notcontains not working for User objects pulled from AD Groups

by

tl;dr

Don’t store the AD user objects themselves in your arrays, use their .SamAccountName property value instead (generally, pick a property that uniquely identifies the objects):

# ...
$SPSecUKUsers += $SPSecUser.SamAccountName
# ...
if ($SPSecUKUsers -notcontains $UKUser.SamAccountName) { # ...

See the next section, if you want to know why storing the objects themselves doesn’t work.

Alternatively – for faster lookups – use a hashtable:

$SPSecUKUsers = @{} # initialize hashtabe
# ...
# Create an entry for the object at hand, using its .SamAccountName
# as the entry *key*; you can store the object itself as the entry *value*.
# If all you need are lookups by SAM account name, however, you can just
# use a fixed value such as $true.
$SPSecUKUsers[$SPSecUser.SamAccountName] = $SPSecUser
# ...
if ($SPSecUKUsers.ContainsKey($UKUser.SamAccountName)) { # ...

About PowerShell’s containment (collection-membership) operators:

As Olaf and Lee_Dailey imply in the comments, PowerShell’s containment operators (-contains / notcontains and -in / -notin) check the comparison operand for reference equality (identity) with the elements of the input array, if those elements are instance of .NET reference types, with the exception of [string] instances. [string] instances and instance of value types are tested with
value equality (equivalence) – see Equality Comparisons.

You can think of these operators as an implicit loop over the input array’s elements, testing each against the comparison operand with the -eq operator (or, if you use the case-sensitive variant such as -ccontains, with -ceq), using reference equality or value equality, depending on the element type.

Important: Due to PowerShell’s flexible automatic type-conversion rules, which operand is the LHS in an -eq operation matters. Using -in or -contains means that the LHS of the implied -eq operation is the array element being tested against, as the following examples show:

 # `, 10` creates a single-element array
 '0xa' -in , 10       # equivalent of: 10 -eq '0xa' => $true
 , 10 -contains '0xa' # ditto

 # 
 10 -in , '0xa'        # equivalent of: '0xa' -eq 10 => $false
 , '0xa' -contains 10  # ditto

In the first 2 operations, the LHS being a number ([int]) forces the string RHS ([string]) to a number ([int]) too, and the hex “number string” '0xa' converts to an [int] with decimal value 10 too.

In the latter 2, the LHS being a string ([string]) forces the number 10 to become a string too, and '10' obviously doesn’t match '0xa'.

Value equality (equivalence) means that two objects have the same content, even though, with distinct value-type objects, that content is by definition stored in different memory locations.

Numeric types such as [int] and [double] are value types, for instance. As a rough rule of thumb, objects that have properties are often reference types.
You can check a given type’s .IsValueType property; e.g., [int].IsValueType returns $true.

Reference equality (identity) means that two values are only considered equal if they point to the very same object in memory, i.e., the same instance of a reference type.

Otherwise, they’re considered not equal, even if they represent what is conceptually the same entity, which is what happened in your case: two separate calls to Get-ADUser return distinct objects, even if you (in part) ask for the same users in both cases (Get-ADUser returns instance of type Microsoft.ActiveDirectory.Management.ADUser, which is a reference type).

Examples:

# Create a custom object...
$customObject = [pscustomobject] @{ one = 1; two = 2 }
# which is an instance of a reference type.
$customObject.GetType().IsValueType # -> $false

# Create an array comprising a value-type instance (1)
# and a reference-type instance (the custom object).
$arr = 1, $customObject 

# Look for the value-type instance.
$objectToLookFor = 1

$arr -contains $objectToLookFor # value equality -> $true

# Create another custom object, with the same properties as above.
$objectToLookFor = [pscustomobject] @{ one = 1; two = 2 }

# This lookup *fails*, because $objectToLookFor, despite having the same
# properties as the custom object stored in the array, is a *different object* 
$arr -contains $objectToLookFor # reference equality -> $false(!)

# If we look for the very same object stored in the array, the lookup
# succeeds.
$arr -contains $customObject # -> $true

More Related Contents:

  1. Renaming files by reformatting existing filenames – placeholders in replacement strings used with the -replace operator
  2. Unable to Pause or Sleep after Select-Object
  3. Powershell Invoke-WebRequest Fails with SSL/TLS Secure Channel
  4. How can I find the Upgrade Code for an installed MSI file?
  5. What’s the better (cleaner) way to ignore output in PowerShell? [closed]
  6. How to enter a multi-line command
  7. Add a where-object on a table construct?
  8. Is there a way to create an alias to a cmdlet in a way that it only runs if arguments are passed to the alias?
  9. Is there a way to make a PowerShell script work by double clicking a .ps1 file?
  10. How to redirect the output of a PowerShell to a file during its execution
  11. How can I make PowerShell handle [ or ] in file name well?
  12. What’s the difference between .replace and -replace in powershell?
  13. ‘kubectl patch’ works on Linux Bash but not in Windows Powershell ISE
  14. Ternary operator in PowerShell
  15. CMD pipe different form Powershell pipe?
  16. Why does the `using` scope work locally with Start-Job, but not Invoke-Command?
  17. Get-Content and show control characters such as `r – visualize control characters in strings
  18. Powershell send-mailmessage – email to multiple recipients
  19. Function Get-IniContent is not recognized – INI file support inPowerShell
  20. If Statement Against Dynamic Variable [duplicate]
  21. Copy file remotely with PowerShell
  22. Add Column to CSV Windows PowerShell
  23. Passing a function to Powershell’s (replace) function
  24. Parsing a Powershell variable
  25. Get-ADGroupMember : The size limit for this request was exceeded
  26. What does the & symbol in powershell mean?
  27. Write output to a text file in PowerShell
  28. Powershell Get-ChildItem -Filter operates differently to Where clause with same value
  29. Boolean literals in PowerShell
  30. Unix newlines to Windows newlines (on Windows)

Leave a Comment