Find Users NOT in a Group


Somehow, some way, a user ended up not in the “Domain Users” group and it caused some problems, so I’m trying to find any other user from a particular OU who is not in “Domain Users.”

I thought this would work:

$DomUserDN = (get-adgroup 'Domain Users').distinguishedname

$problems = get-aduser -properties MemberOf -SearchBase "OU=Users,OU=MySite,DC=Domain,DC=com" -LDAPFilter "(!(memberof=$DomUserDN))"


$problems = get-aduser -properties memberof -SearchBase "OU=Users,OU=MySite,DC=Domain,DC=com" -Filter {(memberOf -ne $DomUserDN)}

However, it still includes a bunch of users that are actually in “Domain Users,” but not every user. The result is consistent; the same ‘wrong’ results come out each time.

What I think is going on is MemberOf returns a truncated list of each user’s groups, at least if one just does a Get-ADUser at the command prompt. To get the full list I can pipe the Get-ADUser to Select -ExpandProperty, but that just spits out a list of strings.

Any advice would be appreciated. There’s a parallel approach using Compare-Object I’m working on, but it’s annoying me that this doesn’t work the way I expected it to. =)

I don’t like the “filter” of get-aduser … actually to be completely honest I don’t like the behavior of get-aduser at all … it’s always felt contrary compared to other/newer functions. Because of this I tend to pipe it to where-object for filtering as it works more predictably for me.

That and make sure you’re using get-adgroupmember … not group :)
So …

# Group-side view: Get-ADGroupMember also returns members whose primary group is this group,
# which the user-side MemberOf attribute leaves out
$groupmembers = get-adgroupmember "Domain Users"

# -notcontains tests $_.distinguishedname against every DN in the member list
# (-properties * pulls every attribute; only distinguishedname is needed here)
get-aduser -filter * -properties * | where-object {$groupmembers.distinguishedname -notcontains $_.distinguishedname}

I’m not sure if it’s on purpose or not, but the memberof property omits the “primary group”. So you could probably merge the PrimaryGroup property with the memberof property to get a complete list, but Justin’s method of looking at it from the group’s perspective seems to be the most reliable way of doing it.

I’ve got it stuck in my head (so I could be wrong) that “memberof” is just a cache for performance and not actually “used” (at least not an attribute any security query will ever use), and thus it doesn’t include the primary group because that already exists in another attribute. Again … lots of stuff rattling around upstairs so I may be completely wrong.

Look at the PrimaryGroup attribute.

I appreciate the comments.

For whatever reason at this place, “Domain Users” is not the primary group for a bunch of folks, and because of the way PrimaryGroup and MemberOf work, this is an incorrect approach to this.

The Compare-Object approach worked for me after getting around the limit inherent to Get-ADGroupMember.

You could do something like this …

$ou = "OU=Users,OU=MyOu,DC=MyCompany,DC=local"
$users = Get-ADUser -Filter {Enabled -eq $true} -SearchBase $ou -Properties MemberOf, PrimaryGroup
$dugDn = (Get-ADGroup "Domain Users").DistinguishedName
foreach ($user in $users) {
    Write-Verbose "Working on $($user.Name)"
    # Flatten MemberOf (a collection of DNs) and PrimaryGroup (a single DN) into one list;
    # MemberOf never includes the primary group, so both have to be checked
    $groups = @($user.MemberOf) + @($user.PrimaryGroup)
    if ($dugDn -notin $groups) {
        Write-Error -Message "$($user.SamAccountName) not in the Domain Users group"
    }
}
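As an added example that is not part of any post in this thread, the script below puts the two points raised above together: memberOf omits the primary group, and the primary group is stored on the user as primaryGroupID (a RID, 513 for Domain Users, which the thread does not spell out) rather than as a DN. The first query pushes the whole test to the domain controller with an LDAP filter, so neither the Get-ADGroupMember member limit nor a client-side join comes into play; the second is the client-side equivalent for cases where you already hold the user objects. It assumes the ActiveDirectory module, and the OU path is a placeholder copied from the thread; the helper names are my own.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module
# and a domain you can read; the OU below is a placeholder from the thread.
Import-Module ActiveDirectory

$ou = "OU=Users,OU=MySite,DC=Domain,DC=com"
$domainUsersRid = 513   # well-known RID of Domain Users; primaryGroupID holds a RID, not a DN
$domainUsersDn  = (Get-ADGroup -Identity "Domain Users").DistinguishedName

# Escape a DN for use inside an LDAP filter value (RFC 4515: \ * ( ) and NUL become \xx).
# "CN=Domain Users,..." has none of these, but renamed groups or OUs might.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string] $Value)
    return [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\' + ('{0:x2}' -f [int][char]$m.Value)
    })
}

# Approach 1: server-side. memberOf is a back-link the DC resolves for us, and
# primaryGroupID covers the one membership memberOf never lists. objectCategory=person
# keeps computer accounts (also objectClass=user) out of the result.
function Find-UsersNotInDomainUsers {
    param(
        [Parameter(Mandatory)][string] $SearchBase,
        [Parameter(Mandatory)][string] $GroupDn,
        [int] $GroupRid = 513
    )
    $dn = ConvertTo-LdapFilterValue -Value $GroupDn
    $ldap = "(&(objectCategory=person)(objectClass=user)(!(memberOf=$dn))(!(primaryGroupID=$GroupRid)))"
    Get-ADUser -LDAPFilter $ldap -SearchBase $SearchBase -Properties primaryGroupID |
        Select-Object SamAccountName, DistinguishedName, primaryGroupID
}

# Approach 2: client-side, for user objects already fetched with MemberOf and PrimaryGroup.
# Flattening matters: "$user.MemberOf, $user.PrimaryGroup" would nest the collection
# as a single element and -in would never match it.
function Test-UserInGroup {
    param(
        [Parameter(Mandatory)] $User,          # needs .MemberOf and .PrimaryGroup
        [Parameter(Mandatory)][string] $GroupDn
    )
    $allGroups = @($User.MemberOf) + @($User.PrimaryGroup)
    return [bool]($allGroups -contains $GroupDn)   # -contains is case-insensitive, like DN comparison in AD
}

# Usage: both lists should agree; if they differ, a DN mismatch (renamed group,
# different domain) is the first thing to check.
$fromServer = Find-UsersNotInDomainUsers -SearchBase $ou -GroupDn $domainUsersDn -GroupRid $domainUsersRid
$fromClient = Get-ADUser -Filter * -SearchBase $ou -Properties MemberOf, PrimaryGroup |
    Where-Object { -not (Test-UserInGroup -User $_ -GroupDn $domainUsersDn) } |
    Select-Object SamAccountName, DistinguishedName

"Server-side: $(@($fromServer).Count)  Client-side: $(@($fromClient).Count)"
$fromServer
```

The LDAP filter is the one to keep: it returns only the offenders, in a single round trip, and it stays correct for users whose primary group was changed to something other than Domain Users, which is exactly the case described above. Note that Get-ADUser’s -Filter syntax cannot express the primaryGroupID test against a RID as neatly, which is why -LDAPFilter is used here.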