select-Object -ExpandProperty DistinguishedName
      # ------------------------------------------
      # Computer script: name patterns per device type
      $ltName = $ADLocation.Location +'lt*'
      $dtName = $ADLocation.Location +'dt*'
      $vdName = $ADLocation.Location +'vd*'
      $weName = $ADLocation.Location +'we*'
      # ------------------------------------------
      # User script: Office attribute pattern for this location
      $loc =  '*- ' + $ADLocation.Location
      # ------------------------------------------
      Get-ADComputer -SearchBase $ADLocation.OU -LDAPFilter "(!memberOf=$ComputersGroup)" -Server server1.Domain.com:3268 | Where-Object {$_.name -like $ltName -or $_.name -like $dtName -or $_.name -like $vdName -or $_.name -like $weName} | Export-Csv -Append -Path C:\Scripts\ADAutomation\pc.csv -NoTypeInformation
      Get-ADUser -SearchBase $ADLocation.OU -LDAPFilter "(!memberOf=$UsersGroup)" -Properties memberOf, Office -Server server1.Domain.com:3268 | Where-Object {$_.Office -like "$loc" -and $_.Enabled -eq $true} | Export-Csv -Append -Path C:\Scripts\ADAutomation\user.csv -NoTypeInformation

      #Get-ADComputer -SearchBase $ADLocation.OU -LDAPFilter "(!memberOf=$ComputersGroup)" -Server server1.Domain.com:3268 | Where-Object {$_.name -like $ltName -or $_.name -like $dtName -or $_.name -like $vdName -or $_.name -like $weName} | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $ComputersGroup}
      #Get-ADUser -SearchBase $ADLocation.OU -LDAPFilter "(!memberOf=$UsersGroup)" -Properties Office -Server server1.Domain.com:3268 | Where-Object {$_.Office -like "$loc" -and $_.Enabled -eq $true} | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $UsersGroup}
      # ==========================================================================
      }

      I would like to reduce some of the processing and errors by not running through ALL the systems every time. If I can just do the ones that need to be added, I think the script will speed up significantly.
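      An added example (not code from the thread or from the shadow-group article) showing why the interpolated "(!memberOf=$ComputersGroup)" never matched anything and how to build the filter from a properly escaped group DN; the DN and the group object are constructed samples, and ConvertTo-LdapFilterValue and New-NotMemberOfFilter are names chosen here.

```powershell
# Added example, not from the thread: build "(!(memberOf=<DN>))" from a group DN
# escaped per RFC 4515, and show what the original interpolation actually sent.

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside an assertion value so a DN
    # containing "(" or ")" (common in OU names) cannot break or reshape the filter.
    param([Parameter(Mandatory)][string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ([string]$ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function New-NotMemberOfFilter {
    # RFC 4515 form of the NOT filter; AD also accepts the "(!memberOf=...)"
    # spelling used in the thread.
    param([Parameter(Mandatory)][string]$GroupDN)
    '(!(memberOf={0}))' -f (ConvertTo-LdapFilterValue -Value $GroupDN)
}

# Constructed sample: this is the shape "Select-Object DistinguishedName" (without
# -ExpandProperty) returns, i.e. an object with one property, not a string.
$groupObj = [pscustomobject]@{
    DistinguishedName = 'CN=Site1-Computers,OU=Groups (EU),DC=example,DC=com'
}

# What the script in the post sent: the object is stringified as a hashtable-like
# "@{DistinguishedName=...}" literal, which is never a valid DN, so the NOT clause
# excludes nothing and every existing member comes back.
"(!memberOf=$groupObj)"

# What the directory needs: the bare DN string, with the parentheses escaped.
New-NotMemberOfFilter -GroupDN $groupObj.DistinguishedName
```

      Note that when the query goes to port 3268 the memberOf back-link only reflects groups whose member attribute is replicated to the global catalog, which for groups in another domain means universal groups only.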

    • #180171

      I'm thinking of using some code from a different script to fix (eliminate) the LDAP filter and use another Where-Object filter instead.

      One other thought is that it seems like I could gain some efficiency by removing the ForEach-Object from the end of the command and using Add-ADGroupMember.

      Any thoughts...

    • #180186

      Not one-line pretty, but what do you think of adding this?

      A function to get proper memberships because of the multiple-domain lookup:

      Function Get-ADGroupMemberFix {
          # Reads the group's Member attribute directly and resolves each DN through the
          # global catalog, instead of Get-ADGroupMember, which the post found unreliable
          # across domains.
          [CmdletBinding()]
          param(
              [Parameter(
                  Mandatory = $true,
                  ValueFromPipeline = $true,
                  ValueFromPipelineByPropertyName = $true,
                  Position = 0
              )]
              [string[]]
              $Identity
          )
          process {
              foreach ($GroupIdentity in $Identity) {
                  $Group = $null
                  $Group = Get-ADGroup -Identity $GroupIdentity -Properties Member
                  if (-not $Group) {
                      continue
                  }
                  foreach ($Member in $Group.Member) {
                      # objectGUID is part of the GC partial attribute set, so the
                      # returned objects can be compared on it later
                      Get-ADObject -Identity $Member -Server server1.Domain.com:3268
                  }
              }
          }
      }

      Then get the members into a variable:

      $GroupU = $ADLocation.Location +'-Users'
      $GroupC = $ADLocation.Location +'-Computers'
      $ComputersGroup = Get-ADGroup -SearchBase $ADLocation.GroupOU -Filter 'name -eq $GroupC' -Properties Name,DistinguishedName | Select-Object Name,DistinguishedName
      # Pass the DN: -Identity accepts a DN, GUID, SID or sAMAccountName, not the Name attribute
      $existCompGroupMembers = Get-ADGroupMemberFix $ComputersGroup.DistinguishedName
      $UsersGroup = Get-ADGroup -SearchBase $ADLocation.GroupOU -Filter 'name -eq $GroupU' -Properties Name,DistinguishedName | Select-Object Name,DistinguishedName
      $existUserGroupMembers = Get-ADGroupMemberFix $UsersGroup.DistinguishedName

      Then examine the data to end up with a final add command:

      #Get-ADComputer -SearchBase $ADLocation.OU -LDAPFilter "(!memberOf=$ComputersGroup)" -Server server1.Domain.com:3268 | Where-Object {$_.name -like $ltName -or $_.name -like $dtName -or $_.name -like $vdName -or $_.name -like $weName} | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $ComputersGroup -Server $ADLocation.serv}
      # Enabled computers in the OU whose objectGUID is not already among the group's members
      $Comps = Get-ADComputer -SearchBase $ADLocation.OU -Filter 'enabled -eq $true' -Server server1.Domain.com:3268 | Where-Object {$_.objectGUID -notin $existCompGroupMembers.objectGUID}
      $Comps2 = $Comps | Where-Object {$_.name -like $ltName -or $_.name -like $dtName -or $_.name -like $vdName -or $_.name -like $weName}
      #$Comps2 | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $ComputersGroup -Server $ADLocation.serv}
      $Comps2 | Export-Csv -NoTypeInformation -Append -Path $coutlog
      Add-ADGroupMember $ComputersGroup.DistinguishedName -Members $Comps2 -ErrorAction SilentlyContinue
      #Get-ADUser -SearchBase $ADLocation.OU -LDAPFilter "(!memberOf=$UsersGroup)" -Properties Office -Server server1.Domain.com:3268 | Where-Object {$_.Office -like "$loc" -and $_.Enabled -eq $true} | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $UsersGroup -Server $ADLocation.serv}
      # Office is not returned by default, so request it for the location filter below
      $Users = Get-ADUser -SearchBase $ADLocation.OU -Filter 'enabled -eq $true' -Properties Office -Server server1.Domain.com:3268 | Where-Object {$_.objectGUID -notin $existUserGroupMembers.objectGUID}
      # Users are matched on Office (as in the first post), not on the computer name patterns
      $Users2 = $Users | Where-Object {$_.Office -like "$loc"}
      $Users2 | Export-Csv -NoTypeInformation -Append -Path $uoutlog
      #$Users2 | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $UsersGroup -Server $ADLocation.serv}
      Add-ADGroupMember $UsersGroup.DistinguishedName -Members $Users2 -ErrorAction SilentlyContinue


      Again, not as pretty because it is not in one line, and a lot of work for what sounds like it should be a working LDAP filter. Does anyone see anything glaring before I put this into test? I had to make a few updates from my last post, so I just edited the code. One thing I really do not like is that if there are no members to add I get something like 300 errors saying null, so I have put in -ErrorAction SilentlyContinue, but it would be better to create an if statement to not even do the add if it is null. Maybe someday I will work on that.
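      An added example (not from the thread) of the membership difference and the guarded add that the post above says it still wants; Get-ObjectsNotInGroup, Add-MissingMembers and the sample objects are constructed here, and Add-MissingMembers needs the ActiveDirectory module when it is actually called.

```powershell
# Added example, not from the thread: the "still needs adding" step done as a set
# difference on objectGUID, plus a guard so Add-ADGroupMember is only invoked when
# there is something to add. Only the sample data at the bottom runs without a domain.

function Get-ObjectsNotInGroup {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Candidates, # Get-ADComputer/Get-ADUser output
        [AllowNull()][object[]]$ExistingMembers                               # Get-ADGroupMemberFix output
    )
    # Key on objectGUID, not Name: a GC (port 3268) returns objects from every
    # domain in the forest and names are only unique within one domain.
    $known = [System.Collections.Generic.HashSet[guid]]::new()
    foreach ($m in @($ExistingMembers)) {
        if ($null -ne $m -and $null -ne $m.objectGUID) { [void]$known.Add([guid]$m.objectGUID) }
    }
    @($Candidates | Where-Object { -not $known.Contains([guid]$_.objectGUID) })
}

function Add-MissingMembers {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [AllowEmptyCollection()][object[]]$Missing,
        [string]$Server,
        [switch]$WhatIf
    )
    # Skip the call entirely for an empty set instead of silencing the errors
    # Add-ADGroupMember raises for a null -Members.
    if (-not $Missing -or $Missing.Count -eq 0) { return 0 }
    $splat = @{ Identity = $GroupDN; Members = $Missing; WhatIf = $WhatIf }
    if ($Server) { $splat.Server = $Server }
    Add-ADGroupMember @splat
    return $Missing.Count
}

# Constructed sample data standing in for the directory results.
$g1 = [guid]'11111111-1111-1111-1111-111111111111'
$g2 = [guid]'22222222-2222-2222-2222-222222222222'
$g3 = [guid]'33333333-3333-3333-3333-333333333333'
$inOU = @(
    [pscustomobject]@{ Name = 'SITE1LT01'; objectGUID = $g1 },
    [pscustomobject]@{ Name = 'SITE1DT02'; objectGUID = $g2 },
    [pscustomobject]@{ Name = 'SITE1VD03'; objectGUID = $g3 }
)
$already = @([pscustomobject]@{ Name = 'SITE1LT01'; objectGUID = $g1 })

# SITE1LT01 is already a member, so only the other two come back
(Get-ObjectsNotInGroup -Candidates $inOU -ExistingMembers $already).Name
# An empty group (null from Get-ADGroupMemberFix) keeps every candidate
(Get-ObjectsNotInGroup -Candidates $inOU -ExistingMembers $null).Name
```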
