Newbie needs help - Shadow Groups

bjascob9 · February 7, 2017, 1:06pm

Hi, i’m new to using Powershell and am trying to create a script to automatically add all users with a specific attribute in AD to a Group and remove any from that group that do not have this attribute. I have just one section of a line that is not working and keeps giving errors. Any assistance would be great

Here is what i have:

#Import the AD module
ipmort-module ActiveDirectory

#Set your search OU and Group Variables
$OU=“OU=,DC=,DC=com”
$Group=“CN=GroupNameHere,OU=,DC=,DC=com”

#Pull current list of Group Members and remove anyone not a Regular Employee - This part works fine
Get-ADGroupMember –Identity $Group | Where-Object {$.extensionAttribute2 –NotMatch “Regular”} | ForEach-Object {Remove-ADPrincipalGroupMembership –Identity $ –MemberOf $Group –Confirm:$false}

#Adds any Regular employee to the Group that currently is not a member of it - This is where my issue is. The LDAPfilter to check if user already in a group is not working. I want to find any user with the attribute listed set to 'Regular" and add them to this group if they are not already in it.

Get-ADUser -Filter {extensionAttribute2 -like “Regular”} –SearchBase $OU –SearchScope Subtree –LDAPFilter “(!memberOf=$Group)” | ForEach-Object {Add-ADPrincipalGroupMembership –Identity $_ –MemberOf $Group}

techtim2003yahoo-com · February 7, 2017, 1:12pm

What happens when you break it down?

Get-ADUser -Filter {extensionAttribute2 -like "Regular"} –SearchBase $OU –SearchScope Subtree –LDAPFilter “(!memberOf=$Group)”

I would expect this to return all results. Worry about the later action after you get this core piece working. If I remember correctly (I am a bit of a newb myself) -like requires wildcards. so “regular”

bjascob9 · February 7, 2017, 1:18pm

This portion works fine running by itself: Get-ADUser -Filter {extensionAttribute2 -like “Regular”} –SearchBase $OU –SearchScope Subtree

once i add –LDAPFilter “(!memberOf=$Group)” it gives the below error:

Get-ADUser : Parameter set cannot be resolved using the specified named parameters.
At line:1 char:1

Get-ADUser -Filter {extensionAttribute2 -like “Regular”} –SearchBase …

  + CategoryInfo          : InvalidArgument: (:) [Get-ADUser], ParameterBindingException
  + FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.ActiveDirectory.Management.Commands.GetADUser

daniel-krebs · February 7, 2017, 1:37pm

Please post the error message. From a quick glance your last statement is not correct. You can’t combine -Filter and -LDAPFilter in the same command. Either settle on -Filter or -LDAPFilter.

daniel-krebs · February 7, 2017, 1:45pm

Example:

Get-ADUser -LDAPFilter "(&(extensionAttribute2=Regular*)(!memberOf=$Group))" –SearchBase $OU –SearchScope Subtree | ForEach-Object { Add-ADPrincipalGroupMembership –Identity $_ –MemberOf $Group }

bjascob9 · February 7, 2017, 3:28pm

Thanks…That solved my issue. Really appreciate the help.

Topic		Replies	Views
failing ldapfilter in AD lookup PowerShell Help	2	145	September 27, 2019
Add user(s) to AdGroup with exceptions PowerShell Help	2	163	September 5, 2018
All users within OU automatically added to group. PowerShell Help	0	135	December 31, 2011
New to PS scripting-help with add user to AD group PowerShell Help	23	248	May 18, 2018
Getting Members of Groups in AD PowerShell Help	1	172	August 3, 2017

Newbie needs help - Shadow Groups

Related Topics