I have modified the script found here: https://www.quest.com/community/one-identity/active-roles/f/active-roles-forum/9091/dynamic-groups-created-by-a-script
However, what I cannot get to work is the LDAP filter. I need to include all the user accounts from the search base and then exclude the accounts in the child OU, ServiceAccounts.
$JOBCODE = "Privilege"
$REGION = "Admin"
$GroupsOU = "OU=Groups,OU=Data Management,DC=my,DC=company,DC=co,DC=uk"
$SearchBase = "OU=ADManagement,DC=my,DC=company,DC=co,DC=uk"
$groupName = "G_POL_Privilege_Users"
#Create a new group and assign to variable $DN.
$DN=(New-QADGroup -Name $groupName -SamAccountName $groupName -ParentContainer $GroupsOU).DN
#Retrieve DN of New group, through ADSI.
$objGroup = $Null
$objGroup = [ADSI] "EDMS://$DN"
#Return a reference to membership rule collection for this group
$objRuleCollection = $objGroup.MembershipRuleCollection
#Create a new 'Include by Query' rule
$rule1 = New-Object -ComObject "EDSIManagedUnitCondition"
$rule1.Base = "EDMS://$SearchBase"
# Include every user account under the search base. An AD LDAP filter cannot match on the
# container part of a DN (AD does not support the ':dn:' extensible-match syntax, and DN
# attributes do not allow wildcards), so the ServiceAccounts child OU cannot be excluded
# inside this filter. Exclude it with a separate 'Exclude by Query' rule (Type 2 in the
# reference list below) whose Base is that OU.
$rule1.Filter = '(&(objectCategory=person)(objectClass=user))'
$rule1.Type = 1 # 'Include by Query'
# Reference - uncomment the line and copy as needed.
#$rule1.Type = 1 # Include object by query
#$rule1.Type = 2 # Exclude object by query
#$rule1.Type = 3 # Include directly
#$rule1.Type = 4 # Exclude directly
#$rule1.Type = 5 # Include members of the group selected
#$rule1.Type = 6 # Exclude members of the group.
#$rule1.Type = 7 # Keep membership even if member is deprovisioned. The default is to remove a member when a member is deprovisioned.
# Add the newly created rule to the rule collection
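As an added example (not the poster's script and not Active Roles documentation), this is how the include/exclude pair would look for the question above: one 'Include by Query' rule over the whole search base and one 'Exclude by Query' rule whose Base is the ServiceAccounts child OU, so the OU exclusion is expressed as a rule rather than in the LDAP filter. It assumes that the ServiceAccounts OU is a direct child of $SearchBase, that the rule collection exposes an Add() method and that SetInfo() commits the group, as with ADSI objects; the group DN is built from the values in the script.

```powershell
# Added example, not the poster's code. Assumptions are marked as such.
$SearchBase       = "OU=ADManagement,DC=my,DC=company,DC=co,DC=uk"
$ServiceAccountOU = "OU=ServiceAccounts,$SearchBase"   # assumed: direct child OU of the search base
$GroupDN          = "CN=G_POL_Privilege_Users,OU=Groups,OU=Data Management,DC=my,DC=company,DC=co,DC=uk"

$objGroup          = [ADSI] "EDMS://$GroupDN"
$objRuleCollection = $objGroup.MembershipRuleCollection

# Rule 1: include every user account in the search base subtree.
$include = New-Object -ComObject "EDSIManagedUnitCondition"
$include.Base   = "EDMS://$SearchBase"
$include.Filter = '(&(objectCategory=person)(objectClass=user))'
$include.Type   = 1   # Include by Query

# Rule 2: exclude every user account found under the ServiceAccounts child OU.
# The same filter is reused; only the Base differs, so an account matched by
# rule 1 that lives in ServiceAccounts is still kept out of the group.
$exclude = New-Object -ComObject "EDSIManagedUnitCondition"
$exclude.Base   = "EDMS://$ServiceAccountOU"
$exclude.Filter = '(&(objectCategory=person)(objectClass=user))'
$exclude.Type   = 2   # Exclude by Query

# Assumed: the collection exposes Add(), and SetInfo() commits the rules to Active Roles.
$objRuleCollection.Add($include)
$objRuleCollection.Add($exclude)
$objGroup.SetInfo()

# Check: this should return nothing. Any result is a service account that ended up
# in the privileged group, i.e. the exclude rule is not doing its job.
Get-QADGroupMember -Identity $GroupDN | Where-Object { $_.DN -like "*$ServiceAccountOU" }
```

Because a dynamic group like this picks up every account created anywhere under the search base from then on, the final check is worth keeping as a scheduled review rather than running it once: a new sub-OU or a service account placed outside ServiceAccounts would become a member automatically.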