Search code examples
powershellactive-directoryuser-management

Find users who don't belong to multiple groups

My company uses Microsoft Intune. We've got 4 groups in an on-premise AD that controls the conditional access. We'll just call them AllowGroup1, AllowGroup2, BlockGroup1, and BlockGroup2. What I want know find is all users that are not in all of the groups. The result I'm wanting to find is any User object that is not in the mentioned groups. That way I can provide proof that our entire system is compliant. See below for the Powershell code I've borrowed from this post List AD Users who do not belong to one of several groups

I'm running these tests on my home domain controller. The problem I'm having is that the script isn't looking in the entire domain for users. Specifically, there is an OU in my personal DC that is called Home (I created the OU) and there are 2 user objects in a child OU called Users that this script isn't pulling from. I am running this script with a user that is in the Enterprise Admins group so I know it has sufficient privilege's. It's supposed to search AD via PowerShell for users not in multiple groups and place those users in a group called NotInGroup

To further elaborate, some users will be in AllowGroup1 and in BlockGroup2. Some users will be in BlockGroup1 and BlockGroup2. I want to find all users that are not in any of the groups listed above.

Import-Module ActiveDirectory
$groupname = "NotInGroup"
$members = Get-ADGroupMember -Identity $groupname

    foreach($member in $members)
    {
     Remove-ADGroupMember -Identity $groupname -Member $member.samaccountname
    }
    $users = Get-ADUser -Filter 
    {
        ((memberof -notlike "CN=AllowGroup1,OU=Intune,OU=Groups,DC=domain,DC=local") 
    -AND (memberof -notlike "CN=AllowGroup2,OU=Intune,OU=Groups,DC=domain,DC=local")
    -AND (memberof -notlike "CN=BlockGroup1,OU=Intune,OU=Groups,DC=domain,DC=local") 
    -AND (memberof -notlike "CN=BlockGroup2,OU=Intune,OU=Groups,DC=domain,DC=local"))
     } 
    -SearchBase "dc=domain,dc=local" -SearchScope Subtree
    
    foreach($user in $users)
    {
    Add-ADGroupMember -Identity $groupname -Members $user.samaccountname -ErrorAction SilentlyContinue
    }
Solution

  • I don't think a complex filter like that would work and I would opt for using a regex.

    Perhaps something like

    # get users not in groups 'AllowGroup1', 'AllowGroup2', 'BlockGroup1', 'BlockGroup2'
$regex = 'CN=(AllowGroup[12]|BlockGroup[12])'
$users = Get-ADUser -Filter * -Properties MemberOf | Where-Object { ($_.MemberOf -join ';') -notmatch $regex }

    Or you could try using the LDAPFilter parameter:

    $filter = '(!(|(memberof=CN=AllowGroup1,OU=Intune,OU=Groups,DC=domain,DC=local)
               (memberof=CN=AllowGroup2,OU=Intune,OU=Groups,DC=domain,DC=local)
               (memberof=CN=BlockGroup1,OU=Intune,OU=Groups,DC=domain,DC=local)
               (memberof=CN=BlockGroup2,OU=Intune,OU=Groups,DC=domain,DC=local)))'
$users = Get-ADUser -LDAPFilter $filter

    Both parameters Filter and LDAPFilter are expecting a string, not a scriptblock