Author Posts

April 20, 2016 at 1:19 pm

figured out this to find who was in the group:

Get-ADGroupMember "companyGroup" | Select-Object SamAccountName

this gave me a list but I found some users in it that was no longer with the company so I wanted to change it to find users who was not with the company anymore. So I thought why not use disabled users to find out who we should remove.

the problem is that adgroupmember only has properties for

distinguishedname
name
objectclass
objectguid
samaccountname
sid

so I went and first checked out the help

get-help get-adgroupmember -full however that did not get me enough information to help me.

I then thought maybe I am approaching this from the wrong way. I started thinking I needed to first get my users (even though it would use more processor) and from that distil it down to the group members so I tried this:

Get-ADUser -Filter 'Enabled -eq $false'  -Properties SamAccountName |Select-Object SamAccountName

and this did give me the disabled users that I needed.

So then I tried to put it together but I am struggling now and its not working as witnessed below where I thought to use parenthesis first to make perform that operation then go to the next.

Get-ADGroupMember "G_CompanyGroup" | Select-Object SamAccountName (Get-ADUser -Filter 'Enabled -eq $false'  -Properties SamAccountName |Select-Object SamAccountName)

April 20, 2016 at 1:25 pm

Try this approach: Get-ADUser -Filter 'Enabled -eq $false' | get-ADPrincipalGroupMembership

April 20, 2016 at 1:27 pm

A GroupMember isn't a User, and doesn't have all the attributes of a User. That's what you're running into. A GroupMember essentially "points" to a User.

I'm not sure doing this as a "one liner" is going to be useful, and it's making it a lot harder than it needs to be. But, in any event, what you're doing with Select-Object is incorrect and won't work.

Get-ADGroupMember "G_CompanyGroup" |
Where { (Get-ADUser $_.samAccountName).Enabled }

Is basically the logic you're after. Get the group members. They, query each user. If the user is enabled, output them. If the user is not enabled, do not output them. To reverse the logic:

Get-ADGroupMember "G_CompanyGroup" |
Where { -not ((Get-ADUser $_.samAccountName).Enabled) }

The problem is that you were trying to get AD to do two things at once, and it isn't designed for that. So get the group members, and then check each one.

April 20, 2016 at 1:50 pm

Thanks you very much that worked. I will add all of this to my one notes so I can have it to study and look at further.

As always I appreciate the help and Don I always go into shock when I see you post I think I have you elevated to deity status in regards to power shell so it feels funny when you actually take the time to post something.

I do appreciate it and glad you mingle with the rest of us certainly makes me think that your not only a Master of PowerShell but also a good guy that likes to share knowledge.

AK I appreciate you taking the time to post as well much respect!

April 20, 2016 at 1:55 pm

LOL, you're more than welcome ;).

April 22, 2016 at 9:02 am

If you have access to the Quest ActiveRoles AD CMDlets this works as well:

get-qadgroupmember -disabled