Find Users NOT in a Group

This topic contains 6 replies, has 5 voices, and was last updated by Bob McCoy 2 years, 4 months ago.

  • #36425

    Jdominioni .


    Somehow, some way, a user ended up not in the "Domain Users" group and it caused some problems, so I'm trying to find any other user from a particular OU who is not in "Domain Users."

    I thought this would work:

    $DomUserDN = (get-adgroup 'Domain Users').distinguishedname
    $problems = get-aduser -properties MemberOf -SearchBase "OU=Users,OU=MySite,DC=Domain,DC=com" -LDAPFilter "(!(memberof=$DomUserDN))"
    $problems = get-aduser -properties memberof -SearchBase "OU=Users,OU=MySite,DC=Domain,DC=com" -Filter {(memberOf -ne $DomUserDN)}

    However, it still includes a bunch of users that are actually in "Domain Users," but not every user. The result is consistent; the same 'wrong' results come out each time.

    What I think is going on is MemberOf returns a truncated list of each user's groups, at least if one just does a Get-ADUser at the command prompt. To get the full list I can pipe the Get-ADUser to Select -ExpandProperty, but that just spits out a list of strings.

    Any advice would be appreciated. There's a parallel approach using Compare-Object I'm working on, but it's annoying me that this doesn't work the way I expected it to. =)

  • #36426

    Justin King

    I don't like the "filter" of get-aduser .... actually to be completely honest I don't like the behavior of get-aduser at all ... it's always felt contrary compared to other/newer functions. Because of this I tend to pipe it to where-object for filtering as it works more predictably for me.

    That and make sure you're using get-adgroupmember .... not group 🙂
    So ...

    $groupmembers = get-adgroupmember "Domain Users"
    get-aduser -filter * -properties * | where-object {$groupmembers.distinguishedname -notcontains $_.distinguishedname}
  • #36427

    Jeremy Murrah

    I'm not sure if it's on purpose or not, but the memberof property omits the "primary group". So you could probably merge the PrimaryGroup property with the memberof property to get a complete list, but Justin's method of looking at it from the group's perspective seems to be the most reliable way of doing it.

  • #36428

    Justin King

    I've got it stuck in my head (so I could be wrong) that "memberof" is just a cache for performance and not actually "used" (at least not an attribute any security query will ever use), and thus it doesn't include the primary group because that already exists in another attribute. Again ... lots of stuff rattling up stairs so I may be completely wrong.

  • #36438

    Dan Potter

    look at the primarygroup attribute.

  • #36442

    Jdominioni .

    I appreciate the comments.

    For whatever reason at this place, "Domain Users" is not the primary group for a bunch of folks, and because of the way PrimaryGroup and MemberOf work, this is an incorrect approach to this.

    The Compare-Object approach worked for me after getting around the limit inherent to Get-ADGroupMember.

  • #36445

    Bob McCoy

    You could do something like this ...

    $ou = "OU=Users,OU=MyOu,DC=MyCompany,DC=local"
    $users = Get-ADUser -Filter {Enabled -eq $true} -SearchBase $ou -Properties MemberOf, PrimaryGroup
    $dugDn = (Get-ADGroup "Domain Users").DistinguishedName
    foreach ($user in $users) {
        Write-Verbose "Working on $($user.Name)"
        # MemberOf omits the primary group, so append PrimaryGroup to the list.
        # @() + ... keeps a flat array instead of nesting the MemberOf collection,
        # which -notin would otherwise fail to search.
        $groups = @($user.MemberOf) + $user.PrimaryGroup
        if ($dugDn -notin $groups) {
            Write-Error -Message "$($user.SamAccountName) not in the domain users group"
        }
    }
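The thread's two findings (memberOf never lists the primary group, and Get-ADGroupMember has a result cap) can be combined into a single server-side LDAP query that checks both attributes. This is an added example, not code from any poster; the OU path is a placeholder and the function name is my own.

```powershell
# Added example: list users in an OU that are in a group neither via memberOf
# nor via primaryGroupID. Avoids Get-ADGroupMember's member limit entirely.
Import-Module ActiveDirectory

function Get-UsersNotInGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $SearchBase
    )

    $group = Get-ADGroup -Identity $GroupName
    $dn    = $group.DistinguishedName
    # primaryGroupID stores only the group's RID (the last SID component);
    # for the built-in "Domain Users" group this is 513.
    $rid   = $group.SID.Value.Split('-')[-1]

    # Escape characters that are special in LDAP filter values (RFC 4515)
    # so a DN containing "\", "(", ")" or "*" cannot break or widen the filter.
    # Backslash must be replaced first.
    $escapedDn = $dn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'

    # memberOf omits the primary group, so a user is "not a member" only when
    # BOTH the memberOf link and the primaryGroupID pointer are absent.
    $ldap = "(&(objectCategory=person)(objectClass=user)" +
            "(!(memberOf=$escapedDn))(!(primaryGroupID=$rid)))"

    Get-ADUser -LDAPFilter $ldap -SearchBase $SearchBase -Properties primaryGroupID |
        Select-Object SamAccountName, DistinguishedName, primaryGroupID
}

# Usage (placeholder OU path; replace with your own):
Get-UsersNotInGroup -GroupName 'Domain Users' -SearchBase 'OU=Users,OU=MySite,DC=Domain,DC=com'
```

Because the filter is evaluated by the domain controller, the result is complete regardless of how many members the group has, and the returned primaryGroupID shows which group each flagged account actually defaults to.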

You must be logged in to reply to this topic.