AD users not in a particular security group

lee roberts 186 Reputation points
2021-09-08T11:47:47.593+00:00

I'm trying to get a list of all the users that have logged on in the last 60 days and are not in a particular security group.
Using a couple of other scripts I can get the number of users that have logged on and the number of members in the SG, but I need to know who is not a member of the SG, as it's for 365 licensing.

Running this gives me the list of all the users logged on in the last 60 days, so it works.
$OU = "DC=Domain,DC=com"
Get-ADUser -Filter * -SearchBase $OU -Properties Name,SamAccountName,LastLogonDate,DistinguishedName, memberOf |
Where-Object {($_.LastLogonDate -ge (Get-Date).AddDays(-60))

When I add this, it exports users that are in the SG and some that aren't:

-and ($_.memberOf -NotLike "GroupName") } | export-csv "C:\temp\userexport.csv"

Full Script:

$OU = "DC=Domain,DC=com"
Get-ADUser -Filter * -SearchBase $OU -Properties Name,SamAccountName,LastLogonDate,DistinguishedName, memberOf | 
Where-Object {($_.LastLogonDate -ge (Get-Date).AddDays(-60)) -and ($_.memberOf -NotLike "GroupName") } | export-csv "C:\temp\userexport.csv"
Windows Server PowerShell

Accepted answer
  1. Rich Matheisen 47,581 Reputation points
    2021-09-08T14:33:21.31+00:00

    Try this:

    $OU = "DC=Domain,DC=com"
    $dn = (Get-ADGroup "GroupName").distinguishedName
    Get-ADUser -Filter * -SearchBase $OU -Properties Name,SamAccountName,LastLogonDate,DistinguishedName, memberOf | 
        Where-Object {($_.LastLogonDate -ge (Get-Date).AddDays(-60)) -and ($_.memberOf -notcontains $dn) } | 
            Select-Object Name,SamAccountName,LastLogonDate,DistinguishedName |
                export-csv "C:\temp\userexport.csv" -NoTypeInformation
    

    If you have more than one domain controller in the domain "domain.com" you're going to get results that aren't entirely accurate because you're using LastLogonDate, and that's a locally (i.e. per DC) "calculated" value of the LastLogonTimeStamp. To be entirely accurate you'll have to query each DC for each user for the user's "LastLogon" value. You'll then keep just the most recent date from among them.

    Here's a good reference (there are many more!): lastlogon-vs-lastlogontimestamp-vs.html

    1 person found this answer helpful.
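The two points in the accepted answer combined into one script, as an added example that is not the answerer's code: the group is matched by its DN with -notcontains, and the most recent LastLogon is taken across every domain controller instead of trusting the replicated LastLogonDate. It assumes the RSAT ActiveDirectory module, read access to the user attributes on each DC, and that the group name, search base and CSV path are placeholders to replace.

```powershell
# Added example (not from the original answer).
# 1) Resolve the group to its DN and test the multi-valued memberOf with -notcontains.
# 2) lastLogon is not replicated, so query every DC and keep the newest value per user.
# Assumes: RSAT ActiveDirectory module; rights to read user attributes on each DC;
# placeholder group name, search base and CSV path below.
Import-Module ActiveDirectory

$OU        = "DC=Domain,DC=com"            # placeholder search base
$GroupName = "GroupName"                   # placeholder group
$Cutoff    = (Get-Date).AddDays(-60)
$CsvPath   = "C:\temp\userexport.csv"

$groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName
$dcs     = (Get-ADDomainController -Filter *).HostName

# Candidate set: users whose direct memberOf does not contain the group DN.
# Note: memberOf lists direct membership only; nested membership is not reflected here.
$candidates = Get-ADUser -Filter * -SearchBase $OU -Properties memberOf, LastLogonDate |
    Where-Object { $_.memberOf -notcontains $groupDn }

# One query per user per DC; on a large domain this is the slow part.
$results = foreach ($user in $candidates) {
    $latest = 0
    foreach ($dc in $dcs) {
        try {
            $ll = (Get-ADUser -Identity $user.DistinguishedName -Server $dc -Properties lastLogon).lastLogon
            if ($ll -gt $latest) { $latest = $ll }
        } catch {
            Write-Warning "Could not query $dc for $($user.SamAccountName): $_"
        }
    }
    # lastLogon is a FILETIME (100 ns ticks since 1601); 0 means never logged on anywhere.
    $lastLogon = if ($latest -gt 0) { [DateTime]::FromFileTime($latest) } else { $null }
    if ($lastLogon -and $lastLogon -ge $Cutoff) {
        [PSCustomObject]@{
            Name              = $user.Name
            SamAccountName    = $user.SamAccountName
            LastLogon         = $lastLogon
            LastLogonDate     = $user.LastLogonDate   # replicated value, kept for comparison
            DistinguishedName = $user.DistinguishedName
        }
    }
}

$results | Sort-Object LastLogon -Descending | Export-Csv $CsvPath -NoTypeInformation
```

A DC that is unreachable is skipped with a warning, so a user whose only logons were against that DC may be under-reported; re-run when all DCs answer before acting on the list.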

3 additional answers

  1. Gopi Ponnusamy 41 Reputation points Microsoft Employee
    2021-09-08T14:34:41.04+00:00

    Hello,

    Try the DN instead of the group name. It will work.
    ($_.memberOf -NotLike "GroupName")

    If you want to use the group name, then convert the DN to the group name and then do the validation.

    Let me know the status.


  2. Rich Matheisen 47,581 Reputation points
    2021-09-08T20:06:48.063+00:00

    See if this works for you:

    $OU = "DC=Domain,DC=com"
    $groups = "a","b","c"
    # Emit each DN from the script block; assigning to $dns inside it outputs nothing,
    # so the outer assignment would leave $dns empty
    [array]$dns =   $groups |
                        ForEach-Object{
                            (Get-ADGroup $_).DistinguishedName
                        }
    Get-ADUser -Filter * -SearchBase $OU -Properties Name,SamAccountName,LastLogonDate,DistinguishedName, memberOf | 
        Where-Object {($_.LastLogonDate -ge (Get-Date).AddDays(-60))} |
            ForEach-Object{
                $exportuser = $true
                foreach ($dn in $dns){
                    if ($_.memberof -contains $dn){       # user is a member of at least one group
                        $exportuser = $false
                        break
                    }
                }
                if ($exportuser){
                    $_                                  # emit user
                }
            } | Select-Object Name,SamAccountName,LastLogonDate,DistinguishedName |
                export-csv "C:\temp\userexport.csv" -NoTypeInformation
    

  3. Limitless Technology 39,791 Reputation points
    2021-09-09T19:41:46.507+00:00

    Hello @lee roberts

    Additionally, you may try this PowerShell command, which uses an LDAP filter:

    # Cmdlet is Get-ADUser; each LDAP NOT must wrap its own parenthesised term: (!(attr=value))
    Get-ADUser -LDAPFilter "(&(!(memberOf=cn=Group1,ou=myOU,dc=MyDomain,dc=com))(!(memberOf=cn=Group2,ou=MyOU,dc=MyDomain,dc=com))(!(memberOf=cn=Group3,ou=MyOU,dc=MyDomain,dc=com)))"
    

    You must specify the DN of groups.

    Thank you.
