ACL members selection

With help I have already come closer to the end, and already know some more…

Somewhere I get stuck trying to filter out the group members of the SDHolder groups.
In this script so far $Sam shows me about 69 SamAccountNames that have admincount set to 1; it also turns out that the inheritance of the security ACL is disabled ($True).

With $Sam as a variable and $SDPGroup as the AD groups, I try to filter the SamAccountNames that are not a member of 1 or more of $SDPGroup.

I tried these 2 possibilities, without success:

# Attempt 1: list the members of every SDHolder group (needs a script block around the loop body)
Foreach ($Group in $SDPGroup) {
    Get-ADGroupMember -Identity $Group | Select-Object Name, SamAccountName
}

#Select the Users not in the $SDProp Groups
#Foreach($Account in $Sam.Samaccountname){
# Attempt 2: look up each account in $Sam individually ($_.SamAccountName, not the whole $Sam array),
# and keep the ones whose MemberOf contains none of the $SDPgroup names.
# (IdentityReference is an ACL property, not a Get-ADUser property, so the original filter never matched.)
$Test = $Sam | ForEach-Object {
    Get-ADUser -Identity $_.SamAccountName -Properties MemberOf |
        Where-Object {
            $groupNames = $_.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).SamAccountName }
            -not ($groupNames | Where-Object { $_ -in $SDPgroup })
        }
}

In this case I expected to find all of the users in the variable $SDPGroup; from this point I could then find out who are NOT in this SDPGroup.

I am aware that this is far from efficient, but then what is the best way to find the users that are a member and not a member of these groups…?

After this result I need to be able to reset the security ACL settings for the selected users and enable inheritance…

I am curious how I need to do this in an efficient way…

Pieter Bakker
18-12-2020
Find protected accounts in AD (admin accounts)
(admincount = 1)
Where the AdminSDHolder groups are not in the ACL
Where security inheritance is disabled ($true)
When the SDHolder groups are not in the ACL, add them
Enable the inheritance
Restore the ACL to default

#Find the DC 
$DC = (Get-ADDomainController).name

#export path to export the $users to a csv file
$exportpath = "D:\Users\adpiebak1d\Documents\PS-script\Output\SDProp.csv"

#These are the SDholderGroups groups
$SDPgroup = "DL_MGT_OU_System_AdminSDholder-del-usr", "DL_MGT_OU_System_AdminSDholder-mod-grp","DL_MGT_OU_System_AdminSDholder-mod-usr","DL_MGT_OU_System_AdminSDholder-sec-usr"

# OU paths for the admin accounts (the Fujitsu OU was listed twice, which would return those users twice)
$AdminOus  = "OU=P01,OU=ADM,OU=Admin,DC=groningen,DC=ad,DC=groningen,DC=nl",
             "OU=Fujitsu,OU=Service Management,DC=groningen,DC=ad,DC=groningen,DC=nl",
             "OU=ServiceDesk,OU=Service Management,DC=groningen,DC=ad,DC=groningen,DC=nl"

# Select users in the admin OUs, with adminCount and the nTSecurityDescriptor property.
# The security descriptor's AreAccessRulesProtected flag is $true when inheritance is disabled,
# so it is surfaced as a calculated property for the filter below.
$users = foreach ($ou in $AdminOus) {
    Get-ADUser -Filter * -SearchBase $ou -Properties adminCount, nTSecurityDescriptor, memberOf |
        Select-Object -Property *,
            @{ Name = 'AreAccessRulesProtected'; Expression = { $_.nTSecurityDescriptor.AreAccessRulesProtected } }
}

#Find admin accounts with adminCount = 1 (protected accounts) where inheritance is disabled ($True)
$Sam = $users | Where-Object -FilterScript { $_.AdminCount -eq 1 -and $_.AreAccessRulesProtected -eq $true } |
    Select-Object -Property SamAccountName, MemberOf

#Find the users that are NOt a member of the ACL Groups of $Sam


#set-acl properties to inherited and restore default



If you already have the list of users, I think it would be most efficient to query the groups once and then check the users against the results:

$users = 'bob','fred','julie','willow','barry','sandra','lucy'
$groups = 'grp1','grp2','grp3'

# One AD query per group; the hashtable maps group name -> list of member sAMAccountNames
$groupDetails = @{}

foreach ($group in $groups) {
    $groupDetails["$group"] = Get-ADGroupMember $group | Select-Object -ExpandProperty sAMAccountName
}

# Check every user against the cached membership lists instead of querying AD per user
foreach ($user in $users) {
    foreach ($key in $groupDetails.Keys) {
        if ($user -notin $groupDetails[$key]) {
            Write-Output "$user is not in group: $key"
        }
    }
}
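Putting the answer's query-once approach together with the remaining steps from the question (accounts with adminCount = 1 and inheritance disabled that belong to none of the SDHolder groups, then re-enabling inheritance), as an added example that is neither the poster's nor the asker's code. It assumes the RSAT ActiveDirectory module and reuses the $SDPgroup names from the question; the remediation runs with -WhatIf so nothing changes until that switch is removed.

```powershell
# Added example, not code from the original thread. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

$SDPgroup = "DL_MGT_OU_System_AdminSDholder-del-usr", "DL_MGT_OU_System_AdminSDholder-mod-grp",
            "DL_MGT_OU_System_AdminSDholder-mod-usr", "DL_MGT_OU_System_AdminSDholder-sec-usr"

# Resolve each SDHolder group once (recursively, so nested groups count) into a lookup table
$sdpMembers = @{}
foreach ($g in $SDPgroup) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { $sdpMembers[$_.SamAccountName] = $true }
}

# Protected accounts: adminCount = 1 and inheritance disabled on the security descriptor
$protected = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected }

# Accounts that are protected but in none of the SDHolder groups: the ones to review
$orphans = $protected | Where-Object { -not $sdpMembers.ContainsKey($_.SamAccountName) }

# Report before touching anything
$orphans | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# Remediation: re-enable inheritance on the object's security descriptor and clear adminCount,
# so SDProp no longer treats the account as protected. Remove -WhatIf after reviewing the report.
foreach ($u in $orphans) {
    $sd = $u.nTSecurityDescriptor
    $sd.SetAccessRuleProtection($false, $true)   # isProtected = $false, preserveInheritance = $true
    Set-ADUser -Identity $u -Replace @{ nTSecurityDescriptor = $sd } -WhatIf
    Set-ADUser -Identity $u -Clear adminCount -WhatIf
}
```

If an account is still a member of one of the built-in protected groups (Domain Admins, Account Operators and the like), SDProp will re-apply the AdminSDHolder ACL and set adminCount back to 1 on its next run, so check those memberships before clearing the flag.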