trying to find if any disabled users have membership in a group

This topic contains 5 replies, has 4 voices, and was last updated by Peter Johnson 2 years, 3 months ago.

  • Author
  • #38083

    brian catlin

    figured out this to find who was in the group:

    Get-ADGroupMember "companyGroup" | Select-Object SamAccountName

    This gave me a list, but I found some users in it that were no longer with the company, so I wanted to change it to find users who were not with the company anymore. So I thought, why not use disabled users to find out who we should remove.

    the problem is that adgroupmember only has properties for


    so I went and first checked out the help

    get-help get-adgroupmember -full however that did not get me enough information to help me.

    I then thought maybe I am approaching this from the wrong way. I started thinking I needed to first get my users (even though it would use more processor) and from that distil it down to the group members so I tried this:

    Get-ADUser -Filter 'Enabled -eq $false'  -Properties SamAccountName |Select-Object SamAccountName

    and this did give me the disabled users that I needed.

    So then I tried to put it together, but I am struggling now and it's not working, as witnessed below, where I thought to use parentheses first to make it perform that operation and then go to the next.

    Get-ADGroupMember "G_CompanyGroup" | Select-Object SamAccountName (Get-ADUser -Filter 'Enabled -eq $false'  -Properties SamAccountName |Select-Object SamAccountName)

  • #38084


    Try this approach: Get-ADUser -Filter 'Enabled -eq $false' | get-ADPrincipalGroupMembership

  • #38085

    Don Jones

    A GroupMember isn't a User, and doesn't have all the attributes of a User. That's what you're running into. A GroupMember essentially "points" to a User.

    I'm not sure doing this as a "one liner" is going to be useful, and it's making it a lot harder than it needs to be. But, in any event, what you're doing with Select-Object is incorrect and won't work.

    Get-ADGroupMember "G_CompanyGroup" |
    Where { (Get-ADUser $_.samAccountName).Enabled }

    Is basically the logic you're after. Get the group members. Then, query each user. If the user is enabled, output them. If the user is not enabled, do not output them. To reverse the logic:

    Get-ADGroupMember "G_CompanyGroup" |
    Where { -not ((Get-ADUser $_.samAccountName).Enabled) }

    The problem is that you were trying to get AD to do two things at once, and it isn't designed for that. So get the group members, and then check each one.
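    The member-then-check approach above, written out as a reusable function. This is an added example, not code from the thread or from any of its posters; it assumes the ActiveDirectory (RSAT) module in a domain-joined session, and the function name Get-DisabledGroupMember is made up here. It goes slightly beyond the one-liner: -Recursive expands nested groups, and non-user members (computers and groups, which Get-ADGroupMember also returns) are filtered out before calling Get-ADUser, which would otherwise error on a group's SamAccountName.

```powershell
# Added example (not from the thread): list disabled user accounts that are
# members of an AD group, including members inherited through nested groups.
# Assumes the ActiveDirectory module and a domain-joined session.
# 'G_CompanyGroup' is the group name used in the thread.

function Get-DisabledGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$GroupName
    )

    # Get-ADGroupMember returns ADPrincipal objects, which can be users,
    # computers or groups. -Recursive flattens nested groups so that a
    # disabled user two levels down is still reported. Only objects whose
    # objectClass is 'user' are passed on to Get-ADUser.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            # Enabled is in the default property set; LastLogonDate is not
            # and has to be requested explicitly.
            Get-ADUser -Identity $_.distinguishedName -Properties Enabled, LastLogonDate
        } |
        Where-Object { -not $_.Enabled } |
        Select-Object SamAccountName, Name, LastLogonDate,
            @{ Name = 'Group'; Expression = { $GroupName } }
}

# Usage: produce the review list for the group owner.
Get-DisabledGroupMember -GroupName 'G_CompanyGroup' | Format-Table -AutoSize
```

    Once the group owner has confirmed the list, the same objects can be piped to Remove-ADGroupMember (run it with -WhatIf first to see what would change). Querying each member individually costs one LDAP round trip per user, which is fine for a departmental group; for a very large group the users-first direction (Get-ADUser -Filter 'Enabled -eq $false' and then checking each user's MemberOf against the group's DistinguishedName) can be cheaper.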

  • #38086

    brian catlin

    Thank you very much, that worked. I will add all of this to my OneNote so I can have it to study and look at further.

    As always I appreciate the help, and Don, I always go into shock when I see you post. I think I have you elevated to deity status in regards to PowerShell, so it feels funny when you actually take the time to post something.

    I do appreciate it, and I'm glad you mingle with the rest of us. It certainly makes me think that you're not only a Master of PowerShell but also a good guy that likes to share knowledge.

    AK, I appreciate you taking the time to post as well. Much respect!

  • #38087

    Don Jones

    LOL, you're more than welcome ;).

  • #38172

    Peter Johnson

    If you have access to the Quest ActiveRoles AD CMDlets this works as well:

    get-qadgroupmember -disabled
