failing ldapfilter in AD lookup

Ok I’m having issues with a ldapfilter using get-aduser or get-adcomputer. The filter is:

–LDAPFilter "(!memberOf=$ComputersGroup)"

But no matter what I do the script always finds existing members.

Basically I took this script and modified it to be my own:
https://ravingroo.com/458/active-directory-shadow-group-automatically-add-ou-users-membership/

$OU="OU=TheOUName,DC=yourdomain,DC=com"
$ShadowGroup="CN=ShadowGroupName,OU=TheOUName,DC=yourdomain,DC=com"
#Get-ADGroupMember –Identity $ShadowGroup | Where-Object {$_.distinguishedName –NotMatch $OU} | ForEach-Object {Remove-ADPrincipalGroupMembership –Identity $_ –MemberOf $ShadowGroup –Confirm:$false}

Get-ADUser –SearchBase $OU –SearchScope OneLevel –LDAPFilter "(!memberOf=$ShadowGroup)" | ForEach-Object {Add-ADPrincipalGroupMembership –Identity $_ –MemberOf $ShadowGroup}

Here is an example of portion of the script:

$ADLocations = import-csv "C:\Scripts\ADAutomation\Sites.csv"

foreach ($ADLocation in $ADLocations)
{
# ==========================================================================
# Site
# ------------------------------------------
$GroupU = $ADLocation.Location +'-Users'
$GroupC = $ADLocation.Location +'-Computers'
$ComputersGroup = Get-ADGroup -SearchBase $ADLocation.GroupOU -Filter 'name -eq $GroupC' -Properties Distinguishedname | Select-Object Distinguishedname
$UsersGroup = Get-ADGroup -SearchBase $ADLocation.GroupOU -Filter 'name -eq $GroupU' -Properties Distinguishedname | Select-Object Distinguishedname
# ------------------------------------------
# Computer script
$ltName = $ADLocation.Location +'lt*'
$dtName = $ADLocation.Location +'dt*'
$vdName = $ADLocation.Location +'vd*'
$weName = $ADLocation.Location +'we*'
# ------------------------------------------
# User script
$loc =  '*- ' + $ADLocation.Location
# ------------------------------------------
Get-ADComputer –SearchBase $ADLocation.OU –LDAPFilter "(!memberOf=$ComputersGroup)" -Server server1.Domain.com:3268  | Where-Object {$_.name -like $ltName -or $_.name -like $dtName -or $_.name -like $vdName -or $_.name -like $weName} | Export-csv -append -path C:\Scripts\ADAutomation\pc.csv -NoTypeInformation
Get-ADUser –SearchBase $ADLocation.OU –LDAPFilter "(!memberOf=$UsersGroup)" -Properties memberof, office -Server server1.Domain.com:3268 | Where-Object {$_.Office -like "$loc" -and $_.Enabled -eq $true} | Export-csv -append -path C:\Scripts\ADAutomation\user.csv -NoTypeInformation

#Get-ADComputer –SearchBase $ADLocation.OU –LDAPFilter "(!memberOf=$ComputersGroup)" -Server server1.Domain.com:3268 | Where-Object {$_.name -like $ltName -or $_.name -like $dtName -or $_.name -like $vdName -or $_.name -like $weName} | ForEach-Object {Add-ADPrincipalGroupMembership –Identity $_ –MemberOf $ComputersGroup}
#Get-ADUser –SearchBase $ADLocation.OU –LDAPFilter "(!memberOf=$UsersGroup)" -Properties office -Server server1.Domain.com:3268 | Where-Object {$_.Office -like "$loc" -and $_.Enabled -eq $true} | ForEach-Object {Add-ADPrincipalGroupMembership –Identity $_ –MemberOf $UsersGroup}
# ==========================================================================
}

I would like to reduce some of the processing and errors by not running through ALL the systems every time. If I can just do that that need to be added I think the script will significantly speed up.

I’m thinking of using some code from a different script to fix (eliminate) the ldapfilter and use another where-object filter.

One other thought is it seems like I could gain some efficiency also by removing the foreach from the end of the command and use Add-ADGroupMember.

