powershell not member of a security group

Hi,

I need to audit a security group and export a list of users not in the group. I have produced this, but when testing it's not giving the correct results. Can you see what I'm missing?

Get-ADUser -Filter * -SearchBase "OU=Test OU,OU=Users,DC=lab,DC=local" -Properties Enabled | where { -not $_.memberof -like '*DisableVPN*' } | Export-Csv C:\temp\export.csv

Ben S Asked:

Jose Gabriel Ortega Castro, CEO Faru Bonon IT - EE Solution Expert, Commented:
It would be something like this:
$UsersResult=@()
$LikeGroup='DisableVPN'
$DNOU = "OU=Test OU,OU=Users,DC=lab,DC=local"
Get-ADUser -Filter {enabled -eq $true} -Properties Memberof -SearchBase $DNOU |%{
    $GMembership=$_.Memberof
    [bool]$TobeAdded= if( ($_.memberof | where{$_ -match $LikeGroup}).count -ge 1){$false}else{$true}
    if($TobeAdded){
        $UsersResult+=$_
    }
}

$UsersResult

You can filter directly in the Filter using the Enabled property to true.
Memberof is a property of the results in the GetAD, so if you select just the property "Enabled" it won't bring the "MemberOf" information and the rest of your cmdlet will fail.
Don't use Like; use Match or notmatch.
I usually don't use the asterisks; generally a match will find it if it's contained. The stars will force it, but in my experience that's generally not required.
Qlemo, "Batchelor", Developer and EE Topic Advisor, Commented:
Get-ADUser -Filter * -SearchBase "OU=Test OU,OU=Users,DC=lab,DC=local" -Properties Enabled, MemberOf | 
  where { $_.MemberOf -notcontains 'DisableVPN' } |
  Export-Csv C:\temp\export.csv

I didn't test if MemberOf is one of the default properties Get-ADUser returns anyway, but it never hurts to mention AD properties you want to use explicitly.
Ben S, Author, Commented:
Hi,
When I run this, I don't get any errors, but my test user is listed in the export CSV when it shouldn't be. Thanks for the assistance.

Get-ADUser -Filter * -SearchBase "OU=Test OU,OU=Users,DC=lab,DC=local" -Properties Enabled, MemberOf | 
  where { $_.MemberOf -notcontains 'DisableVPN' } |
  Export-Csv C:\temp\export.csv

Jose Gabriel Ortega Castro, CEO Faru Bonon IT - EE Solution Expert, Commented:
Did you try my code?
Ohh forgot to add the csv part:

$CsvFile="C:\temp\export.csv"
$UsersResult=@()
$LikeGroup='DisableVPN'
$DNOU = "OU=Test OU,OU=Users,DC=lab,DC=local"
Get-ADUser -Filter {enabled -eq $true} -Properties Memberof -SearchBase $DNOU |%{
    $GMembership=$_.Memberof
    [bool]$TobeAdded= if( ($_.memberof | where{$_ -match $LikeGroup}).count -ge 1){$false}else{$true}
    if($TobeAdded){
        $UsersResult+=$_
    }
}
$UsersResult | Export-Csv $csvfile -NoTypeInformation

Qlemo, "Batchelor", Developer and EE Topic Advisor, Commented:
I thought I could go without pattern matching, but MemberOf lists canonical names. So we need to use -notmatch or -notlike.
Get-ADUser -Filter * -SearchBase "OU=Test OU,OU=Users,DC=lab,DC=local" -Properties Enabled, MemberOf | 
  where { $_.MemberOf -join ';' -notmatch '=DisableVPN,' } |
  Export-Csv C:\temp\export.csv

I'm not sure that you would NOT like to filter for enabled accounts only. Disabled accounts should not be of interest. If you want to filter, replace the filter expression as shown by Jose: -Filter {enabled -eq $true}
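
An alternative to the client-side string matching in the answers above, as an added example that is not from the thread: resolve the group once and have the domain controller compare memberOf against the group's exact distinguished name, so a similarly named group cannot cause users to be left out of the audit export. The function names are hypothetical; the group name, OU and CSV path are the ones from the question.

```powershell
# Added example. Function names are hypothetical; requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters that are special inside an LDAP filter value (RFC 4515).
    # A DN that contains a backslash escape (e.g. "CN=VPN\, Disable,...") would
    # otherwise produce a filter that matches nothing or fails to parse.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-ADUserNotInGroup {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$SearchBase,
        [switch]$EnabledOnly,    # skip disabled accounts
        [switch]$IncludeNested   # also count indirect (nested) membership as membership
    )

    # Resolve the group once; this stops with an error if the name does not exist.
    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    $dn    = ConvertTo-LdapFilterValue -Value $group.DistinguishedName

    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (walks nested groups).
    $rule = if ($IncludeNested) { ':1.2.840.113556.1.4.1941:' } else { '' }

    # 1.2.840.113556.1.4.803 = bitwise AND; bit 2 of userAccountControl marks a disabled account.
    $enabled = if ($EnabledOnly) { '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' } else { '' }

    # Note: memberOf never contains a user's primary group, so a group that is
    # someone's primary group needs a separate primaryGroupID check.
    $filter = "(&(objectCategory=person)(objectClass=user)${enabled}(!(memberOf${rule}=${dn})))"

    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase
}

# Select scalar properties so the CSV holds readable values in every column.
Get-ADUserNotInGroup -GroupName 'DisableVPN' -SearchBase 'OU=Test OU,OU=Users,DC=lab,DC=local' -EnabledOnly |
    Select-Object Name, SamAccountName, DistinguishedName |
    Export-Csv -Path 'C:\temp\export.csv' -NoTypeInformation
```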