Powershell - Get-ADComputer -properties memberof

Posted 2019-03-04 02:54

Question:

I am trying to find if any servers in our environment have NOT been applied to a particular group. I have a list of groups that we use to patch our Windows Servers on particular days / nights / manual etc. I am trying to check if any server in our environment was incorrectly put on the domain and missed this step - does not have a Patching Group Member.

So far I have:

# Pull every computer object, then keep only the Windows Server 2003/2008 machines
$servers = Get-ADComputer -Filter 'ObjectClass -eq "Computer"' -Properties *
foreach ($server in $servers) {
   if ($server.OperatingSystem -match "Windows Server 2008" -or $server.OperatingSystem -match "Windows Server 2003") {
      $server.Name, $server.OperatingSystem, $server.MemberOf
   }
}

Above lists all servers that run Windows in our environment and the Members assigned to that Computer Object. Say we have 3 particular groups that manage how these servers are patched.

group1, group2, group3

Every server from the script above should return servers with group1, group2 or group3. I would like to return all the servers that DON'T have group1, group2 or group3 applied.

Please can someone point me in the right direction.

Thank you.

Answer 1:

Let's work with this:

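$groups = @("Terminal Server License Servers","Exchange Trusted Subsystem","Cert Publishers")
# Anchor both ends so only full group names match
$regex = '^({0})$' -f ($groups -join '|')
# -match against a list returns the names that match; an empty result means
# the computer is in none of the groups (-notmatch would return the other names instead)
Get-ADComputer -Filter {OperatingSystem -like "Windows Server 200*"} -Properties * |
    Where-Object{-not (($_.MemberOf | Get-ADGroup).Name -match $regex)} |
    Select-Object Name,OperatingSystem,MemberOf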

Take the groups and turn them into an array. Join the array members into a regex string which will match the full names of groups. Move the If statement into a -Filter to return only what you want, which would make it more efficient. The MemberOf is a list of DistinguishedNames. Get just the group name from Get-ADGroup. You could easily use string manipulation to extract the name from the DN. I just find this easier. Haven't done anything, beyond a Select-Object, with the results, but you could pipe into a ForEach-Object and process accordingly.
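
An added example, not part of the question or the answer above: the same check done as one server-side LDAP query that compares group distinguished names exactly and, going beyond the answer, also counts nested membership. It assumes the question's placeholder names group1, group2 and group3 can be resolved by `Get-ADGroup -Identity`; `ConvertTo-LdapFilterValue` is a helper defined here, not an ActiveDirectory module cmdlet.

```powershell
Import-Module ActiveDirectory

# Placeholder names from the question; replace with the real patching groups.
$patchGroups = 'group1', 'group2', 'group3'

# Escape the characters that are special inside an LDAP filter value (RFC 4515).
# Backslash goes first so the escapes added afterwards are not escaped again.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Resolve each group to its distinguishedName once. A misspelled group name
# stops the run here instead of silently reporting every server as unpatched.
$clauses = foreach ($name in $patchGroups) {
    $dn = (Get-ADGroup -Identity $name -ErrorAction Stop).DistinguishedName
    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: it matches
    # direct membership and membership through nested groups.
    '(memberOf:1.2.840.113556.1.4.1941:={0})' -f (ConvertTo-LdapFilterValue $dn)
}

# Computers running Windows Server 200x that are in none of the patch groups.
$ldapFilter = '(&(objectCategory=computer)(operatingSystem=Windows Server 200*)(!(|{0})))' -f ($clauses -join '')

# Request only the attributes that are reported, not -Properties *.
Get-ADComputer -LDAPFilter $ldapFilter -Properties OperatingSystem, MemberOf |
    Sort-Object Name |
    Select-Object Name, OperatingSystem,
        @{ Name = 'DirectGroups'; Expression = { $_.MemberOf -join '; ' } }
```

The in-chain matching rule can be slow in large directories, and `memberOf` never lists an object's primary group, so a server whose primary group is one of the patch groups would still be reported.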