List all users that have mailboxes but are not in a group called Metalogix*. I need a PowerShell script that will check whether a specific user is part of a certain group or not, and if the user is part of any of those groups.

I already have a working script:

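Import-Module ActiveDirectory
# Get-Mailbox requires an Exchange Management Shell session
$Users = Get-Mailbox -ResultSize "unlimited"
$Group = "Metalogix*"

foreach ($user in $Users) {
    # Direct memberships only: Get-ADPrincipalGroupMembership does not expand nested groups
    $Check = Get-ADPrincipalGroupMembership -Identity $User.sAMAccountName |
             Where-Object { $_.Name -like $Group }

    if ($null -eq $Check) {
        # $( ) is needed to expand a property inside a double-quoted string
        Write-Output "$($User.sAMAccountName) is NOT part of this group"
    } else {
        $Results = Get-Mailbox -Identity $User.sAMAccountName |
                   Select-Object Name, sAMAccountName, PrimarySmtpAddress, Database |
                   Export-Csv "c:\results1.csv" -NoTypeInformation -Append
    }
}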

But the script doesn't list groups recursively, e.g. tester4-6 are members of 'Test Group 2', which is a member of 'Test Group 1'. The rest are direct. I can only see direct membership, not recursive membership.

2nd question: I want to get all users whose samaccountname begins with the "STR" prefix.

Test Group 1
tester1
tester2
   ->    Test Group 2
         tester4
         tester6
Ansgar Wiechers
Arbelac
  • I have a couple of scripts on my GitHub that do recursive searches on AD group members that you might be able to modify to your needs. https://github.com/trebleCode/theposhadmin My Get-NestedMembers and Get-UserMemberships scripts might help. They prompt for file selection but you should be able to mod them to your needs. Also check another post from here about a similar issue: https://stackoverflow.com/questions/23885149/get-recursive-group-membership-of-all-ad-users-using-powershell For the 2nd piece: `Get-ADUser -Filter {samaccountname -like "STR*"}` – trebleCode Jan 06 '18 at 19:47
  • Use Group-Object with Select to group by principal name if that's what you're trying to report on – trebleCode Jan 06 '18 at 19:47

2 Answers

I'd probably use a recursive function. Something like this:

function Test-GroupMembership {
    Param(
        [Parameter(Mandatory=$true)]
        [string]$Identity,
        [Parameter(Mandatory=$true)]
        [string]$Name
    )

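    # Direct group memberships of the given principal (user or group)
    $groups = Get-ADPrincipalGroupMembership -Identity $Identity
    if ($groups | Where-Object { $_.Name -like $Name }) {
        return $true
    } elseif ($null -ne $groups) {
        # No direct match: check the memberships of each parent group in turn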
        foreach ($g in $groups) {
            if (Test-GroupMembership -Identity $g -Name $Name) {
                return $true
            }
        }
    }
    return $false
}
Ansgar Wiechers

Get-ADPrincipalGroupMembership isn't recursive, but Get-ADGroupMember is.

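Import-Module ActiveDirectory
$Users = Get-Mailbox -ResultSize "unlimited"
$Group = 'Metalogix*'
# -Identity does not accept wildcards, so resolve the matching groups with -Filter first,
# then expand each one recursively (nested groups are flattened to their leaf members).
$GroupMembers = Get-ADGroup -Filter "Name -like '$Group'" |
                Get-ADGroupMember -Recursive |
                Select-Object -ExpandProperty SamAccountName -Unique

foreach ($User in $Users) {
    # Compare the account name, not the mailbox object, against the member list
    if ($User.SamAccountName -in $GroupMembers) {
        Write-Output "User $($User.SamAccountName) is in group $Group."
    }
    else {
        Write-Output "User $($User.SamAccountName) is not in group $Group."
    }
}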

This is also more efficient because you're only fetching group membership once.

I'm away from my servers, so treat the above as pseudocode.

Bacon Bits
  • I want to get all users with samaccountname that begins with "STR" prefix. How can I do that? Thanks again – Arbelac Jan 07 '18 at 05:34
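
A cycle-safe version of the nested-membership walk discussed in the answers, as an added example that is not code from either answerer. The `$MemberOf` table is constructed sample data based on the question's Test Group hierarchy (with a circular nesting added on purpose), and `Test-NestedMembership` and its `-GetParents` parameter are hypothetical names; it assumes PowerShell 5 or later.

```powershell
# Constructed sample data: direct "member of" edges, keyed by principal name.
# Mirrors the question's hierarchy; the 'Test Group 1' -> 'Test Group 2' edge
# is added on purpose to create a circular nesting.
$MemberOf = @{
    'tester1'      = @('Test Group 1')
    'tester2'      = @('Test Group 1')
    'tester4'      = @('Test Group 2')
    'tester6'      = @('Test Group 2')
    'Test Group 2' = @('Test Group 1')
    'Test Group 1' = @('Test Group 2')
}

function Test-NestedMembership {
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][string]$Name,
        # Hypothetical hook: returns the names of the groups a principal is a
        # DIRECT member of. Here it reads the sample table; against a live
        # domain it could wrap Get-ADPrincipalGroupMembership instead.
        [scriptblock]$GetParents = { param($id) $MemberOf[$id] }
    )

    # Group names are compared case-insensitively, as AD does.
    $visited = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($Identity)

    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        foreach ($parent in @(& $GetParents $current)) {
            if (-not $parent) { continue }      # principal has no groups
            if ($parent -like $Name) { return $true }
            # Add() returns $false for a group that was already seen, which
            # stops a circular nesting from being walked forever.
            if ($visited.Add($parent)) { $queue.Enqueue($parent) }
        }
    }
    return $false
}

# Nested match: tester4 -> 'Test Group 2' -> 'Test Group 1'
Test-NestedMembership -Identity 'tester4' -Name 'Test Group 1'
# No match: the walk terminates despite the circular nesting
Test-NestedMembership -Identity 'tester4' -Name 'Metalogix*'
```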