Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Powershell: Find user who are member of a certain group that resides in some OU

Posted on 2013-12-03
13
Medium Priority
?
4,358 Views
Last Modified: 2013-12-10
Hi,

I have this script. I feed it usernames from a csv and it returns only the groupsnames the user is member of, who's names begin with "CTX"

Import-Module ActiveDirectory

$users = Import-CSV "C:\Temp\Migrate.csv" -Delimiter ';' | Select -ExpandProperty samaccountname
Get-ADUser -filter * -Properties memberof | Where {$_.memberof -match "CTX" -and $users -contains $_.samaccountname } | ForEach `
{
    $username = $_.samaccountname
    Get-ADPrincipalGroupMembership $username |
        Where {$_.name -like "CTX*"} |
        Select @{n="sAMAccountname";e={$username}},@{n="Groupname";e={$_.name}}
		
} | Export-CSV C:\Temp\Members.csv 

Open in new window


Th script works great. But, the organizational structure of the company I'm working at is changing and a few hundred new "CTX" groups are created, due to a new naming convention. For the time being, the old and new groups reside side by side in two different OU's.
Th problem is that users are member of both the "old" and the "new" group, so my output is heavily contaminated.
I would like the script to point to a specific OU, when looking for the groups a user is member of.
Can this be done and does anyone know how ?

Thanks in advance
0
Comment
Question by:Loyall
  • 5
  • 3
  • 3
  • +1
13 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 39693355
Add -SearchBase parameter to Get-ADUser in line 4.. so cmdlet will look users only in that specific OU.
Get-ADUser -SearchBase "OU=Accounts,OU=RootOU,DC=Domain,DC=com" -Properties memberof | Where {$_.memberof -match "CTX" -and $users -contains $_.samaccountname } | ForEach `

Open in new window

0
 
LVL 35

Expert Comment

by:YZlat
ID: 39693375
you could also add -SearchBase switch to your command. try something like that:

Import-Module ActiveDirectory

$users = Import-CSV "C:\Temp\Migrate.csv" -Delimiter ';' | Select -ExpandProperty samaccountname
Get-ADUser -SearchBase "OU=Test, ...." -filter * -Properties memberof | Where {$_.memberof -match "CTX" -and $users -contains $_.samaccountname } | ForEach `
{
    $username = $_.samaccountname
    Get-ADPrincipalGroupMembership $username -SearchBase "OU=Test, ...." |
        Where {$_.name -like "CTX*"} |
        Select @{n="sAMAccountname";e={$username}},@{n="Groupname";e={$_.name}}
		
} | Export-CSV C:\Temp\Members.csv 

Open in new window

0
WatchGuard Case Study: Museum of Flight

“With limited money and limited staffing, we didn’t have a lot of choices in terms of what we could do to bring efficiency. WatchGuard played a central part in changing that.” To provide strong, secure Wi-Fi access within the museum, Hunter chose to deploy WatchGuard’s AP120 APs.

 
LVL 2

Author Comment

by:Loyall
ID: 39693525
Hi,

It's not the users that are in a specific OU.
It's the groups they are member of...
0
 
LVL 41

Accepted Solution

by:
footech earned 2000 total points
ID: 39693558
You would have to modify the Where-Object filter on line 8 to match against the DistinguishedName of the group.  Something like the below.
        Where {$_.name -like "CTX*" -and $_.DistinguishedName -match "OU=newOU,DC=domain,DC=com"} |

Open in new window

0
 
LVL 35

Expert Comment

by:YZlat
ID: 39693569
you need to add -SearchBase switch to Get-ADPrincipalGroupMembership
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39693574
Try changing $_.memberof -match "CTX" to
?{$_.memberof -match ".*CTX.*OU=Group,OU=Test,DC=Domain,DC=com"}
Replace OU=Group,OU=Test,DC=Domain,DC=com with your OU's DistinguishedName
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39693582
I don't think there is a  -SearchBase parameter for Get-ADPrincipalGroupMembership..
0
 
LVL 2

Author Closing Comment

by:Loyall
ID: 39693823
Perfect solution. Thanks !
0
 
LVL 2

Author Comment

by:Loyall
ID: 39697628
Hmm, was testing it in a small test environment where it seemed to work. Now testing it in real life and the script gives also the groups from other OU's..

Situation:
OU_with_groups
                 OU_with_new_groups
                 OU_with_special_groups

I'm running the script against the "OU_with_groups", where the targeted CTX groups are, but it also gives me results from the nested OU_with_new_groups, OU_with_special_groups where different, not neede CTX groups are situated.

Script:
Import-Module ActiveDirectory

$users = Import-CSV "C:\Temp\Migration_CSV.csv" -Delimiter ';' | Select -ExpandProperty samaccountname
Get-ADUser -filter * -Properties memberof | Where {$_.memberof -match "CTX" -and $users -contains $_.samaccountname } | ForEach `
{
    $username = $_.samaccountname
    Get-ADPrincipalGroupMembership $username |
        Where {$_.name -like "CTX*" -and $_.DistinguishedName -match "OU=OU_with_groups,OU=Groups,OU=Company,DC=domain,DC=local"} |
        Select @{n="sAMAccountname";e={$username}},@{n="CTXGroup";e={$_.name}}
		
} | Export-CSV C:\Temp\CSV\01_CTXMembers.csv 

Open in new window

0
 
LVL 41

Expert Comment

by:footech
ID: 39704026
Try the following.
Import-Module ActiveDirectory

$users = Import-CSV "C:\Temp\Migration_CSV.csv" -Delimiter ';' | Select -ExpandProperty samaccountname
Get-ADUser -filter * -Properties memberof | Where {$_.memberof -match "CTX" -and $users -contains $_.samaccountname } | ForEach `
{
    $username = $_.samaccountname
    Get-ADPrincipalGroupMembership $username |
        Where {$_.name -like "CTX*" -and $_.DistinguishedName -match "(?<!,OU=.+?),OU=OU_with_groups,OU=Groups,OU=Company,DC=domain,DC=local"} |
        Select @{n="sAMAccountname";e={$username}},@{n="CTXGroup";e={$_.name}}
		
} | Export-CSV C:\Temp\CSV\01_CTXMembers.csv

Open in new window

0
 
LVL 2

Author Comment

by:Loyall
ID: 39704149
Thank you !
I will give it a try tomorrow and let you know.
0
 
LVL 2

Author Comment

by:Loyall
ID: 39708485
Hi Footech,

Tried it and it works perfect !
Thank you very, very much !
0

Featured Post

WatchGuard Case Study: NCR

With business operations for thousands of customers largely depending on the internal systems they support, NCR can’t afford to waste time or money on security products that are anything less than exceptional. That’s why they chose WatchGuard.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Nano Server Image Builder helps you create a custom Nano Server image and bootable USB media with the aid of a graphical interface. Based on the inputs you provide, it generates images for deployment and creates reusable PowerShell scripts that …
A walk-through example of how to obtain and apply new DID phone numbers to your cloud PBX enabled users that are configured in Office 365. Whether you have 1, 10 or 100+ users in your tenant, it's quite easy to get them phone-enabled and making/rece…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question