Correcting and querying AD group membership

Hi Folks,

Here’s one…

We’ve recently created a whole bunch of new AD groups, whose names all start with ‘ROLE-G…’ There are 27 of these groups and they are the only groups that start with ‘ROLE-G’.

Every user in the domain should belong to one (and strictly no more than one) of these groups.

I need to do a couple of searches in order to:

  1. Identify users who have not yet been added to a ‘ROLE-G’ group.
  2. Identify users who have accidentally been added to more than one ‘ROLE-G’ group.

For the first search, I’ve tried:

Get-ADUser -f * -properties * | Where-Object {$_.memberof -notcontains ‘ROLE-G’}

No luck with that. It still returns users that are members of groups beginning with ‘ROLE-G’

I’ve used various comparison operators (i.e.-notcontains,-notlike) and still not having any luck.

I have no idea how to tackle the second search!

Try this:

foreach ($u in (Get-ADUser -Filter * -Properties MemberOf)) {
$b = @($U.MemberOf | Where {$_ -match “^CN=ROLE-G”})
Switch ($b.Count) {
0 {"$($u.Name) does not belong to the ROLE-G group"; Break}
1 {Break}
Default {"$($u.Name) belongs to $($b.Count) ROLE-G groups"}



(Sorry, can’t figure out how to make the formatting work.)


You are an absolute LEGEND!

I can’t thank you enough. That script did both tasks perfectly on the first try! (I was expecting to need at least two separate scripts and multiple replies to the thread and having to to-and-fro several times!).

It’s done exactly what I needed and you’ve saved me an enormous amount of work.

Thanks again.


[blush /]