get-aduser -filter doesn't show users in OUs and SubOUs

Hi friends,

In my Active Directory, in the default "Users" container, I have created a group named "helpdesks".

I also have some OUs and sub-OUs, each of which contains some users.

I need to get all users in my entire domain who are not members of the helpdesks group.

Get-ADUser -SearchBase -Filter {memberof -notlike  'cn=helpdesks,cn=users,dc=mydomain,dc=lab' } | select name

Get-ADUser -SearchBase 'dc=mydomain,dc=lab' -searchscope subtree -Filter {memberof -notlike  'cn=helpdesks,cn=users,dc=mydomain,dc=lab' } | select name

But all commands return only these 3 accounts: administrator, Guest, krbtgt

(and not the accounts that are in ou-users, the users-marketing sub-OU and any other locations)

Strange!

Any ideas?

Thanks in advance.




  • Edited by john.s2011 Saturday, January 31, 2015 10:36 AM
January 31st, 2015 1:19pm

One interesting thing is that the following LDAP filter works, but the AD filter doesn't seem to work:

$helpdesks = 'cn=helpdesks,cn=users,dc=hp,dc=lab'

Get-ADUser -SearchBase 'dc=hp,dc=lab' -ldapFilter "(!memberof = $helpdesks )" | select distinguishedname


And this is Microsoft's statement about AD filters vs. LDAP filters:

To search for and retrieve more than one user, use the Filter or LDAPFilter parameters. The Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. PowerShell Expression Language syntax provides rich type conversion support for value types received by the Filter parameter

!!!!!!!!


  • Edited by john.s2011 Saturday, January 31, 2015 12:56 PM
January 31st, 2015 3:55pm

That was one I didn't actively know.  Thinking about it I realize it would be that way.

I am sure that Richard knows this but, for completeness, I would also add that it is true any time there is only one group in the list.  Make any group the primary and remove all other groups.  The same rules will apply.

A similar but broader statement is: "The 'memberOf' attribute of any user with only a Primary Group defined will be empty"

February 1st, 2015 8:45am
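
The thread's two observations combined, as an added example that is not part of the original posts: the results above are consistent with the `-Filter ... -notlike` comparison returning only users that have at least one `memberOf` value, while users whose only group is their primary group have an empty `memberOf`. The query below uses the negated LDAP filter and also excludes users who hold the group as their primary group (via the group's `primaryGroupToken`), which `memberOf` never shows. The DN and search base are the ones quoted in the first post; the variable names are chosen here.

```powershell
# Added example: list every user in the domain that is NOT a member of a group,
# without missing users whose memberOf attribute is empty.
Import-Module ActiveDirectory

$searchBase = 'dc=mydomain,dc=lab'                        # from the first post
$groupDn    = 'cn=helpdesks,cn=users,dc=mydomain,dc=lab'  # from the first post

# Set to $true to also treat membership through nested groups as membership
# (uses the AD matching rule LDAP_MATCHING_RULE_IN_CHAIN).
$includeNested = $false

# primaryGroupToken is the group's RID. A user whose primaryGroupID equals it
# is a member, yet the group DN is absent from that user's memberOf.
$group = Get-ADGroup -Identity $groupDn -Properties primaryGroupToken
$token = $group.primaryGroupToken

# Assumption: the DN contains no LDAP filter metacharacters ( ) * \ ; escape
# them as \28 \29 \2a \5c before embedding a DN that does.
$memberClause = if ($includeNested) {
    "(memberOf:1.2.840.113556.1.4.1941:=$groupDn)"
} else {
    "(memberOf=$groupDn)"
}

# (!(memberOf=...)) is true for users with other groups AND for users with no
# memberOf value at all; the second clause drops primary-group members.
$ldapFilter = "(&(!$memberClause)(!(primaryGroupID=$token)))"

$nonMembers = Get-ADUser -SearchBase $searchBase -SearchScope Subtree `
    -LDAPFilter $ldapFilter -Properties memberOf, primaryGroupID

# MemberOfCount = 0 marks the accounts the -Filter/-notlike query left out.
$nonMembers |
    Sort-Object DistinguishedName |
    Select-Object Name, DistinguishedName, primaryGroupID,
        @{ Name = 'MemberOfCount'; Expression = { @($_.memberOf).Count } }
```

When the output feeds an access review, compare its count against `(Get-ADUser -Filter * -SearchBase $searchBase).Count` minus the group's member count to confirm no accounts were silently dropped.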
