I'm looking for a way to identify users who are members of one of a few groups (a,b,c) but are also not in a specific group (d), an exception group, to later on perform some tasks on them (filling in a specific attribute based on the value of samaccountname).

For now, I have managed to list user accounts that are members of a specific group and meet another condition, having smart card enforcement set to false:

$groups = "a","b","c"
foreach ($group in $groups) {
  Get-ADGroupMember -Identity $group |
    Get-ADUser -Properties 'smartcardlogonrequired' |
    where {$_.smartcardlogonrequired -eq $false}
} 

I thought of the following: defining a group of exceptions by

$exceptions = (Get-ADGroup 'd').distinguishedname
foreach ($group in $groups) {
  Get-ADGroupMember -Identity $group |
    Get-ADUser -Properties 'smartcardlogonrequired' |
    where {$_.smartcardlogonrequired -eq $false} |
    Get-ADUser –Filter {-not(memberof –eq $d}
}

However, it doesn't really do the trick, and I'm sure there's a better way.

Ansgar Wiechers
BoleslawA

1 Answer

Get a list of the distinguished names of the members of group "d" and filter on users whose distinguished name is not part of that list:

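# Groups to check, as defined in the question
$groups = "a","b","c"
# Distinguished names of all members of the exception group "d"
$exceptions = Get-ADGroupMember 'd' | Select-Object -Expand DistinguishedName
foreach ($group in $groups) {
  Get-ADGroupMember -Identity $group |
    Get-ADUser -Properties 'smartcardlogonrequired' |
    Where-Object {
      # Keep users without smart card enforcement who are not in the exception list
      $_.smartcardlogonrequired -eq $false -and
      $exceptions -notcontains $_.DistinguishedName
    }
}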
Ansgar Wiechers
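
As an added example (not part of the answer above and not the answerer's code), the same selection can be done as one server-side LDAP query, which returns each user once even when they belong to several of the groups and skips non-user group members. It goes beyond the answer by offering optional nested-group matching; the function names, the `info` attribute and the `user-` value format are assumptions made for illustration.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters that are reserved inside an LDAP filter value (RFC 4515).
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-SmartcardAuditFilter {
    param(
        [Parameter(Mandatory)][string[]]$IncludeGroup,
        [Parameter(Mandatory)][string]$ExceptionGroup,
        [switch]$Nested
    )
    # Plain memberOf matches direct membership only; the IN_CHAIN matching rule
    # (1.2.840.113556.1.4.1941) also follows nested groups. Neither covers a
    # user's primary group, which is not stored in memberOf.
    $attr = if ($Nested) { 'memberOf:1.2.840.113556.1.4.1941:' } else { 'memberOf' }
    $include = foreach ($g in $IncludeGroup) {
        $dn = ConvertTo-LdapFilterValue (Get-ADGroup -Identity $g).DistinguishedName
        "($attr=$dn)"
    }
    $dn = ConvertTo-LdapFilterValue (Get-ADGroup -Identity $ExceptionGroup).DistinguishedName
    $exclude = "($attr=$dn)"
    # 262144 (0x40000) is the SMARTCARD_REQUIRED bit of userAccountControl, tested
    # with the bitwise-AND matching rule 1.2.840.113556.1.4.803.
    $noSmartcard = '(!(userAccountControl:1.2.840.113556.1.4.803:=262144))'
    "(&(objectCategory=person)(objectClass=user)(|$(-join $include))(!$exclude)$noSmartcard)"
}

$filter  = Get-SmartcardAuditFilter -IncludeGroup 'a','b','c' -ExceptionGroup 'd'
$targets = Get-ADUser -LDAPFilter $filter
$targets | Select-Object SamAccountName, DistinguishedName

# Follow-up from the question: fill an attribute from sAMAccountName.
# 'info' and the "user-" prefix are placeholders; -WhatIf previews without writing.
foreach ($u in $targets) {
    Set-ADUser -Identity $u -Replace @{ info = "user-$($u.SamAccountName)" } -WhatIf
}
```

Remove `-WhatIf` only after reviewing the previewed changes, and pass `-Nested` if members of sub-groups of a, b, c or d should count as well.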