Arbelac

Reputation: 1904

Get-AdUsers from specific AD Groups and filtering results

I am able to export users that are not members of particular groups, such as IT_Group, like below. But this script gives me all group memberships of the users in the memberof column of the CSV output. If they are members of any groups that match "IT", those should be displayed in the memberof column of the CSV output, like below.

Also, if a user is not a member of any group beginning with IT_, then it should write the keyword "any IT group is not member" in the memberof column of the CSV output.

There are 3 security groups: IT_Group, IT_Group1 and IT_Group2.

What I have tried so far:

Get-ADUser -Filter {(emailaddress -like "*@contoso.com" -and Enabled -eq $false -and sAMAccountName -like "TEST*") -or (emailaddress -like "*@contoso.com" -and Enabled -eq $false -and sAMAccountName -like "PROD*")} -SearchBase "OU=USERS,DC=contoso,DC=com" -SearchScope Subtree -Properties * |
    Where-Object { [string]$_.MemberOf -notmatch 'IT_Group' } |
    Select-Object Name, SamAccountName, @{Name = "MemberOf"; Expression = { ($_.MemberOf | ForEach-Object { (Get-ADGroup $_).sAMAccountName }) -join ";" }} |
    Export-Csv -Path "C:\tmp\output.csv" -NoTypeInformation -Encoding UTF8

My Desired output :

name,samaccountname,memberof
User01,TEST1,IT_Test
User02,PROD1,IT_Prod
User03,TEST4,any IT group is not member

Upvotes: 0

Views: 4800

Answers (2)

Theo

Reputation: 61068

The -Filter should not be written as script block ({..}), but as a normal string.

This should do what you are after:

$filter = "(Enabled -eq 'False' -and EmailAddress -like '*@contoso.com') -and (SamAccountName -like 'TEST*' -or SamAccountName -like 'PROD*')"
Get-ADUser -Filter $filter -SearchBase "OU=USERS,DC=contoso,DC=com" -SearchScope Subtree -Properties EmailAddress, MemberOf | ForEach-Object {
    if ($_.MemberOf -match 'CN=IT_(Test|Prod)') {
        # the user is a member of any IT_Group, get the names of all groups for this user
        $groups = foreach ($grp in $_.MemberOf) { (Get-ADGroup -Identity $grp).Name }
        $_ | Select-Object Name, SamAccountName, @{Name = 'MemberOf'; Expression = {$groups -join ', '}}
    }
    else {
        # the user is not a member of any IT_Group
        $_ | Select-Object Name, SamAccountName, @{Name = 'MemberOf'; Expression = {'Not a member of any IT_Group'}}
    }
} | Export-CSV -Path "C:\tmp\output.csv" -NoTypeInformation -Encoding UTF8

Parsing the name of an object from the DistinguishedName is tricky, because there can be special characters in there. That is why this code uses the Get-ADGroup cmdlet to get the group names.


If the SamAccountNames do not matter and you want to get ALL users in the OU OU=USERS,DC=contoso,DC=com that are not Enabled AND have an EmailAddress ending in @contoso.com, then simply change the $filter variable to

$filter = "Enabled -eq 'False' -and EmailAddress -like '*@contoso.com'"

As per your latest comment, you would only want to list the groups IT_Test and/or IT_Prod for users that are members of either of these two groups; the code below should do that:

$filter = "(Enabled -eq 'False' -and EmailAddress -like '*@contoso.com') -and (SamAccountName -like 'TEST*' -or SamAccountName -like 'PROD*')"
Get-ADUser -Filter $filter -SearchBase "OU=USERS,DC=contoso,DC=com" -SearchScope Subtree -Properties EmailAddress, MemberOf | ForEach-Object {
    $testgroups = $_.MemberOf | Where-Object { $_ -match 'CN=IT_(Test|Prod)'}
    if ($testgroups) {
        # the user is a member of group IT_Test and/or IT_Prod, get the names of these groups for this user
        $groups = foreach ($grp in $testgroups) { (Get-ADGroup -Identity $grp).Name }
        $_ | Select-Object Name, SamAccountName, @{Name = 'MemberOf'; Expression = {$groups -join ', '}}
    }
    else {
        # the user is not a member of any IT_Group
        $_ | Select-Object Name, SamAccountName, @{Name = 'MemberOf'; Expression = {'Not a member of any IT_Group'}}
    }
} | Export-CSV -Path "C:\tmp\output.csv" -NoTypeInformation -Encoding UTF8

Hope that helps

Upvotes: 1
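Theo's caveat about parsing names out of a DistinguishedName is worth seeing concretely. The following is an added example (not code from either answer) that works on constructed memberOf strings instead of a live AD query, so it runs without the ActiveDirectory module; it assumes hex escapes such as \2C encode a single byte each.

```powershell
# Added example, not from either answer: extracts the group name (first RDN value) from a
# distinguishedName while honouring LDAP escapes, and contrasts it with the naive -replace approach.
# Assumption: hex escapes (\2C) are decoded as single bytes; multi-byte UTF-8 escapes are not reassembled.
function Get-RdnValue {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $name = [System.Text.StringBuilder]::new()
    $i = $DistinguishedName.IndexOf('=') + 1          # skip the "CN=" attribute type
    while ($i -lt $DistinguishedName.Length) {
        $c = $DistinguishedName[$i]
        if ($c -eq '\' -and $i + 1 -lt $DistinguishedName.Length) {
            $rest = $DistinguishedName.Substring($i + 1)
            if ($rest -match '^[0-9A-Fa-f]{2}') {
                # hex escape such as \2C: decode the byte to its character
                [void]$name.Append([char][Convert]::ToInt32($rest.Substring(0, 2), 16))
                $i += 3
            }
            else {
                # backslash escape such as \, \+ \" or \\: keep the escaped character literally
                [void]$name.Append($rest[0])
                $i += 2
            }
            continue
        }
        if ($c -eq ',') { break }                      # an unescaped comma ends the first RDN
        [void]$name.Append($c)
        $i++
    }
    return $name.ToString()
}

# Constructed sample memberOf values for one user (not taken from a live directory)
$memberOf = @(
    'CN=IT_Test,OU=Groups,DC=contoso,DC=com'
    'CN=IT_Ops\, Tier 2,OU=Groups,DC=contoso,DC=com'    # group name contains an escaped comma
    'CN=IT_Help\2Bdesk,OU=Groups,DC=contoso,DC=com'     # hex-escaped "+" in the group name
    'CN=Finance,OU=Groups,DC=contoso,DC=com'            # not an IT_ group, must be excluded
)

$itGroups = $memberOf | Where-Object { $_ -match '^CN=IT_' }
$naive    = ($itGroups -replace '^CN=' -replace ',.+$') -join ';'
$parsed   = ($itGroups | ForEach-Object { Get-RdnValue $_ }) -join ';'
"naive  : $naive"
"parsed : $parsed"
```

Run against the sample, the naive one-liner cuts the second group name off at the escaped comma and leaves the \2B escape in the third, while Get-RdnValue returns both names intact; when a real directory is available, Get-ADGroup as in Theo's answer avoids the parsing altogether.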

Vad

Reputation: 743

This code gets all users that have groups beginning with "IT_"; this is provided by $_.memberof -like 'CN=IT_*'. Then, for each user, it gets their name, login and the groups that begin with "CN=IT_", formats them with -replace and adds them to the CSV file without rewriting it.

# Replace {filter options} with your own -Filter expression
$users = Get-ADUser -Filter {filter options} -Properties MemberOf | Where-Object { $_.MemberOf -like '*CN=IT_*' }
foreach ($user in $users) {
    $user | Select-Object Name, SamAccountName, @{
        Name       = 'MemberOf'
        # keep only group DNs whose CN starts with IT_ (anchored regex; 'CN=IT_*' as a regex would also match names like ITSupport),
        # then strip the leading "CN=" and everything from the first comma onwards to leave the group name
        Expression = { (($_.MemberOf | Where-Object { $_ -match '^CN=IT_' }) -replace '^CN=' -replace ',.+$') -join ';' }
    } | Export-Csv -Delimiter ';' -Path "D:\testdir\uss.csv" -NoTypeInformation -Encoding UTF8 -Append
}

Upvotes: 0
