Get-ADUser sort by memberOf not working for me


I've a need to extract a list of all members in a particular OU who are members of the same group. The problem is that it only works if I use -match; however, that also picks up groups that have a similar name. If I use -eq it retrieves nothing, despite users being members of that particular group. Can anyone help me figure out what I'm doing wrong?

The PowerShell script I've been using:

Get-ADUser -Filter * -SearchBase 'OU=NewUsers,DC=LOCAL' -properties memberof | Where-Object {$_.memberof -eq 'APP-KMD'} | Select SamAccountName


Denerion (best answer)

Apparently you can't match directly, but if you grab the matches on the given group and pull out the members of that group and compare them, it gives the expected output.

# Users in the OU; only SamAccountName is needed, so there is no reason to pull every property
$brugere = Get-ADUser -Filter * -SearchBase 'OU=NewUsers,DC=LOCAL' | Select-Object SamAccountName
# Direct members of the group
$gruppemedlem = Get-ADGroupMember -Identity app-kmd | Select-Object SamAccountName

ForEach ($bruger in $brugere)
{
    # -contains tests whether the user's SamAccountName appears in the member list
    If ($gruppemedlem.SamAccountName -contains $bruger.SamAccountName) {
        Write-Host $bruger.SamAccountName
    }
}
AudioBubble

Your problem is with the comparison operator; here are some of the differences between them:

Number comparison:

  • -eq (equal to)
  • -ne (not equal to)
  • -gt (greater than)
  • -lt (less than)
  • -le (less than or equal to)
  • -ge (greater than or equal to)

String comparison:

  • -like and -notLike (wildcard string comparison, the wildcards being * and ?), not to be confused with the -contains operator.

Regex comparison:

  • -match and -notMatch (matching with regular expressions)

If you know the exact name of the group you should probably use -like "GROUPNAME"; this way you get only the users of this group.

raspy

Remember that the value of the memberOf attribute is the DN of a group, so you need to match the whole DN, not just the CN of the group. You can get the DN of the group in a subquery and use it directly in a filter, e.g.:

Get-ADUser -LDAPFilter "(memberof=$(Get-ADGroup APP-KMD))" -SearchBase 'OU=NewUsers,DC=LOCAL' | Select SamAccountName
Nvlddmkm

Old post, I know, but I just wanted to throw my hat into the ring for others.

Maybe I missed something, but wouldn't it just be simpler to pipe Get-ADGroupMember -Identity "APP-KMD" through to Get-ADUser?

$ADUserParameters = @{
    "Properties" = "SamAccountName"
}
# -Filter and -SearchBase belong to a different parameter set than the piped -Identity,
# so they cannot be combined here; restrict to the OU by checking each user's DN instead
Get-ADGroupMember -Identity "APP-KMD" |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser @ADUserParameters |
    Where-Object { $_.DistinguishedName -like "*,OU=NewUsers,DC=LOCAL" } |
    Select-Object SamAccountName

Not exactly sure it's the most performant code, but it at least limits what you're sending through the pipeline to only the members of that group, instead of all users under the entire SearchBase first.

EDIT: Disregard, it's waaay more performant to use -LDAPFilter as someone else pointed out; the following worked for me.

Get-ADUser -LDAPFilter "(memberof=$(get-adgroup 'YOUR-SEC-GROUP'))"

Or, for better maintainability:

$secGroup = Get-ADGroup "YOUR-SEC-GROUP"
Get-ADUser -LDAPFilter "(memberof=$secGroup)"
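An added example that is not part of any answer above: it combines raspy's point (memberOf holds the group's DN) with the -LDAPFilter approach from Nvlddmkm's edit, but also escapes the DN for the filter (a group name containing parentheses, asterisks or backslashes would otherwise break the query) and can include users who hold membership only through nested groups, which an access review usually needs. The function names are my own; the ActiveDirectory module is assumed, and the group and OU are the placeholders from the question.

```powershell
# Escape a value for use inside an LDAP filter (RFC 4515); a group DN such as
# "CN=Finance (Legacy),OU=Groups,DC=LOCAL" would otherwise produce an invalid filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Backslash must be handled first so the escapes added afterwards are not re-escaped
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# List the users in one OU that are members of a group, directly or (optionally) via nesting.
# Hypothetical helper written for this example; not from the thread.
function Get-GroupMembersInOU {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$SearchBase,
        [switch]$IncludeNested
    )
    # memberOf stores the group's DN, so resolve the name to a DN before comparing
    $groupDn = (Get-ADGroup -Identity $Group).DistinguishedName
    $escaped = ConvertTo-LdapFilterValue -Value $groupDn

    if ($IncludeNested) {
        # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) lets the domain controller
        # walk nested group membership server-side instead of recursing in the client
        $filter = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$escaped))"
    } else {
        # Direct membership only, which is all a plain memberOf comparison can see
        $filter = "(&(objectCategory=person)(objectClass=user)(memberOf=$escaped))"
    }

    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties SamAccountName, Enabled |
        Select-Object SamAccountName, Enabled, DistinguishedName
}

# Direct members of APP-KMD located under the OU from the question
Get-GroupMembersInOU -Group 'APP-KMD' -SearchBase 'OU=NewUsers,DC=LOCAL'

# The same query, also returning users who inherit membership through nested groups
Get-GroupMembersInOU -Group 'APP-KMD' -SearchBase 'OU=NewUsers,DC=LOCAL' -IncludeNested
```

Comparing the two result sets shows who has access to the application through a nested group rather than a direct assignment, which the original -eq/-match comparison on memberOf cannot reveal.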