Powershell Script To Find Users NOT in Security Group

by Danny
0 comment

READING TIME: 3 MINUTES

In this guide, I’m going to show you a simple Windows Powershell script you can use to find users that are NOT part of an Active Directory security group.

This can be extremely useful in a number of situations. For example, if you are rolling out a Active Directory lockout policy and adding it employees to it, you may want to check from to time to time make sure all new employees get added to your “Lockout” group successfully.

The script below queries Active Directory using the get-aduser command, so no need to import-module ActiveDirectory. This script can also be ran as a Standard Windows user account, and Powershell doesn’t need to be launched as an administrator.


Powershell Find Users NOT in Group Script

Here is the command you run will run.

Just open Powershell ISE and paste in the code. The only thing you need to change is the green text below and replace it with your own security group.

#Select the group you want
$group = get-adgroup SecurityGroup1

#Get all the active users. Filter using Where-Object where the DN of the group does not appear in the MemberOf Property. Then, formats it into an easy-to-view table.

get-aduser -Properties memberof -filter 'enabled -eq $true' | Where-Object {$group.DistinguishedName -notin $_.memberof} | Format-Table DistinguishedName

After running it, here is the output:

If you are using managed service accounts, this script will pull those users in as well. It isn’t limited to running against just the “Users” OU because it’s pulling all users in AD.


Powershell Script Find Users Not In Group Filter By Username

Alternatively, if you want it to display just the username, rather than the First and Last names, you can just Format-Table SamAccountName instead. Here’s the code and output for that.

#Select the group you want
$group = get-adgroup SecurityGroup1

#Get all the active users. Filter using Where-Object where the DN of the group does not appear in the MemberOf Property. Then, formats it into an easy-to-view table.

get-aduser -Properties memberof -filter 'enabled -eq $true' | Where-Object {$group.DistinguishedName -notin $_.memberof} | Format-Table SamAccountName

Wrapping Up

Hopefully this simple script helps you clean up your AD groups and ensure everyone is added where they are supposed to be! I recommend adding this to your Powershell Menu Gui for quick access and running it every once in a while to ensure no newly created users are missed from a particular group.


My Homelab Equipment

Here is some of the gear I use in my Homelab. I highly recommend each of them.

The full list of server components I use can be found on my Equipment List page.

0 comment

You may also like

Leave a Comment