In this guide, I’m going to show you a simple Windows Powershell script you can use to find users that are NOT part of an Active Directory security group.

This can be extremely useful in a number of situations. For example, if you are rolling out an Active Directory lockout policy and adding employees to it, you may want to check from time to time to make sure all new employees have been added to your “Lockout” group successfully.

The script below queries Active Directory using the Get-ADUser command, so there is no need to run Import-Module ActiveDirectory first. This script can also be run as a standard Windows user account, and PowerShell doesn’t need to be launched as an administrator.


Powershell Find Users NOT in Group Script

Here is the command you will run.

Just open PowerShell ISE and paste in the code. The only thing you need to change is the group name (SecurityGroup1 below); replace it with your own security group.

# Select the group you want
$group = Get-ADGroup SecurityGroup1

# Get all the enabled users. Filter with Where-Object so that only users whose MemberOf property
# does not contain the group's DN are kept, then format the result into an easy-to-view table.
Get-ADUser -Properties memberof -Filter 'enabled -eq $true' | Where-Object { $group.DistinguishedName -notin $_.memberof } | Format-Table DistinguishedName

After running it, here is the output:

If you are using managed service accounts, this script will pull those users in as well. It isn’t limited to running against just the “Users” OU because it’s pulling all users in AD.


Powershell Script Find Users Not In Group Filter By Username

Alternatively, if you want it to display just the username rather than the full distinguished name, you can use Format-Table SamAccountName instead. Here’s the code and output for that.

# Select the group you want
$group = Get-ADGroup SecurityGroup1

# Get all the enabled users. Filter with Where-Object so that only users whose MemberOf property
# does not contain the group's DN are kept, then format the result into an easy-to-view table.
Get-ADUser -Properties memberof -Filter 'enabled -eq $true' | Where-Object { $group.DistinguishedName -notin $_.memberof } | Format-Table SamAccountName
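The one-liners above only look at direct membership, so a user who belongs through a nested group is reported as missing, and a user whose primary group is the target group is never listed in memberOf at all. The following function is an added example (not code from the original post) that covers both cases, filters disabled accounts on the server side, and optionally limits the scope to one OU; the group name, OU path and output file are placeholders, and it assumes the ActiveDirectory RSAT module is available.

```powershell
# Added example: enabled users who are not members of a group, with nested membership
# resolved server-side via LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941).
# Assumes the ActiveDirectory module; GroupName/SearchBase values are placeholders.
function Get-UsersNotInGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [string] $SearchBase,      # optional OU DN to limit the scope (default: whole domain)
        [switch] $IncludeNested    # count membership through nested groups as membership
    )

    $group    = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    $groupDn  = $group.DistinguishedName
    $groupRid = [int](($group.SID.Value -split '-')[-1])   # RID, used for primaryGroupID check

    # Enabled user objects only: bit 2 (ACCOUNTDISABLE) of userAccountControl must be clear.
    $userParams = @{
        LDAPFilter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
        Properties = 'memberOf', 'primaryGroupID', 'whenCreated'
    }
    if ($SearchBase) { $userParams.SearchBase = $SearchBase }
    $users = Get-ADUser @userParams

    if ($IncludeNested) {
        # One query returns every user whose membership chain reaches the group.
        # Note: a group DN containing ( ) * or \ would need LDAP escaping before interpolation.
        $memberDns = @{}
        Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$groupDn)" |
            ForEach-Object { $memberDns[$_.DistinguishedName] = $true }
        $isMember = { param($u) $memberDns.ContainsKey($u.DistinguishedName) }
    } else {
        # Direct membership only: the same test the post's one-liner performs.
        $isMember = { param($u) $groupDn -in $u.memberOf }
    }

    foreach ($u in $users) {
        # Primary-group membership (e.g. Domain Users, RID 513) is not stored in memberOf.
        if ($u.primaryGroupID -eq $groupRid) { continue }
        if (-not (& $isMember $u)) {
            [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                Name              = $u.Name
                Created           = $u.whenCreated
                DistinguishedName = $u.DistinguishedName
            }
        }
    }
}

# Usage: newest accounts first, exported for review of lockout-policy coverage.
Get-UsersNotInGroup -GroupName 'SecurityGroup1' -IncludeNested |
    Sort-Object Created -Descending | Export-Csv .\users-not-in-group.csv -NoTypeInformation
```

Sorting by whenCreated puts recently created accounts at the top, which is what you want when the question is whether new employees were missed.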

Wrapping Up

Hopefully this simple script helps you clean up your AD groups and ensure everyone is added where they are supposed to be! I recommend adding this to your Powershell Menu Gui for quick access and running it every once in a while to ensure no newly created users are missed from a particular group.

