A Script to audit AD to show every user, with every group they are in

Posted on 2009-04-01
Last Modified: 2013-12-24
I have been given the above task; I immediately thought of PowerShell, which I am still a novice at. I just prefer the one-liners to get the job done.
I borrowed and burgled some code to get the below:

function func_Member_of {
    # Builds a group membership for a given user, computer or group
    # Returns only direct group membership
    $input | ForEach-Object {
        if ($_.primaryGroupID) {
            # The primary group is not listed in memberOf; rebuild its SID from the
            # user's SID and the primaryGroupID RID, then look the group up
            $_.SID.Value -replace '-\d+$', "-$($_.PrimaryGroupID)" | Get-QADGroup -Connection $_.Connection
        }
        if ($_.memberOf) {
            $_.memberOf | Get-QADGroup -Connection $_.Connection
        }
    }
}

Get-QADUser -SizeLimit 0 -ErrorAction SilentlyContinue | func_Member_of | Select-Object -Property `
    "name","Office","group","company" | Export-Csv c:\adgroup.csv

This unfortunately only returns the groups, no mention of the users or any of the other parameters I would like to sort on further down the line.
I figure that the function needs to be expanded to accommodate this.

If you have an answer that's not PS, that's fine.

Thanks in advance.
Question by: cplit
LVL 18

Expert Comment

ID: 24045665

if ($_.memberOf) {
    $_.memberOf | Get-QADGroup -Connection $_.Connection
}

if ($_.memberOf) {
    $_.memberOf | Get-QADObject -Connection $_.Connection
}

Author Comment

ID: 24045824
Hi BSonPosh,
That has cleaned up the group names, thanks for that.
There is still the issue of a long list of groups (approx 4000), but it still doesn't show the users.

All I have managed to show with this script is a long list of groups.
I also need to show the users relative to their group membership.

The script seems to order the groups the right way (per user), but the user has been omitted from the output.
LVL 18

Expert Comment

ID: 24045945
Doh!... not sure what I was thinking. memberof only contains groups :)

LVL 18

Expert Comment

ID: 24046035
If you are in a single domain, try this:

Get-QADUser -sl 0 -ea 0 | Select-Object name,Office,group,company,TokenGroups | Export-Csv c:\adgroup.csv -NoType
LVL 18

Accepted Solution

BSonPosh earned 500 total points
ID: 24046083
Whoops... that doesn't work.

Try this:

Get-QADUser -sl 0 -ea 0 | Select-Object name,Office,group,company,@{n="Groups";e={$_.TokenGroups | %{$_.Name}}} | Export-Csv C:\temp\adgroup2.csv -NoType

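The accepted one-liner collapses all of a user's groups into a single CSV cell, which is awkward to sort or filter when auditing who sits in a given group. As an added example (not code from this thread, and using the Microsoft ActiveDirectory module rather than the Quest Get-QAD* cmdlets), the same audit written to emit one row per user and group, including the primary group and, optionally, groups reached through nesting; the function name, the -Nested switch and the output path are my own choices.

```powershell
# Added example, not from the thread: one row per user/group pair for sorting and filtering.
Import-Module ActiveDirectory

function Get-UserGroupReport {
    param(
        [string]$SearchBase,   # optional OU distinguished name to limit the audit
        [switch]$Nested        # also report groups reached through group nesting
    )
    $params = @{ Filter = '*'; Properties = 'memberOf','primaryGroupID','Office','Company' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params | ForEach-Object {
        $user = $_
        # The primary group (normally Domain Users) is not listed in memberOf; rebuild its
        # SID from the user's SID and primaryGroupID, as the question's function does.
        $primarySid = $user.SID.Value -replace '-\d+$', "-$($user.primaryGroupID)"
        $groups = @(Get-ADGroup -Identity $primarySid)
        if ($Nested) {
            # LDAP_MATCHING_RULE_IN_CHAIN makes the DC walk the member chain and return
            # every group the user belongs to, directly or through nesting.
            # Escape the DN for use inside an LDAP filter (RFC 4515), backslash first.
            $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' `
                                          -replace '\)', '\29' -replace '\*', '\2a'
            $groups += Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"
        } elseif ($user.memberOf) {
            $groups += $user.memberOf | ForEach-Object { Get-ADGroup -Identity $_ }
        }
        foreach ($g in $groups | Sort-Object -Property Name -Unique) {
            [pscustomobject]@{
                User       = $user.SamAccountName
                Name       = $user.Name
                Office     = $user.Office
                Company    = $user.Company
                Group      = $g.Name
                GroupScope = $g.GroupScope
                Membership = if ($g.SID.Value -eq $primarySid) { 'Primary' }
                             elseif ($user.memberOf -contains $g.DistinguishedName) { 'Direct' }
                             else { 'Nested' }
            }
        }
    }
}

# Audit the whole domain, including nested membership, and export for review.
Get-UserGroupReport -Nested | Export-Csv C:\temp\adgroup-audit.csv -NoTypeInformation
```

With one row per pair, a reviewer can filter the CSV on Group to list every member of a sensitive group, or on Membership to spot users whose access comes only through nesting.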

Author Comment

ID: 24046424
Thanks so much for your prompt help.
That worked a treat

Thanks again

Author Closing Comment

ID: 31565595
