2

I'm working on a script that compares an AD user's group memberships to an existing list. One of the things I want to check for is if the user does not belong to any of the groups on the list and only to the default "Domain Users" group that all domain users are a part of, then it should output a message like, "TestUser01 is not a member of any of the groups"

Is there an operator that can check to see if that is the only value that exists? My script may be a bit odd since it's not testing against objects but the string equivalent of the object value, so that may be where my problem lies. I'm not quite sure. Partial output of the script is below. I did it this way because it was the only way I could compare the group names. When I tried comparing the object.name values, I could not make it work:

#gets a list of all groups in a given OU and stores the objects in the $groups variable $groups = Get-ADGroup -Filter * -SearchBase 'OU=TUNE_TEST_GROUPS,OU=TUNE_TEST,DC=tune,DC=priv' -Properties name | select name #pipe each group object into a foreach loop and output a string value of the same group name and stores it into the $groups_string variable $groups_string = $groups | % {$_.name} #gets a list of all users in a given OU and stores the objects in the $users variable $users = Get-ADUser -Filter * -SearchBase 'OU=TUNE_TEST_USERS,OU=TUNE_TEST,DC=tune,DC=priv' #hash table containing the $table properties $props=@{ "Username" = "" "Groupname" = "" } #empty array to store each user/group output object $table=@() #iterates through every user in the $users variable and retrieves their group memberships foreach ($user in $users) { #selects each group name and stores it in the $groupMembership variable $groupMembership = Get-ADPrincipalGroupMembership $user | select name #compares the names of each user's group to the baseline group name. $groupMembership | foreach ($_) { #If there is a match add the group name and the username to the $results hash table if ($groups_string -contains $_.name) { $props."Groupname" = $_.name $props."Username" = $user.Name #create a new PS object and supply the properties of the $results hash table to each object $objresults = New-Object psobject -Property $props #add each object to the $table array $table += $objresults } } } #display/output the $table array and format it to fit $table | ft -AutoSize

I've deleted the else statement since that's what I am currently trying to figure out. Right now, I can only get it to output the username and the group name when there is a match. What I need to accomplish/figure out, is to make it so that my other test users who are not part of any groups except the domain users group, appear on the report as not being a part of any of the main groups. During my tests, the only time I was able to make this happen was when the same message would also appear for my other test users. This does not make sense to the person looking at the report because those test users do belong to groups on the main group list, but because they are a part of Domain Users, an object get's outputted saying they're not a part of any of the main groups when it iterates through the Domain Users group.

I played around with some different combinations of comparison operators but could not get any to work properly. Any suggestions would be appreciated.

Improve this question
5
  • It seems the easy route would be if ($groupMembership.Count -le 1 -and $groupMembership[0].Name -ne "allDomainUsers") {# Do stuff; } else { write-host "$user does not have any rights!"; } Commented May 16, 2016 at 22:31
  • @AustinFrench Doesn't look like it. I tried something similar before I wrote the post and it didn't output what I wanted. I also gave your suggestion a try, it appears to do the same thing that I had. It outputs all the groups that match the main query but also displays the message saying TestUser01 is not a part of any groups from the main group query whenever it hit's that default Domain Users group for each user. Commented May 16, 2016 at 22:56
  • Also, in your code block you're using .count and [0].name on the $groupMembership variable. In mine i have each object in that variable piped through to a for-loop so i changed the syntax to if ($_.count -le 1 -and $_[0].name -ne "Domain Users")...still same result as what I had though. Commented May 16, 2016 at 22:59
  • How is this question different from your previous one? Instead of checking for an empty result you just need to check that the result contains only the "Domain Users" group and nothing else. Commented May 17, 2016 at 12:00
  • @AnsgarWiechers - that's basically what I'm asking. If there's a cmdlet or operator that checks an object or variable to see if it contains only the "Domain Users" group and nothing else. Maybe I can just count the number of groups a user belongs to and if it is -lt 1 -and contains "Domain Users" then output the message saying it's not a part of any group? And yes, I realize it's like my other question. I thought it was resolved in that post until I tested it again. Commented May 17, 2016 at 14:39

2 Answers 2

Reset to default
1

Use Compare-Object just like I told you in response to your previous question, expand the InputObject property to get the (group) objects that are equal in both arrays, then expand the objects' Name property.

$common = Compare-Object $userGroups $groups -IncludeEqual -ExcludeDifferent | Select-Object -Expand InputObject | Select-Object -Expand Name

Now you can check if the result contains only the name Domain Users like this:

if ($common -contains 'Domain Users' -and $common.Count -eq 1) { ... } else { ... }

or like this:

if ($common.GetType().Name -eq 'String' -and $common -eq 'Domain Users') { ... } else { ... }

You could also just select the first object's name from the list:

$common = Compare-Object $userGroups $groups -IncludeEqual -ExcludeDifferent | Select-Object -Expand InputObject | Select-Object -First 1 -Expand Name if ($common -eq 'Domain Users') { ... } else { ... }
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

Thanks Ansgar. I tried variations of your suggestion and I could not get it working for what I need. I ended up mixing parts of my original script with the script I posted above and came out with the script below:

#queries all groups in a specified OU $groups = Get-ADGroup -Filter * -SearchBase 'OU=TUNE_TEST_GROUPS,OU=TUNE_TEST,DC=tune,DC=priv' #iterates through each group object and outputs just the string value of the name property $groups_string = $groups | % {$_.name} #queries all users in a specified OU $users = Get-ADUser -Filter * -SearchBase 'OU=TUNE_TEST_USERS,OU=TUNE_TEST,DC=tune,DC=priv' foreach ( $user in $users ) { #iterates through each user, find their group memberships, and outputs just the name property value $userGroups = Get-ADPrincipalGroupMembership $user | select name #if user belongs to more than one group, add following string if ( $userGroups.Count -gt 1){ "{0} is a member of the following groups:" -f $user.SamAccountName #iterates through each group, if group name matches group name in original query, output the matching group name $userGroups | foreach ($_) { if ($groups_string -contains $_.name){ "`t{0}" -f $_.Name} } } #if user belongs to 1 or lesser groups perform the next check elseif ( $userGroups.Count -le 1 ) { #iterates through each group, if group name in check matches "Domain Users", output string saying user doesn't belong to any groups $userGroups | foreach ($_) { if ($_.name -contains "Domain Users") { "{0} is not a member of any groups" -f $user.SamAccountName} } } }

This actually works well for what I need. I was able to test by adding a few of the test users to different groups out of those in the base OU I was querying. I can confirm it only outputs the groups I care about, those that match groups in the baseline query. It also allows me to output a message saying that a user doesn't belong to any of the baseline groups when they are only a part of the default Domain Users group, and it also excludes the other users from this check who are a part of Domain Users by default but also belong to groups on the baseline check. Posting final script for anyone who's interested.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.