AD dynamic group on premise AD

Efff dd 536 Reputation points
2021-02-25T14:34:34.343+00:00

Hello
Looking for a way to create a dynamic group, looking at an existing OU in AD, but exclude any account that is disabled.
If I have to create a scheduled task under Windows to kick off a PowerShell script, that's fine.
Not sure what syntax to use to exclude disabled accounts.

Get-ADUser -Filter * -SearchBase 'OU=Users,OU=NY,OU=USA,DC=theitbros,DC=com' |
    ForEach-Object -Process { Add-ADGroupMember -Identity "NY Users" -Members $_.SamAccountName }


Accepted answer
  1. Ian Xue (Shanghai Wicresoft Co., Ltd.) 29,571 Reputation points Microsoft Vendor
    2021-02-26T03:04:04.637+00:00

    Hi,

    The -Filter parameter can get the enabled/disabled users for you.

    $enabled  = Get-ADUser -Filter {Enabled -eq $true}  -SearchBase 'OU=Users,OU=NY,OU=USA,DC=theitbros,DC=com'
    $disabled = Get-ADUser -Filter {Enabled -eq $false} -SearchBase 'OU=Users,OU=NY,OU=USA,DC=theitbros,DC=com'
    # -Members rejects an empty value, so skip each call when there is nothing to pass
    if ($disabled) { Remove-ADGroupMember -Identity "NY Users" -Members $disabled -Confirm:$false }
    if ($enabled)  { Add-ADGroupMember    -Identity "NY Users" -Members $enabled }


    Best Regards,
    Ian Xue



2 additional answers

  1. Bill Stewart 181 Reputation points
    2021-02-25T17:04:39.483+00:00

    The below will get all users starting at the search base that are enabled (i.e., not disabled):

    Get-ADUser -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -SearchBase "OU=...."
    
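The OID in that filter is LDAP_MATCHING_RULE_BIT_AND: "userAccountControl:1.2.840.113556.1.4.803:=2" is true when the ACCOUNTDISABLE bit (value 2) is set, and the leading "!" negates it. The script below is an added example, not part of this answer: it builds filters of that shape from named userAccountControl flags and evaluates the same bit test locally against constructed sample values, so the logic can be checked without a domain. The function names, the flag table and the sample accounts are this example's own; the flag values are the documented ADS_USER_FLAG_ENUM constants.

```powershell
# Added example (not code from the thread). Builds and locally checks LDAP bit-and filters
# over userAccountControl. Function names and sample data are this example's own.

# userAccountControl flag values (ADS_USER_FLAG_ENUM).
$UacFlag = [ordered]@{
    ACCOUNTDISABLE       = 0x0002
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED   = 0x40000
}

function New-UacLdapFilter {
    # LDAP filter for user objects whose userAccountControl has every -Require bit set
    # and none of the -Exclude bits set. 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND.
    param(
        [string[]]$Require = @(),
        [string[]]$Exclude = @('ACCOUNTDISABLE')
    )
    $parts = @('(objectCategory=person)', '(objectClass=user)')
    foreach ($f in $Require) { $parts += "(userAccountControl:1.2.840.113556.1.4.803:=$($UacFlag[$f]))" }
    foreach ($f in $Exclude) { $parts += "(!userAccountControl:1.2.840.113556.1.4.803:=$($UacFlag[$f]))" }
    '(&' + ($parts -join '') + ')'
}

function Test-UacFlags {
    # Local equivalent of the bit test the domain controller performs for that filter.
    param(
        [int]$UserAccountControl,
        [string[]]$Require = @(),
        [string[]]$Exclude = @('ACCOUNTDISABLE')
    )
    foreach ($f in $Require) { if (($UserAccountControl -band $UacFlag[$f]) -eq 0) { return $false } }
    foreach ($f in $Exclude) { if (($UserAccountControl -band $UacFlag[$f]) -ne 0) { return $false } }
    return $true
}

# Constructed sample accounts (not real directory data).
$samples = @(
    @{ Name = 'alice'; UAC = 0x200   }   # 512:   normal, enabled
    @{ Name = 'bob';   UAC = 0x202   }   # 514:   normal, disabled
    @{ Name = 'carol'; UAC = 0x10200 }   # 66048: enabled, password never expires
    @{ Name = 'dave';  UAC = 0x10202 }   # 66050: disabled, password never expires
)

# The filter used in the answer above, with the objectCategory/objectClass terms added:
$enabledFilter = New-UacLdapFilter -Exclude ACCOUNTDISABLE
"Enabled-users filter: $enabledFilter"
foreach ($s in $samples) {
    $kept = Test-UacFlags -UserAccountControl $s.UAC -Exclude ACCOUNTDISABLE
    '{0,-6} userAccountControl={1,-6} selected={2}' -f $s.Name, $s.UAC, $kept   # alice, carol selected
}

# The same builder serves hygiene audits, e.g. enabled accounts whose password never expires:
$auditFilter = New-UacLdapFilter -Require DONT_EXPIRE_PASSWORD -Exclude ACCOUNTDISABLE
"Audit filter: $auditFilter"

# Against a real domain either string is passed straight to Get-ADUser:
#   Get-ADUser -LDAPFilter $enabledFilter -SearchBase 'OU=Users,OU=NY,OU=USA,DC=theitbros,DC=com'
```

Because the bit test runs on the domain controller, only matching objects cross the wire, which is why an -LDAPFilter of this form is cheaper than pulling every user and filtering on the Enabled property in PowerShell.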

  2. Rich Matheisen 44,776 Reputation points
    2021-02-25T19:16:34.907+00:00

    To remove any disabled users from the group, try this:

    # build a hash of all group member distinguishedNames (Members is not a default property, so request it)
    $m = @{}
    (Get-ADGroup -Identity "NY Users" -Properties Members).Members |
        ForEach-Object {
            $m[$_] = ""
        }
    # collect the distinguishedName of every disabled user that is also a group member
    $d = @()
    (Get-ADUser -Filter {Enabled -eq $false} -SearchBase "OU=Users,OU=NY,OU=USA,DC=theitbros,DC=com").DistinguishedName |
        ForEach-Object {
            if ($m.ContainsKey($_)) {    # is the disabled user a member of the group?
                $d += $_
            }
        }
    if ($d.Count -gt 0) {
        Remove-ADGroupMember -Identity "NY Users" -Members $d -Confirm:$false   # remove disabled members from group
    }


    Note: I no longer have an AD to test this with.

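The accepted answer adds enabled users and removes disabled ones, and the answer above removes only disabled users that are actually members. Neither removes users who were moved out of the OU or deleted, and both need to be safe to run unattended. The script below is an added example, not code from any of the answers: it computes the desired membership (enabled users under the OU, using the userAccountControl bit filter from the thread), diffs it against the group's member attribute, and applies only the difference, which is the shape a scheduled task wants. $SearchBase and $GroupName reuse the values from the question; the parameter names, log location and the rule that anything not in the desired set is removed (so the group must hold only users from that OU) are this example's own assumptions.

```powershell
<#
  Added example (not code from the thread). Keeps a group's membership equal to the set of
  enabled users under an OU; intended to run from a scheduled task.
  $SearchBase and $GroupName come from the question; everything else is assumed.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Users,OU=NY,OU=USA,DC=theitbros,DC=com',
    [string]$GroupName  = 'NY Users',
    [string]$LogPath    = "$env:ProgramData\GroupSync\NYUsers.log"   # assumed location
)

Import-Module ActiveDirectory -ErrorAction Stop

function Write-Log {
    param([string]$Message)
    $line = '{0:u} {1}' -f (Get-Date), $Message
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

# Desired members: enabled user objects anywhere under the OU, keyed by distinguishedName.
# The LDAP filter tests the ACCOUNTDISABLE bit (2) of userAccountControl with the
# LDAP_MATCHING_RULE_BIT_AND rule, so disabled accounts are never selected.
$desired = @{}
Get-ADUser -LDAPFilter '(!userAccountControl:1.2.840.113556.1.4.803:=2)' `
           -SearchBase $SearchBase -SearchScope Subtree |
    ForEach-Object { $desired[$_.DistinguishedName] = $true }

# Safety valve: an empty desired set almost always means the query failed (wrong OU,
# DC unreachable), not that every member really should be removed.
if ($desired.Count -eq 0) {
    Write-Log "No enabled users found under $SearchBase; refusing to empty $GroupName."
    exit 1
}

# Current members: the group's member attribute holds distinguishedNames directly, which
# avoids Get-ADGroupMember's result-size limit and its failure on foreign security principals.
$group   = Get-ADGroup -Identity $GroupName -Properties Members
$current = @{}
foreach ($dn in $group.Members) { $current[$dn] = $true }

# Apply only the difference between the two sets.
$toAdd    = @($desired.Keys | Where-Object { -not $current.ContainsKey($_) })
$toRemove = @($current.Keys | Where-Object { -not $desired.ContainsKey($_) })

if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "add $($toAdd.Count) member(s)")) {
    Add-ADGroupMember -Identity $group -Members $toAdd
    $toAdd | ForEach-Object { Write-Log "added   $_" }
}
if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "remove $($toRemove.Count) member(s)")) {
    # -Confirm:$false suppresses the prompt that would otherwise hang an unattended run
    Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false
    $toRemove | ForEach-Object { Write-Log "removed $_" }
}
Write-Log ('sync complete: {0} desired, {1} added, {2} removed' -f $desired.Count, $toAdd.Count, $toRemove.Count)
```

Run it once by hand with -WhatIf to see what it would change, then schedule it under an account that has write access to the group's member attribute and nothing more; a Task Scheduler action of the form `powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Sync-NYUsers.ps1` (the path is an assumption) is enough. The log file gives you a record of every add and remove, which is worth keeping for a group that grants access.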