ADUC group members and numbers

Can anyone detail how (if possible) to list all AD groups in a domain and the number of users per group, whether that be in Active Directory Users and Computers or elsewhere? Also, is there any tool/script to check all shares/ACLs in a domain for a specific group within an ACL?
Thomas WERNHER (Configuration Manager) commented:
Hi guys !

So, since at work I had to do it in order to map all the access permissions, here's a little taste of a script I developed yesterday morning to find out all the permissions on the shared folders.

So, to answer the first part of your question, about the groups, you could go two ways: AD or Get-WmiObject.

Here's how I found all the groups I had (maybe cross-check with the help to make sure a parameter isn't missing, because I'm doing it from my poor memory):
with the RSAT AD tools: $gps = Get-ADGroup -Filter *
with WMI objects: $gps = Get-WmiObject -Class "Win32_Group"

But here is the thing:
I needed to map my file server, which has something like 3800 shares, with a lot of permissions set at the user level instead of being managed with groups.
So I made a script to tell me who has permissions on which shared folder, giving me the type of the account (Win32_Account or Win32_Group), the SAM account name of the user or group, its full name, the name of the share and the type of permission (read, change, full control).

I got a first DB with 7000 entries, which I needed to process a little more, because for each group found in the permissions I went and took the members of that group.
That way I mapped 10000 more entries.
In a few hours I finally got my map of 17000 entries, which I'll need to process now.

Here is the script with comments (first part only, because the post-processing of the groups, well, I forgot to bring it, but I can post it tomorrow if you want).

# first we set up the date for the logs
$day = (Get-Date).Day
$month = (Get-Date).Month
$date = "$day-$month"
# I create a new file to save the DB, with a header row matching the fields collected below
$dbfile = "c:\db$date.csv"
New-Item $dbfile -Type File | Out-Null
Add-Content $dbfile "user;accessmask;share;username;typecompte"

# I find out which is the active node of the cluster of my file server
$servers = Get-WmiObject -Class Win32_Share -ComputerName "<your fs name here>" | ForEach-Object { $_.__SERVER }
# I can then retrieve the true name of the file server
$srvs = $servers | Sort-Object -Unique

# I retrieve all the accounts with WMI (AD and local accounts)
$comptes = Get-WmiObject -Class Win32_Account
# I export them
$comptes | Export-Csv -Delimiter ";" -Path "c:\listcomptes.csv"

$db = @()
# This is tricky. I couldn't get the logical share security descriptors through the cluster name,
# so instead I retrieve them from the active node of my cluster.
foreach ($srv in $srvs) {
    $sharesec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $srv

    # I then get my ACLs from each share
    $sharesec | ForEach-Object {
        $acls = $_.GetSecurityDescriptor().Descriptor.DACL
        $sharename = $_.Name
        Write-Host "access for the share $sharename"
        # for each entry in the ACL, I go through my routine to collect the data
        foreach ($acl in $acls) {
            $ace = "" | Select-Object user, accessmask, share, username, typecompte
            # the trustee of the ACE is the account or group the permission is granted to
            $ace.user = $acl.Trustee.Name
            # the three standard share permissions (same values the GUI sets);
            # anything else keeps the raw mask instead of reusing the previous entry's label
            switch ($acl.AccessMask) {
                2032127 { $am = "fullcontrol" }
                1245631 { $am = "change" }
                1179817 { $am = "read" }
                default { $am = $acl.AccessMask }
            }
            $ace.accessmask = $am
            # FullName only exists on Win32_UserAccount, so groups get an empty value here
            $ace.username = $comptes | Where-Object { $_.Name -eq $ace.user } | ForEach-Object { $_.FullName }
            $ace.share = $sharename
            # __CLASS tells the account type apart (Win32_UserAccount, Win32_Group, Win32_SystemAccount)
            $ace.typecompte = $comptes | Where-Object { $_.Name -eq $ace.user } | ForEach-Object { $_.__CLASS }
            $db += $ace
            Add-Content $dbfile ("{0};{1};{2};{3};{4}" -f $ace.user, $ace.accessmask, $ace.share, $ace.username, $ace.typecompte)
        }
    }
}

Here we go, working fine :)
Four and a half hours for this part of the script, two more hours for the post-processing of the groups it contained (done on 416 groups, some of which were extensive, with a few thousand entries in them...).

Hope it helps.
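The piece Thomas says he left at work, the post-processing of the group trustees, as an added example; this is not his script and not code from the page. It decodes the share access mask with the same three values his switch uses (1179817 is Read, 1245631 is Change, 2032127 is Full Control) but keeps any other mask as a hex "custom" value instead of dropping it, expands every group found in a share ACL to its nested members with Get-ADGroupMember -Recursive, and, for the second part of the question, lets you ask which shares across the domain name one group directly. It assumes PowerShell 3 or later with the RSAT ActiveDirectory module; the function names, the server name fs01 and the group CORP\Finance-RW are mine, not from the page.

```powershell
# Added example, not the script from the post above. Assumes PowerShell 3+ with the RSAT
# ActiveDirectory module and, for the live functions, a reachable file server.

# The three standard share permissions; same values as the switch statement in the script above.
$ShareRights = [ordered]@{
    FullControl = 0x1F01FF   # 2032127
    Change      = 0x1301BF   # 1245631
    Read        = 0x1200A9   # 1179817
}

function ConvertFrom-ShareAccessMask {
    # Label the mask if it is one of the three standard ones; otherwise keep the raw value so an
    # ACE with a hand-edited mask shows up in the report instead of falling through the switch.
    param([Parameter(Mandatory = $true)][int]$AccessMask)
    foreach ($name in $ShareRights.Keys) {
        if ($AccessMask -eq $ShareRights[$name]) { return $name }
    }
    return ('custom(0x{0:X})' -f $AccessMask)
}

function Get-ShareAce {
    # One record per ACE on every share of one server. Query the active cluster node, not the
    # cluster name, as the post notes. Share DACLs are only half the story: the NTFS DACL on the
    # folder (Get-Acl on the UNC path) applies too, and the effective right is the more restrictive one.
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $ComputerName | ForEach-Object {
        $share = $_.Name
        foreach ($ace in $_.GetSecurityDescriptor().Descriptor.DACL) {
            # Win32_ACE.AceType: 0 = ACCESS_ALLOWED, 1 = ACCESS_DENIED
            $type = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            [pscustomobject]@{
                Server  = $ComputerName
                Share   = $share
                Trustee = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
                Sid     = $ace.Trustee.SIDString
                AceType = $type
                Access  = ConvertFrom-ShareAccessMask $ace.AccessMask
            }
        }
    }
}

function Expand-AceTrustee {
    # For an ACE whose trustee is a domain group, emit one record per (nested) member, so the report
    # answers "who can actually reach this share"; any other trustee passes through as its own Member.
    # Get-ADGroupMember -Recursive fails on groups above the DC's MaxGroupOrMemberEntries limit (5000
    # by default) and on foreign security principals, so that error is surfaced as a warning, not swallowed.
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)]$Ace)
    process {
        $group = $null
        # Well-known SIDs (Everyone, BUILTIN\...) and local accounts are not AD groups: no match, pass through.
        if ($Ace.Sid) { $group = Get-ADGroup -Filter "SID -eq '$($Ace.Sid)'" }
        if (-not $group) {
            $Ace | Select-Object *, @{ n = 'Member'; e = { $_.Trustee } }
            return
        }
        try {
            Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop | ForEach-Object {
                $member = $_.SamAccountName
                $Ace | Select-Object *, @{ n = 'Member'; e = { $member } }
            }
        } catch {
            Write-Warning ('Could not expand {0} on {1}\{2}: {3}' -f $Ace.Trustee, $Ace.Server, $Ace.Share, $_)
        }
    }
}

# Usage (live; fs01 and CORP\Finance-RW are placeholders):
#   Get-ShareAce -ComputerName fs01 | Expand-AceTrustee |
#       Export-Csv -Path share-access.csv -Delimiter ';' -NoTypeInformation
# Every share on every server in the domain that names one group directly in its share ACL
# (the second part of the question; unreachable hosts raise a WMI error, which ForEach-Object reports and continues past):
#   Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' |
#       ForEach-Object { Get-ShareAce -ComputerName $_.DNSHostName } |
#       Where-Object { $_.Trustee -eq 'CORP\Finance-RW' }
```

Expanding groups is what turns 7000 ACEs into the 17000 rows Thomas describes, so run Expand-AceTrustee once and keep the CSV rather than re-querying the directory for every lookup. Remember that a group appearing nowhere in a share DACL can still have access through a nested group, which is exactly what the expanded Member column is for.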

For your first query you can use AdFind from joeware (
Using this command you can retrieve, for each group of your domain, the number of direct or indirect members:
- direct and indirect members (can be very slow):
for /F "tokens=*" %i in ('dsquery group -limit 0') do adfind -c -f "(&(memberof:1.2.840.113556.1.4.1941:=%~i))"
- direct members only:
for /F "tokens=*" %i in ('dsquery group -limit 0') do adfind -c -f "(&(memberof=%~i))"

For your second query, it is very difficult to retrieve this information. Personally, I don't know.
Here is a VBS that will list all groups, their members and the user count.

Like Tasmant said, this one is a little more difficult.

You can use a tool like "srvcheck.exe" from the Resource Kit to check all shares on a specific server. Then you can do a little Excel magic with the output.

Thomas WERNHER (Configuration Manager) commented:

I only work in PowerShell with the RSAT tools from MS, so I'm going to give you some of the answers on that side...

First, you'll need to load the AD module: Import-Module ActiveDirectory
Once that's done, you'll be able to use the command Get-ADGroup to find out the groups (usually I use Get-ADGroup -Filter * -Properties *, something like that, and working on a domain with more than 4000 user items, it doesn't take so long to load all the users, so...).

You can also use the command Get-ADGroupMember to find out more about the members of the group you're looking for.

For the ACLs on shares, you can use Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName <server name here> to list the logical share security settings, then get the DACL from the security descriptor and use it to find the ACL you're looking for. I'll post more about it tomorrow because I left my script for that at work.

So, the script would go something like this:

Import-Module ActiveDirectory
Get-ADGroup -Filter * | ForEach-Object {
     # for each group among all the groups of your AD, you take its name, or CN, or DN depending on
     # what will be in use in the identity part of Get-ADGroupMember
     $gpname = $_.DistinguishedName   # (or use the name or canonical name)
     # to count the number of users in a group, you apply the command Get-ADGroupMember
     # to the group with the identity you want, and you use the Count property on the result
     # to count the number of objects returned (@() makes it an array even for 0 or 1 member)
     $count = @(Get-ADGroupMember -Identity $gpname).Count
     "$gpname : $count"
     # and after that you work the tricky part for the ACLs on the shares by using
     # Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName <your srv name here>
     # to find out about the ACLs: I'll post that later
}

That's the overarching concept of what I'd use to make it.
But I'm doing it without being able to test it until tomorrow. I need to make a script like that at work, so I'll be posting the progress tomorrow with further explanations.

Good night (here it's 11pm :)
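The counting part of the outline above, and the direct-versus-recursive distinction the AdFind one-liners in the earlier answer make, as an added example; this is not Thomas's script or the AdFind commands, and it assumes the RSAT ActiveDirectory module and a reachable domain controller. The function names are mine. It takes the direct count from the group's own member attribute, which is cheap and sidesteps the 5000-member limit and the foreign-security-principal error that Get-ADGroupMember can hit, and gets the transitive count from the same LDAP_MATCHING_RULE_IN_CHAIN filter (OID 1.2.840.113556.1.4.1941) that the AdFind command uses, with the distinguished name escaped per RFC 4515 so a CN containing a comma or parenthesis does not break the filter.

```powershell
# Added example, not the script above or the AdFind one-liners from the earlier answer.
# Assumes the RSAT ActiveDirectory module and a reachable domain controller.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value embedded in an LDAP filter. A distinguished name can contain
    # '(' , ')' or '\' (e.g. CN=Smith\, John), and unescaped they break, or alter, the filter.
    # Backslash is replaced first so the escapes added here are not themselves re-escaped.
    param([Parameter(Mandatory = $true)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-ADGroupMemberCount {
    # One row per group.
    # Direct     = entries in the group's own 'member' attribute: one attribute read, no 5000-member
    #              Get-ADGroupMember limit, no failure on foreign security principals.
    # Transitive = (with -Recursive) every object that is a member through any chain of nested groups,
    #              asked with the LDAP_MATCHING_RULE_IN_CHAIN matching rule, OID 1.2.840.113556.1.4.1941,
    #              the same filter the AdFind one-liner uses. The DC walks the nesting, which is why
    #              it is slow on a big directory, as that answer notes.
    # Caveat: neither count includes accounts whose *primary* group this is (primaryGroupID), which is
    # why Domain Users normally shows 0 here while Get-ADGroupMember lists everyone.
    param(
        [string]$Filter = '*',
        [switch]$Recursive
    )
    Get-ADGroup -Filter $Filter -Properties member | ForEach-Object {
        $row = [ordered]@{
            Group    = $_.SamAccountName
            Scope    = $_.GroupScope
            Category = $_.GroupCategory
            Direct   = @($_.member).Count
        }
        if ($Recursive) {
            $chain = '(memberOf:1.2.840.113556.1.4.1941:={0})' -f (ConvertTo-LdapFilterValue $_.DistinguishedName)
            # all objects (users, computers, nested groups) reachable through the group ...
            $row.Transitive      = @(Get-ADObject -LDAPFilter $chain).Count
            # ... and only the user accounts among them, which is usually the number people actually want
            $row.TransitiveUsers = @(Get-ADUser -LDAPFilter $chain).Count
        }
        [pscustomobject]$row
    }
}

# Usage:
#   Get-ADGroupMemberCount -Recursive | Sort-Object TransitiveUsers -Descending | Format-Table -AutoSize
#   Get-ADGroupMemberCount -Filter 'GroupCategory -eq "Security"' | Where-Object { $_.Direct -eq 0 }   # empty security groups
#   Get-ADGroupMemberCount | Export-Csv -Path groups.csv -Delimiter ';' -NoTypeInformation
```

Run it without -Recursive first; that pass is a single paged query against the directory. Add -Recursive only for the groups you care about (pass a narrower -Filter), because every group then costs two extra server-side chain queries, which is the slowness the AdFind answer warns about. When the transitive user count of a group that grants share access is much larger than its direct count, that group is the one whose nesting deserves a look.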

Shabarinath Ramadasan (Infrastructure Architect) commented:
I would recommend you try the Quest AD modules for PowerShell.

You can run the one liners to get what you want.

Good luck
pma111 (Author) commented:
Cheers T
Thomas WERNHER (Configuration Manager) commented:
Thanks for the rating.
Just by the way, I finished compiling my DB last weekend: 101,000+ entries...
but working fine :)