Foreach user in Group

$GroupList = Get-ADObject -Filter {(ObjectClass -eq "group") -and (name -like "O365*")} -SearchBase "OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se" -Properties * | Select-Object distinguishedname | Out-String

$result = ForEach($group in $GroupList){
Get-ADUser -LDAPFilter "(&(memberof=$group)(!userAccountControl:1.2.840.113556.1.4.803:=2))" | select-object sAMAccountName
}

Variable $GroupList gets populated with the following:

distinguishedname

CN=O365_E1_Basic,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se
CN=O365_E1_Exchange,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se
CN=O365_E1_OneDrive,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se
CN=O365_E1_Teams,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se
CN=O365_E3_All,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se
CN=O365_E3_Exchange,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se
CN=O365_E3_OneDrive,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se
CN=O365_E3_Pro,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se
CN=O365_E3_Teams,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se
CN=O365_EMS,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se
CN=O365_Powerbi_access_url,OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se

What I expect the foreach loop to do is to extract each user from each group. Any ideas/hints where the problem might be?

Thanks.

Is there a special reason why you’re not using Get-ADGroupMember to get the members of the AD groups?

You say “what I expect to happen is xyz”, but I don’t see where you said what is actually happening. It definitely seems like you’re making it harder on yourself; any particular reason you are using LDAPFilter as opposed to Filter? Either should work, but one takes more brain power and time. Also, you run the risk of getting locked-out accounts as well as inactive ones with the definition (!userAccountControl:1.2.840.113556.1.4.803:=2). See the link below for more info on that.

https://hi.service-now.com/kb_view.do?sysparm_article=KB0679975

Also if you are trying to find users that are indirectly members of the group, add the -RecursiveMatch LDAP filter attribute.

Do you get any output if you just run

$result = ForEach($group in $GroupList){
Get-ADUser -Filter "memberOf -eq '$group'" | select-object sAMAccountName
}

I would run something like this just as a quick sanity check.

Change your line 3 above from

$result = ForEach($group in $GroupList){

to

$result = ForEach($group in $GroupList.distinguishedname){

Well, that looked promising, Sam, but he won’t be able to reference that property, as he turned it into only a string with Out-String.

$GroupList = Get-ADObject -Filter {(ObjectClass -eq "group") -and (name -like "domain admins")} -Properties * |
Select-Object distinguishedname | Out-String

$grouplist
distinguishedname
-----------------
CN=Domain Admins,CN=Users,DC=Domain,DC=LOCAL

$GroupList.distinguishedname

What I recommend is changing this

Select-Object distinguishedname | Out-String

to

Select-Object -expandproperty distinguishedname

That should give you the actual distinguished name value(s) in the list. Then your query worked.

$GroupList = Get-ADObject -Filter {(ObjectClass -eq "group") -and (name -like "domain admins")} | Select-Object -ExpandProperty distinguishedname

$result = ForEach($group in $GroupList){
Get-ADUser -LDAPFilter "(&(memberof=$group)(!userAccountControl:1.2.840.113556.1.4.803:=2))" | select-object sAMAccountName
}

$result.Count

10

That is too many domain admins, that’s for sure!
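
Pulling the thread’s fixes together, here is an added example (not code from the original posts). It assumes the ActiveDirectory module and the search base used in the question; the function name Get-EnabledGroupUsers and the output shape are my own choices. It keeps the group DNs as plain strings with -ExpandProperty instead of Out-String, excludes disabled accounts with the same userAccountControl bit test as the original LDAP filter, optionally follows nested membership (the LDAP counterpart of -RecursiveMatch), and surfaces the locked-out caveat raised above by fetching LockedOut, which the disabled-bit test does not cover.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module;
# the OU path and the O365* naming come from the question, the rest is assumed.
Import-Module ActiveDirectory

function Get-EnabledGroupUsers {
    <#
      Returns enabled user accounts that are members of each group DN passed in.
      -Recursive follows nested groups via LDAP_MATCHING_RULE_IN_CHAIN
      (OID 1.2.840.113556.1.4.1941), the LDAP equivalent of -RecursiveMatch.
    #>
    param(
        [Parameter(Mandatory)] [string[]] $GroupDN,
        [switch] $Recursive
    )

    foreach ($group in $GroupDN) {
        # Membership clause. The DN goes in verbatim; commas are fine in an
        # LDAP filter, only ( ) * \ and NUL would need escaping.
        $memberClause = if ($Recursive) {
            "(memberOf:1.2.840.113556.1.4.1941:=$group)"
        } else {
            "(memberOf=$group)"
        }

        # 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND and bit 2 of
        # userAccountControl is ACCOUNTDISABLE, so the negated clause keeps only
        # enabled accounts. Lockout lives in lockoutTime, not in this bit, so the
        # LockedOut extended property is requested separately for review.
        $ldap = "(&(objectCategory=person)(objectClass=user)$memberClause" +
                "(!userAccountControl:1.2.840.113556.1.4.803:=2))"

        Get-ADUser -LDAPFilter $ldap -Properties LockedOut |
            Select-Object sAMAccountName, LockedOut,
                          @{ Name = 'Group'; Expression = { $group } }
    }
}

# Group DNs as strings. -ExpandProperty unwraps the property value; Out-String
# would turn the whole formatted table into one text blob, which was the bug.
$SearchBase = 'OU=Office365,OU=My-Groups,DC=DC,DC=dcname,DC=se'
$GroupList  = Get-ADGroup -Filter { Name -like 'O365*' } -SearchBase $SearchBase |
    Select-Object -ExpandProperty DistinguishedName

$result = Get-EnabledGroupUsers -GroupDN $GroupList -Recursive

# Enabled but locked-out accounts are still in the list: flag them for review.
$result | Where-Object LockedOut | Format-Table -AutoSize

# One row per account with every licence group it was found in.
$result | Group-Object sAMAccountName |
    Select-Object Name, Count,
                  @{ Name = 'Groups'; Expression = { ($_.Group.Group | Sort-Object -Unique) -join ';' } }
```

If you prefer the PowerShell filter syntax over LDAPFilter, the direct-membership case is `Get-ADUser -Filter "memberOf -eq '$group' -and Enabled -eq 'True'"` and the nested case swaps `-eq` for `-RecursiveMatch`; the single quotes around the DN are what keep its commas from breaking the filter.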

Ahh, so simple but still so far :slight_smile: Thanks for the input.

Select-Object -ExpandProperty distinguishedname

-ExpandProperty was actually the only thing missing. Guess I should drink more coffee to clear my head…