Any thoughts…

Not one line pretty but what do you think?

of adding this:
Function to get proper memberships because of multiple domain lookup:

Function Get-ADGroupMemberFix {
    [CmdletBinding()]
    param(
        [Parameter(
            Mandatory = $true,
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true,
            Position = 0
        )]
        [string[]]
        $Identity
    )
    process {
        foreach ($GroupIdentity in $Identity) {
            $Group = $null
            $Group = Get-ADGroup -Identity $GroupIdentity -Properties Member
            if (-not $Group) {
                continue
            }
            Foreach ($Member in $Group.Member) {
                Get-ADObject $Member -Server server1.Domain.com:3268
            }
        }
    }
}

Then get members to variable:

$GroupU = $ADLocation.Location +'-Users'
$GroupC = $ADLocation.Location +'-Computers'
$ComputersGroup = Get-ADGroup -SearchBase $ADLocation.GroupOU -Filter 'name -eq $GroupC' -Properties Name,Distinguishedname | Select-Object Name,Distinguishedname
$existCompGroupMembers = Get-ADGroupMemberFix $ComputersGroup.name
$UsersGroup = Get-ADGroup -SearchBase $ADLocation.GroupOU -Filter 'name -eq $GroupU' -Properties Name,Distinguishedname | Select-Object Name,Distinguishedname
$existUserGroupMembers = Get-ADGroupMemberFix $UsersGroup.name

Then examine the data to end up with a final add command:

#Get-ADComputer –SearchBase $ADLocation.OU –LDAPFilter "(!memberOf=$ComputersGroup)" -Server server1.Domain.com:3268 | Where-Object {$_.name -like $ltName -or $_.name -like $dtName -or $_.name -like $vdName -or $_.name -like $weName} | ForEach-Object {Add-ADPrincipalGroupMembership –Identity $_ –MemberOf $ComputersGroup -Server $ADLocation.serv}
$Comps = Get-ADComputer –SearchBase $ADLocation.OU –Filter 'enabled -eq $true' -Server server1.Domain.com:3268 | Where-Object {$_.objectGUID -notin $existCompGroupMembers.objectGUID}
$Comps2 = $Comps | Where-Object {$_.name -like $ltName -or $_.name -like $dtName -or $_.name -like $vdName -or $_.name -like $weName}
#$Comps2 | ForEach-Object {Add-ADPrincipalGroupMembership –Identity $_ –MemberOf $ComputersGroup -Server $ADLocation.serv}
$Comps2 | export-csv -NoTypeInformation -Append -Path $coutlog
Add-ADGroupMember $ComputersGroup.Distinguishedname -Members $Comps2 -ErrorAction SilentlyContinue
#Get-ADUser –SearchBase $ADLocation.OU –LDAPFilter "(!memberOf=$UsersGroup)" -Properties office -Server server1.Domain.com:3268 | Where-Object {$_.Office -like "$loc" -and $_.Enabled -eq $true} | ForEach-Object {Add-ADPrincipalGroupMembership –Identity $_ –MemberOf $UsersGroup -Server $ADLocation.serv}
$Users = Get-ADUser –SearchBase $ADLocation.OU –Filter 'enabled -eq $true' -Server server1.Domain.com:3268 | Where-Object {$_.objectGUID -notin $existUserGroupMembers.objectGUID}
$Users2 = $Users | Where-Object {$_.name -like $ltName -or $_.name -like $dtName -or $_.name -like $vdName -or $_.name -like $weName}
$Users2 | export-csv -NoTypeInformation -Append -Path $uoutlog
#$User2 | ForEach-Object {Add-ADPrincipalGroupMembership –Identity $_ –MemberOf $ComputersGroup -Server $ADLocation.serv}
Add-ADGroupMember $UsersGroup.Distinguishedname -Members $Users2 -ErrorAction SilentlyContinue

Again not as pretty because it is not in one line and a lot of work for what it sounds like should be a working ldapfilter. Anyone see anything glaring before I put this into test. I had to make a few updates from my last post so just edit the code. One thing I really do not like is if there are no members to add I get like 300 errors saying null so I have put in the -ErrorAction SilentlyContinue but it would be better to create a if statement to not even do the add if it is null. Maybe someday I will work on that.