Find Users NOT in a Group

This topic contains 6 replies, has 5 voices, and was last updated by Bob McCoy 1 year, 3 months ago.

  • #36425
    Jdominioni .


    Somehow, some way, a user ended up not in the "Domain Users" group and it caused some problems, so I'm trying to find any other user from a particular OU who is not in "Domain Users."

    I thought this would work:

    $DomUserDN = (get-adgroup 'Domain Users').distinguishedname
    $problems = get-aduser -properties MemberOf -SearchBase "OU=Users,OU=MySite,DC=Domain,DC=com" -LDAPFilter "(!(memberof=$DomUserDN))"
    $problems = get-aduser -properties memberof -SearchBase "OU=Users,OU=MySite,DC=Domain,DC=com" -Filter {(memberOf -ne $DomUserDN)}

    However, it still includes a bunch of users that are actually in "Domain Users," but not every user. The result is consistent; the same 'wrong' results come out each time.

    What I think is going on is MemberOf returns a truncated list of each user's groups, at least if one just does a Get-ADUser at the command prompt. To get the full list I can pipe the Get-ADUser to Select -ExpandProperty, but that just spits out a list of strings.

    Any advice would be appreciated. There's a parallel approach using Compare-Object I'm working on, but it's annoying me that this doesn't work the way I expected it to. =)

  • #36426
    Justin King

    I don't like the "filter" of get-aduser .... actually to be completely honest I don't like the behavior of get-aduser at all ... it's always felt contrary compared to other/newer functions. Because of this I tend to pipe it to where-object for filtering as it works more predictably for me.

    That and make sure you're using get-adgroupmember .... not group 🙂
    So ...

    $groupmembers = get-adgroupmember "Domain Users"
    get-aduser -filter * -properties * | where-object {$groupmembers.distinguishedname -notcontains $_.distinguishedname}

  • #36427
    Jeremy Murrah

    I'm not sure if it's on purpose or not, but the memberof property omits the "primary group". So you could probably merge the PrimaryGroup property with the memberof property to get a complete list, but Justin's method of looking at it from the group's perspective seems to be the most reliable way of doing it.

  • #36428
    Justin King

    I've got it stuck in my head (so I could be wrong) that "memberof" is just a cache for performance and not actually "used" (at least not an attribute any security query will ever use), and thus it doesn't include the primary group because that already exists in another attribute. Again ... lots of stuff rattling around upstairs so I may be completely wrong.

  • #36438
    Dan Potter

    Look at the primarygroup attribute.

  • #36442
    Jdominioni .

    I appreciate the comments.

    For whatever reason at this place, "Domain Users" is not the primary group for a bunch of folks, and because of the way PrimaryGroup and MemberOf work, this is an incorrect approach to this.

    The Compare-Object approach worked for me after getting around the limit inherent to Get-ADGroupMember.

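Pulling the thread's two observations together (Jeremy's point that memberOf omits the primary group, and the Compare-Object approach the original poster settled on), here is an added example; it is not code from any of the posters. It is written against the ActiveDirectory module, the group name and OU path in the final call are placeholders, and the membership lookup is done from the user side with an LDAP filter on memberOf or primaryGroupID so it is not subject to the result limit of Get-ADGroupMember. Like the rest of the thread it only considers direct membership, not nested groups.

```powershell
# Added example, not part of the original thread.
# Assumes: ActiveDirectory module available, and a domain-joined session.
function Get-UsersNotInGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $SearchBase
    )

    $group   = Get-ADGroup -Identity $GroupName
    $groupDn = $group.DistinguishedName
    # primaryGroupID holds the RID, the last component of the group SID
    # (513 for Domain Users); derive it so the function works for any group.
    $groupRid = $group.SID.Value.Split('-')[-1]

    # Members seen from the user objects: the group DN in memberOf, OR the
    # group as primary group (which memberOf never lists). Filtering users
    # avoids Get-ADGroupMember's default cap on returned members.
    # Caveat: a group DN containing ( ) * or \ must be LDAP-escaped first.
    $memberDns = @(
        Get-ADUser -LDAPFilter "(|(memberOf=$groupDn)(primaryGroupID=$groupRid))" -SearchBase $SearchBase |
            Select-Object -ExpandProperty DistinguishedName
    )

    $ouUserDns = @(
        Get-ADUser -Filter * -SearchBase $SearchBase |
            Select-Object -ExpandProperty DistinguishedName
    )

    # Edge cases: empty OU, or no member at all inside the OU.
    if ($ouUserDns.Count -eq 0) { return @() }
    if ($memberDns.Count -eq 0) { return $ouUserDns }

    # '<=' marks DNs present only in the OU list, i.e. users missing the group.
    Compare-Object -ReferenceObject $ouUserDns -DifferenceObject $memberDns |
        Where-Object { $_.SideIndicator -eq '<=' } |
        Select-Object -ExpandProperty InputObject
}

# Placeholder OU path; adjust to the OU being audited.
Get-UsersNotInGroup -GroupName 'Domain Users' -SearchBase 'OU=Users,OU=MySite,DC=Domain,DC=com'
```

The returned values are the distinguished names of users in the OU whose effective membership (memberOf plus primary group) does not include the group, which is the list the original poster was after.
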
  • #36445
    Bob McCoy

    You could do something like this ...

    $ou = "OU=Users,OU=MyOu,DC=MyCompany,DC=local"
    $users = Get-ADUser -Filter {Enabled -eq $true} -SearchBase $ou -Properties MemberOf, PrimaryGroup
    $dugDn = (Get-ADGroup "Domain Users").DistinguishedName
    foreach ($user in $users) {
        Write-Verbose "Working on $($user.Name)"
        # MemberOf omits the primary group, so append PrimaryGroup; @() + flattens both into one string array
        $groups = @($user.MemberOf) + $user.PrimaryGroup
        if ($dugDn -notin $groups) {
            Write-Error -Message "$($user.SamAccountName) not in the domain users group"
        }
    }
