This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 95%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
I have this script that works nicely that shows me user accounts within an OU that are NOT part of a group. However, how do I update the script to?:
$users = Get-ADUser -Filter * -SearchBase "OU=USA,DC=company,DC=com"
$group = "VPN"
$members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty Name
$users | ForEach-Object {
$user = $_.Name
If ($members -notcontains $user) {
Write-Host "Accounting OU: $user DOES NOT exist in the VPN group"
}}
Hi @rerhart ,
maybe this is helpful (not tested):
# Get AD User with expiration date less than today
Get-ADUser $User -Properties * | Where-Object {$_.AccountExpirationDate -le (Get-Date)}
# Get enabled AD user only
Get-ADUser $User -Properties * | Where-Object {$_.Enabled -like “true”}
# Combined
Get-ADUser $User -Properties * | Where-Object {($_.AccountExpirationDate -le (Get-Date)) -and ($_.Enabled -like “true”)}
# Get-ADuser search Subtree of -Searchbase
Get-ADUser $User -Properties * -SearchBase "OU=USA,DC=company,DC=com" -SearchScope Subtree
# User not in Group
$notinGroup = get-adgroup "NONVPN "
Get-ADUser $User -Properties * | Where-Object {$notinGroup.DistinguishedName -notin $_.memberof}
----------
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Andreas Baumgarten
What I need is this:
List all ENABLED and NON Expired users from OU=USA and OU=Europe that are NOT members of VPN, but ARE members of NONVPN. I've got this script but still isn't giving me what I need....
$grp1 = (Get-ADGroup 'VPN').DistinguishedName
$grp2 = (Get-ADGroup 'NONVPN').DistinguishedName
$date = (Get-Date)
$filter="Enabled -eq '$true' -and AccountExpirationDate -lt '$date' -and memberof -notlike '$grp1' -and memberof -like '$grp2' "
Get-Aduser -Filter $filter -SearchBase "OU=USA,DC=company,DC=com" | Select Name
Get-Aduser -Filter $filter -SearchBase "OU=Europe,DC=company,DC=com" | Select Name
Hi @rerhart ,
what is missing or what is wrong? "but still isn't giving me what I need." could you please explain with a little more details what in detail is "wrong".
----------
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Andreas Baumgarten
It is returning back Enabled/Expired users that are members of the NONVPN group. If User Account A is Enabled and not Expired, and NOT in VPN, but IS in NONVPN, I do not want to see his name in the results. I only need results for:
Enabled and not Expired users that are NOT in the VPN group... but if they ARE in NONVPN group, then do not show in the results.
...and I have about 2-3 specific OUs to search, not the entire domain.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
The comparison on the expiration date should be "less than", not "less than or equal".
Accounts expire at the end of the day. So if the expiry date is today and you use the "-le" comparison operator with today's date you may get some unexpected accounts in the results.
I'm pretty sure the confusion came from your description and the code you used as an example. Easy enough to fix, though. Change the name of the group (in the code)!
Something like this:
$group = "VPN"
$OU = "OU=USA,DC=company,DC=com"
$now = (Get-Date).Date
$members = Get-ADGroupMember -Identity $group -Recursive |
Select-Object -ExpandProperty distinguishedName
Get-ADUser -Filter "enabled -eq 'true'" -SearchBase $OU |
Where-Object {$_.accountexpirationdate -lt $now} |
ForEach-Object {
If ($members -notcontains $_.distinguishedname) {
Write-Host "Accounting OU: $($_.name) DOES NOT exist in the $group group"
}
}
Ok, thanks. That works partially. It is still outputting expired user accounts.
Also, how can I add that if they are NOT part of group "NONVPN", do not display in the output?
I also need to search about 3 specific OUs, but I can run this 3 times for that and change $OU.
Some clarification, please:
Are there one, or two groups involved? Your 1st code example had the group "VPN" in it. Now there's also a group named "NONVPN"?
The way you state the NONVPN condition is by using a double negative. Would it be clearer to say that if they ARE a member of the group NONVPN that the account should be listed?
There's no need to run the script three times, but it would have been good to completely state the requirements in the first place!
Try this:
$vpn = "VPN"
$nonvpn = "NONVPN"
$OUs = "OU=USA,DC=company,DC=com", "OU=Europe,DC=company,DC=com"
$now = (Get-Date).Date # accouns expiring today are NOT YET expired!
$VPNmembers = Get-ADGroupMember -Identity $vpn -Recursive |
Select-Object -ExpandProperty distinguishedName
$NONVPNmembers = Get-ADGroupMember -Identity $nonvpn -Recursive |
Select-Object -ExpandProperty distinguishedName
$OUs |
Get-ADUser -Filter "enabled -eq 'true'" -SearchBase $_ |
Where-Object { (-not $_.accountexpirationdate) -OR ($_.accountexpirationdate -gt $now) } | # no expiry date or not expired
ForEach-Object {
If ($vpnmembers -notcontains $_.distinguishedname -AND $nonvpmmembers -contains $_.distinguishedname) {
Write-Host "Accounting OU: $($_.name) is ENABLED, NOT expired, DOES NOT exist in the $vpn group, but DOES exits in $nonvpn group"
}
}