How to filter ADuser with multiple security groups

I don’t need an entire script. Just trying to work out how to filter get-aduser with multiple security groups.
Not looking for users who are members of multiple groups. I have 3 different security groups that I want to use as filters to AD and I want to export to one list that will have ADuser data (SamAccountName, DisplayName, lastLogonTimestamp…)

Is it possible to filter AD on 3 or more security groups like I’m wanting?

Thanks in advance for any wisdom!

Hi, welcome to the forum :wave:

It won’t be possible to use the -filter parameter of Get-ADUser like that, if that’s what you’re asking?

My approach would be to build the list (an array) of users by querying the three groups first (Get-ADGroupMember).
If the user can be a member of more than one of the groups, select the unique users once you’ve built your list.

Then use that list you’ve built as input to Get-ADUser.

Is it possible to query the 3 groups at one time?

Depending on what you’re looking for actually the answer might be yes.

Do you want to get all users who are members of all three groups?

If that’s the case you can use Get-ADUser with the parameter -Properties MemberOf and filter with a Where-Object if the groups listed in the MemberOf property contain the three groups you’re looking for. Easy, huh? :wink:

No, Get-ADGroupMember doesn’t accept an array for the group identity but you can run it three times and add the results to the same array so when you run Get-ADUser you’re processing the members of all three groups at the same time.


This is incorrect. You can filter on the memberOf but it only works with -eq or -ne and does not work with wildcards. So if you know the DistinguishedName of the groups, you can build a filter. I’ll assume you have the names handy and show you how to build the filter using them.

    $groupnamelist = 'A group', 'Another group', 'Top Secret HR Group'

    $groupfilter = ($groupnamelist | ForEach-Object {"name -eq '$_'"}) -join ' -or '

    $grouplist = Get-ADGroup -Filter $groupfilter

    # If there is more than one group, $userfilter should contain a string formatted like "memberof -eq 'CN=A Group,OU=Some OU,DC=DOMAIN,DC=LOCAL' -or memberof -eq 'CN=Another Group,OU=Some OU,DC=DOMAIN,DC=LOCAL'"
    # A single group would be the same without any -or  "memberof -eq 'CN=A Group,OU=Some OU,DC=DOMAIN,DC=LOCAL'"
    $userfilter = ($grouplist | ForEach-Object{"memberof -eq '$($_.distinguishedname)'"}) -join ' -or '

    Get-ADUser -Filter $userfilter

You can change the group name lookup filter to -like with wildcards if you want. Just remember any filter with DistinguishedName is limited to -eq or -ne and no wildcards.

You can also build the same type of lookup using -LDAPFilter as well.

You can use Select-Object -Unique after the Get-ADUser call to remove duplicates.

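As an added example that is not code from this thread (mine, not Doug’s), here is the same memberOf lookup written with the -LDAPFilter alternative mentioned above. The group names and the CSV path are placeholders; the value-escaping helper, the nested-membership switch and the lastLogonTimestamp conversion are my additions.

```powershell
# Added example (not from the thread): export the direct (or, optionally, nested) user
# members of several security groups with a single LDAP query on memberOf.
# Assumptions: the RSAT ActiveDirectory module is installed; group names and path are placeholders.
Import-Module ActiveDirectory

$groupNames    = 'Idam_Sec_AllEmployees', 'Idam_Sec_AllContractors', 'Idam_Sec_AllVendors'  # placeholders
$outputPath    = 'C:\Temp\group-members.csv'                                              # placeholder
$includeNested = $false   # $true also matches users reached through nested groups

# Escape the characters RFC 4515 treats specially inside an LDAP filter value. A DN read
# from the directory can legitimately contain ( ) * or \, so never splice it in raw.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Resolve each name to a DN. A missing group is reported rather than silently dropped,
# because an absent clause would quietly shrink the export.
$groupDns = foreach ($name in $groupNames) {
    try   { (Get-ADGroup -Identity $name -ErrorAction Stop).DistinguishedName }
    catch { Write-Warning "Group '$name' not found: $($_.Exception.Message)" }
}
if (-not $groupDns) { throw 'None of the requested groups could be resolved.' }

# memberOf=<dn> matches direct members only. The LDAP_MATCHING_RULE_IN_CHAIN rule
# (OID 1.2.840.113556.1.4.1941) walks the group chain and matches transitive members too,
# which is slower but is what an access review usually needs.
$attribute  = if ($includeNested) { 'memberOf:1.2.840.113556.1.4.1941:' } else { 'memberOf' }
$orClauses  = ($groupDns | ForEach-Object { "($attribute=$(ConvertTo-LdapFilterValue $_))" }) -join ''
$ldapFilter = "(&(objectCategory=person)(objectClass=user)(|$orClauses))"

# One directory query returns each matching user exactly once, however many of the
# groups they belong to, so no deduplication step is needed.
Get-ADUser -LDAPFilter $ldapFilter -Properties DisplayName, lastLogonTimestamp |
    Select-Object SamAccountName, DisplayName, Enabled,
        @{ Name = 'LastLogon'; Expression = {
            # lastLogonTimestamp is a FILETIME and is replicated lazily (it can lag the real
            # last logon by up to about 14 days); an unset value means no recorded logon.
            if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) }
        } } |
    Sort-Object SamAccountName |
    Export-Csv -Path $outputPath -NoTypeInformation -Encoding UTF8
```

Run each step on its own first (inspect $groupDns and $ldapFilter before calling Get-ADUser) so a typo in a group name shows up as a warning rather than as an empty CSV.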

Thank you Doug! So would it look something like this for a finished product?

    $groupnamelist = 'Idam_Sec_AllEmployees', 'Idam_Sec_AllContractors', 'Idam_Sec_AllVendors'

    $groupfilter = ($groupnamelist | ForEach-Object {"name -eq '$_'"}) -join ' -or '

    $grouplist = Get-ADGroup -Filter $groupfilter

    $userfilter = ($grouplist | ForEach-Object{"memberof -eq 'CN=Idam_Sec_AllEmployees,OU=IDMS Managed SG,OU=Resources,DC=clinlan,DC=local' -or memberof -eq 'CN=Idam_Sec_AllContractors,OU=IDMS Managed SG,OU=Resources,DC=clinlan,DC=local' -or memberof -eq 'CN=Idam_Sec_AllVendors,OU=IDMS Managed SG,OU=Resources,DC=clinlan,DC=local'"}) -join ' -or '

    Get-ADUser -Filter $userfilter

You only needed to change the list of groups in this example.

When you say I just need to change the list of groups, do you mean to the real group names or something different? Sorry, just want to make sure I understand. I’m still a noob as you can see :smiley:

Thanks Doug, always happy to be corrected :slight_smile:

Quite a convoluted solution though.

This works for me:

    $groups = 'group1','group2','group3'
    $groups | Get-ADGroupMember | Select-Object -Unique | Get-ADUser

Just input your group names at the top. The rest was good as is. Then, check Matt’s suggestion. Compare them. Do they produce the same results? Do they differ in run time? Do you prefer one to the other? I’ve personally been burned by Get-ADGroupMember’s still-existing bugs, so I try to limit its use.
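An added example of the comparison suggested above (my code, not from the thread): it runs the Get-ADGroupMember pipeline and the memberOf filter against the same placeholder group names, then reports the membership differences and the elapsed time of each.

```powershell
# Added example (not from the thread): compare the two approaches on identical input.
# Assumptions: ActiveDirectory module available; the three group names are placeholders.
Import-Module ActiveDirectory
$groupNames = 'group1', 'group2', 'group3'   # placeholders

# Approach A: enumerate each group, keep only user objects (a nested group or computer
# object piped into Get-ADUser raises an identity error), dedupe by DN, then fetch the users.
$swA = [System.Diagnostics.Stopwatch]::StartNew()
$byGroupMember = $groupNames |
    ForEach-Object { Get-ADGroupMember -Identity $_ } |
    Where-Object { $_.objectClass -eq 'user' } |
    Sort-Object DistinguishedName -Unique |
    Get-ADUser -Properties DisplayName, lastLogonTimestamp
$swA.Stop()

# Approach B: one server-side query with an -or chain on memberOf (direct members only).
$swB = [System.Diagnostics.Stopwatch]::StartNew()
$groupDns   = $groupNames | ForEach-Object { (Get-ADGroup -Identity $_).DistinguishedName }
$userFilter = ($groupDns | ForEach-Object { "memberOf -eq '$_'" }) -join ' -or '
$byFilter   = Get-ADUser -Filter $userFilter -Properties DisplayName, lastLogonTimestamp
$swB.Stop()

# Set difference by SamAccountName; both "OnlyIn" fields empty means the lists agree.
$namesA = [string[]]@($byGroupMember | Select-Object -ExpandProperty SamAccountName)
$namesB = [string[]]@($byFilter      | Select-Object -ExpandProperty SamAccountName)

[pscustomobject]@{
    GroupMemberCount  = $namesA.Count
    GroupMemberTimeMs = $swA.ElapsedMilliseconds
    FilterCount       = $namesB.Count
    FilterTimeMs      = $swB.ElapsedMilliseconds
    OnlyInGroupMember = ($namesA | Where-Object { $_ -notin $namesB }) -join ', '
    OnlyInFilter      = ($namesB | Where-Object { $_ -notin $namesA }) -join ', '
}
```

Two differences are expected rather than bugs: memberOf never lists a user’s primary group, so a user whose primaryGroupID points at one of the three groups shows up only on the Get-ADGroupMember side; and Get-ADGroupMember goes through ADWS, whose default MaxGroupOrMemberEntries limit of 5000 truncates large groups, whereas the memberOf query pages through the full result set. Run the script twice and keep the second timing, since the first run also pays for module load and the ADWS connection.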

Thank you Doug for everything.

I have the group names listed up top:

Is this adequate?

Or do I need to put them again down in this section, after '$_ ?

    # This is the list of groups.
    $groupnamelist = 'A group', 'Another group', 'Top Secret HR Group'

    $groupfilter = ($groupnamelist | ForEach-Object {"name -eq '$_'"}) -join ' -or '

    $grouplist = Get-ADGroup -Filter $groupfilter

    $userfilter = ($grouplist | ForEach-Object{"memberof -eq '$($_.distinguishedname)'"}) -join ' -or '

    Get-ADUser -Filter $userfilter

Thus

    $groupnamelist = 'Idam_Sec_AllEmployees', 'Idam_Sec_AllContractors', 'Idam_Sec_AllVendors'

    $groupfilter = ($groupnamelist | ForEach-Object {"name -eq '$_'"}) -join ' -or '

    $grouplist = Get-ADGroup -Filter $groupfilter

    $userfilter = ($grouplist | ForEach-Object{"memberof -eq '$($_.distinguishedname)'"}) -join ' -or '

    Get-ADUser -Filter $userfilter

Comments are comments. The comment simply explained what $userfilter SHOULD contain. Not “populate it yourself manually, by hand”. The example of what should be in the variable was for you to actually compare against your $userfilter… just to make sure it looks right. Don’t overcomplicate things. Also, if you can’t take each of these steps and run them individually and inspect the results on your own, I strongly recommend you stop right now and go (re)learn the very basics of PowerShell. You should be extremely familiar with commands like Get-Member, Get-Help, Get-Command, Select-Object, Format-List, Format-Table.

Ah! Now I understand what you were saying. Thanks for being patient with me. I did go and brush up on PowerShell 101 (get-help foreach-object -examples helped) and then went back and re-read everything. I was worried I didn’t need the group names down below and that was why I asked to make sure. I appreciate you hanging in there with me.

Did it achieve your desired results? What about Matt’s suggestion? Knowing that will benefit us all!

@matt-bloomfield @krzydoug , both scripts work fine and provide the same results. Matt’s is easier to understand and is quicker to run:
Matt’s script: Elapsed time in ms: 383
Doug’s script: Elapsed time in ms: 996

Thank you both for helping me so quickly and both providing great examples of how to do something 2 different ways. I do truly appreciate the help.

Awesome, thanks for taking the time to add these details!