Using PowerShell with AD Nested groups

Posted on 2010-03-28
Medium Priority
Last Modified: 2012-05-09

I am running Active Roles Management Shell 1.2.2 in our AD 2003 environment.

We have a situation where we have some DLs that contain several other DLs (i.e. nested groups), which in turn contain other nested groups and so on. This makes it difficult to gather a list of who exactly is in the top-level group.

I had some questions I was hoping someone could help me with:

i) Is there a cmdlet I can use against a group that will return ALL the members of this group, regardless of which nested sub-group they are a member of?

ii) Is there a cmdlet I can use against a group that will return ALL of the members and also tell me which nested sub-group (if any) they belong to?

iii) Is there a cmdlet I can use against a group which will return all of the nested groups, regardless of the tier of nesting? For instance if I have:

Group1, which has members Group1a and Group1b. Group1b itself contains groups Group1ba and Group1bb.

I would like all groups returned, not just Group1 and Group1b.

Hope this makes sense?

Any help would be much appreciated!
Question by: kam_uk

Accepted Solution

dicconb earned 2000 total points
ID: 28973783
Hi kam_uk,

The key to your various questions is the "-indirect" option of the Get-QADGroupMember cmdlet.  This includes matches from groups that are nested within the group you specify.

Requirements i) and iii) are pretty simple (see examples A and B in the attached code).

Unfortunately requirement ii) is a bit more tricky, as the Get-QADGroupMember cmdlet doesn't tell us which specific nested group caused a given account to be returned. It is necessary to use some custom code to determine the parent group (see example C in the attached code).

Each example returns a variable containing the relevant objects ($users, $groups1, $users2).  You can pipe these variables into other commands as necessary, or customise the Format-Table commands to output the attributes you're interested in.

Hope this helps,

#Ensure Activeroles snap-in is loaded
add-pssnapin quest.activeroles.admanagement -ea SilentlyContinue

#Parent group for all commands below
$rootgroup = "Group1"

#Example A
Write-Host "Return all user accounts in a group, regardless of level of nesting:"
$users = get-qadgroupmember $rootgroup -indirect -type User
$users | Format-Table Name -auto 

#Example B
Write-Host "Return all group accounts in a group, regardless of level of nesting:"
$groups1 = get-qadgroupmember $rootgroup -indirect -type Group
$groups1 | Format-Table Name -auto

#Example C
Write-Host "Return all user accounts in a group (as above), and specify which nested groups they're a member of:"
$groups2 = get-qadgroupmember $rootgroup -indirect -type group
$users2 = get-qadgroupmember $rootgroup -indirect -type user

foreach ($user in $users2) {
    $parentgroups = @()
    $memberships = $user.MemberOf
    # Match each group the user is a direct member of against the nested groups of $rootgroup.
    # Note: users who are direct members of $rootgroup itself match no nested group here,
    # so their ParentGroups stays empty.
    foreach ($membership in $memberships) {
        foreach ($othergroup in $groups2) {
            If ($membership -eq $othergroup.DN) {
                $parentgroups += $othergroup
            }
        }
    }
    $user | Add-Member -MemberType NoteProperty -Name "ParentGroups" -Value $parentgroups
}
$users2 | Sort-Object ParentGroups | Format-Table Name, ParentGroups -auto

#If running script in a powershell console window, pause when finished
If (!($host.name -match "ISE")) {Write-Host "Press any key to continue...";$null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown");Write-Host ""}
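
The accepted answer points out that Get-QADGroupMember -Indirect cannot say which nested group brought a given account in, and its Example C recovers only the immediate parent group (and nothing at all for direct members of the top-level group). The script below is an added example, not part of the original post or of the Quest cmdlets: it uses the same snap-in but walks the nesting itself, so every user row carries the full chain of groups that grants the membership, and it stops with a warning when a group turns out to be its own ancestor (circular nesting), which a naive recursive walk would loop on forever. "Group1" is the group name from the question; the function name, the output columns and the use of Get-QADGroup, -Type and -SizeLimit 0 are this example's own choices.

```powershell
# Added example, not from the original post. Walks nested groups manually with the
# Quest ActiveRoles snap-in so each user row records the chain of groups admitting it.
# "Group1" is the group name used in the question; the function and columns are hypothetical.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

function Get-GroupMembershipPaths {
    param(
        [Parameter(Mandatory = $true)]
        [string]$GroupIdentity,            # name, DN, SID or GUID of the group to expand
        [string[]]$PathNames = @(),        # names of the groups above this one (used by the recursion)
        [string[]]$PathDNs   = @()         # DNs of the groups above this one (used by the recursion)
    )

    $group = Get-QADGroup -Identity $GroupIdentity
    if (-not $group) {
        Write-Warning "Group '$GroupIdentity' not found"
        return
    }

    # A group that already appears among its own ancestors means circular nesting
    # (A contains B, B contains A). Without this check the recursion never terminates.
    if ($PathDNs -contains $group.DN) {
        Write-Warning ("Circular nesting detected: " + (($PathNames + $group.Name) -join ' > '))
        return
    }

    $names = $PathNames + $group.Name
    $dns   = $PathDNs   + $group.DN

    # Direct user members at this level. -SizeLimit 0 lifts the default cap on returned objects.
    # @() guarantees an empty array (not $null) when the group has no users, so the loop is skipped.
    foreach ($user in @(Get-QADGroupMember -Identity $group.DN -Type User -SizeLimit 0)) {
        New-Object PSObject -Property @{
            User        = $user.Name
            SamAccount  = $user.SamAccountName
            ParentGroup = $group.Name            # the group the user is a direct member of
            Depth       = $names.Count - 1       # 0 = direct member of the top-level group
            Path        = ($names -join ' > ')   # full chain down from the top-level group
        }
    }

    # Recurse into directly nested groups, carrying the chain down one level.
    foreach ($child in @(Get-QADGroupMember -Identity $group.DN -Type Group -SizeLimit 0)) {
        Get-GroupMembershipPaths -GroupIdentity $child.DN -PathNames $names -PathDNs $dns
    }
}

# Usage: one row per (user, chain). A user reachable through two different nested
# groups appears twice, so question ii) is answered for every path, not just one.
$rows = @(Get-GroupMembershipPaths -GroupIdentity "Group1")
$rows | Sort-Object Depth, Path, User | Format-Table User, ParentGroup, Depth, Path -AutoSize

# Users admitted through more than one chain: worth a second look when the
# top-level group grants privileged access, since removing one nesting does not remove them.
$rows | Group-Object User | Where-Object { $_.Count -gt 1 } |
    Select-Object Name, Count,
        @{ Name = 'Paths'; Expression = { ($_.Group | ForEach-Object { $_.Path }) -join '; ' } }
```

For questions i) and iii) the answer's -Indirect one-liners remain the quicker route; this walk earns its extra LDAP queries only when you need to know, for each account, exactly which chain of nesting grants the access, for instance when auditing who can reach a privileged group and why.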
