Filtering out group membership: Unknown error

by knuckle_sandwich at 2013-04-15 03:36:30

Hello everyone, I’m very new to PS and having major headaches. I won’t apologize for my noobness, just have pity pls :)

So I need to filter out members of an OU who are in GRP1 but not in GRP2.
I tested this line in my test environment and it worked:

get-aduser -Properties MemberOf -f {MemberOf -eq 'GRP1_FQDN'} -searchbase "OU_FQDN" | Where {!($_.MemberOf -eq 'GRP2_FQDN')}

All happy, I tried it in the PROD env today and it failed miserably. No errors either. Just no results. But the conditions are met, I’m sure of it.
But if it was a syntax problem I would get errors no? Anybody can suggest a way?

Thanks a lot
Luka
by tmmuessig at 2013-04-15 05:00:23
Looks like you are not telling it to actually get any users to evaluate.

try this

get-aduser * -properties MemberOf -filter 'MemberOf -eq "GRP1_FQDN"' -searchbase "OU_FQDN" | where {!($_.memberof -eq 'GRP2_FQDN')}
by ArtB0514 at 2013-04-15 08:33:27
You might also read over what you’ve written to see if that’s what you really mean. Your filter is choosing only users who belong to only a single group (GRP1_FQDN). That will certainly exclude any users belonging to GRP2_FQDN, so the Where-Object clause is therefore redundant. So, I think you probably want to use -contains instead of -eq. (See Get-Help about_Comparison_Operators)
by coderaven at 2013-04-15 09:05:23
The issue looks like you just need to use the full group DN in your filter. The MemberOf attribute is an array of group DNs that the user is a member of. Also, try to put your entire filter together to remove your |.
get-aduser -Properties memberof -filter {MemberOf -eq 'CN=Domain Admins,CN=Users,DC=YOUR,DC=DOMAIN,DC=ORG' -AND MemberOf -ne "CN=Bad Group,OU=Groups,DC=YOUR,DC=DOMAIN,DC=ORG"}
Your command returns nothing because it is a valid filter with no results. You may need to be careful with the not equal; it may return all results because it may have success on the other groups. If that does not work for you we can get it right!

Let me know if that helps
by knuckle_sandwich at 2013-04-15 14:03:44
Guys thanks a lot for your time, I really appreciate it. (Just think that it took me the whole weekend to produce this line of text, just to bump in no output as soon as I got to work).
Anyway, as you say in your signature Coderaven, a world of possibilities is disclosing in front of me and I’m really excited. If I could just complete this first task!

Will try out your suggestions and let you know, thanks again!

@ArtB0514: Indeed, that was my intention. Basically my organization rolled out new proxy settings, and they want me to check that every single user in a particular OU who should have access to internet (membership in GRP1) also has GRP2 (the group which supplies the correct internet settings).
by knuckle_sandwich at 2013-04-15 14:37:10
[quote="coderaven"]The issue looks like you just need to use the full group DN in your filter. The MemberOf attribute is an array of group DNs that the user is a member of. Also, try to put your entire filter together to remove your |.
get-aduser -Properties memberof -filter {MemberOf -eq 'CN=Domain Admins,CN=Users,DC=YOUR,DC=DOMAIN,DC=ORG' -AND MemberOf -ne "CN=Bad Group,OU=Groups,DC=YOUR,DC=DOMAIN,DC=ORG"}
Your command returns nothing because it is a valid filter with no results. You may need to be careful with the not equal; it may return all results because it may have success on the other groups. If that does not work for you we can get it right!
Let me know if that helps[/quote]

Allan, this one worked fine in my test environment, will check this tomorrow!
by knuckle_sandwich at 2013-04-16 01:55:35
[quote="coderaven"]The issue looks like you just need to use the full group DN in your filter. The MemberOf attribute is an array of group DNs that the user is a member of. Also, try to put your entire filter together to remove your |.
get-aduser -Properties memberof -filter {MemberOf -eq 'CN=Domain Admins,CN=Users,DC=YOUR,DC=DOMAIN,DC=ORG' -AND MemberOf -ne "CN=Bad Group,OU=Groups,DC=YOUR,DC=DOMAIN,DC=ORG"}
[/quote]

Worked like a charm, definitely better with no pipes in the code.
Thanks a lot for the help!
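
The audit this thread arrives at (users under an OU who are in one group but not in another), as an added example that is not code from any poster in the thread. It goes a little beyond the thread by resolving both group DNs first, so a mistyped DN fails loudly instead of returning nothing, and by optionally following nested groups. The function names and sample DNs are hypothetical.

```powershell
# Added example. Function names and the sample DNs are hypothetical/constructed.

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515: \ * ( ) and NUL must be hex-escaped inside an LDAP filter value,
    # otherwise a group named "Proxy (New)" breaks the filter.
    [regex]::Replace($Value, '[\\*()\x00]', { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

function New-MembershipGapFilter {
    param(
        [Parameter(Mandatory)][string]$InGroup,     # DN of the group users already have
        [Parameter(Mandatory)][string]$NotInGroup,  # DN of the group they are missing
        [switch]$IncludeNested
    )
    # memberOf holds direct memberships only. The matching rule OID below
    # (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC follow nested groups as well.
    $attr = if ($IncludeNested) { 'memberOf:1.2.840.113556.1.4.1941:' } else { 'memberOf' }
    '(&({0}={1})(!({0}={2})))' -f $attr,
        (ConvertTo-LdapFilterValue $InGroup), (ConvertTo-LdapFilterValue $NotInGroup)
}

function Get-UserMissingGroup {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$InGroup,
        [Parameter(Mandatory)][string]$NotInGroup,
        [switch]$IncludeNested
    )
    # A mistyped DN is still a valid filter and just returns nothing, so resolve
    # both groups first; Get-ADGroup throws if the DN does not exist.
    foreach ($dn in $InGroup, $NotInGroup) {
        $null = Get-ADGroup -Identity $dn -ErrorAction Stop
    }
    $filter = New-MembershipGapFilter -InGroup $InGroup -NotInGroup $NotInGroup -IncludeNested:$IncludeNested
    # memberOf does not list a user's primary group (usually Domain Users).
    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -SearchScope Subtree
}

# Offline check of the generated filters (constructed DNs):
$grp1 = 'CN=Internet Access,OU=Groups,DC=example,DC=org'
$grp2 = 'CN=Proxy (New),OU=Groups,DC=example,DC=org'
New-MembershipGapFilter -InGroup $grp1 -NotInGroup $grp2
New-MembershipGapFilter -InGroup $grp1 -NotInGroup $grp2 -IncludeNested

# Against a domain (requires the ActiveDirectory module):
# Get-UserMissingGroup -SearchBase 'OU=Staff,DC=example,DC=org' -InGroup $grp1 -NotInGroup $grp2
```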