Solved

Powershell: Find user who are member of a certain group that resides in some OU

Posted on 2013-12-03
13
3,439 Views
Last Modified: 2013-12-10
Hi,

I have this script. I feed it usernames from a csv and it returns only the groupsnames the user is member of, who's names begin with "CTX"

Import-Module ActiveDirectory

$users = Import-CSV "C:\Temp\Migrate.csv" -Delimiter ';' | Select -ExpandProperty samaccountname
Get-ADUser -filter * -Properties memberof | Where {$_.memberof -match "CTX" -and $users -contains $_.samaccountname } | ForEach `
{
    $username = $_.samaccountname
    Get-ADPrincipalGroupMembership $username |
        Where {$_.name -like "CTX*"} |
        Select @{n="sAMAccountname";e={$username}},@{n="Groupname";e={$_.name}}
		
} | Export-CSV C:\Temp\Members.csv 

Open in new window


Th script works great. But, the organizational structure of the company I'm working at is changing and a few hundred new "CTX" groups are created, due to a new naming convention. For the time being, the old and new groups reside side by side in two different OU's.
Th problem is that users are member of both the "old" and the "new" group, so my output is heavily contaminated.
I would like the script to point to a specific OU, when looking for the groups a user is member of.
Can this be done and does anyone know how ?

Thanks in advance
0
Comment
Question by:Loyall
  • 5
  • 3
  • 3
  • +1
13 Comments
 
LVL 35

Expert Comment

by:YZlat
ID: 39693352
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39693355
Add -SearchBase parameter to Get-ADUser in line 4.. so cmdlet will look users only in that specific OU.
Get-ADUser -SearchBase "OU=Accounts,OU=RootOU,DC=Domain,DC=com" -Properties memberof | Where {$_.memberof -match "CTX" -and $users -contains $_.samaccountname } | ForEach `

Open in new window

0
 
LVL 35

Expert Comment

by:YZlat
ID: 39693375
you could also add -SearchBase switch to your command. try something like that:

Import-Module ActiveDirectory

$users = Import-CSV "C:\Temp\Migrate.csv" -Delimiter ';' | Select -ExpandProperty samaccountname
Get-ADUser -SearchBase "OU=Test, ...." -filter * -Properties memberof | Where {$_.memberof -match "CTX" -and $users -contains $_.samaccountname } | ForEach `
{
    $username = $_.samaccountname
    Get-ADPrincipalGroupMembership $username -SearchBase "OU=Test, ...." |
        Where {$_.name -like "CTX*"} |
        Select @{n="sAMAccountname";e={$username}},@{n="Groupname";e={$_.name}}
		
} | Export-CSV C:\Temp\Members.csv 

Open in new window

0
 
LVL 2

Author Comment

by:Loyall
ID: 39693525
Hi,

It's not the users that are in a specific OU.
It's the groups they are member of...
0
 
LVL 39

Accepted Solution

by:
footech earned 500 total points
ID: 39693558
You would have to modify the Where-Object filter on line 8 to match against the DistinguishedName of the group.  Something like the below.
        Where {$_.name -like "CTX*" -and $_.DistinguishedName -match "OU=newOU,DC=domain,DC=com"} |

Open in new window

0
 
LVL 35

Expert Comment

by:YZlat
ID: 39693569
you need to add -SearchBase switch to Get-ADPrincipalGroupMembership
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 40

Expert Comment

by:Subsun
ID: 39693574
Try changing $_.memberof -match "CTX" to
?{$_.memberof -match ".*CTX.*OU=Group,OU=Test,DC=Domain,DC=com"}
Replace OU=Group,OU=Test,DC=Domain,DC=com with your OU's DistinguishedName
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39693582
I don't think there is a  -SearchBase parameter for Get-ADPrincipalGroupMembership..
0
 
LVL 2

Author Closing Comment

by:Loyall
ID: 39693823
Perfect solution. Thanks !
0
 
LVL 2

Author Comment

by:Loyall
ID: 39697628
Hmm, was testing it in a small test environment where it seemed to work. Now testing it in real life and the script gives also the groups from other OU's..

Situation:
OU_with_groups
                 OU_with_new_groups
                 OU_with_special_groups

I'm running the script against the "OU_with_groups", where the targeted CTX groups are, but it also gives me results from the nested OU_with_new_groups, OU_with_special_groups where different, not neede CTX groups are situated.

Script:
Import-Module ActiveDirectory

$users = Import-CSV "C:\Temp\Migration_CSV.csv" -Delimiter ';' | Select -ExpandProperty samaccountname
Get-ADUser -filter * -Properties memberof | Where {$_.memberof -match "CTX" -and $users -contains $_.samaccountname } | ForEach `
{
    $username = $_.samaccountname
    Get-ADPrincipalGroupMembership $username |
        Where {$_.name -like "CTX*" -and $_.DistinguishedName -match "OU=OU_with_groups,OU=Groups,OU=Company,DC=domain,DC=local"} |
        Select @{n="sAMAccountname";e={$username}},@{n="CTXGroup";e={$_.name}}
		
} | Export-CSV C:\Temp\CSV\01_CTXMembers.csv 

Open in new window

0
 
LVL 39

Expert Comment

by:footech
ID: 39704026
Try the following.
Import-Module ActiveDirectory

$users = Import-CSV "C:\Temp\Migration_CSV.csv" -Delimiter ';' | Select -ExpandProperty samaccountname
Get-ADUser -filter * -Properties memberof | Where {$_.memberof -match "CTX" -and $users -contains $_.samaccountname } | ForEach `
{
    $username = $_.samaccountname
    Get-ADPrincipalGroupMembership $username |
        Where {$_.name -like "CTX*" -and $_.DistinguishedName -match "(?<!,OU=.+?),OU=OU_with_groups,OU=Groups,OU=Company,DC=domain,DC=local"} |
        Select @{n="sAMAccountname";e={$username}},@{n="CTXGroup";e={$_.name}}
		
} | Export-CSV C:\Temp\CSV\01_CTXMembers.csv

Open in new window

0
 
LVL 2

Author Comment

by:Loyall
ID: 39704149
Thank you !
I will give it a try tomorrow and let you know.
0
 
LVL 2

Author Comment

by:Loyall
ID: 39708485
Hi Footech,

Tried it and it works perfect !
Thank you very, very much !
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This script checks a path to see if a folder exists. If the folder does exist you will get output "The folder has previously been created. No action taken" If not it will create the folder. Then adds one user modify permission to the folder. It …
I thought I'd write this up for anyone who has a request to create an anonymous whistle-blower-type submission form created using SharePoint 2010 (this would probably work the same for 2013). It's not 100% fool-proof but it's as close as you can get…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now