
List AD users that are not members of any of several groups

Updated: 2023-11-28 21:59:10


First up, I am not a script writer, so I apologise if this sounds like a real newbie question.

I am trying to write a PowerShell query to list all user accounts within a certain OU sub-tree who do not belong to at least one of 4 groups.

As far as I can tell you cannot query this directly on the AD User object, so you need to iterate through the groups to get the membership, but I'm not clear on how to go about this across multiple groups.

I have put together a script that can find all users, add them to a temporary group and then remove them if they belong to one of the four other groups, but this looks like a horrible way to approach it, so I am hoping someone has a better solution.

Here's what I currently have (don't laugh) :-(

Import-Module ActiveDirectory
$groupname = "TempGroup"
# The four groups whose members should be excluded
$excludegroup1 = "Group1"
$excludegroup2 = "Group2"
$excludegroup3 = "Group3"
$excludegroup4 = "Group4"
# Every user in the OU sub-tree is first added to the temporary group ...
$users = Get-ADUser -Filter * -SearchBase "ou=xxx,dc=xxx,dc=xxx" -SearchScope Subtree
foreach($user in $users)
{
  Add-ADGroupMember -Identity $groupname -Member $user.samaccountname -ErrorAction SilentlyContinue
}
# ... and then removed again if they are a member of one of the excluded groups
$members = Get-ADGroupMember -Identity $groupname   # unused
$excludemembers = Get-ADGroupMember -Identity $excludegroup1
foreach($member in $excludemembers)
{
  Remove-ADGroupMember -Identity $groupname -Member $member.samaccountname
}
$members = Get-ADGroupMember -Identity $groupname   # unused
$excludemembers = Get-ADGroupMember -Identity $excludegroup2
foreach($member in $excludemembers)
{
  Remove-ADGroupMember -Identity $groupname -Member $member.samaccountname
}
$members = Get-ADGroupMember -Identity $groupname   # unused
$excludemembers = Get-ADGroupMember -Identity $excludegroup3
foreach($member in $excludemembers)
{
  Remove-ADGroupMember -Identity $groupname -Member $member.samaccountname
}
$members = Get-ADGroupMember -Identity $groupname   # unused
$excludemembers = Get-ADGroupMember -Identity $excludegroup4
foreach($member in $excludemembers)
{
  Remove-ADGroupMember -Identity $groupname -Member $member.samaccountname
}

All help gratefully accepted.

All users, computers, groups and contacts (and possibly other objects) in Active Directory have a property called memberof. This property contains the distinguished names of all groups from the whole forest that this entity is a member of, as the attribute's name implies.

Given this information, you can now construct an LDAP search query to find all entities that are not members of at least one of those groups:

(!(|(memberof=CN=Group1,dc=domain,dc=com)(memberof=CN=Group2,dc=domain,dc=com)(memberof=CN=Group3,dc=domain,dc=com)(memberof=CN=Group4,dc=domain,dc=com)))

Other conditions may be included as necessary.

If you need to obtain the distinguished names of those groups first, you can either hard-code them in your filter or do a normal PowerShell search for the groups and then read their distinguished names.

You can use the LDAP query via the command's -LDAPFilter parameter.
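The approach the answer describes, written out as an added example (this is not the asker's script or the answerer's code). The OU path, domain and group names are placeholders; the only assumptions are that the ActiveDirectory module is available and that the four groups can be resolved by name with Get-ADGroup. It goes one step beyond the answer in two ways: the group DNs are escaped before being placed in the filter, and the filter can be built with the LDAP_MATCHING_RULE_IN_CHAIN matching rule so that users who are only nested members of an excluded group are also excluded.

```powershell
# Added example, not code from the question or the answer.
# Placeholders: OU sub-tree, domain and group names must be replaced with real ones.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=example,DC=com'            # assumed OU sub-tree
$GroupNames = 'Group1', 'Group2', 'Group3', 'Group4'  # assumed group names

# Escape a value for use inside an LDAP filter (RFC 4515). Without this, a group
# whose name contains ( ) * or \ would change the structure of the filter
# instead of being compared literally. The backslash is replaced first so the
# escapes themselves are not re-escaped.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a' -replace "`0", '\00'
}

# Build "(&(objectCategory=person)(objectClass=user)(!(|(memberOf=DN1)(memberOf=DN2)...)))"
# from a list of group DNs. Plain memberOf lists only the groups a user is a
# direct member of; with -Transitive the LDAP_MATCHING_RULE_IN_CHAIN rule
# (OID 1.2.840.113556.1.4.1941) makes the domain controller follow nested groups,
# so a user who is in Group1 only via a sub-group is excluded as well.
function New-NotMemberOfFilter {
    param(
        [Parameter(Mandatory)][string[]]$GroupDn,
        [switch]$Transitive
    )
    $attr = if ($Transitive) { 'memberOf:1.2.840.113556.1.4.1941:' } else { 'memberOf' }
    $clauses = foreach ($dn in $GroupDn) {
        "($attr=$(ConvertTo-LdapFilterValue $dn))"
    }
    "(&(objectCategory=person)(objectClass=user)(!(|$(-join $clauses))))"
}

# Resolve the group DNs with a normal search instead of hard-coding them.
# -ErrorAction Stop aborts if a group name is wrong, rather than silently
# building a filter that excludes fewer groups than intended.
$groupDns = foreach ($name in $GroupNames) {
    (Get-ADGroup -Identity $name -ErrorAction Stop).DistinguishedName
}

$filter = New-NotMemberOfFilter -GroupDn $groupDns -Transitive
Write-Verbose "LDAP filter: $filter"

# One server-side query replaces the temporary group and the four remove loops.
Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -SearchScope Subtree |
    Select-Object SamAccountName, DistinguishedName
```

Two caveats when using this for an access review: memberOf never contains a user's primary group (the one referenced by primaryGroupID, normally Domain Users), so that group cannot be excluded this way, and the transitive form is more expensive for the domain controller, so run it against a scoped -SearchBase rather than the whole domain. Drop -Transitive to get exactly the direct-membership filter shown in the answer.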