Export AD users not in a group
Here is a script that exports all AD users who are members of the "zapret_usb" group:
Import-module ActiveDirectory
Get-ADGroupMember -Identity zapret_USB -Recursive |
Get-ADObject -Properties name, title, department, company |
Format-Table name, title, department, company -autosize |
Out-String -Width 4096 > c:\export.csv
$host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") | out-null
Is there a way to dump all AD users that are NOT in the "ban_usb" group?
The other day I was concerned with a similar issue; as a first approximation I came up with the following solution:
$allusers = Get-ADUser -Filter *
$vipusers = Get-ADGroupMember -Identity <some group> -Recursive
Compare-Object $allusers $vipusers
I would do it in reverse:
1. A "USB ban" group
2. If USB usage is prohibited, we roll out the policy for disabling USB host devices in Windows; you don't have to go into the BIOS, and when you log in again as an administrator you can turn the USB device on.
$a = Get-ADGroupMember zapret_USB
$b = Get-ADUser -Filter *
ForEach ($i in $a) {
    $b = $b | Where-Object { -not ($_.SamAccountName -eq $i.SamAccountName) }
}
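An added example (not code from any of the posts above) of the export the question asks for: every user that is not a direct or nested member of the group, written as a real CSV. It assumes the group name zapret_USB from the question; the function name Get-UsersOutsideGroup and the output file name are hypothetical, and when the ActiveDirectory module is not installed the script falls back to constructed sample data so the logic can be tried without a domain.

```powershell
# Set difference: all users minus the (recursive) members of one group.
function Get-UsersOutsideGroup {
    param(
        [Parameter(Mandatory)] [object[]] $AllUsers,
        [object[]] $GroupMembers = @()
    )
    # Index members by SamAccountName (case-insensitive) so each user is
    # checked with one hash lookup instead of re-filtering the whole list.
    $inGroup = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($m in $GroupMembers) {
        if ($m.SamAccountName) { [void]$inGroup.Add($m.SamAccountName) }
    }
    $AllUsers | Where-Object { -not $inGroup.Contains($_.SamAccountName) }
}

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    # -Recursive resolves nested groups down to their leaf members.
    $members = @(Get-ADGroupMember -Identity zapret_USB -Recursive)
    $users   = @(Get-ADUser -Filter * -Properties Title, Department, Company)
} else {
    # Constructed sample data (not from a real directory).
    $members = @([pscustomobject]@{ SamAccountName = 'ivanov' })
    $users = @(
        [pscustomobject]@{ SamAccountName = 'Ivanov'; Name = 'Ivanov I.'
            Title = 'Engineer'; Department = 'IT'; Company = 'Example' }
        [pscustomobject]@{ SamAccountName = 'petrov'; Name = 'Petrov P.'
            Title = 'Accountant'; Department = 'Finance'; Company = 'Example' }
    )
}

# Select-Object + Export-Csv keeps one record per user with real columns;
# Format-Table would only write a text rendering of the table to the file.
Get-UsersOutsideGroup -AllUsers $users -GroupMembers $members |
    Select-Object Name, SamAccountName, Title, Department, Company |
    Export-Csv -Path .\users_not_in_group.csv -NoTypeInformation -Encoding UTF8
```

With the sample data the CSV contains only petrov, because the 'ivanov' member matches 'Ivanov' case-insensitively.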