Newbie needs help - Shadow Groups

This topic contains 5 replies, has 3 voices, and was last updated by Brian Jacobsen 1 year, 4 months ago.

  • Author
  • #63684

    Brian Jacobsen

    Hi, I'm new to using PowerShell and am trying to create a script to automatically add all users with a specific attribute in AD to a group and remove any from that group that do not have this attribute. I have just one section of a line that is not working and keeps giving errors. Any assistance would be great.

    Here is what i have:

    #Import the AD module
    Import-Module ActiveDirectory

    #Set your search OU and Group Variables
    # (placeholder values: replace with the DN of the OU to search and the group's
    #  distinguishedName, which is what the memberOf attribute stores)
    $OU    = "OU=Users,DC=example,DC=com"
    $Group = "CN=Regular Employees,OU=Groups,DC=example,DC=com"

    #Pull current list of Group Members and remove anyone not a Regular Employee – This part works fine
    # Get-ADGroupMember returns only the default properties (no extensionAttribute2), so each
    # user member is re-read with Get-ADUser -Properties before the attribute is tested
    Get-ADGroupMember -Identity $Group | Where-Object {$_.objectClass -eq "user"} | Get-ADUser -Properties extensionAttribute2 | Where-Object {$_.extensionAttribute2 -NotMatch "Regular"} | ForEach-Object {Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group -Confirm:$false}

    #Adds any Regular employee to the Group that currently is not a member of it – This is where my issue is. The LDAPFilter to check if the user is already in a group is not working. I want to find any user with the attribute listed set to "Regular" and add them to this group if they are not already in it.

    Get-ADUser -Filter {extensionAttribute2 -like "Regular"} -SearchBase $OU -SearchScope Subtree -LDAPFilter "(!memberOf=$Group)" | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group}

  • #63685


    What happens when you break it down?

    Get-ADUser -Filter {extensionAttribute2 -like "Regular"} -SearchBase $OU -SearchScope Subtree -LDAPFilter "(!memberOf=$Group)"

    I would expect this to return all results. Worry about the later action after you get this core piece working. If I remember correctly (I am a bit of a newb myself), -like requires wildcards, so "*regular*".

    • #63687

      Brian Jacobsen

      This portion works fine running by itself: Get-ADUser -Filter {extensionAttribute2 -like "Regular"} -SearchBase $OU -SearchScope Subtree

      Once I add -LDAPFilter "(!memberOf=$Group)" it gives the below error:

      Get-ADUser : Parameter set cannot be resolved using the specified named parameters.
      At line:1 char:1
      + Get-ADUser -Filter {extensionAttribute2 -like "Regular"} –SearchBase ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : InvalidArgument: (:) [Get-ADUser], ParameterBindingException
      + FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.ActiveDirectory.Management.Commands.GetADUser

  • #63691

    Daniel Krebs

    Please post the error message. From a quick glance your last statement is not correct. You can't combine -Filter and -LDAPFilter in the same command. Either settle on -Filter or -LDAPFilter.

  • #63694

    Daniel Krebs

    # $Group must be the group's distinguishedName here: memberOf stores DNs, so any other identity form will never match
    Get-ADUser -LDAPFilter "(&(extensionAttribute2=Regular*)(!memberOf=$Group))" -SearchBase $OU -SearchScope Subtree | ForEach-Object { Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group }

    • #63709

      Brian Jacobsen

      Thanks. That solved my issue. Really appreciate the help.
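The single-filter approach from Daniel's answer, carried through into a complete shadow-group sync as an added example (this is not code posted in the thread). It goes a little beyond the thread: the OU and group DNs are placeholders, the ConvertTo-LdapFilterValue helper, the -WhatIf/ShouldProcess wrapping and the summary object are my additions, and both directions use an exact attribute match rather than the original's mix of -NotMatch (regex substring) and Regular* (prefix). Group membership changes are a privilege change, so a dry run with -WhatIf before scheduling it is the check worth doing.

```powershell
# Added example: idempotent shadow-group sync. Not the thread's own code.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Placeholder DNs (assumption): replace with your search OU and the shadow
    # group's distinguishedName. memberOf stores DNs, so $Group must be a DN.
    [string]$OU        = 'OU=Staff,DC=example,DC=com',
    [string]$Group     = 'CN=Regular Employees,OU=Groups,DC=example,DC=com',
    [string]$Attribute = 'extensionAttribute2',
    [string]$Value     = 'Regular'
)

Import-Module ActiveDirectory

# Hypothetical helper: escape RFC 4515 special characters so a DN or value
# containing ( ) * or \ cannot change the meaning of the LDAP filter.
function ConvertTo-LdapFilterValue {
    param([string]$Text)
    $Text -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

$escGroup = ConvertTo-LdapFilterValue $Group
$escValue = ConvertTo-LdapFilterValue $Value

# 1. Users in scope that qualify but are not members yet. One -LDAPFilter
#    carries both conditions; RFC 4515 NOT syntax is (!(...)).
$toAdd = Get-ADUser -LDAPFilter "(&($Attribute=$escValue)(!(memberOf=$escGroup)))" `
                    -SearchBase $OU -SearchScope Subtree

# 2. Current user members that no longer qualify. Get-ADGroupMember returns
#    only default properties, so re-read each user with the attribute requested.
#    A missing attribute compares as $null -ne $Value and is treated as "remove".
$toRemove = Get-ADGroupMember -Identity $Group |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties $Attribute |
    Where-Object { $_.$Attribute -ne $Value }

foreach ($u in $toAdd) {
    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Add to $Group")) {
        Add-ADPrincipalGroupMembership -Identity $u -MemberOf $Group
    }
}
foreach ($u in $toRemove) {
    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Remove from $Group")) {
        Remove-ADPrincipalGroupMembership -Identity $u -MemberOf $Group -Confirm:$false
    }
}

# Summary of what was (or, under -WhatIf, would have been) changed
[pscustomobject]@{ Added = @($toAdd).Count; Removed = @($toRemove).Count }
```

Run it as `.\Sync-ShadowGroup.ps1 -WhatIf` first to see the planned adds and removes without touching the group, then without -WhatIf under an account that has only write-member rights on that one group.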
