Solved

Active Directory Active User Query

Posted on 2013-12-17
4
438 Views
Last Modified: 2013-12-18
I need a command that will provide me a list of all enabled users in AD, but exclude User accounts that are members of a certain Security Group, such as "Domain Admin".  How can I modify the below command to include the exclusion?


Get-ADUser -LdapFilter "(&(!useraccountcontrol:1.2.840.113556.1.4.803:=2))" | Select-Object Name,UserPrincipalName |Sort-Object Name
0
Comment
Question by:fireguy1125
4 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39725082
Use the following syntax below to accomplish this...

Get-ADUser -filter * -properties * | ? {$_.Enabled -eq $true -and -ne (Get-ADGroup -Identity <groupname>)} | sort-object -property Name | select Name, UserPrincipalName

Open in new window


Will.
0
 
LVL 19

Expert Comment

by:jss1199
ID: 39725085
and another filter to the LdapFilter to filter out those members that are memberof the group in questions.

I am mobile, but syntax should be something like:

-LdapFilter "(&(!useraccountcontrol:1.2.840.113556.1.4.803:=2))" AND (!(|(memberof=CN=YOURGROUPHERE,dc=domain,dc=com)
0
 
LVL 40

Accepted Solution

by:
Subsun earned 500 total points
ID: 39725979
Try..
Get-ADUser -LdapFilter "(&(!useraccountcontrol:1.2.840.113556.1.4.803:=2))" -properties memberof | ?{$_.memberof -notmatch "CN=GroupName"}| Select-Object Name,UserPrincipalName |Sort-Object Name

Open in new window

Or
Get-ADUser -LdapFilter "(&(!useraccountcontrol:1.2.840.113556.1.4.803:=2))" -properties memberof | 
	?{($_.memberof | Get-ADGroup | Select -ExpandProperty Name) -notcontains "GroupName"}| 
	Select-Object Name,UserPrincipalName |Sort-Object Name

Open in new window

0
 
LVL 1

Author Closing Comment

by:fireguy1125
ID: 39726645
Your first one worked perfect Subsun, thanks!
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The following article is intended as a guide to using PowerShell as a more versatile and reliable form of application detection in SCCM.
A quick Powershell script I wrote to find old program installations and check versions of a specific file across the network.
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question