I have a set of 10 AD groups. What I'd like is to programmatically find out which users in the AD domain are NOT members of those 10 groups. There is only one domain. I know it's possible to perform ADO SQL queries in a VBScript, but I was wondering (hoping, praying) if someone had a canned script?

I suppose a hacky way might be:

  1. Dump all users from the 10 groups
  2. Dump all users from the domain
  3. Run a windiff on the 2 dumps

Any ideas?

+1  A: 

System.DirectoryServices provides the ability to write LDAP queries. Something like this: (&(objectclass=User)(!memberof=cn=group1,...)(!memberof=cn=group2,...)(!memberof=cn=group3,...))

Each memberof condition has to be explicitly spelled out, I believe.

I am just answering quickly, so I don't have 100% of the code to show you.

JJO
grantc
+1  A: 

For anyone interested, this worked:

(&(objectCategory=Person)
    (&
        (!memberOf=CN=group1,dc=company,dc=local)
        (!memberOf=CN=group2,dc=company,dc=local)
        (!memberOf=CN=group3,dc=company,dc=local)
    )
)
20th Century Boy
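An added example (not code from either answer, and written in Python rather than VBScript) that builds the filter from the second answer for any list of group DNs, escapes the values per RFC 4515, and evaluates the membership clauses offline against a constructed sample directory. It also shows the check a practitioner wants before trusting the result: a plain memberOf clause only sees direct membership, so a user who reaches one of the groups through a nested group still comes back as "not a member"; AD's LDAP_MATCHING_RULE_IN_CHAIN extensible match (OID 1.2.840.113556.1.4.1941) closes that gap. The group DNs and user records below are constructed sample data, not real directory output, and the filter text is meant to be passed to System.DirectoryServices, Get-ADUser -LDAPFilter, or ldapsearch.

```python
# Build the "user is in none of these groups" AD filter from the answer above,
# with RFC 4515 escaping, and show why direct memberOf misses nested groups.

# Characters that must be escaped inside an LDAP filter assertion value (RFC 4515).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

# AD's LDAP_MATCHING_RULE_IN_CHAIN: matches through nested group membership.
IN_CHAIN = "1.2.840.113556.1.4.1941"

def build_filter(group_dns, transitive=False):
    attr = f"memberOf:{IN_CHAIN}:" if transitive else "memberOf"
    # (!(attr=value)) is the RFC 4515 form; objectClass=user excludes contact
    # objects, which objectCategory=person alone would also return.
    nots = "".join(f"(!({attr}={escape_filter_value(dn)}))" for dn in group_dns)
    return f"(&(objectCategory=person)(objectClass=user){nots})"

# Constructed sample data standing in for the directory (not real AD output).
SAMPLE_USERS = {  # sAMAccountName -> direct memberOf values
    "alice": ["CN=group1,DC=company,DC=local"],
    "bob": ["CN=helpdesk,DC=company,DC=local"],  # helpdesk is itself a member of group2
    "carol": [],
}
SAMPLE_NESTING = {  # group DN -> DNs of groups that are its members
    "CN=group2,DC=company,DC=local": ["CN=helpdesk,DC=company,DC=local"],
}
TARGET_GROUPS = ["CN=group1,DC=company,DC=local", "CN=group2,DC=company,DC=local"]

def expand_chain(group_dns, nesting):
    """Every group whose membership chain ends in one of group_dns (IN_CHAIN semantics)."""
    nesting = {k.lower(): [m.lower() for m in v] for k, v in nesting.items()}
    seen, stack = set(), [dn.lower() for dn in group_dns]
    while stack:
        dn = stack.pop()
        if dn not in seen:
            seen.add(dn)
            stack.extend(nesting.get(dn, []))
    return seen

def users_in_none_of(users, group_dns, nesting=None, transitive=False):
    """Evaluate the filter's membership clauses offline; DN matching is case-insensitive."""
    targets = expand_chain(group_dns, nesting or {}) if transitive else {dn.lower() for dn in group_dns}
    return sorted(u for u, direct in users.items() if not targets & {g.lower() for g in direct})

if __name__ == "__main__":
    print(build_filter(TARGET_GROUPS))
    print("direct:    ", users_in_none_of(SAMPLE_USERS, TARGET_GROUPS))
    print("transitive:", users_in_none_of(SAMPLE_USERS, TARGET_GROUPS, SAMPLE_NESTING, True))
```

With the sample data, the direct filter reports bob as outside the groups even though helpdesk sits inside group2; the transitive variant reports only carol.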