List multiple exclusions

Hi all,

It’s been a while since my last post, but I have a business need to clone an AD user’s security group memberships to a couple of new hires. I have the code written that I need to do this; however, there are multiple AD security groups that can NOT be added and I need them excluded in the script. I am using where {$_ -notlike as my filtering system, but from trial and error, it appears that only works to filter out ONE AD security group and not multiple.

Does anyone have any suggestions? I am still relatively new to PowerShell. I’ll need help as soon as possible, thanks!
Code is below (names modified for confidentiality):

This is the code that works but does NOT have multiple exclusions:

Get-ADUser -Identity xyuser -Properties memberof |
Select-Object -ExpandProperty memberof |
Where{$_ -notlike '*TEST1*'}|
Add-ADGroupMember -Members xyuser -Confirm -Verbose

This is the code that has the exclusions, but does not work. The output gives the intended AD user all the security groups:

Get-ADUser -Identity xyuser -Properties memberof |
Select-Object -ExpandProperty memberof |
Where{$_ -notlike '*TEST1*','*TEST2*','*TEST3*'}|
Add-ADGroupMember -Members xyuser -Confirm -Verbose

I actually think I may have figured it out:

Get-ADUser -Identity xyuser -Properties memberof |
Select-Object -ExpandProperty memberof |
Where{$_ -notlike '*TEST1*'}|
Where{$_ -notlike '*TEST2*'}|
Where{$_ -notlike '*TEST3*'}|
Add-ADGroupMember -Members xyuser -Confirm -Verbose

This worked for me when I ran it on my 2012R2 DEV Lab server…
Any suggestions for better code are welcome, however!

How about using -NotMatch ?

{$_ -notMatch "TEST1|TEST2|TEST3"}

match works, but it will exclude if a group name contains that word. You can try -notcontains and -notin as well.

$Exclude = 'a','b','c'
'c' -notin $Exclude

#Or

$Exclude -notcontains 'c'

You can also chain multiple exclusions with an operator like -and or -or :wink:

Get-ADUser -Identity xyuser -Properties memberof |
Where-Object {$_.memberof -notlike '*TEST1*' -and $_.memberof -notlike 'TEST2' -and
$_.memberof -notlike 'TEST3'} |
Add-ADGroupMember -Members xyuser -Confirm -Verbose

Olaf–I tried your suggestion and it doesn’t seem to work as intended. After running it in my environment, all it does is copy the AD security groups completely, instead of making any exclusions in the suggested operators.

[quote quote=144933]How about using -NotMatch ?

{$_ -notMatch "TEST1|TEST2|TEST3"}
[/quote]

Iain, I tried this as well and it resulted in the same as the above: all groups went through the pipeline with the exclusions.

What exactly are you running? These seem to work:

get-aduser user1 -Properties memberof | 
  select-object -expandproperty memberof | 
  where-object {$_ -notmatch 'group1|group2'} | 
  Add-ADGroupMember -members user2 -whatif

get-aduser user1 -Properties memberof | 
  select-object -expandproperty memberof | 
  where-object {$_ -notlike '*group1*' -and $_ -notlike '*group2*'} | 
  Add-ADGroupMember -members user2 -whatif

get-aduser user1 -Properties memberof | 
  select-object -expandproperty memberof | 
  where-object {$_ -notin 'group1fullname','group2fullname'} | 
  Add-ADGroupMember -members user2 -whatif

@br456, have you tried -notin / -notcontains?
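
Added example, not part of any post in this thread: the three filter styles discussed above, run over constructed memberOf values so no domain is needed. The sample distinguished names and the helper Select-GroupDnNotExcluded are hypothetical; the helper assumes the group name is the first CN= component of the DN.

```powershell
# Constructed sample memberOf values (distinguished names); not from a real directory.
$memberOf = @(
    'CN=TEST1,OU=Groups,DC=example,DC=com'
    'CN=TEST2-Admins,OU=Groups,DC=example,DC=com'
    'CN=Sales,OU=TEST3,DC=example,DC=com'
    'CN=Finance,OU=Groups,DC=example,DC=com'
)

# 1) An array on the right of -notlike is converted to the single string
#    '*TEST1* *TEST2* *TEST3*'. No DN here matches it, so nothing is filtered.
$arrayPattern = @($memberOf | Where-Object { $_ -notlike '*TEST1*','*TEST2*','*TEST3*' })

# 2) -notmatch tests the whole DN, so it also drops Sales (its OU is TEST3)
#    and TEST2-Admins (substring hit), not only the three named groups.
$regexOnDn = @($memberOf | Where-Object { $_ -notmatch 'TEST1|TEST2|TEST3' })

# 3) Hypothetical helper: compare only the group's CN, exactly, against a list.
function Select-GroupDnNotExcluded {
    param(
        [Parameter(ValueFromPipeline)] [string]   $DistinguishedName,
        [Parameter(Mandatory)]         [string[]] $ExcludeName
    )
    process {
        # First RDN of the DN; '\,' inside a name is an escaped comma.
        if ($DistinguishedName -match '^CN=((?:\\.|[^,])+),') {
            $cn = $Matches[1] -replace '\\(.)', '$1'
            if ($cn -notin $ExcludeName) { $DistinguishedName }
        }
    }
}

$exactName = @($memberOf | Select-GroupDnNotExcluded -ExcludeName 'TEST1','TEST2','TEST3')

"array pattern : $($arrayPattern.Count) of $($memberOf.Count) groups pass"   # 4 of 4
"regex on DN   : $($regexOnDn.Count) of $($memberOf.Count) groups pass"      # 1 of 4
"exact CN list : $($exactName.Count) of $($memberOf.Count) groups pass"      # 3 of 4

# In the thread's pipeline the helper would sit where Where-Object does, e.g.
#   ... | Select-Object -ExpandProperty memberof |
#         Select-GroupDnNotExcluded -ExcludeName 'TEST1','TEST2','TEST3' |
#         Add-ADGroupMember -Members xyuser -WhatIf
```

Reviewing the -WhatIf output before the real run shows exactly which groups would be granted, which matters when the excluded groups are the privileged ones.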