I have been asked to write a script that can get all of our AD users not currently in a security group. My issue is that there are 9 security groups, numbered 1-9.
I need the script to check all 9 groups and, if the AD user is NOT found in any of the groups, export them into a report.
Try this one. I went a little different way than those before, but I think we can manage to get results with this one. I assumed that you have only these nine groups you were interested in and nothing else is named like this, so we can only search for groups named "WebPolicy" from users.
I've come across an issue that I naively did not anticipate. It's pulling back a lot more users than it should. After going into the users' memberships, I remembered a lot of users are members of the WebPolicy groups via an RBAC group.
Is there a way I can search each AD user's memberships recursively, to check within their RBAC for a WebPolicy?
However, I would safely assume every user within an RBAC group IS a member of a WebPolicy, as this was added upon creation of the RBACs and reviewed by our info sec team. This may mean we can check if a user is a member of an RBAC, and they WILL be in a WebPolicy?
So you need to search for these WebPolicy groups from other groups? Then I suggest that you do that, collect those groups together with these WebPolicy groups, and put them into the list of groups you look for on each user. Did I explain this right?
So just to make myself clearer on what I am trying to achieve here (I should have been a lot clearer to begin with):
-I need to get all AD users within a specific OU that are ENABLED.
-Use the RecursiveMatch parameter, as a lot of the users are members of role-based groups which contain the web policies.
-I need to check each user to see if it's a member of 1 of 5 groups, WebPolicy1,2,3,4,5 (all beginning with "WebPolicy").
Nay: When you say "a lot of the users are members of Role Based groups which contain the web policies", do you mean that the AD users are members of role groups that are themselves members of the WebPolicy security groups, or are you saying that the WebPolicy security groups are members of the role groups? If you're saying the former, then the following is what I got to work. You can parameterize it, if you want. If you're saying the latter, please clarify with further details on the issue.
#Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory
#Array of web policy groups.
$WebPolicyGroups = 'WebPolicy1','WebPolicy2','WebPolicy3','WebPolicy4','WebPolicy5'
#Get list of the enabled AD users in the OU you want to check.
$ADUsers = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase "OU=YourOU,DC=YourDomain,DC=com"
#Put together combined list of ObjectGuid values of the members of all web policy groups, recursively.
#-Recursive expands nested groups (e.g. an RBAC group inside a WebPolicy group) down to the individual members.
$GroupMemberObjectGuids = @()
ForEach($WebPolicyGroup in $WebPolicyGroups)
{
    $GroupMemberObjectGuids += Get-ADGroupMember $WebPolicyGroup -Recursive | Select-Object -ExpandProperty ObjectGuid
}
#Array of non-members.
$NonMembers = @()
#Check to see if the ObjectGuid of any of the AD users in $ADUsers matches one of the ObjectGuid values in $GroupMemberObjectGuids. If it's not listed, then the user is not a member, directly or indirectly (through nested groups under the Web Policy security groups), of any of the Web Policy security groups.
ForEach($ADUser in $ADUsers)
{
    If(-not ($ADUser.ObjectGuid -in $GroupMemberObjectGuids))
    {
        $Object = New-Object -TypeName PSObject -Property @{Name = $ADUser.Name;UserPrincipalName = $ADUser.UserPrincipalName;SamAccountName = $ADUser.SamAccountName}
        $NonMembers += $Object
    }
}
$NonMembers | Out-File -FilePath C:\WebPolicy-NonMembers.txt
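An alternative, added here as an example and not part of the thread, lets the domain controller resolve the nested (user -> RBAC group -> WebPolicyN) membership with one LDAP query instead of enumerating every group's members client-side, and restricts to enabled users in the same filter. It assumes the ActiveDirectory module is available; the OU path and group names are placeholders, and the function names are mine.

```powershell
Import-Module ActiveDirectory

function New-NotInGroupsLdapFilter {
    param(
        [Parameter(Mandatory)] [string[]] $GroupDistinguishedNames
    )
    # Escape characters that are special in LDAP filter values (RFC 4515); backslash first.
    $escaped = foreach ($dn in $GroupDistinguishedNames) {
        $dn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    }
    # Enabled users only: ACCOUNTDISABLE (bit 2) of userAccountControl must be clear.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $clauses = @(
        '(objectCategory=person)',
        '(objectClass=user)',
        '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
    )
    # One negated clause per group using LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941),
    # which matches memberOf transitively, so users reaching WebPolicyN via an RBAC group are excluded.
    $clauses += foreach ($e in $escaped) { "(!(memberOf:1.2.840.113556.1.4.1941:=$e))" }
    return '(&' + ($clauses -join '') + ')'
}

function Get-UsersNotInGroups {
    param(
        [Parameter(Mandatory)] [string]   $SearchBase,
        [Parameter(Mandatory)] [string[]] $GroupNames
    )
    # The in-chain rule needs distinguished names, so resolve the group names first.
    $groupDNs = foreach ($name in $GroupNames) { (Get-ADGroup -Identity $name).DistinguishedName }
    $filter = New-NotInGroupsLdapFilter -GroupDistinguishedNames $groupDNs
    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase |
        Select-Object Name, SamAccountName, UserPrincipalName
}

# Usage with placeholder OU and group names; writes the report as CSV.
$groups = 1..5 | ForEach-Object { "WebPolicy$_" }
Get-UsersNotInGroups -SearchBase 'OU=YourOU,DC=YourDomain,DC=com' -GroupNames $groups |
    Export-Csv -Path 'C:\WebPolicy-NonMembers.csv' -NoTypeInformation
```

Membership through a user's primary group is not reflected in memberOf, so a user whose only link to a WebPolicy group is the primary group would still appear in the report.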
Nay: I'm glad it worked for you. I'm working on creating a full-blown, parameterized script so that you can either specify a comma-separated list of security groups or provide them via a text file (so you don't have to type the list over and over for various sets of security groups)... and other options. I'll post it when I've got it done.