Newbie need help - multiple -or conditions in Where statement

This topic contains 3 replies, has 3 voices, and was last updated by  Curtis Smith 3 months, 3 weeks ago.

  • #73666

    Brian Jacobsen
    Participant

    Still new to PowerShell and trying to use it more often to automate many tasks. I'm currently stuck trying to create a script that adds all users that match a certain department attribute to a group and removes those not in the specific departments. The adding part works fine but I haven't been able to get the removal section to work. I need to use multiple -or statements and it just ends up removing all the users. Ultimately I would like to pull the list of departments that need access from a CSV file and remove users not in the departments on the CSV file but have been having too much trouble with that script. Any assistance would be great.

    Here is what I have so far. I don't get any errors but it ends up just removing all users so I think line 12 has issues. Just not sure what. And I realize my code is sloppy and there is probably a much better way to do this but I'm still a beginner and using what I can to make it work.

    #Import the AD module
    import-module ActiveDirectory
    
    #Set your search OU and Group Variables
    $OU="OU=TestOU,DC=contoso,DC=com"
    $Group="CN=TestGroup,OU=TestGroups,DC=contoso,DC=com"
    
    
    #Adds any Authorized employee to the Group that currently is not a member of it
    Get-ADUser -LDAPFilter "(&(|(department=167*)(department=204*)(department=205*)(department=212*)(department=216*)(department=226*)(department=227*)(department=*30*)(department=231*)(department=232*)(department=236*)(department=*40*)(department=241*)(department=242*)(department=244*)(department=*46*)(department=*54*)(department=*57*)(department=274*)(department=276*)(department=280*)(department=404*)(department=405*)(department=431*)(department=232*)(department=436*)(department=441*)(department=444*)(department=427*)(department=427*)(department=442*))(useraccountcontrol=512)(!memberOf=$Group))" -SearchBase $OU -SearchScope Subtree | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group}
    
    $membersToRemove = Get-ADGroupMember $Group | Get-ADUser -Properties * | ? { $_.department -notlike "167*" -or $_.department -notlike "204*"}
    Remove-ADGroupMember $Group $membersToRemove -Confirm:$false
  • #73684

    RShambo
    Participant
    $membersToRemove = Get-ADGroupMember $Group | Get-ADUser -Properties * | ? { $_.department -notlike "167*" -AND $_.department -notlike "204*"}

    Try changing the -OR to a -AND

    • #73687

      Brian Jacobsen
      Participant

      That worked. Thanks a lot. For some reason I was thinking if I used -and it would only work if both conditions matched. I'm all set now.

  • #73702

    Curtis Smith
    Participant

    Hey Brian,
    Actually, "For some reason I was thinking if I used -and it would only work if both conditions matched. I'm all set now." is a true statement, but it is also what you want.

    Think about it.

    If Department is 167 and you use -OR, you are telling PowerShell to remove it if:
    167 is not like 167 (which it is, so this evaluates false and does not cause it to be removed)
    -or
    167 is not like 204 (which it is not, so this evaluates true and it is removed)

    similarly:
    If Department is 204 and you use -OR, you are telling PowerShell to remove it if:
    204 is not like 167 (which it is not, so this evaluates true and it is removed)

    As you see, with -OR, when either one of them is true, the action is taken.

    Now think about -AND. With -AND, like you said, both have to be true before the action will be taken
    If Department is 167 and you use -AND, you are telling PowerShell to remove it if:
    167 is not like 167 (which it is, so this evaluates false)
    -AND
    167 is not like 204 (which it is not, so this evaluates true)
    However, since both conditions have to match true with -AND, and the first one does not, this one does not get removed.

    Similarly:
    If Department is 204 and you use -AND, you are telling PowerShell to remove it if:
    204 is not like 167 (which it is not, so this evaluates true)
    -AND
    204 is not like 204 (which it is, so this evaluates false)
    However, since both conditions have to match true with -AND, and the first one does not, this one does not get removed.

    Lastly
    If Department is 300 and you use -AND, you are telling PowerShell to remove it if:
    300 is not like 167 (which it is not, so this evaluates true)
    -AND
    300 is not like 204 (which it is not, so this evaluates true)
    Since both match true, the condition is matched and this one does get removed.

    Hope that helps
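
Added example, not part of the original thread: the `-or` and `-and` predicates discussed above run side by side over constructed member objects, plus the CSV-driven allow-list the original poster wanted, with a guard for the case where the list comes back empty. The CSV column name `Prefix`, the sample accounts, and the function names `Test-DepartmentAllowed` and `Get-MembersToRemove` are assumptions made for illustration.

```powershell
# Constructed stand-in for the departments CSV (column name "Prefix" is an assumption).
$csvText = @'
Prefix
167
204
'@
$allowed = @($csvText | ConvertFrom-Csv | ForEach-Object { $_.Prefix.Trim() } | Where-Object { $_ })

# Constructed stand-ins for what Get-ADGroupMember | Get-ADUser -Properties Department returns.
$members = @(
    [pscustomobject]@{ SamAccountName = 'alice'; Department = '167 Finance' }
    [pscustomobject]@{ SamAccountName = 'bob';   Department = '204 Sales' }
    [pscustomobject]@{ SamAccountName = 'carol'; Department = '300 Legal' }
    [pscustomobject]@{ SamAccountName = 'dave';  Department = $null }   # attribute not set
)

# Hypothetical helper: true when the department starts with any allowed prefix.
function Test-DepartmentAllowed {
    param([string]$Department, [string[]]$Prefixes)
    foreach ($p in $Prefixes) {
        if ($Department -like "$p*") { return $true }   # one match is enough
    }
    return $false                                        # no match, including an empty value
}

# Hypothetical helper: members whose department matches none of the prefixes.
function Get-MembersToRemove {
    param([object[]]$Members, [string[]]$Prefixes)
    # An empty allow-list would mark every member for removal; stop instead.
    if (-not $Prefixes -or $Prefixes.Count -eq 0) {
        throw 'Department list is empty; refusing to compute removals.'
    }
    $Members | Where-Object { -not (Test-DepartmentAllowed $_.Department $Prefixes) }
}

# Predicate from the question: a value can never match both patterns, so this is always true.
$withOr  = $members | Where-Object { $_.Department -notlike '167*' -or  $_.Department -notlike '204*' }
# Predicate from the reply: true only when the value matches neither pattern.
$withAnd = $members | Where-Object { $_.Department -notlike '167*' -and $_.Department -notlike '204*' }
$fromCsv = Get-MembersToRemove -Members $members -Prefixes $allowed

"-or  selects: $($withOr.SamAccountName -join ', ')"
"-and selects: $($withAnd.SamAccountName -join ', ')"
"csv  selects: $($fromCsv.SamAccountName -join ', ')"
```

Against a real directory, feed `Get-MembersToRemove` the output of `Get-ADGroupMember $Group | Get-ADUser -Properties Department` and run `Remove-ADGroupMember` with `-WhatIf` first to review the removals before committing them.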
