0

My company uses Microsoft Intune. We've got 4 groups in an on-premise AD that control the conditional access. We'll just call them AllowGroup1, AllowGroup2, BlockGroup1, and BlockGroup2. What I want to find is all users that are not in all of the groups. The result I'm wanting to find is any User object that is not in the mentioned groups. That way I can provide proof that our entire system is compliant. See below for the PowerShell code I've borrowed from this post: "List AD Users who do not belong to one of several groups".

I'm running these tests on my home domain controller. The problem I'm having is that the script isn't looking in the entire domain for users. Specifically, there is an OU in my personal DC that is called Home (I created the OU) and there are 2 user objects in a child OU called Users that this script isn't pulling from. I am running this script with a user that is in the Enterprise Admins group, so I know it has sufficient privileges. It's supposed to search AD via PowerShell for users not in multiple groups and place those users in a group called NotInGroup.

To further elaborate, some users will be in AllowGroup1 and in BlockGroup2. Some users will be in BlockGroup1 and BlockGroup2. I want to find all users that are not in any of the groups listed above.

Import-Module ActiveDirectory
$groupname = "NotInGroup"
$members = Get-ADGroupMember -Identity $groupname

# empty NotInGroup first so it only reflects the current result
foreach ($member in $members)
{
    Remove-ADGroupMember -Identity $groupname -Members $member.samaccountname
}

# the scriptblock must start on the same line as -Filter, otherwise
# PowerShell ends the command and complains about a missing argument
$users = Get-ADUser -Filter {
        (memberof -notlike "CN=AllowGroup1,OU=Intune,OU=Groups,DC=domain,DC=local") -and
        (memberof -notlike "CN=AllowGroup2,OU=Intune,OU=Groups,DC=domain,DC=local") -and
        (memberof -notlike "CN=BlockGroup1,OU=Intune,OU=Groups,DC=domain,DC=local") -and
        (memberof -notlike "CN=BlockGroup2,OU=Intune,OU=Groups,DC=domain,DC=local")
    } -SearchBase "dc=domain,dc=local" -SearchScope Subtree

foreach ($user in $users)
{
    Add-ADGroupMember -Identity $groupname -Members $user.samaccountname -ErrorAction SilentlyContinue
}
Adrian Mole

1 Answer

0

I don't think a complex filter like that would work and I would opt for using a regex.

Perhaps something like:

# get users not in groups 'AllowGroup1', 'AllowGroup2', 'BlockGroup1', 'BlockGroup2'
$regex = 'CN=(AllowGroup[12]|BlockGroup[12])'
$users = Get-ADUser -Filter * -Properties MemberOf | Where-Object { ($_.MemberOf -join ';') -notmatch $regex }

Or you could try using the LDAPFilter parameter:

$filter = '(!(|(memberof=CN=AllowGroup1,OU=Intune,OU=Groups,DC=domain,DC=local)
               (memberof=CN=AllowGroup2,OU=Intune,OU=Groups,DC=domain,DC=local)
               (memberof=CN=BlockGroup1,OU=Intune,OU=Groups,DC=domain,DC=local)
               (memberof=CN=BlockGroup2,OU=Intune,OU=Groups,DC=domain,DC=local)))'
$users = Get-ADUser -LDAPFilter $filter

Both parameters, Filter and LDAPFilter, are expecting a string, not a scriptblock.

Theo
  • Gotcha. I think I was running into using the incorrect syntax with the -notlike instead of the (!(. Appreciate the help! – bobthespoon Oct 30 '20 at 18:36
  • @bobthespoon Glad to hear this helped you. Being new to the platform you may not know this, but it is customary to accept the answer that solved your question by clicking the checkmark icon to the left of the answer. This helps other people with a similar question find it more easily. – Theo Oct 30 '20 at 20:20
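An added example that is not part of the question or the answer above: a function (the name Get-UsersNotInAnyGroup is mine) that resolves the group names to DNs at run time, escapes them for use in an LDAP filter, and uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule so that a user who is a member only through a nested group still counts as "in" a group, which matters when the result is used as compliance evidence. The group names and domain layout are assumed from the question.

```powershell
# Added example, not code from the question or the answer. Builds the
# (!(|...)) LDAP filter from group names instead of hard-coded DNs and
# searches the whole domain (Subtree from the domain root), so users in
# any OU, such as the "Home" OU from the question, are included.
Import-Module ActiveDirectory

function Get-UsersNotInAnyGroup {
    param(
        [Parameter(Mandatory)] [string[]] $GroupName,
        [string] $SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Resolve each group to its DN. A typo in a group name stops the run
    # instead of silently reporting every user as "not a member".
    $clauses = foreach ($name in $GroupName) {
        $group = Get-ADGroup -Identity $name -ErrorAction Stop
        # Escape characters that are special inside an LDAP filter value
        # (RFC 4515): backslash first, then *, ( and ).
        $dn = $group.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
        # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN: matches
        # direct members and members of nested groups.
        "(memberOf:1.2.840.113556.1.4.1941:=$dn)"
    }

    # Not in group A, nor B, nor C, nor D (directly or via nesting).
    # Note: memberOf never lists a user's primary group (usually Domain
    # Users), so the primary group cannot be one of the groups checked.
    $ldapFilter = '(&(objectCategory=person)(!(|' + ($clauses -join '') + ')))'

    Get-ADUser -LDAPFilter $ldapFilter -SearchBase $SearchBase -SearchScope Subtree -Properties Enabled |
        Select-Object SamAccountName, DistinguishedName, Enabled
}

# Produce the evidence as a CSV; the NotInGroup group can then be synced
# from $report the same way the question does it.
$report = Get-UsersNotInAnyGroup -GroupName 'AllowGroup1', 'AllowGroup2', 'BlockGroup1', 'BlockGroup2'
$report | Export-Csv -Path .\NotInAnyGroup.csv -NoTypeInformation
```

Disabled accounts are kept in the output with Enabled = False so they can be reviewed rather than silently dropped.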