All groups starting with DLP_* except one

Hi All,

I have a powershell script shown below.

[pre]

Get-ADUser -SearchBase “OU=MyDomain Users and Computers,DC=My,DC=domain,DC=in” -Filter * -properties memberof |
Where-Object {!($.memberof -match ‘DLP_CO’) -or `
!($.memberof -match ‘DLP_EA’) -or `
!($.memberof -match ‘DLP_EM’) -or `
!($.memberof -match ‘DLP_GL’) -or `
!($.memberof -match ‘DLP_HI’) -or `
!($.memberof -match ‘DLP_LO’) -or `
!($.memberof -match ‘DLP_NE’) -or `
!($.memberof -match ‘DLP_NI’) -or `
!($.memberof -match ‘DLP_NW’) -or `
!($.memberof -match ‘DLP_SE’) -or `
!($.memberof -match ‘DLP_WA’) -or `
!($.memberof -match ‘DLP_WM’) -or `
!($.memberof -match ‘DLP_WX’) -or `
!($.memberof -match ‘DLP_YH’) -or `
!($.memberof -match ‘DLP_USB’) -or `
!($.memberof -match ‘DLP_PHONE’) -or `
!($.memberof -match ‘DLP_SD’) -and `
($.memberof -match ‘DLP_MOD_USB’) -and `
(($.SamAccountName.Substring(0,3)) -in @(“co-”,“ea-”,“em-”,“gl-”,“hi-”,“lo-”,“ne-”,“ni-”,“nw-”,“se-”,“wa-”,“wm-”,“wx-”,“yh-”))} |
Select-Object @{ expression={$.SamAccountName}; label=‘Username’ }, `
@{ expression={“Enabled”}; label=‘MODUSBAccess’ }, `
@{ expression={“Enabled”}; label=‘DVDAccess’ }, `
@{ expression={“Enabled”}; label=‘SDAccess’ } | Export-CSV “C:\Scripts\fullaccess-members.csv”

[/pre]

Now in this instead of putting all groups starting with DLP I want to put all groups starting with DLP_ except one DLP_MOD_USB. Is there a better way of doing this?

Usually there is one … … try this one:

Get-ADUser -SearchBase “OU=MyDomain Users and Computers,DC=My,DC=domain,DC=in” -Filter * -properties memberof |

Where-Object {!($.memberof -match 'DLP’) -and ($.memberof -notmatch ‘DLP_MOD_USB’) -and

(($.SamAccountName.Substring(0, 3)) -in @(“co-”, “ea-”, “em-”, “gl-”, “hi-”, “lo-”, “ne-”, “ni-”, “nw-”, “se-”, “wa-”, “wm-”, “wx-”, “yh-”))} |

Select-Object @{ expression = {$_.SamAccountName}; label = ‘Username’ },

@{ expression = {“Enabled”}; label = ‘MODUSBAccess’ },

@{ expression = {“Enabled”}; label = ‘DVDAccess’ },

@{ expression = {“Enabled”}; label = ‘SDAccess’ } |

Export-CSV “C:\Scripts\fullaccess-members.csv”

And BTW: You should read the following great blog post about line continuation: Bye Bye Backtick: Natural Line Continuations in PowerShell.

Thanks Olaf for your help. The change seems to work except for one part. I get a list of users who are member of DLP_MOD_USB and DLP_PHONE, I should be getting list of only users who are members of DLP_MOD_USB. Any clue what may be wrong. Mind you the same seems to be the case before the change as well.

Wait … what? … now you confused me completely. I thought you wanted to list only user NOT members of DLP_MOD_USB?!

Ok let me explain again :)). From the AD search criteria i have selected I need users who are members of only and only DLP_MOD_USB not member of any other DLP_ group.

Ah … ok … I’ve got this wrong before.

So why don’t you pull the members of this particular group by using Get-ADGroupMember then?

I am confused on what your are looking for so I provided two options.

#Option 1
# Get DLP groups except DLP_MOD_USB group first then get list of users from each group
$sammatch = '^co-|^ea-|^em-|^gl-|^hi-|^lo-|^ne-|^ni-|^nw-|^se-|^wa-|^wm-|^wx-|^yh-'
$sbase = "OU=MyDomain Users and Computers,DC=My,DC=domain,DC=in"
 
Get-ADGroup -Filter {Name -like 'DLP_*' -AND Name -ne 'DLP_MOD_USB'} -SearchBase $sbase |
Get-ADGroupMember | Where-Object {
$_.SamAccountName -match $sammatch -AND $_.ObjectClass -eq 'user'} |
Get-ADUser -Properties MemberOf

#Option 2
# Get list of users in group DLP_MOD_USB ONLY
$sammatch = '^co-|^ea-|^em-|^gl-|^hi-|^lo-|^ne-|^ni-|^nw-|^se-|^wa-|^wm-|^wx-|^yh-'
$sbase = "OU=MyDomain Users and Computers,DC=My,DC=domain,DC=in"

Get-ADGroup -Identity 'DLP_MOD_USB' -SearchBase $sbase |
Get-ADGroupMember | Where-Object {
$_.SamAccountName -match $sammatch -AND $_.ObjectClass -eq 'user'} |
Get-ADUser -Properties MemberOf

Thanks Olaf your first option was what I was looking for. Works perfectly.

Actually in that original code, backticks were completely unnecessary. Operators and commas continue lines.

Get-ADUser -SearchBase "OU=MyDomain Users and Computers,DC=My,DC=domain,DC=in" -Filter * -properties memberof |
Where-Object {!($_.memberof -match 'DLP_CO') -or 
!($_.memberof -match 'DLP_EA') -or 
!($_.memberof -match 'DLP_EM') -or 
!($_.memberof -match 'DLP_GL') -or 
!($_.memberof -match 'DLP_HI') -or 
!($_.memberof -match 'DLP_LO') -or 
!($_.memberof -match 'DLP_NE') -or 
!($_.memberof -match 'DLP_NI') -or 
!($_.memberof -match 'DLP_NW') -or 
!($_.memberof -match 'DLP_SE') -or 
!($_.memberof -match 'DLP_WA') -or 
!($_.memberof -match 'DLP_WM') -or 
!($_.memberof -match 'DLP_WX') -or 
!($_.memberof -match 'DLP_YH') -or 
!($_.memberof -match 'DLP_USB') -or 
!($_.memberof -match 'DLP_PHONE') -or 
!($_.memberof -match 'DLP_SD') -and 
($_.memberof -match 'DLP_MOD_USB') -and 
(($_.SamAccountName.Substring(0,3)) -in @("co-","ea-","em-","gl-","hi-","lo-","ne-","ni-","nw-","se-","wa-","wm-","wx-","yh-"))} |
Select-Object @{ expression={$_.SamAccountName}; label='Username' }, 
@{ expression={"Enabled"}; label='MODUSBAccess' }, 
@{ expression={"Enabled"}; label='DVDAccess' }, 
@{ expression={"Enabled"}; label='SDAccess' } | Export-CSV "C:\\Scripts\\fullaccess-members.csv"

Thanks again for pointing that out. Yup its seems to work without the back ticks.