Newbie needs help - Shadow Groups

Hi, I'm new to using PowerShell and am trying to create a script to automatically add all users with a specific attribute in AD to a group and remove any from that group that do not have this attribute. I have just one section of a line that is not working and keeps giving errors. Any assistance would be great.

Here is what i have:

#Import the AD module
Import-Module ActiveDirectory

#Set your search OU and Group Variables
$OU = "OU=<your OU>,DC=<your domain>,DC=<tld>"                     # placeholder: search base (values not in the original post)
$Group = "CN=<your group>,OU=<your OU>,DC=<your domain>,DC=<tld>"  # placeholder: the group's distinguished name

#Pull current list of Group Members and remove anyone not a Regular Employee - This part works fine
#Get-ADGroupMember returns principal objects without extensionAttribute2, so each member is re-read with Get-ADUser before the attribute is tested
Get-ADGroupMember -Identity $Group | Get-ADUser -Properties extensionAttribute2 | Where-Object {$_.extensionAttribute2 -NotMatch "Regular"} | ForEach-Object {Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group -Confirm:$false}

#Adds any Regular employee to the Group that currently is not a member of it - This is where my issue is. The LDAPFilter to check if a user is already in the group is not working. I want to find any user with the attribute listed set to 'Regular' and add them to this group if they are not already in it.

Get-ADUser -Filter {extensionAttribute2 -like "Regular"} -SearchBase $OU -SearchScope Subtree -LDAPFilter "(!memberOf=$Group)" | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group}

What happens when you break it down?

Get-ADUser -Filter {extensionAttribute2 -like "Regular"} -SearchBase $OU -SearchScope Subtree -LDAPFilter "(!memberOf=$Group)"

I would expect this to return all results. Worry about the later action after you get this core piece working. If I remember correctly (I am a bit of a newb myself), -like requires wildcards, so “regular

This portion works fine running by itself: Get-ADUser -Filter {extensionAttribute2 -like "Regular"} -SearchBase $OU -SearchScope Subtree

Once I add -LDAPFilter "(!memberOf=$Group)" it gives the below error:

Get-ADUser : Parameter set cannot be resolved using the specified named parameters.
At line:1 char:1
+ Get-ADUser -Filter {extensionAttribute2 -like “Regular”} –SearchBase …
    + CategoryInfo          : InvalidArgument: (:) [Get-ADUser], ParameterBindingException
    + FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.ActiveDirectory.Management.Commands.GetADUser

Please post the error message. From a quick glance your last statement is not correct. You can’t combine -Filter and -LDAPFilter in the same command. Either settle on -Filter or -LDAPFilter.


Get-ADUser -LDAPFilter "(&(extensionAttribute2=Regular*)(!memberOf=$Group))" -SearchBase $OU -SearchScope Subtree | ForEach-Object { Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group }
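As an added example (not code from anyone in this thread), here is the complete shadow-group sync written around a single -LDAPFilter query, the approach the answer above takes. The OU and group name are placeholders. Two points the thread does not spell out are handled explicitly: memberOf holds distinguished names, so the group is resolved to its DN before it goes into the filter (a plain group name inside "(memberOf=...)" would match nothing), and Get-ADGroupMember returns principal objects that carry no extensionAttribute2, so the removal pass re-reads each member with Get-ADUser -Properties extensionAttribute2 before testing the attribute. The filter uses the RFC 4515 form (!(memberOf=...)) and escapes the DN, which may legitimately contain parentheses. The script declares SupportsShouldProcess, so running it with -WhatIf previews every add and remove without changing the directory.

```powershell
<#
  Added example, not the poster's script: keep a "shadow group" in sync with
  users whose extensionAttribute2 is exactly "Regular".
  Run with -WhatIf to preview changes, -Verbose to see each add/remove.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholders: replace with your own search base and shadow group name.
    [string]$OU        = 'OU=Staff,DC=example,DC=com',
    [string]$GroupName = 'Regular-Employees'
)

Import-Module ActiveDirectory

# memberOf stores distinguished names, so resolve the group object first;
# a sAMAccountName inside "(memberOf=...)" would never match anything.
$Group   = Get-ADGroup -Identity $GroupName
$GroupDN = $Group.DistinguishedName

# RFC 4515 requires \ ( ) * and NUL to be escaped inside a filter value.
# A DN can contain parentheses, so escape it before splicing it into the filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $escaped = $Value    -replace '\\', '\5c'   # backslash first, so later escapes are not re-escaped
    $escaped = $escaped  -replace '\(', '\28'
    $escaped = $escaped  -replace '\)', '\29'
    $escaped = $escaped  -replace '\*', '\2a'
    $escaped -replace "`0", '\00'
}
$EscapedGroupDN = ConvertTo-LdapFilterValue -Value $GroupDN

# Pass 1: drop direct members that are no longer "Regular".
# Get-ADGroupMember returns ADPrincipal objects without extension attributes,
# so each user is re-read with Get-ADUser before the attribute is tested.
# Nested groups and computers are skipped rather than fed to Get-ADUser.
Get-ADGroupMember -Identity $Group |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties extensionAttribute2 |
    Where-Object { $_.extensionAttribute2 -ne 'Regular' } |
    ForEach-Object {
        Write-Verbose "Removing $($_.SamAccountName) from $GroupName"
        Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group -Confirm:$false
    }

# Pass 2: add "Regular" users under $OU that are not yet direct members.
# One -LDAPFilter carries every condition; -Filter and -LDAPFilter belong to
# different parameter sets of Get-ADUser and cannot be combined.
$Filter = "(&(objectCategory=person)(objectClass=user)(extensionAttribute2=Regular)(!(memberOf=$EscapedGroupDN)))"
Get-ADUser -LDAPFilter $Filter -SearchBase $OU -SearchScope Subtree |
    ForEach-Object {
        Write-Verbose "Adding $($_.SamAccountName) to $GroupName"
        Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group
    }
```

Both passes test for an exact value of "Regular" (the -ne comparison is case-insensitive, and the LDAP equality match has no trailing wildcard), so an account whose attribute reads "Regular Part-time" is neither kept nor added; change both tests together if substring matching is what you want. Because the add pass only looks under $OU while the remove pass looks at the whole group, a "Regular" user outside $OU is left alone rather than churned in and out on every run.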

Thanks…That solved my issue. Really appreciate the help.