Active Directory Active User Query

I need a command that will provide me a list of all enabled users in AD, but exclude User accounts that are members of a certain Security Group, such as "Domain Admin".  How can I modify the below command to include the exclusion?


Get-ADUser -LdapFilter "(&(!useraccountcontrol:1.2.840.113556.1.4.803:=2))" | Select-Object Name,UserPrincipalName |Sort-Object Name
LVL 1
fireguy1125Asked:
Who is Participating?
 
SubsunConnect With a Mentor Commented:
Try..
Get-ADUser -LdapFilter "(&(!useraccountcontrol:1.2.840.113556.1.4.803:=2))" -properties memberof | ?{$_.memberof -notmatch "CN=GroupName"}| Select-Object Name,UserPrincipalName |Sort-Object Name

Open in new window

Or
Get-ADUser -LdapFilter "(&(!useraccountcontrol:1.2.840.113556.1.4.803:=2))" -properties memberof | 
	?{($_.memberof | Get-ADGroup | Select -ExpandProperty Name) -notcontains "GroupName"}| 
	Select-Object Name,UserPrincipalName |Sort-Object Name

Open in new window

0
 
Will SzymkowskiSenior Solution ArchitectCommented:
Use the following syntax below to accomplish this...

Get-ADUser -filter * -properties * | ? {$_.Enabled -eq $true -and -ne (Get-ADGroup -Identity <groupname>)} | sort-object -property Name | select Name, UserPrincipalName

Open in new window


Will.
0
 
jss1199Commented:
and another filter to the LdapFilter to filter out those members that are memberof the group in questions.

I am mobile, but syntax should be something like:

-LdapFilter "(&(!useraccountcontrol:1.2.840.113556.1.4.803:=2))" AND (!(|(memberof=CN=YOURGROUPHERE,dc=domain,dc=com)
0
 
fireguy1125Author Commented:
Your first one worked perfect Subsun, thanks!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.