1

First up, I am not a script writer, so I apologise if this sounds like a real newbie question.

I am trying to write a PowerShell query to list all user accounts within a certain OU sub-tree who do not belong to at least one of 4 groups.

As far as I can tell, you cannot query this directly on the AD User object, so you need to iterate through the groups to get the membership, but I'm not clear on how to go about this across multiple groups.

I have put together a script that can find all users, add them to a temporary group and then remove them if they belong to one of the four other groups, but this looks like a horrible way to approach it, so I am hoping someone has a better solution.

Here's what I currently have (don't laugh) :-(

Import-Module ActiveDirectory
$groupname = "TempGroup"
$excludegroup1 = "Group1"
$excludegroup2 = "Group2"
$excludegroup3 = "Group3"   # was mistakenly assigned to $excludegroup2 twice, leaving $excludegroup3 undefined
$excludegroup4 = "Group4"
$users = Get-ADUser -Filter * -SearchBase "ou=xxx,dc=xxx,dc=xxx" -SearchScope Subtree
# Put every user in the sub-tree into the temporary group
foreach($user in $users)
{
  Add-ADGroupMember -Identity $groupname -Members $user.samaccountname -ErrorAction SilentlyContinue
}
# Then take out anyone who is a member of one of the four groups
# (-Confirm:$false stops Remove-ADGroupMember prompting for every member)
$excludemembers = Get-ADGroupMember -Identity $excludegroup1
foreach($member in $excludemembers)
{
 Remove-ADGroupMember -Identity $groupname -Members $member.samaccountname -Confirm:$false
}
$excludemembers = Get-ADGroupMember -Identity $excludegroup2
foreach($member in $excludemembers)
{
 Remove-ADGroupMember -Identity $groupname -Members $member.samaccountname -Confirm:$false
}
$excludemembers = Get-ADGroupMember -Identity $excludegroup3
foreach($member in $excludemembers)
{
 Remove-ADGroupMember -Identity $groupname -Members $member.samaccountname -Confirm:$false
}
$excludemembers = Get-ADGroupMember -Identity $excludegroup4
foreach($member in $excludemembers)
{
 Remove-ADGroupMember -Identity $groupname -Members $member.samaccountname -Confirm:$false
}

All help gratefully accepted.

4

2 Answers

2

All users, computers, groups and contacts (and possibly other objects) in Active Directory have an attribute called memberof. As the name suggests, this attribute contains the distinguished names of all the groups in the whole forest that the entity is a member of.

Given this, you can now build an LDAP search query that finds all entities which are not a member of at least one of these groups:

(!(|(memberof=CN=Group1,dc=domain,dc=com)(memberof=CN=Group2,dc=domain,dc=com)(memberof=CN=Group3,dc=domain,dc=com)(memberof=CN=Group4,dc=domain,dc=com)))

Add further conditions where needed.

If you first need to obtain the distinguished names of these groups, you can either hard-code them in the filter, or do a normal PowerShell search for the groups and read their distinguished names.

You can use the LDAP query through the cmdlet's -LDAPFilter parameter.

answered 2013-09-13T15:45:17.437
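A worked version of the -LDAPFilter approach described in this answer, added here as an example that is not part of the original question or answers. The OU, the group names and the helper function name are placeholders and assumptions; the script only reads from AD, so it needs no rights to modify a temporary group.

```powershell
# Added example, not code from the question or the answers above.
# Placeholders: the OU sub-tree and the four group names.
Import-Module ActiveDirectory

$searchBase = 'OU=users,DC=domain,DC=local'            # placeholder OU sub-tree
$groupNames = 'Group1', 'Group2', 'Group3', 'Group4'   # placeholder group names

# Escape a value for use inside an LDAP filter (RFC 4515), so that a group DN
# containing ( ) * or \ cannot change the structure of the filter we build.
function ConvertTo-LdapFilterValue([string]$Value) {
    [regex]::Replace($Value, '[\\*()]', {
        param($m) '\' + ('{0:x2}' -f [int][char]$m.Value)
    })
}

# Resolve the group names to distinguished names. -ErrorAction Stop makes a
# misspelled group name fail the script instead of silently widening the result.
$groupDns = foreach ($name in $groupNames) {
    (Get-ADGroup -Identity $name -ErrorAction Stop).DistinguishedName
}

# Direct membership only: (!(|(memberOf=dn1)(memberOf=dn2)...)) as in the answer.
$direct = ($groupDns | ForEach-Object {
    "(memberOf=$(ConvertTo-LdapFilterValue $_))" }) -join ''
$directFilter = "(&(objectCategory=person)(objectClass=user)(!(|$direct)))"

# memberOf lists direct memberships only. If a user is in one of the four groups
# via a nested group, the LDAP_MATCHING_RULE_IN_CHAIN rule (1.2.840.113556.1.4.1941)
# follows the nesting so that such a user is also treated as "in a group".
$nested = ($groupDns | ForEach-Object {
    "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $_))" }) -join ''
$nestedFilter = "(&(objectCategory=person)(objectClass=user)(!(|$nested)))"

# Users in the sub-tree that are in none of the four groups, nesting included.
Get-ADUser -LDAPFilter $nestedFilter -SearchBase $searchBase -SearchScope Subtree |
    Select-Object SamAccountName, DistinguishedName
```

One caveat either filter shares: memberOf never contains a user's primary group (the one set by primaryGroupID, usually Domain Users), so if one of the four groups is somebody's primary group that membership is not visible to this query.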
0

In case anyone is interested, here is the code I now have. It uses a group that is refreshed on every run, because that way I can simply double-click a user to open their object and add them to the groups they are missing.

Import-Module ActiveDirectory
$groupname = "NotInGroups"
# Empty the group first so it only reflects this run
# (-Confirm:$false stops Remove-ADGroupMember prompting for every member)
$members = Get-ADGroupMember -Identity $groupname
foreach($member in $members)
{
 Remove-ADGroupMember -Identity $groupname -Members $member.samaccountname -Confirm:$false
}
# Users in the sub-tree whose memberof contains none of the four group DNs
$users = Get-ADUser -Filter {((memberof -notlike "CN=Group1,DC=domain,DC=local") -AND (memberof -notlike "CN=Group2,DC=domain,DC=local") -AND (memberof -notlike "CN=Group3,DC=domain,DC=local") -AND (memberof -notlike "CN=Group4,DC=domain,DC=local"))} -SearchBase "ou=users,dc=domain,dc=local" -SearchScope Subtree
foreach($user in $users)
{
  Add-ADGroupMember -Identity $groupname -Members $user.samaccountname -ErrorAction SilentlyContinue
}
answered 2013-09-16T01:42:03.300