Foreach user in Group


    • #216621
      Participant
      Topics: 3
      Replies: 11
      Points: 62
      Rank: Member
      $GroupList = Get-ADObject -Filter {(ObjectClass -eq "group") -and (name -like "O365*")} -SearchBase "OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se" -Properties * | Select-Object distinguishedname | Out-String
      
      $result = ForEach($group in $GroupList){
      Get-ADUser -LDAPFilter "(&(memberof=$group)(!userAccountControl:1.2.840.113556.1.4.803:=2))" | select-object sAMAccountName
      }

      Variable $GroupList gets populated with the following:

      distinguishedname
      -----------------
      CN=O365_E1_Basic,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se
      CN=O365_E1_Exchange,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se
      CN=O365_E1_OneDrive,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se
      CN=O365_E1_Teams,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se
      CN=O365_E3_All,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se
      CN=O365_E3_Exchange,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se
      CN=O365_E3_OneDrive,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se
      CN=O365_E3_Pro,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se
      CN=O365_E3_Teams,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se
      CN=O365_EMS,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se
      CN=O365_Powerbi_access_url,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se


      What I expect the foreach loop to do is to extract each user from each group. Any ideas/hints where the problem might be?

      Thanks.

    • #216645
      Participant
      Topics: 4
      Replies: 2231
      Points: 5,414
      Helping Hand
      Rank: Community MVP

      Is there a special reason why you’re not using Get-ADGroupMember to get the members of the AD groups?

    • #216729
      Participant
      Topics: 3
      Replies: 324
      Points: 1,056
      Helping Hand
      Rank: Community Hero

      You say “what I expect to happen is xyz” but I don’t see where you said what is actually happening. It definitely seems like you’re making it harder on yourself; any particular reason you are using LDAPFilter as opposed to Filter? Either should work but one takes more brain power and time. Also, you run the risk of getting locked-out accounts as well as inactive ones with the definition (!userAccountControl:1.2.840.113556.1.4.803:=2). See the link below for more info on that.

      https://hi.service-now.com/kb_view.do?sysparm_article=KB0679975


      Also if you are trying to find users that are indirectly members of the group, add the -RecursiveMatch LDAP filter attribute.

      Do you get any output if you just run

      
      $result = ForEach($group in $GroupList){
      # -Filter uses PowerShell comparison syntax, so the operator is required
      Get-ADUser -Filter "memberOf -eq '$group'" | select-object sAMAccountName
      }
      

      I would run something like this just as a quick sanity check.

    • #216765
      Participant
      Topics: 12
      Replies: 519
      Points: 1,194
      Helping Hand
      Rank: Community Hero

      Change your line 3 above from

      $result = ForEach($group in $GroupList){
      

      to

      $result = ForEach($group in $GroupList.distinguishedname){
      
    • #216798
      Participant
      Topics: 3
      Replies: 324
      Points: 1,056
      Helping Hand
      Rank: Community Hero

      Well that looked promising Sam, but he won’t be able to reference that property as he turned it into only a string with Out-String.

      
      $GroupList = Get-ADObject -Filter {(ObjectClass -eq "group") -and (name -like "domain admins")} -Properties * |
      Select-Object distinguishedname | Out-String

      $grouplist
      distinguishedname
      -----------------
      CN=Domain Admins,CN=Users,DC=Domain,DC=LOCAL

      $GroupList.distinguishedname
      # (no output: $GroupList is now a single [string], which has no distinguishedname property)

      What I recommend is changing this

      
      Select-Object distinguishedname | Out-String
      
      

      to

      
      Select-Object -expandproperty distinguishedname
      
      


      That should give you the actual distinguished name value(s) in the list. Then your query worked.

      
      $GroupList = Get-ADObject -Filter {(ObjectClass -eq "group") -and (name -like "domain admins")} | Select-Object -ExpandProperty distinguishedname

      $result = ForEach($group in $GroupList){
      Get-ADUser -LDAPFilter "(&(memberof=$group)(!userAccountControl:1.2.840.113556.1.4.803:=2))" | select-object sAMAccountName
      }

      $result.Count
      10

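      As an added worked example (not code from the thread), constructed group objects stand in for the Get-ADObject output so the Out-String and -ExpandProperty variants can be compared without a domain, and a small helper named here ConvertTo-LdapFilterValue escapes a DN before it is interpolated into the LDAP filter; only the final loop assumes the ActiveDirectory module's Get-ADUser.

```powershell
# Constructed stand-in for the Get-ADObject output in the thread (no live AD needed).
$groups = @(
    [pscustomobject]@{ distinguishedname = 'CN=O365_E1_Basic,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se' }
    [pscustomobject]@{ distinguishedname = 'CN=O365 (Legacy),OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se' }
)

# Broken form from the original post: Out-String renders the whole table (header,
# dashes and every DN) as ONE [string], so ForEach runs exactly once with that blob.
$broken = $groups | Select-Object distinguishedname | Out-String
'{0,-8} -> {1} loop iteration(s)' -f $broken.GetType().Name, @($broken).Count   # String   -> 1

# Fixed form from the accepted answer: -ExpandProperty yields the bare DN strings.
# @() keeps a single match as a one-element array instead of a lone string.
$fixed = @($groups | Select-Object -ExpandProperty distinguishedname)
'{0,-8} -> {1} loop iteration(s)' -f $fixed.GetType().Name, $fixed.Count         # Object[] -> 2

# Escape a value before interpolating it into an LDAP filter (RFC 4515).
# A DN containing '(' or ')' (second group above) would otherwise produce a malformed
# filter, and a stray '*' would turn the intended exact match into a wildcard match.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Backslash is escaped first so the escape sequences added afterwards are not re-escaped.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

ConvertTo-LdapFilterValue $fixed[1]   # CN=O365 \28Legacy\29,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se

# The thread's loop with both fixes applied. 1.2.840.113556.1.4.803 is
# LDAP_MATCHING_RULE_BIT_AND and 2 is the ACCOUNTDISABLE bit of userAccountControl,
# so only enabled direct members come back (requires the ActiveDirectory module).
$result = foreach ($group in $fixed) {
    $dn = ConvertTo-LdapFilterValue $group
    Get-ADUser -LDAPFilter "(&(memberof=$dn)(!userAccountControl:1.2.840.113556.1.4.803:=2))" |
        Select-Object sAMAccountName
}
$result.Count
```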
    • #216801
      Participant
      Topics: 3
      Replies: 324
      Points: 1,056
      Helping Hand
      Rank: Community Hero

      That is too many domain admins, that’s for sure!

    • #216873
      Participant
      Topics: 3
      Replies: 11
      Points: 62
      Rank: Member

      Ahh so simple but still so far 🙂 thanks for the input.

      Select-Object -ExpandProperty distinguishedname

      -ExpandProperty was actually the only thing missing. Guess I should drink more coffee to clear my head....
