Reputation: 1495
I am new to AD and LDAP, and I am trying to find a list of users who only belong to the default "Domain Users" group, and no others.
Thanks!
Upvotes: 2
Views: 9700
Reputation: 10976
Most methods do not reveal membership in the "primary" group. For most users, the "primary" group should be "Domain Users". Specifically, the memberOf attribute of user objects, and the member attribute of group objects, never reveals "primary" group membership. In most domains, the member attribute of the "Domain Users" group is empty, and it is safe to assume that all users belong to this group.
If you need to query for all users that have "Domain Users" designated as their "primary", search for all users whose primaryGroupID attribute is 513. The primaryGroupToken attribute of the group "Domain Users" is the same integer, 513. The LDAP syntax filter could be:
(primaryGroupID=513)
Or, to find all direct members of "Domain Users", plus all users that have this group designated as their "primary":
(|(memberOf=cn=Domain Users,cn=Users,dc=MyDomain,dc=com)(primaryGroupID=513))
To find all users that have some other group designated as their "primary", the filter could be:
(&(objectCategory=person)(objectClass=user)(!primaryGroupID=513))
Richard Mueller - MVP Directory Services
Upvotes: 4
Reputation: 382
Looks like the answer is here.
(&(&(primaryGroupID=513)))
Apparently, the primary group is not revealed like all other groups. To check it, you have to search for their primary group. I tried it and a very large number of users returned.
Get-ADUser -Filter * -Properties name,MemberOf | Select-Object name, @{n='GroupCount';e={ ($_.MemberOf).Count }} | Where-Object {$_.GroupCount -lt 1}
Upvotes: -1
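Putting the two answers together (the primaryGroupID=513 filter from the first answer and the memberOf count from the second), here is an added example, not code from either poster, that lists the users whose only group is "Domain Users". It assumes the ActiveDirectory module (RSAT) is installed and the session runs as a domain user; the function name Get-DomainUsersOnlyUser is my own. It resolves the Domain Users DN from the domain SID instead of hard-coding it, and it tolerates the case where Domain Users has explicit members, which the one-liner above would otherwise miss.

```powershell
# Added example, not from the original thread.
# Lists users whose primary group is "Domain Users" (RID 513) and who are
# not a direct member of any other group. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DomainUsersOnlyUser {
    # The well-known RID 513 appended to the domain SID identifies Domain Users
    # in every domain; this avoids hard-coding a DN like cn=Users,dc=MyDomain,dc=com.
    $domainSid     = (Get-ADDomain).DomainSID.Value
    $domainUsersDn = (Get-ADGroup -Identity "$domainSid-513").DistinguishedName

    # Server-side filter: user objects whose primary group is Domain Users.
    # memberOf never lists the primary group, so primaryGroupID is the only
    # reliable way to test for it.
    $filter = '(&(objectCategory=person)(objectClass=user)(primaryGroupID=513))'
    $users  = Get-ADUser -LDAPFilter $filter -Properties memberOf

    foreach ($u in $users) {
        # Ignore an explicit Domain Users entry (some tools add one) and keep
        # users with no other direct membership.
        $others = @($u.memberOf | Where-Object { $_ -ne $domainUsersDn })
        if ($others.Count -eq 0) {
            [PSCustomObject]@{
                SamAccountName    = $u.SamAccountName
                DistinguishedName = $u.DistinguishedName
                PrimaryGroup      = $domainUsersDn
            }
        }
    }
}

# Usage: print the result, or export it for review.
Get-DomainUsersOnlyUser | Format-Table -AutoSize
```

Two caveats when reading the output: memberOf is a back-link that only reflects direct membership in groups of the same forest, so a user in this list can still be a member of a group in a trusted external forest or inherit rights through nesting of Domain Users itself; and the script answers "which group objects reference this user", not "what can this user do", so it is a membership inventory rather than an effective-permissions check.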