I know everyone has been wondering what happened to the quick hitter series...well it is back :)
This question has come up twice over the last few weeks on the AD section at Experts Exchange, so that means it is time for an entry.
The question is: suppose I have some groups and I want to find out which users are not members of any of them.
Example:
GroupA, GroupB, GroupC, GroupD - So how do I find out what users are not members of those groups?
Two quick ways that I like to use are ADFIND and Powershell. I know there are other methods.
The first is to use ADFIND by MVP Joe Richards
adfind -default -f "(&(objectcategory=person)(objectclass=user)(!memberof=DN of groupA)(!memberof=DN of groupB)(!memberof=DN of groupC)(!memberof=DN of groupD))" samaccountname memberof -nodn
The other method is to use PowerShell. For this example you will need the Quest AD cmdlets. Thanks to Dmitry Sotnikov for those
get-qaduser -sizelimit 0 -notmemberof groupa, groupb, groupc, groupd | ft -wrap samaccountname, memberof
In my examples I've output the memberof field just so you can verify that the commands do what you want and that the results don't include users who are members of those groups; you can take that out if you want.
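As an added example (not from the original post, and not AdFind or Quest code), here is a PowerShell script that builds the same chain of (!memberof=DN) clauses from a list of group names and runs it through .NET's DirectorySearcher, so it needs neither tool. It assumes a domain-joined Windows machine and that the group names are placeholders; it also escapes each DN per RFC 4515, which matters when a group's DN contains parentheses or a backslash.

```powershell
# Added example: build "(!memberOf=DN)" clauses from group names and
# search the default naming context, like "adfind -default".
param(
    # Placeholder group names; replace with real sAMAccountNames.
    [string[]]$GroupNames = @('GroupA', 'GroupB', 'GroupC', 'GroupD')
)

# Escape a value for use inside an LDAP filter (RFC 4515). A DN such as
# "CN=Sales (EMEA),OU=Groups,DC=corp,DC=example" would otherwise break
# the filter. Backslash must be escaped first.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value = $Value -replace '\\', '\5c'
    $Value = $Value -replace '\*', '\2a'
    $Value = $Value -replace '\(', '\28'
    $Value = $Value -replace '\)', '\29'
    return $Value
}

# Resolve a group's sAMAccountName to its distinguishedName.
function Get-GroupDn {
    param([string]$Name)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter = "(&(objectClass=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $Name)))"
    $s.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $r = $s.FindOne()
    if (-not $r) { throw "Group '$Name' not found" }
    return $r.Properties['distinguishedname'][0]
}

# One (!memberOf=DN) clause per group, AND-ed with the user test,
# exactly the shape of the AdFind filter above.
$clauses = ($GroupNames | ForEach-Object {
    "(!memberOf=$(ConvertTo-LdapFilterValue (Get-GroupDn $_)))"
}) -join ''
$filter = "(&(objectCategory=person)(objectClass=user)$clauses)"
Write-Host "LDAP filter: $filter"

# Caveat: memberOf lists direct membership only. Users who belong via a
# nested group, or whose primary group is one of these, still match.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = $filter
$searcher.PageSize = 1000   # paged results, so large domains are not truncated
$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'memberOf'))
$searcher.FindAll() | ForEach-Object {
    [pscustomobject]@{
        sAMAccountName = $_.Properties['samaccountname'][0]
        memberOf       = ($_.Properties['memberof'] -join '; ')
    }
} | Format-Table -Wrap
```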
UPDATE: Joe Richards wrote a great blog entry about DN Formats in AD
As you can see from Joe's post you can also use the GUID of the group instead of the DN in the adfind/LDAP query.
Want to quickly find the GUID of your group...ADFIND once again :)
adfind -sc g:GroupName objectGUID
Thanks
Mike
Tuesday, June 9, 2009
And PoSH way to figure out the GUID of a group
get-QADgroup groupname | select objectGUID