Solved

How do I get the member of the users from the active directory group.

Posted on 2010-08-22
11
658 Views
Last Modified: 2012-05-10
Hi Experts,

I need to get the name of the members from the active directory group. In our active directory we have got lots of group and lots of members. I need to find out which users is in which group.

Is there a way to find out in a table format. Please help me . Our AD has lots of OU as well. Powershell guru please help me.
0
Comment
Question by:koala-london
  • 3
  • 2
  • 2
  • +4
11 Comments
 
LVL 17

Accepted Solution

by:
sgsm81 earned 200 total points
ID: 33498495
0
 
LVL 17

Assisted Solution

by:sgsm81
sgsm81 earned 200 total points
ID: 33498497
0
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 100 total points
ID: 33498529
Run this command from command-line on a server or workstation with Administrative Tools installed

dsquery group -name verw_is | dsget group -members -expand |dsget user -fn -ln -samid -email -desc >c:\members.txt

and import it to Excel sheet.

0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 4

Assisted Solution

by:Bart-Vandyck
Bart-Vandyck earned 100 total points
ID: 33498553


In powershell it is prettey to list all members of group. Feed it a list with group names and export it to a csv, xml file,...


$group = [ADSI]"LDAP://CN=<groupname>,OU=<OU-Name>,DC=<domain>,DC=<domain>"
$group.member

Open in new window

0
 

Author Comment

by:koala-london
ID: 33498766
Hi iSiek

I got error "target object for this command is missing". we have lots of DC in our domain. I am abit new to powershell and script. could you provide me a complete command please?
0
 
LVL 2

Assisted Solution

by:johnnytanki
johnnytanki earned 100 total points
ID: 33498792
1. Save the below as EnumGroup.vbs.
2. Run cscript //nologo EnumGroup.vbs "cn=Sales,ou=West,dc=MyDomain,dc=com" > Sales.txt where "cn=Sales,ou=West,dc=MyDomain,dc=com"  is your desired group


Option Explicit

Dim objGroup, strDN, objMemberList
Dim adoConnection, adoCommand, objRootDSE, strDNSDomain

' Dictionary object to track group membership.
Set objMemberList = CreateObject("Scripting.Dictionary")
objMemberList.CompareMode = vbTextCompare

' Check for required argument.
If (Wscript.Arguments.Count < 1) Then
    Wscript.Echo "Required argument  " _
        & "of group missing."
    Wscript.Echo "For example:" & vbCrLf _
        & "cscript //nologo EnumGroup.vbs " _
        & """cn=Test Group,ou=Sales,dc=MyDomain,dc=com"""
    Wscript.Quit(0)
End If

' Bind to the group object with the LDAP provider.
strDN = Wscript.Arguments(0)
On Error Resume Next
Set objGroup = GetObject("LDAP://" & strDN)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Group not found" & vbCrLf & strDN
    Wscript.Quit(1)
End If
On Error GoTo 0

' Retrieve DNS domain name from RootDSE.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Setup ADO.
Set adoConnection = CreateObject("ADODB.Connection")
Set adoCommand = CreateObject("ADODB.Command")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Enumerate group membership.
Wscript.Echo "Members of group " & objGroup.sAMAccountName
Call EnumGroup(objGroup, "  ")

' Clean Up.
adoConnection.Close
Set objGroup = Nothing
Set objRootDSE = Nothing
Set adoCommand = Nothing
Set adoConnection = Nothing

Sub EnumGroup(ByVal objADGroup, ByVal strOffset)
    ' Recursive subroutine to enumerate group membership.
    ' objMemberList is a dictionary object with global scope.
    ' objADGroup is a group object bound with the LDAP provider.
    ' This subroutine outputs a list of group members, one member
    ' per line. Nested group members are included. Users are also
    ' included if their primary group is objADGroup. objMemberList
    ' prevents an infinite loop if nested groups are circular.

    Dim strFilter, strAttributes, adoRecordset, intGroupToken
    Dim objMember, strQuery, strNTName

    ' Retrieve "primaryGroupToken" of group.
    objADGroup.GetInfoEx Array("primaryGroupToken"), 0
    intGroupToken = objADGroup.Get("primaryGroupToken")

    ' Use ADO to search for users whose "primaryGroupID" matches the
    ' group "primaryGroupToken".
    strFilter = "(primaryGroupID=" & intGroupToken & ")"
    strAttributes = "sAMAccountName"
    strQuery = ";" & strFilter & ";" _
        & strAttributes & ";subtree"
    adoCommand.CommandText = strQuery
    Set adoRecordset = adoCommand.Execute
    Do Until adoRecordset.EOF
        strNTName = adoRecordset.Fields("sAMAccountName").Value
        If (objMemberList.Exists(strNTName) = False) Then
            objMemberList.Add strNTName, True
            Wscript.Echo strOffset & strNTName & " (Primary)"
        Else
            Wscript.Echo strOffset & strNTName & " (Primary, Duplicate)"
        End If
        adoRecordset.MoveNext
    Loop
    adoRecordset.Close

    For Each objMember In objADGroup.Members
        If (objMemberList.Exists(objMember.sAMAccountName) = False) Then
            objMemberList.Add objMember.sAMAccountName, True
            If (UCase(Left(objMember.objectCategory, 8)) = "CN=GROUP") Then
                Wscript.Echo strOffset & objMember.sAMAccountName & " (Group)"
                Call EnumGroup(objMember, strOffset & "  ")
            Else
                Wscript.Echo strOffset & objMember.sAMAccountName
            End If
        Else
            Wscript.Echo strOffset & objMember.sAMAccountName & " (Duplicate)"
        End If
    Next
    Set objMember = Nothing
    Set adoRecordset = Nothing
End Sub

0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33498808
I'm sorry, I didn't remove my group name from command :)
Replace Verw_IS group name please by your own group name which you want to examine :]
0
 
LVL 42

Expert Comment

by:sedgwick
ID: 33499017
change $grouName to your required AD group name.
$grouName = "GUI"
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.Filter = "(&(objectCategory=group) (name=$grouName))"
$distName = $objSearcher.FindOne().GetDirectoryEntry().distinguishedName
$ADGroup = [ADSI]"LDAP://$distName"
write-host $ADGroup.member

Open in new window

0
 

Author Comment

by:koala-london
ID: 33499566
Thanks Guys. I'm gonna try it and let you know
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33519045

What do you actually want to see in the output?

There are a number of methods to get information about group members. These are in addition to the approach sedgwick has used.

Chris
# Quest CmdLets
Get-QADGroupMember "Your Group"

# Exchange CmdLets (mail enabled groups only)
Get-DistributionGroupMember "Your Group"

# AD CmdLets
Get-ADGroupMember "Your Group"

Open in new window

0
 

Author Closing Comment

by:koala-london
ID: 33678680
all thanks
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
A brief introduction to what I consider to be the best editor for PowerShell.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question