w3hello.com logo
Home PHP C# C++ Android Java Javascript Python IOS SQL HTML videos Categories
List AD users who do not belong to one of several groups

All users, computers, groups and contacts (and possibly other objects) in Active Directory have a property called memberof. This property contains the distinguished names of all groups from the whole forest that this entity is a member of, as the attribute's name implies.

Given this information, you can now construct an ldap search query to find all entities that are not members of at least one of those groups:

(!(|(memberof=CN=Group1,dc=domain,dc=com)(memberof=CN=Group3,dc=domain,dc=com)(memberof=CN=Group3,dc=domain,dc=com)))

Other conditions may be included as necessary.

If you need to obtain the distinguished names of those groups first, you can either hard-code them in your filter or do a normal Powershell search for the groups and then read their distinguished names.

You can use the ldap query via the command's -LDAPFilter parameter.





© Copyright 2018 w3hello.com Publishing Limited. All rights reserved.