Quick way to audit an AD OU for users that are members of a specified group

PtboGiser
I have an OU containing a couple hundred users that are all to be removed from the default 'Domain Users' group upon account creation and placed in a custom primary group.  Occasionally another staff member may forget to do this, so I'd like a quick and easy way to audit that OU and discover any users in it that are still members of Domain Users.

I have this where the search base is the OU in question:
Get-ADUser -filter {memberof -recursivematch "CN=Domain Users,OU=Users,DC=<domain>,DC=<domain>"} -SearchBase "OU=<ou>,OU=<ou>,OU=<ou>,DC=<domain>,DC=<domain>"

But it returns no results, even if there are users in the specified OU that are members of Domain Users.

Can someone correct my PowerShell script?  Or maybe advise a way I can do this from the Active Directory Users and Computers GUI?  Thanks!
dsget group "CN=Domain Users,OU=users,DC=Contoso,DC=Com" -members

This will list the users who are members of the Domain Users group.
Commented:
The first thing I'd do is replace "OU=Users" with "CN=Users" in your filter.  "CN=Domain Users,CN=Users,DC=...".  Users is a container in AD, not an OU.
Commented:
Domain Users is most likely going to be the primary group, so memberOf doesn't work here.

The primary group is not part of memberOf.  You can search using the primaryGroupID attribute.  513 is for Domain Users.  If you want to see a list, look at this KB article: http://support.microsoft.com/kb/243330/en-us

So for your query use the following (using adfind for my example, but the same LDAP query should work in PowerShell):

adfind -default -f "&(objectcategory=person)(objectclass=user)(primarygroupid=513)" samaccountname

Thanks


Mike

Venurajav, thanks, but I need to isolate my search to users in a specific OU, I can easily see the complete list of users on the Domain Users group through AD Users and Computers.

Dave_it, thanks, you are right, I missed that, but still no results.

mkline71, Thanks, I modified my command to this:

Get-ADUser -filter {primaryGroupID -eq 513} -SearchBase "OU=<ou>,OU=<ou>,OU=<ou>,DC=<domain>,DC=<domain>"

And it works.  I changed one of my users to be a member of Domain Users but have a different primary group (a possibility I'd like to account for), and retested my original command as corrected by Dave_it:

Get-ADUser -filter {memberof -recursivematch "CN=Domain Users,CN=Users,DC=<domain>,DC=<domain>"} -SearchBase "OU=<ou>,OU=<ou>,OU=<ou>,DC=<domain>,DC=<domain>"

And it works too.  Between those two commands, I think I am set.  Thanks for your help!
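The two commands above each catch one case: primaryGroupID 513 finds users whose primary group is still Domain Users (the point mkline71 made), and the memberOf filter finds users who were given a different primary group but still hold an explicit Domain Users membership. The script below is an added example, not code posted by anyone in this thread; it runs both checks over one OU in a single pass and reports which condition each user matched. The OU and group distinguished names are placeholders to replace with your own.

```powershell
# Added example: audit one OU for users still tied to Domain Users, either as
# their primary group (primaryGroupID 513) or as an explicit memberOf entry.
# The DNs below are placeholders, not values from the thread.
Import-Module ActiveDirectory

$searchBase    = "OU=<ou>,OU=<ou>,DC=<domain>,DC=<domain>"            # placeholder
$domainUsersDN = "CN=Domain Users,CN=Users,DC=<domain>,DC=<domain>"   # placeholder

# memberOf never lists the primary group, so both attributes are needed.
$users = Get-ADUser -Filter * -SearchBase $searchBase -Properties primaryGroupID, memberOf

$report = foreach ($u in $users) {
    $primaryIsDomainUsers = ($u.primaryGroupID -eq 513)
    $explicitMember       = ($u.memberOf -contains $domainUsersDN)

    if ($primaryIsDomainUsers -or $explicitMember) {
        [pscustomobject]@{
            SamAccountName       = $u.SamAccountName
            DistinguishedName    = $u.DistinguishedName
            PrimaryIsDomainUsers = $primaryIsDomainUsers
            ExplicitMember       = $explicitMember
        }
    }
}

# Show the findings; uncomment the last line to keep a CSV record of the audit run.
$report | Sort-Object SamAccountName | Format-Table -AutoSize
# $report | Export-Csv -Path .\DomainUsersAudit.csv -NoTypeInformation
```

The `-contains` test only sees direct membership. If Domain Users could be reached through nested groups in your environment, keep the `-RecursiveMatch` filter from the thread for that check instead, since it asks the domain controller to walk the nesting for you.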
Commented:
Glad we were able to help out.

Thanks

Mike

Author commented:
See my final comment for the final PowerShell commands I used.
