Get-ADUser - Filter child OU's and users where surname is empty


I am trying to run a command where I get all Active Directory users in the parent OU (Users) and filter out the child OUs (admin accounts, service accounts, disabled accounts), as well as filter out any user account that does not have a surname in the surname field.

At the moment I have

Get-ADUser -Filter{enabled -eq $true} -SearchBase 'OU=Users,OU=Company,DC=CompanyName,DC=local' | Where-Object { $_.DistinguishedName -notlike "*,$Disabled" } | Where {$_.Surname -notlike "$Null"} | select samAccountName

When I add another child OU after 'Disabled' there is an error

Where-Object : A positional parameter cannot be found that accepts argument 'Where'.

Please may someone advise on how to filter out additional child OUs?


I would use a regex with -notmatch, so it would be possible to combine all OU DistinguishedNames in just one variable.

Something like this:

$Admins   = 'OU=Administrators,OU=Company,DC=CompanyName,DC=local'
$Service  = 'OU=ServiceAccounts,OU=Company,DC=CompanyName,DC=local'
$Disabled = 'OU=DisabledUsers,OU=Company,DC=CompanyName,DC=local'

# build a regex string from the above OU DistinguishedNames
$Exclude = '({0}|{1}|{2})$' -f [regex]::Escape($Admins), [regex]::Escape($Service), [regex]::Escape($Disabled)

Get-ADUser -Filter 'Enabled -eq $true' -SearchBase 'OU=Users,OU=Company,DC=CompanyName,DC=local' | 
Where-Object { ![string]::IsNullOrWhiteSpace($_.Surname) -and $_.DistinguishedName -notmatch $Exclude } | 
Select-Object SamAccountName

As per your comment:

$Admins   = 'OU=Administrators,OU=Company,DC=CompanyName,DC=local'
$Service  = 'OU=ServiceAccounts,OU=Company,DC=CompanyName,DC=local'
$Disabled = 'OU=DisabledUsers,OU=Company,DC=CompanyName,DC=local'

# the group you want to add the users to
$TargetGroup = 'Company Team'

# build a regex string from the above OU DistinguishedNames
$Exclude = '({0}|{1}|{2})$' -f [regex]::Escape($Admins), [regex]::Escape($Service), [regex]::Escape($Disabled)

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase 'OU=Users,OU=Company,DC=CompanyName,DC=local' | 
         Where-Object { ![string]::IsNullOrWhiteSpace($_.Surname) -and $_.DistinguishedName -notmatch $Exclude }

# get the AD group as object
$GroupObject = Get-ADGroup -Filter "Name -eq '$TargetGroup'"

# now add these users that have Surnames to the security group all in one go
try {
    Write-Host "Adding $(@($users).Count) users to group $TargetGroup"
    $GroupObject | Add-ADGroupMember -Members $users -ErrorAction Stop -Verbose
}
catch {
    Write-Warning "Error: $($_.Exception.Message)"
}

# or, if you prefer to loop through the users and add each one individually, use this instead
# foreach ($user in $users) {
#     try {
#         Write-Host "Adding user $($user.Name) to group $TargetGroup"
#         $GroupObject | Add-ADGroupMember -Members $user -ErrorAction Stop -Verbose
#     }
#     catch {
#         Write-Warning "Error adding user $($user.Name) to group $($TargetGroup): $($_.Exception.Message)"
#     }
# }
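As an added example (not part of either answer above), the exclusion and surname checks are pulled into two functions and exercised against constructed stand-ins for Get-ADUser output, so the filter can be verified offline before it feeds a bulk Add-ADGroupMember against a live domain. It generalizes the answer's three-OU pattern to any number of OUs; the account names and DNs are hypothetical.

```powershell
# Added example: build the OU-exclusion regex and verify the filter on sample objects.

function New-ExcludeRegex {
    param([Parameter(Mandatory)][string[]]$OuDistinguishedName)
    # Escape each DN (commas and '=' are literal) and anchor at the end of the string,
    # so only accounts whose DN ends in one of these OUs are excluded.
    $escaped = $OuDistinguishedName | ForEach-Object { [regex]::Escape($_) }
    return '(?:' + ($escaped -join '|') + ')$'
}

function Select-EligibleUser {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$User,
        [Parameter(Mandatory)][string]$ExcludeRegex
    )
    process {
        # Keep the account only if Surname is present and non-blank
        # and the DN does not sit inside an excluded OU.
        if (-not [string]::IsNullOrWhiteSpace($User.Surname) -and
            $User.DistinguishedName -notmatch $ExcludeRegex) {
            $User
        }
    }
}

$Exclude = New-ExcludeRegex -OuDistinguishedName @(
    'OU=Administrators,OU=Company,DC=CompanyName,DC=local',
    'OU=ServiceAccounts,OU=Company,DC=CompanyName,DC=local',
    'OU=DisabledUsers,OU=Company,DC=CompanyName,DC=local'
)

# Constructed stand-ins for Get-ADUser output (hypothetical accounts):
# a normal user, an admin account with a surname, a service account with no surname,
# and a shared mailbox whose surname is whitespace only.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   Surname = 'Doe'; DistinguishedName = 'CN=John Doe,OU=Users,OU=Company,DC=CompanyName,DC=local' }
    [pscustomobject]@{ SamAccountName = 'adm-jd'; Surname = 'Doe'; DistinguishedName = 'CN=adm-jd,OU=Administrators,OU=Company,DC=CompanyName,DC=local' }
    [pscustomobject]@{ SamAccountName = 'svc-bk'; Surname = $null; DistinguishedName = 'CN=svc-bk,OU=ServiceAccounts,OU=Company,DC=CompanyName,DC=local' }
    [pscustomobject]@{ SamAccountName = 'shared'; Surname = '   '; DistinguishedName = 'CN=shared,OU=Users,OU=Company,DC=CompanyName,DC=local' }
)

$eligible = $sample | Select-EligibleUser -ExcludeRegex $Exclude
$eligible | Select-Object SamAccountName, DistinguishedName
```

In production, replace `$sample` with the Get-ADUser call from the answer and review `$eligible` before passing it to Add-ADGroupMember.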

Good day Smoore

The problem is that you are using multiple Where-Object cmdlets, but you only need one: separate the conditions using () and add the -and operator. Also, to refer to the $null value you don't need to use the "" marks.

Get-ADUser -Filter {Enabled -eq $true} -SearchBase "OU=Users,OU=Company,DC=CompanyName,DC=local" | Where-Object {($_.DistinguishedName -notlike "*,$Disabled*") -and ($_.Surname -notlike $Null)} | select samAccountName

With these options you should be able to get all the users you want.

Have a nice day!