ADUC group members and numbers

Posted on 2011-05-04
Last Modified: 2012-05-11
Can anyone detail how (if possible) to list all AD groups in a domain and the number of users per group, whether that be in Active Directory Users and Computers or elsewhere. Also, any tool/script to check all shares/ACLs in a domain for a specific group within an ACL?
Question by:pma111
    LVL 11

    Assisted Solution

    For your first query you can use ADFind from joeware (
    Using this command you can retrieve, for each group of your domain, the number of direct or indirect members:
    - direct and indirect members (can be very slow):
    for /F "tokens=*" %i in ('dsquery group -limit 0') do adfind -c -f "(&(memberof:1.2.840.113556.1.4.1941:=%~i))"
    - direct members only:
    for /F "tokens=*" %i in ('dsquery group -limit 0') do adfind -c -f "(&(memberof=%~i))"

    For your second query, it is very difficult to retrieve this information. Personally I don't know.
    LVL 21

    Assisted Solution

    Here is a VBS that will list all groups, their members and user count.

    As Tasmant said, this one is a little more difficult.

    You can use a tool like "srvcheck.exe" from the resource kit to check all shares on a specific server. Then you can do a little Excel magic with the output.
    LVL 4

    Expert Comment

    by:Thomas WERNHER

    I only work in PowerShell with the RSAT tools from MS, so I am going to give you some of the answers on this side...

    First, you'll need to load the AD module: import-module activedirectory
    This done, you'll be able to use the command get-adgroup to find out the groups (usually I use get-adgroup -filter * -properties *, something like that, and working on a domain with more than 4000 user items, it doesn't take so long to load all the users, so...)

    You can also use the command get-adgroupmember to find out more about the members of the group you're looking for.

    For the ACLs on shares, you can use get-wmiobject -class win32_logicalsecuritydescriptor -computer <server name here> to list the logical security descriptors used, then create a DACL object and use it to find out the ACL you're looking for. I'll post more about it tomorrow because I left my script for that at work.

    So, the script would go something like this:

    import-module activedirectory
    get-adgroup -filter * | foreach {
         # foreach group in the whole set of groups of your AD, you'll take its name, or CN, or DN depending on
         # what will be in use in the identity part of the get-adgroupmember
         $gpname = $_.distinguishedname   # or use the name or the canonical name
         # to count the number of users in a group, you apply the command get-adgroupmember
         # to the group with the identity you want, and you use on the result the count property to
         # count the number of objects returned (@() so that a group with 0 or 1 members still has a count)
         $count = @(get-adgroupmember -identity $gpname).count
         write-output "$gpname : $count"
    }
    # and after that you work the tricky part for the ACLs on the shares by using
    # (class and parameter corrected to the ones that exist: win32_logicalsharesecuritysetting and -computername)
    get-wmiobject -class win32_logicalsharesecuritysetting -computername "<your srv name here>"
    # you find out about the ACLs: I'll post that later

    That's the overarching concept of what I'd use to make it,
    but I am doing it without being able to test it till tomorrow. I need to make a script like that at work so I'll be posting the progress tomorrow with further explanations.

    Good night (here it's 11pm :)

    LVL 14

    Expert Comment

    by:Shabarinath Ramadasan
    I would recommend you try the Quest AD Modules for PowerShell.

    You can run the one liners to get what you want.

    Good luck
    LVL 3

    Author Comment

    Cheers T
    LVL 4

    Accepted Solution

    Hi guys!

    So, as at work I had to do it in order to map all the access permissions, here's a little taste of a script I developed yesterday morning to find out all the permissions on the shared folders.

    So, to answer the first part of your question, about the groups, you could go two ways: AD or get-wmiobject.

    Here's how I found all the groups I had (maybe cross check with the help to make sure a parameter isn't missing, because I am doing it from my poor memory):
    with RSAT AD stuff: $gps = get-adgroup -filter *
    with WMI objects: $gps = get-wmiobject -class "Win32_Group"

    But, here is the thing:
    I needed to map my file server which has something like 3800 shares with lots of permissions set at the user level instead of being managed with groups.
    So, I made a script to tell me who has permissions set on what shared folder by giving me the type of the account (Win32_Account or Win32_Group), the samaccountname of the user or group, the full name of it, the name of the share and the type of permission (read, change, fullcontrol).

    I got a first DB with 7000 entries which I needed to process a little more, because I went to take, for each group found in the permissions, the members of this group.
    Thus, I mapped 10000 more entries.
    I finally got in a few hours my map for 17000 entries which I'll need to process now.

    Here is the script with comments (first part only, because the post processing on the groups, well, I forgot to take it but I can post it tomorrow if you want).

    # first we set up the date for the logs
    $day = (get-date).day
    $month = (get-date).month
    $date = "$day-$month"
    # i create a new file to save the DB (with a header line so the CSV can be read back with import-csv)
    new-item "c:\db$date.csv" -type file -force | out-null
    add-content "c:\db$date.csv" "user;accessmask;share;username;typecompte"

    # i define which is the active node of the cluster of my file server
    $servers = get-wmiobject -class win32_share -computername "<your fs name here>" | foreach { $_.__server }
    # i can then retrieve the true name of the filesrv ($servers already holds plain names, so -unique is enough)
    $srvs = $servers | sort-object -unique

    # i retrieve all the accounts with wmiobject (AD and local accounts)
    $comptes = get-wmiobject -class win32_account
    # i export them
    $comptes | export-csv -delimiter ";" -path "c:\listcomptes.csv" -notypeinformation

    # this is tricky. I couldn't get the logical security descriptor of the shares on the cluster, but instead, i have to retrieve them from the active node of my cluster.
    $db = @()
    foreach ($srv in $srvs) {
        $sharesec = get-wmiobject -class win32_logicalsharesecuritysetting -computername $srv

        # i then get my acls from each share
        $sharesec | foreach {
            $acls = $_.getsecuritydescriptor().descriptor.dacl
            $sharename = $_.name
            write-host "acces pour le share $sharename"
            # foreach entry in the acl, i go through my routine to collect data
            foreach ($acl in $acls) {
                $ace = "" | select user,accessmask,share,username,typecompte
                # the trustee of the ACE is the account or group the permission applies to
                $ace.user = $acl.trustee.name
                switch ($acl.accessmask) {
                    2032127 {$am = "fullcontrol"}
                    1245631 {$am = "change"}
                    1179817 {$am = "read"}
                    default {$am = $acl.accessmask}   # keep the raw mask when it is not one of the three share presets
                }
                $ace.accessmask = $am
                $ace.username = $comptes | where-object { $_.name -eq $ace.user } | foreach { $_.fullname }
                $ace.share = $sharename
                $ace.typecompte = $comptes | where-object { $_.name -eq $ace.user } | foreach { $_.__class }
                $db += $ace
                # write the entry as one csv line (add-content on the object itself would only write its string form)
                add-content "c:\db$date.csv" ("{0};{1};{2};{3};{4}" -f $ace.user, $ace.accessmask, $ace.share, $ace.username, $ace.typecompte)
            }
        }
    }

    Here we go, working fine :)
    4 and a half hours for this part of the script, 2 hours for the post processing of the groups contained (done on 416 groups, some of which were extensive with a few thousand entries in them...)

    Hope it helps
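A combined answer to both parts of the question, written for this page as an added example (not the poster's script or anything from the RSAT module): it counts direct and nested members per group, then lists the shares on one server whose share-level DACL names one specific group. $FileServer and $GroupName are assumed placeholders; the RSAT ActiveDirectory module and WMI access to the file server are assumed.

```powershell
# Added example, not from the thread. $FileServer and $GroupName are placeholders.
param(
    [string]$FileServer = 'FILESERVER01',      # placeholder: file server or active cluster node
    [string]$GroupName  = 'Finance-ReadOnly'   # placeholder: group to look for in share DACLs
)
Import-Module ActiveDirectory

# Part 1: every group with its direct and recursive (nested) member counts.
# @() guarantees .Count for 0 or 1 members; try/catch keeps one oversized or
# unreadable group from aborting the whole run.
$groupCounts = Get-ADGroup -Filter * | ForEach-Object {
    $dn = $_.DistinguishedName
    try {
        New-Object PSObject -Property @{
            Group     = $_.SamAccountName
            Direct    = @(Get-ADGroupMember -Identity $dn).Count
            Recursive = @(Get-ADGroupMember -Identity $dn -Recursive).Count
        }
    } catch { Write-Warning "Skipping ${dn}: $($_.Exception.Message)" }
}
$groupCounts | Sort-Object Recursive -Descending |
    Export-Csv -Path "C:\groupcounts.csv" -Delimiter ';' -NoTypeInformation

# Part 2: shares on $FileServer whose share-level DACL names $GroupName.
# Win32_LogicalShareSecuritySetting exposes the share permissions, not the NTFS ACL.
$masks = @{ 2032127 = 'FullControl'; 1245631 = 'Change'; 1179817 = 'Read' }
$hits = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $FileServer |
  ForEach-Object {
    $share = $_.Name
    $sd = $_.GetSecurityDescriptor()
    if ($sd.ReturnValue -ne 0) { Write-Warning "Cannot read DACL of $share (rc=$($sd.ReturnValue))"; return }
    foreach ($ace in $sd.Descriptor.DACL) {
        if ($ace.Trustee.Name -ne $GroupName) { continue }
        $right = $masks[[int]$ace.AccessMask]
        if (-not $right) { $right = '0x{0:X}' -f $ace.AccessMask }   # non-preset mask: show it raw
        New-Object PSObject -Property @{
            Share   = "\\$FileServer\$share"
            Trustee = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
            Type    = $(if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' })   # 0 = allowed, 1 = denied
            Access  = $right
        }
    }
  }
$hits | Format-Table Share, Trustee, Type, Access -AutoSize
```

Share permissions and NTFS permissions are separate DACLs, so a group absent from a share's DACL can still be granted access at the NTFS level. The match is by trustee name, so access the group inherits through nested membership is not resolved here.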

    LVL 4

    Expert Comment

    by:Thomas WERNHER
    Thanks for the rating.
    Just by the way, I finished last weekend compiling my DB: 101,000+ entries...
    but working fine :)
