Export users from AD with a specific group membership

Question

I'm working on a script that takes all the users in the AD and getting four specifics.

1. saMAccountName
2. Displayname
3. Comment
4. Specific group name (Group A)

Below is the code that I have now. It works, but it gives me all the groups, I only need one specific group (Group A) to be listed. If the user is not a member of this group, the user must be listed in the export but without the listing of the group

Get-ADGroup -Filter {name -like "Domain Users"} | 
Get-ADGroupMember | Where-Object { $_.objectClass -eq 'user' } | 
Get-ADUser -Properties comment,displayname,MemberOf | 
select saMAccountName,displayname,comment,@{Name="MemberOf";Expression={$_.MemberOf -Join ";"}} | 
Sort-Object SamAccountName | Export-csv -path C:\Install\Export-AD.csv -NoTypeInformation

Hope you have some tips and pointers for me on how to filter on the group name.

Answer 1

You could just add a comparison operation ( -like ) to your expression for MemberOf . You can see an example of this below. However, I would recommend against that single augmentation because of the inefficient nature of the Where-Object and the unnecessary queries that are happening here.

Get-ADGroup -Filter {name -like "Domain Users"} | Get-ADGroupMember | Where-Object { $_.objectClass -eq 'user' } | Get-ADUser -Properties comment,displayname,MemberOf | select saMAccountName,displayname,comment,@{Name="MemberOf";Expression={($_.MemberOf -like "Group A") -join ";"}} | Sort-Object SamAccountName | Export-csv -path C:\Install\Export-AD.csv -NoTypeInformation

I don't know how efficiently this runs in your AD. I tested this with a 722 member group, and it took 22.221 seconds to run.

I would try something like this instead as it will be significantly faster :

$GroupFilterDN = (Get-ADGroup "DOMAIN users").DistinguishedName
$GroupCheck = (Get-ADGroup "Group A").DistinguishedName
Get-ADUser -filter {(memberof -eq $GroupFilterDN -or PrimaryGroup -eq $GroupFilterDN) -and (ObjectClass -eq "user")} -Properties comment,displayname,MemberOf | 
select saMAccountName,displayname,comment,@{Name="MemberOf";Expression={$_.MemberOf.where({$_ -in $GroupCheck}) -join ";"}} | 
Sort-Object SamAccountName | Export-csv -path C:\Install\Export-AD.csv -NoTypeInformation

You need to replace the Group A string with your group name in the $GroupCheck variable. $GroupFilter contains the group you want to filter on. In your example, you wanted to filter on Domain Users. The variable holds the DN for that group. $GroupCheck contains the group for which you want to find members. The variable holds the DN for that group. In your example, you called this Group A. The PrimaryGroup check had to be added since in your example you are using Domain Users. Domain Users does not show up in the MemberOf property. The where({$_ -in $GroupCheck}) method is for when $GroupCheck has multiple groups. $GroupCheck currently would only have one group, but it could be tweaked to have multiple.

The code removes the requirement of using the Get-ADGroupMember command, which contains the Where-Object . Then it adds a comparison operation ( -eq ) for the MemberOf expression.

I tested the second block of code and it completed in 3.847 seconds with the same 722 member group.