
Good afternoon, all.

I am trying to perform a search in P/S for SamAccountName that contains / starts with "svc_", and does not belong to a group called "disconnected", and write that to an Excel file.

What I am trying, at least for the syntax, doesn't result in anything. I know there are 300+ accounts that should show.

What am I declaring wrong?

get-aduser -filter * -properties *|? {$_.samaccountname -like "svc_" -and $_.MemberOf -eq "disconnected"}

I am also looking to do the same for those SamAccountName results that are not part of a group. I thought "-neq" would work (not equal), but I guess that value is wrong?

get-aduser -filter * -properties *|? {$_.samaccountname -like "svc_" -and $_.MemberOf -neq "disconnected"}

Once my mistakes are figured out, I will add | Export-Csv -Path $CSVfile -NoTypeInformation to have it write to a csv file.

Thank you in advance for all the assistance.

Santiago Squarzon
  • The MemberOf property is an array. You cannot use `-eq` or `-neq`. You could use `-contains` and use the distinguished name of the group you're looking for. – Olaf Jun 29 '23 at 20:08
  • Regardless of that, you should not use `-filter * -properties *` for the `Get-AdUser` query. That puts a lot of unnecessary stress on your AD. Instead, provide only the properties you need and use a `-SearchBase`. This might speed up your query as well. – Olaf Jun 29 '23 at 20:10
  • @Olaf - I usually use that when I am trying to get a query to work. Once I confirm it is working, then I only include the stuff I need. – Charles Waters Jun 29 '23 at 20:19

1 Answer

Don't filter with `Where-Object` when `Get-ADUser -LDAPFilter` can do it for you; it's many times more efficient that way:

$groupdn = (Get-ADGroup disconnected).DistinguishedName

# members of the group and start with `svc_`
Get-ADUser -LDAPFilter "(&(samAccountName=svc_*)(memberOf=$groupdn))" |
   Export-Csv path\to\membersofgroup.csv -NoTypeInformation

# not a member of the group and start with `svc_`
Get-ADUser -LDAPFilter "(&(samAccountName=svc_*)(!memberOf=$groupdn))" |
   Export-Csv path\to\notmembersofgroup.csv -NoTypeInformation

As for the problem with your current code:

$_.samaccountname -like "svc_"

Should use a wildcard after svc_:

$_.samaccountname -like "svc_*"

And:

$_.MemberOf -eq "disconnected"

Will never match, since MemberOf is a collection of DistinguishedNames.


Notes:

  • The above code only looks for user objects; if you need to find members of the mentioned group of any objectClass, then you can change Get-ADUser to Get-ADObject.

  • This code only looks for direct members of the mentioned group; if you need to find the recursive members you can use an LDAP_MATCHING_RULE_IN_CHAIN. For this the filter would look like:

# recursive member of group
"(&(samAccountName=svc_*)(memberOf:1.2.840.113556.1.4.1941:=$groupdn))"

# not a member of the group or any nested group
"(&(samAccountName=svc_*)(!memberOf:1.2.840.113556.1.4.1941:=$groupdn))"
Santiago Squarzon
  • That did *exactly* what I was looking for. It never dawned on me to utilize LDAP. – Charles Waters Jun 29 '23 at 20:14
  • @CharlesWaters glad it did ;) glad you could learn something new too – Santiago Squarzon Jun 29 '23 at 20:19
  • Actually, I am seeing something wrong maybe? When I run the LDAP filter, I only get 8 results. When I check the actual AD Group, there are over 100 members in that group. – Charles Waters Jun 29 '23 at 20:36
  • does this group have nested groups perhaps ? or are those direct members? do all 100 members `samAccountName` start with `svc_` ? Perhaps you're looking to filter by the object `Name` instead of `samAccountName` so maybe changing `(samAccountName=svc_*)` to `(Name=svc_*)` might help – Santiago Squarzon Jun 29 '23 at 20:43
  • It's a combination of both. All the direct users, yes - all start with svc_ for their SamAccountName (login name used to hit the server). Their display name, depending on who built the account though, is all over the board. If I just do a `Get-ADGroupMember "disconnected" | ft SamAccountName`, I see all the correct members, whether they are nested groups or actual SAN's. – Charles Waters Jun 29 '23 at 20:57
  • @CharlesWaters ok but note that `Get-ADUser` will only bring you user objects that are a member of, if you want all object classes the change `Get-ADUser` to `Get-ADObject` that way you will get any member of the group starting with `svc_` no matter their `objectClass` hope that makes sense – Santiago Squarzon Jun 29 '23 at 21:02
  • So come to find out, when I run your script on my 2012 R2 D/C, I get the results I mentioned. I switched over to a 2016 D/C, and I see all 197 reported by the LDAPFilter. An actual "Get-ADGroupMember" shows 212, so that's not too bad to rectify. I appreciate the assistance, and I will play around with it on the correct server to get the exact results I need! I just don't get the nested group results with either Get-ADUser or Get-ADObject. – Charles Waters Jun 29 '23 at 21:21