Solved

How do I get the member of the users from the active directory group.

Posted on 2010-08-22
Last Modified: 2012-05-10
Hi Experts,

I need to get the names of the members of an Active Directory group. In our Active Directory we have got lots of groups and lots of members. I need to find out which users are in which group.

Is there a way to find out in a table format? Please help me. Our AD has lots of OUs as well. PowerShell gurus, please help me.
Question by:koala-london
 
LVL 17

Accepted Solution

by:
Steve earned 600 total points
ID: 33498495
0
 
LVL 17

Assisted Solution

by:Steve
Steve earned 600 total points
ID: 33498497
0
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 300 total points
ID: 33498529
Run this command from command-line on a server or workstation with Administrative Tools installed

dsquery group -name verw_is | dsget group -members -expand |dsget user -fn -ln -samid -email -desc >c:\members.txt

and import it into an Excel sheet.

0
 
LVL 4

Assisted Solution

by:Bart-Vandyck
Bart-Vandyck earned 300 total points
ID: 33498553


In PowerShell it is pretty easy to list all members of a group. Feed it a list of group names and export it to a CSV, XML file, ...


$group = [ADSI]"LDAP://CN=<groupname>,OU=<OU-Name>,DC=<domain>,DC=<domain>"
$group.member

0
 

Author Comment

by:koala-london
ID: 33498766
Hi iSiek

I got the error "target object for this command is missing". We have lots of DCs in our domain. I am a bit new to PowerShell and scripting. Could you provide me a complete command please?
0
 
LVL 2

Assisted Solution

by:johnnytanki
johnnytanki earned 300 total points
ID: 33498792
1. Save the below as EnumGroup.vbs.
2. Run cscript //nologo EnumGroup.vbs "cn=Sales,ou=West,dc=MyDomain,dc=com" > Sales.txt where "cn=Sales,ou=West,dc=MyDomain,dc=com"  is your desired group


Option Explicit

Dim objGroup, strDN, objMemberList
Dim adoConnection, adoCommand, objRootDSE, strDNSDomain

' Dictionary object to track group membership.
Set objMemberList = CreateObject("Scripting.Dictionary")
objMemberList.CompareMode = vbTextCompare

' Check for required argument.
If (Wscript.Arguments.Count < 1) Then
    Wscript.Echo "Required argument <Distinguished Name> " _
        & "of group missing."
    Wscript.Echo "For example:" & vbCrLf _
        & "cscript //nologo EnumGroup.vbs " _
        & """cn=Test Group,ou=Sales,dc=MyDomain,dc=com"""
    Wscript.Quit(0)
End If

' Bind to the group object with the LDAP provider.
strDN = Wscript.Arguments(0)
On Error Resume Next
Set objGroup = GetObject("LDAP://" & strDN)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Group not found" & vbCrLf & strDN
    Wscript.Quit(1)
End If
On Error GoTo 0

' Retrieve DNS domain name from RootDSE.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Setup ADO.
Set adoConnection = CreateObject("ADODB.Connection")
Set adoCommand = CreateObject("ADODB.Command")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Enumerate group membership.
Wscript.Echo "Members of group " & objGroup.sAMAccountName
Call EnumGroup(objGroup, "  ")

' Clean Up.
adoConnection.Close
Set objGroup = Nothing
Set objRootDSE = Nothing
Set adoCommand = Nothing
Set adoConnection = Nothing

Sub EnumGroup(ByVal objADGroup, ByVal strOffset)
    ' Recursive subroutine to enumerate group membership.
    ' objMemberList is a dictionary object with global scope.
    ' objADGroup is a group object bound with the LDAP provider.
    ' This subroutine outputs a list of group members, one member
    ' per line. Nested group members are included. Users are also
    ' included if their primary group is objADGroup. objMemberList
    ' prevents an infinite loop if nested groups are circular.

    Dim strFilter, strAttributes, adoRecordset, intGroupToken
    Dim objMember, strQuery, strNTName

    ' Retrieve "primaryGroupToken" of group.
    objADGroup.GetInfoEx Array("primaryGroupToken"), 0
    intGroupToken = objADGroup.Get("primaryGroupToken")

    ' Use ADO to search for users whose "primaryGroupID" matches the
    ' group "primaryGroupToken".
    strFilter = "(primaryGroupID=" & intGroupToken & ")"
    strAttributes = "sAMAccountName"
    strQuery = "<LDAP://" & strDNSDomain & ">;" & strFilter & ";" _
        & strAttributes & ";subtree"
    adoCommand.CommandText = strQuery
    Set adoRecordset = adoCommand.Execute
    Do Until adoRecordset.EOF
        strNTName = adoRecordset.Fields("sAMAccountName").Value
        If (objMemberList.Exists(strNTName) = False) Then
            objMemberList.Add strNTName, True
            Wscript.Echo strOffset & strNTName & " (Primary)"
        Else
            Wscript.Echo strOffset & strNTName & " (Primary, Duplicate)"
        End If
        adoRecordset.MoveNext
    Loop
    adoRecordset.Close

    For Each objMember In objADGroup.Members
        If (objMemberList.Exists(objMember.sAMAccountName) = False) Then
            objMemberList.Add objMember.sAMAccountName, True
            If (UCase(Left(objMember.objectCategory, 8)) = "CN=GROUP") Then
                Wscript.Echo strOffset & objMember.sAMAccountName & " (Group)"
                Call EnumGroup(objMember, strOffset & "  ")
            Else
                Wscript.Echo strOffset & objMember.sAMAccountName
            End If
        Else
            Wscript.Echo strOffset & objMember.sAMAccountName & " (Duplicate)"
        End If
    Next
    Set objMember = Nothing
    Set adoRecordset = Nothing
End Sub

0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33498808
I'm sorry, I didn't remove my group name from command :)
Replace Verw_IS group name please by your own group name which you want to examine :]
0
 
LVL 42

Expert Comment

by:sedgwick
ID: 33499017
Change $grouName to your required AD group name.
# Name of the group to look up
$grouName = "GUI"
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
# Find the group object by name in the current domain
$objSearcher.Filter = "(&(objectCategory=group)(name=$grouName))"
$distName = $objSearcher.FindOne().GetDirectoryEntry().distinguishedName
# Bind to the group and print the distinguished names of its members
$ADGroup = [ADSI]"LDAP://$distName"
write-host $ADGroup.member

0
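
The table asked for in the question (which user is in which group, nested groups included) can be built with the same ADSI searcher used in the comment above; this is an added example, not code posted by anyone in the thread. It assumes a domain-joined machine with PowerShell 3.0 or later, and the group names, output path and function names are placeholders chosen for illustration.

```powershell
# Added example: one row per (group, user). Placeholders below are hypothetical.
$GroupNames = 'Sales', 'Helpdesk'               # hypothetical group names
$OutFile    = 'C:\Temp\group-members.csv'       # hypothetical output path

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape \ * ( ) per RFC 4515, backslash first, so a name or DN cannot alter the filter.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-GroupUserRows([string]$GroupName) {
    $find = New-Object System.DirectoryServices.DirectorySearcher
    $find.Filter = '(&(objectCategory=group)(name={0}))' -f (ConvertTo-LdapFilterValue $GroupName)
    $hit = $find.FindOne()
    if ($null -eq $hit) { Write-Warning "Group not found: $GroupName"; return }
    $dn = [string]$hit.Properties['distinguishedname'][0]

    # primaryGroupToken is a constructed attribute, so it has to be requested explicitly.
    $entry = $hit.GetDirectoryEntry()
    $entry.RefreshCache(@('primaryGroupToken'))
    $token = $entry.Properties['primaryGroupToken'].Value

    # 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) follows nested groups.
    # memberOf never lists a user's primary group, hence the primaryGroupID clause.
    $users = New-Object System.DirectoryServices.DirectorySearcher
    $users.PageSize = 1000      # paged search; without it results stop at the server limit
    $users.Filter = '(&(objectCategory=person)(objectClass=user)(|(memberOf:1.2.840.113556.1.4.1941:={0})(primaryGroupID={1})))' -f (ConvertTo-LdapFilterValue $dn), $token
    'samaccountname', 'displayname', 'mail' | ForEach-Object { [void]$users.PropertiesToLoad.Add($_) }

    $results = $users.FindAll()
    try {
        foreach ($r in $results) {
            # @(...) -join '' yields an empty string when the attribute is not set.
            [pscustomobject]@{
                Group          = $GroupName
                SamAccountName = @($r.Properties['samaccountname']) -join ''
                DisplayName    = @($r.Properties['displayname']) -join ''
                Mail           = @($r.Properties['mail']) -join ''
            }
        }
    } finally { $results.Dispose() }
}

$rows = @(foreach ($g in $GroupNames) { Get-GroupUserRows $g })
$rows | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$rows | Export-Csv -Path $OutFile -NoTypeInformation
```

Only user objects are listed, and users whose primary group is one of the nested groups are not picked up; the VBScript above covers that case by recursing into each nested group.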
 

Author Comment

by:koala-london
ID: 33499566
Thanks Guys. I'm gonna try it and let you know
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 33519045

What do you actually want to see in the output?

There are a number of methods to get information about group members. These are in addition to the approach sedgwick has used.

Chris
# Quest CmdLets
Get-QADGroupMember "Your Group"

# Exchange CmdLets (mail enabled groups only)
Get-DistributionGroupMember "Your Group"

# AD CmdLets
Get-ADGroupMember "Your Group"

0
 

Author Closing Comment

by:koala-london
ID: 33678680
all thanks
0
