PowerShell module and ActiveDirectory - find users who are not members of specific groups

Last week I met PowerShell and ActiveDirectory for the first time. I would like to find a list of users who are not admins or domain administrators.

So far, I know how to get all the properties for all ActiveDirectory users with the following command / operation:

Get-ADUser -Filter * -Properties *

What I would like to do is print only the usernames of current ActiveDirectory users who are not admins or domain admins.

Here is the pseudo-code / PowerShell code of what I'm trying to do:

$users = Get-ADUser -Filter * -Properties *
foreach($u in $users){
    if ($u isn't an administrator OR $u isn't a domain administrator){ 
        Write-Host "User Name:" $u.Name
    }
}

Get-ADUser -Filter * -Properties *, MemberOf , , , . AdminCount , Google ( - DomainAdminCount?).

PowerShell ActiveDirectory, , .

2 , PowerShell . .

+5
4

, :

$DomainsAdminsDn = (Get-ADGroup 'Domain Admins').DistinguishedName
Get-ADUser -Filter { -not (memberof -eq $DomainsAdminsDn) }
# OR
Get-ADUser -LDAPFilter "(!(memberof=$DomainsAdminsDn))"

.

: , (). BTW, :

Get-ADUser -Filter { memberof -ne $DomainsAdminsDn }

, - , .

+3

, , . , , . , .

$Internet_Users = Get-ADGroup -Filter {Name -like "Internet_Users" }
Get-ADUser -Filter { -not (memberof -eq $Internet_Users) -and (enabled -eq "True" -and objectclass -eq "user")} |Select Name | Export-CSV "C:\Users\YOURNAME\Documents\Enabled_Users_Without_Internet_Users_Group.csv"  
+1

BartekB :

## This variable holds the distinguished name of the "Domain Admins" group
$DomainsAdminsDn = (Get-ADGroup 'Domain Admins').DistinguishedName

## This variable holds the distinguished name of the "Administrators" group
$AdministratorsDn = (Get-ADGroup 'Administrators').DistinguishedName

## This line will get all the users that are not "Domain Administrators" or "Administrators"
Get-ADUser -Filter {(memberOf -ne $AdministratorsDn) -and (memberOf -ne $DomainsAdminsDn)}

, (, , ). 10 , PowerShell && , , .

0

It turns out that "domain users" are processed specially, so if you try to find people not in this group, this will not work.

Based on the code: http://powershell.org/wp/forums/topic/find-users-not-in-a-group/

Import-Module ActiveDirectory
$users = Get-ADUser -Filter {Enabled -eq $true} -Properties MemberOf, PrimaryGroup
$dugDn = (Get-ADGroup "Domain Users").DistinguishedName
foreach ($user in $users)
{
    Write-Verbose "Working on $($user.Name)"
    # Flatten MemberOf and append PrimaryGroup so -NotContains compares individual DNs
    $groups = @($user.MemberOf) + $user.PrimaryGroup
    if ($groups -NotContains $dugDn)
    {
        Write-Host "$($user.SamAccountName) not in the domain users group"
    }
}
0
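The answers above test direct `memberOf` values only. The following is an added example, not code from any of the answers: it lists enabled users who are outside "Domain Admins" and "Administrators", also counting nested membership and the primary group. It assumes the RSAT ActiveDirectory module and a reachable domain, and it reads "current users" as enabled accounts; `Get-NonMemberFilter` is a hypothetical helper name.

```powershell
# Added example: requires the ActiveDirectory (RSAT) module and a reachable domain.
Import-Module ActiveDirectory

# LDAP_MATCHING_RULE_IN_CHAIN: makes the memberOf test follow nested groups.
$InChain = '1.2.840.113556.1.4.1941'
# LDAP_MATCHING_RULE_BIT_AND: used to test the ACCOUNTDISABLE bit (2).
$BitAnd  = '1.2.840.113556.1.4.803'

# Hypothetical helper: returns LDAP clauses that exclude members of each group.
function Get-NonMemberFilter {
    param([Parameter(Mandatory)][string[]]$GroupName)

    $clauses = foreach ($name in $GroupName) {
        $group = Get-ADGroup -Identity $name

        # Escape characters that are special inside an LDAP filter value.
        $dn = $group.DistinguishedName -replace '\\', '\5c' `
                                       -replace '\*', '\2a' `
                                       -replace '\(', '\28' `
                                       -replace '\)', '\29'

        # Not a direct or nested member of the group.
        '(!(memberOf:{0}:={1}))' -f $InChain, $dn

        # memberOf never lists the primary group, so test it separately.
        # The RID is the last component of the group's SID.
        $rid = $group.SID.Value.Split('-')[-1]
        '(!(primaryGroupID={0}))' -f $rid
    }
    $clauses -join ''
}

$exclusions = Get-NonMemberFilter -GroupName 'Domain Admins', 'Administrators'

# User objects only, enabled only, and outside both groups.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          ('(!(userAccountControl:{0}:=2))' -f $BitAnd) +
          $exclusions + ')'

Write-Verbose "LDAP filter: $filter"

# Print only the usernames, as the question asks.
Get-ADUser -LDAPFilter $filter |
    Sort-Object SamAccountName |
    Select-Object -ExpandProperty SamAccountName
```

A user whose primary group is itself nested inside one of the excluded groups is not caught by this filter, because the in-chain rule only walks `memberOf`.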