I'm trying to change AD properties (Windows VPN, i.e. Routing and Remote dial-in service) of users that are members of some AD group. That part is OK. But at the same time I need to exclude changing properties of those users that have additional membership in some other groups. Let's say all users are in the "Office" group. I can disable VPN for them all with the script below. But the group also contains users who are additionally members of the "VPN always on" group. How can I exclude them from the script's action?

Here is my working script (without exclusion):

Get-ADGroupMember -Identity "Office" | where {$_.objectclass -eq "user"} | foreach { Set-ADUser -Identity $($_.distinguishedName) -clear msnpallowdialin}
Mathias R. Jessen
Eugene G

1 Answer

There's almost certainly a better way of doing this but...

Remove the -WhatIf to actually make the changes

Get-ADGroupMember -Identity "Office" | where {$_.objectclass -eq "user"} | ForEach {
    Get-ADUser -Identity $_ -Properties memberof , msnpallowdialin | Where-Object {!($_.memberof -like "*VPN USer Group*")} | Set-ADUser -Clear msnpallowdialin -whatif
}
Scepticalist
  • Thank you for the quick response! Unfortunately, the script requires "Filter:" to go further. I tried different filters and other variants of the script, but with no luck. I also tried to implement your idea of **$_.memberof** in different ways. But no luck. I can get the script to work with no errors and even **msnpallowdialin** changes, but I cannot get the exclusion to work. I also tried creating variables with **$badlists** (excluded groups) and different **foreach** types. Also with no luck. – Eugene G Apr 26 '19 at 08:09
  • Apologies, forgot to add the Identity parameter - see edited script above. – Scepticalist Apr 26 '19 at 08:27
  • Very weird. A **like** operator works, but **notlike** does not. But I need it. It seems like **notlike** just does not "see" the corresponding text in the **memberof** string. Tested a lot. Other operators like (not)match, (not)contains etc. are not working either. Any ideas or workarounds? – Eugene G Apr 26 '19 at 12:52
  • Now it works! It was a good idea to replace **notlike** with **{!(..-like)}**. I had forgotten about this method entirely. Now the script successfully resets VPN for all users of the "Office" group and does not touch users of the excluded group. Thank you! – Eugene G Apr 26 '19 at 19:08
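
The difference between **notlike** and **{!(..-like)}** seen in the comments above comes from how PowerShell comparison operators treat a collection on the left-hand side: they return the matching elements instead of a single Boolean. The following is an added example, not code from the original posts; it runs without Active Directory, and the user names, group DNs and function names are constructed for illustration.

```powershell
# Constructed sample data. memberOf is multi-valued, so it is modelled here
# as an array of group distinguished names (all DNs below are made up).
$officeDn   = 'CN=Office,OU=Groups,DC=example,DC=com'
$excludedDn = 'CN=VPN always on,OU=Groups,DC=example,DC=com'

$users = @(
    [pscustomobject]@{ SamAccountName = 'alice'; MemberOf = @($officeDn) }
    [pscustomobject]@{ SamAccountName = 'bob';   MemberOf = @($officeDn, $excludedDn) }
)

# -notlike on a collection returns every element that does NOT match.
# bob's "Office" DN does not match, so the result is non-empty (truthy)
# and bob passes the filter even though he is in the excluded group.
function Test-NotLike {
    param($User, [string]$Pattern)
    [bool]($User.MemberOf -notlike $Pattern)
}

# -like returns only the matching elements; negating that result is true
# only when no group matched at all. This is the form used in the answer.
function Test-NegatedLike {
    param($User, [string]$Pattern)
    -not ($User.MemberOf -like $Pattern)
}

# Exact comparison against the full DN avoids wildcard matches on
# similarly named groups.
function Test-NotContainsDn {
    param($User, [string]$GroupDn)
    $User.MemberOf -notcontains $GroupDn
}

# "Selected" means the user would be passed on to Set-ADUser.
$users | ForEach-Object {
    [pscustomobject]@{
        User               = $_.SamAccountName
        NotLikeSelects     = Test-NotLike       $_ '*VPN always on*'
        NegatedLikeSelects = Test-NegatedLike   $_ '*VPN always on*'
        NotContainsSelects = Test-NotContainsDn $_ $excludedDn
    }
} | Format-Table -AutoSize
```

Note that memberOf lists only direct group memberships, so a user who belongs to the excluded group through a nested group is not caught by any of these filters.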