failing ldapfilter in AD lookup

  • #179988


    OK, I'm having issues with an LDAPFilter using Get-ADUser or Get-ADComputer. The filter is:

    -LDAPFilter "(!memberOf=$ComputersGroup)"

    But no matter what I do the script always finds existing members.

    Basically I took this script and modified it to be my own:

    Active Directory Shadow Groups: How To Automatically Add OU Users To Security Groups

    #Get-ADGroupMember -Identity $ShadowGroup | Where-Object {$_.DistinguishedName -NotMatch $OU} | ForEach-Object {Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $ShadowGroup -Confirm:$false}
    Get-ADUser -SearchBase $OU -SearchScope OneLevel -LDAPFilter "(!memberOf=$ShadowGroup)" | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $ShadowGroup}

    Here is an example of a portion of the script:

    $ADLocations = Import-Csv "C:\Scripts\ADAutomation\Sites.csv"
    foreach ($ADLocation in $ADLocations) {
        # ==========================================================================
        # Site
        # ------------------------------------------
        $GroupU = $ADLocation.Location + '-Users'
        $GroupC = $ADLocation.Location + '-Computers'
        # -ExpandProperty gives the DN as a string. Plain 'Select-Object Distinguishedname' returns an
        # object whose string form is '@{Distinguishedname=CN=...}', so "(!memberOf=$ComputersGroup)"
        # never names a real DN and every object in the OU looks like a non-member.
        $ComputersGroup = Get-ADGroup -SearchBase $ADLocation.GroupOU -Filter 'Name -eq $GroupC' | Select-Object -ExpandProperty DistinguishedName
        $UsersGroup = Get-ADGroup -SearchBase $ADLocation.GroupOU -Filter 'Name -eq $GroupU' | Select-Object -ExpandProperty DistinguishedName
        # ------------------------------------------
        # Computer script
        $ltName = $ADLocation.Location + 'lt*'
        $dtName = $ADLocation.Location + 'dt*'
        $vdName = $ADLocation.Location + 'vd*'
        $weName = $ADLocation.Location + 'we*'
        # ------------------------------------------
        # User script
        $loc = '*- ' + $ADLocation.Location
        # ------------------------------------------
        # -Server takes the site's DC from the CSV (the 'serv' column used later in this thread);
        # the negation is written in full LDAP form (!(attr=value)).
        Get-ADComputer -SearchBase $ADLocation.OU -LDAPFilter "(!(memberOf=$ComputersGroup))" -Server $ADLocation.serv | Where-Object {$_.Name -like $ltName -or $_.Name -like $dtName -or $_.Name -like $vdName -or $_.Name -like $weName} | Export-Csv -Append -Path C:\Scripts\ADAutomation\pc.csv -NoTypeInformation
        Get-ADUser -SearchBase $ADLocation.OU -LDAPFilter "(!(memberOf=$UsersGroup))" -Properties memberOf, Office -Server $ADLocation.serv | Where-Object {$_.Office -like $loc -and $_.Enabled -eq $true} | Export-Csv -Append -Path C:\Scripts\ADAutomation\user.csv -NoTypeInformation
        #Get-ADComputer -SearchBase $ADLocation.OU -LDAPFilter "(!(memberOf=$ComputersGroup))" -Server $ADLocation.serv | Where-Object {$_.Name -like $ltName -or $_.Name -like $dtName -or $_.Name -like $vdName -or $_.Name -like $weName} | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $ComputersGroup}
        #Get-ADUser -SearchBase $ADLocation.OU -LDAPFilter "(!(memberOf=$UsersGroup))" -Properties Office -Server $ADLocation.serv | Where-Object {$_.Office -like $loc -and $_.Enabled -eq $true} | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $UsersGroup}
        # ==========================================================================
    }

    I would like to reduce some of the processing and errors by not running through ALL the systems every time. If I can just do the ones that need to be added, I think the script will speed up significantly.

  • #180171


    I'm thinking of using some code from a different script to fix (eliminate) the LDAPFilter and use another Where-Object filter.

    One other thought: it seems like I could also gain some efficiency by removing the foreach from the end of the command and using Add-ADGroupMember.

    Any thoughts...

  • #180186


    Not one-line pretty, but what do you think of adding this?

    A function to get proper memberships because of the multiple-domain lookup:

    Function Get-ADGroupMemberFix {
        [CmdletBinding()]
        param (
            [Parameter(
                Mandatory = $true,
                ValueFromPipeline = $true,
                ValueFromPipelineByPropertyName = $true,
                Position = 0
            )]
            [string[]]$Identity,
            # DC to resolve member DNs against; the -Server value used in the post was not preserved
            [string]$Server
        )
        process {
            foreach ($GroupIdentity in $Identity) {
                $Group = Get-ADGroup -Identity $GroupIdentity -Properties Member
                if (-not $Group) { continue }
                $srv = @{}; if ($Server) { $srv.Server = $Server }
                # Resolve each member DN directly instead of via Get-ADGroupMember, which fails on cross-domain members
                foreach ($Member in $Group.Member) {
                    Get-ADObject -Identity $Member @srv
                }
            }
        }
    }

    Then get the members into a variable:

    $GroupU = $ADLocation.Location + '-Users'
    $GroupC = $ADLocation.Location + '-Computers'
    $ComputersGroup = Get-ADGroup -SearchBase $ADLocation.GroupOU -Filter 'Name -eq $GroupC' -Properties Name, DistinguishedName | Select-Object Name, DistinguishedName
    $existCompGroupMembers = Get-ADGroupMemberFix $ComputersGroup.DistinguishedName -Server $ADLocation.serv
    $UsersGroup = Get-ADGroup -SearchBase $ADLocation.GroupOU -Filter 'Name -eq $GroupU' -Properties Name, DistinguishedName | Select-Object Name, DistinguishedName
    $existUserGroupMembers = Get-ADGroupMemberFix $UsersGroup.DistinguishedName -Server $ADLocation.serv

    Then examine the data to end up with a final add command:

    #Get-ADComputer -SearchBase $ADLocation.OU -LDAPFilter "(!memberOf=$ComputersGroup)" -Server $ADLocation.serv | Where-Object {$_.Name -like $ltName -or $_.Name -like $dtName -or $_.Name -like $vdName -or $_.Name -like $weName} | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $ComputersGroup -Server $ADLocation.serv}
    # Set difference on ObjectGUID: everything enabled in the OU minus what is already in the group
    $Comps = Get-ADComputer -SearchBase $ADLocation.OU -Filter 'Enabled -eq $true' -Server $ADLocation.serv | Where-Object {$_.ObjectGUID -notin $existCompGroupMembers.ObjectGUID}
    $Comps2 = $Comps | Where-Object {$_.Name -like $ltName -or $_.Name -like $dtName -or $_.Name -like $vdName -or $_.Name -like $weName}
    #$Comps2 | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $ComputersGroup -Server $ADLocation.serv}
    $Comps2 | Export-Csv -NoTypeInformation -Append -Path $coutlog
    Add-ADGroupMember $ComputersGroup.DistinguishedName -Members $Comps2 -Server $ADLocation.serv -ErrorAction SilentlyContinue
    #Get-ADUser -SearchBase $ADLocation.OU -LDAPFilter "(!memberOf=$UsersGroup)" -Properties Office -Server $ADLocation.serv | Where-Object {$_.Office -like $loc -and $_.Enabled -eq $true} | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $UsersGroup -Server $ADLocation.serv}
    # Office is not a default property, so it has to be requested for the filter below
    $Users = Get-ADUser -SearchBase $ADLocation.OU -Filter 'Enabled -eq $true' -Properties Office -Server $ADLocation.serv | Where-Object {$_.ObjectGUID -notin $existUserGroupMembers.ObjectGUID}
    # Users are matched on Office (as in the commented line above), not on the computer-name patterns
    $Users2 = $Users | Where-Object {$_.Office -like $loc}
    $Users2 | Export-Csv -NoTypeInformation -Append -Path $uoutlog
    #$Users2 | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $UsersGroup -Server $ADLocation.serv}
    Add-ADGroupMember $UsersGroup.DistinguishedName -Members $Users2 -Server $ADLocation.serv -ErrorAction SilentlyContinue

    Again, not as pretty because it is not in one line, and a lot of work for what sounds like it should be a working LDAPFilter. Does anyone see anything glaring before I put this into test? I had to make a few updates from my last post, so just edit the code. One thing I really do not like is that if there are no members to add I get something like 300 errors saying null, so I have put in -ErrorAction SilentlyContinue, but it would be better to create an if statement to not even do the add if it is null. Maybe someday I will work on that.
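The thread turns on two things: the group DN has to reach the filter as a plain string (Select-Object without -ExpandProperty hands the filter an object, so every account looks like a non-member), and the add has to be skipped when the candidate list is empty. The script below is an added example, not the poster's code and not the shadow-group article's. It assumes the Sites.csv columns the thread uses (Location, OU, GroupOU, serv), the ActiveDirectory module, and a log directory that is an assumption here. It goes a little beyond the thread: the DN is escaped per RFC 4515 before interpolation so a group name containing ( ) * or \ cannot change the filter, the disabled check is pushed into the LDAP query, and -WhatIf is honoured so the add can be rehearsed.

```powershell
# Added example, not the poster's script: one pass over Sites.csv that builds the
# negated-memberOf filter correctly, lets the DC return only non-members, and skips
# the add when there is nothing to add. Assumed: the CSV columns the thread uses
# (Location, OU, GroupOU, serv), the ActiveDirectory module, and the log paths below.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SitesCsv = 'C:\Scripts\ADAutomation\Sites.csv',   # path from the thread
    [string]$LogDir   = 'C:\Scripts\ADAutomation'              # assumed log location
)
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: a DN containing \ ( ) or * must not be able to alter the filter
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Get-GroupDN {
    param([string]$Name, [string]$SearchBase, [string]$Server)
    # -ExpandProperty returns the DN *string*. Plain 'Select-Object DistinguishedName'
    # returns an object whose string form is '@{DistinguishedName=...}', so a filter of
    # "(!memberOf=$Group)" never names a real DN and every object looks like a non-member.
    Get-ADGroup -Filter 'Name -eq $Name' -SearchBase $SearchBase -Server $Server |
        Select-Object -First 1 -ExpandProperty DistinguishedName
}

function Get-MissingMembers {
    param(
        [string]$GroupDN, [string]$SearchBase, [string]$Server,
        [string]$ClassFilter, [string[]]$Properties, [scriptblock]$Where
    )
    $dn = ConvertTo-LdapFilterValue $GroupDN
    # Enabled objects of the wanted class that are NOT direct members of the group.
    # userAccountControl bit 2 = ACCOUNTDISABLE; memberOf covers direct membership only.
    $filter = "(&$ClassFilter(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(memberOf=$dn)))"
    Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase -Server $Server -Properties $Properties |
        Where-Object $Where
}

function Add-MissingMembers {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$GroupDN, [object[]]$Members, [string]$Server, [string]$LogPath)
    # Returning here is what avoids the flood of null-binding errors when nothing needs adding
    if (-not $Members) { Write-Verbose "Nothing to add to $GroupDN"; return }
    $Members | Select-Object Name, DistinguishedName |
        Export-Csv -Append -NoTypeInformation -Path $LogPath
    if ($PSCmdlet.ShouldProcess($GroupDN, "Add $($Members.Count) member(s)")) {
        Add-ADGroupMember -Identity $GroupDN -Members $Members.DistinguishedName -Server $Server
    }
}

foreach ($site in Import-Csv $SitesCsv) {
    $loc = $site.Location
    $compGroup = Get-GroupDN -Name "$loc-Computers" -SearchBase $site.GroupOU -Server $site.serv
    $userGroup = Get-GroupDN -Name "$loc-Users"     -SearchBase $site.GroupOU -Server $site.serv
    if (-not $compGroup -or -not $userGroup) { Write-Warning "Shadow group(s) missing for $loc"; continue }

    # Computer naming patterns from the thread; GetNewClosure pins $pcPatterns/$loc into the predicate
    $pcPatterns = "${loc}lt*", "${loc}dt*", "${loc}vd*", "${loc}we*"
    $pcWhere = { $n = $_.Name; [bool]($pcPatterns | Where-Object { $n -like $_ }) }.GetNewClosure()
    $comps = Get-MissingMembers -GroupDN $compGroup -SearchBase $site.OU -Server $site.serv `
        -ClassFilter '(objectClass=computer)' -Properties Name -Where $pcWhere
    Add-MissingMembers -GroupDN $compGroup -Members $comps -Server $site.serv -LogPath "$LogDir\pc.csv"

    # Users are matched on the Office attribute ("*- <Location>"), as in the thread
    $userWhere = { $_.physicalDeliveryOfficeName -like "*- $loc" }.GetNewClosure()
    $users = Get-MissingMembers -GroupDN $userGroup -SearchBase $site.OU -Server $site.serv `
        -ClassFilter '(objectCategory=person)(objectClass=user)' -Properties physicalDeliveryOfficeName -Where $userWhere
    Add-MissingMembers -GroupDN $userGroup -Members $users -Server $site.serv -LogPath "$LogDir\user.csv"
}
```

Run it first with -WhatIf -Verbose: the log CSVs fill with what would be added and the ShouldProcess messages name each group, while nothing in AD changes. Because the DC evaluates the (!(memberOf=...)) clause, the script only ever touches the objects that are actually missing from the group, which is the speed-up the first post asks for; objects that are members only through nested groups will still be returned, since memberOf records direct membership only.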
