ADUC group members and numbers

Posted on 2011-05-04
Medium Priority
Last Modified: 2012-05-11
Can anyone detail how (if possible) to list all AD groups in a domain and the number of users per group, whether that be in Active Directory Users and Computers or elsewhere? Also, is there any tool/script to check all shares/ACLs in a domain for a specific group within an ACL?
Question by:pma111
LVL 11

Assisted Solution

Tasmant earned 300 total points
ID: 35689151
For your first query you can use AdFind from joeware (http://www.joeware.net/freetools/tools/adfind/index.htm).
Using these commands you can retrieve, for each group of your domain, the number of direct or indirect members:
- direct and indirect members (can be very slow):
for /F "tokens=*" %i in ('dsquery group -limit 0') do adfind -c -f "(&(memberof:1.2.840.113556.1.4.1941:=%~i))"
- direct members only:
for /F "tokens=*" %i in ('dsquery group -limit 0') do adfind -c -f "(&(memberof=%~i))"

For your second query, it is very difficult to retrieve this information. Personally I don't know.
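The same per-group count can be done from the ActiveDirectory module instead of AdFind, with the nested count evaluated server-side through the same LDAP_MATCHING_RULE_IN_CHAIN OID used in the adfind filter above. This is an added example, not code from any poster in this thread; it assumes RSAT with the ActiveDirectory module on a domain-joined host, and the output path is an arbitrary choice:

```powershell
# Added example: per-group member counts (direct, direct users, nested users) via the AD module.
# Assumes the ActiveDirectory module is installed; runs with ordinary domain-user read rights.
Import-Module ActiveDirectory

# Escape the characters that are special inside an LDAP filter value (RFC 4515),
# so a DN containing "(" or "\" cannot break or widen the filter.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Matching-rule OID for LDAP_MATCHING_RULE_IN_CHAIN (the one in Tasmant's adfind filter).
$InChain = '1.2.840.113556.1.4.1941'

$report = foreach ($g in Get-ADGroup -Filter * -Properties member) {
    $dn = ConvertTo-LdapFilterValue $g.DistinguishedName

    # Direct members of any class (users, groups, computers): the size of the member attribute.
    $direct = if ($g.member) { @($g.member).Count } else { 0 }

    # Direct members that are user objects only.
    $directUsers = @(Get-ADObject -LDAPFilter "(&(objectCategory=person)(objectClass=user)(memberOf=$($dn)))").Count

    # Users that are members through any depth of nesting. The DC walks the chain, so there is no
    # client-side recursion and no Get-ADGroupMember result-size limit; large groups are still slow.
    $nestedUsers = @(Get-ADObject -LDAPFilter "(&(objectCategory=person)(objectClass=user)(memberOf:$($InChain):=$($dn)))").Count

    New-Object PSObject -Property @{
        Group       = $g.SamAccountName
        Scope       = $g.GroupScope
        Direct      = $direct
        DirectUsers = $directUsers
        NestedUsers = $nestedUsers
    }
}

$report | Select-Object Group, Scope, Direct, DirectUsers, NestedUsers |
    Sort-Object NestedUsers -Descending | Format-Table -AutoSize
$report | Select-Object Group, Scope, Direct, DirectUsers, NestedUsers |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\group-counts.csv"
```

Two caveats when reading the numbers: membership held through primaryGroupID (the way most accounts belong to Domain Users) is not stored in the member attribute and is not matched by memberOf, so neither count includes it; and the nested count is what matters for access reviews, since a small Direct count can hide thousands of users reached through nested groups.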
LVL 21

Assisted Solution

snusgubben earned 300 total points
ID: 35690134
Here is a vbs that will list all groups, its members and user count.


Like Tasmant said, this one is a little more difficult.

You can use a tool like "srvcheck.exe" from the resource kit to check all shares on a specific server. Then you can do a little Excel magic with the output.


Expert Comment

by:Thomas WERNHER
ID: 35693962

I only work in PowerShell with the RSAT tools from MS, so I'm gonna give you some of the answers on this side...

First, you'll need to load the AD module: import-module activedirectory
This done, you'll be able to use the command get-adgroup to find out the groups (usually I use get-adgroup -filter * -properties *, something like that, and working on a domain with more than 4000 user items, it doesn't take so long to load all the users, so...)

You can also use the command get-adgroupmember to find out more about the members of the group you're looking for.

For the ACLs on shares, you can use get-wmiobject -class win32_logicalsecuritydescriptor -computer <server name here> to list the logical security descriptors used, then create a DACL object and then use it to find out the ACL you're looking for. I'll post more about it tomorrow because I left my script for that at work.

So, the script would go something like this :

get-adgroup -filter * | foreach {
     # foreach group in the whole groups of your AD, you'll take its name, or CN, or DN depending on
     # what will be in use in the identity part of the get-adgroupmember
     $gpname = $_.distinguishedname   # (or use the name or canonical name)
     # to count the number of users in a group, you apply the command get-adgroupmember that
     # you use to find on the group with the identity you want, and you use on that the method count to
     # count the number of objects returned (wrapped in @() so a group with a single member still counts as 1)
     $count = @(get-adgroupmember -identity $gpname).count
     write-host "$gpname : $count"
     # and after that you work the tricky part for the acls on the shares by using
     # get-wmiobject -class win32_logicalsharesecuritysetting -computername <your srv name here>
     # you find out about the acls: i'll post that later
}

That's the overarching concept of what I'd use to make it.
But I'm doing it without being able to test it till tomorrow. I need to make a script like that at work so I'll be posting the advancement tomorrow with further explanations.

good night (here it's 11pm :)  



LVL 14

Expert Comment

by:Shabarinath Ramadasan
ID: 35695111
I would recommend you try the Quest AD modules for PowerShell.

You can run the one liners to get what you want.

Good luck

Author Comment

ID: 35696487
Cheers T

Accepted Solution

Thomas WERNHER earned 400 total points
ID: 35709590
Hi guys !

So, as at work I had to do it in order to map all the access permissions, here's a little taste of a script I developed yesterday morning to find out all the permissions on the shared folders.

So, to answer the first part of your question, about the groups, you could go two ways: AD or get-wmiobject.

Here's how I found all the groups I had (maybe cross-check with the help to make sure a parameter isn't missing, because I'm doing it from my poor memory):
with RSAT AD stuff: $gps = get-adgroup -filter *
with wmiobjects: $gps = get-wmiobject -class "Win32_Group"

But here is the thing:
I needed to map my file server, which has something like 3800 shares with lots of permissions set at the user level instead of being managed with groups.
So I made a script to tell me who has permissions on what shared folder by giving me the type of the account (Win32_Account or Win32_Group), the samaccountname of the user or group, its full name, the name of the share and the type of permission (read, change, fullcontrol).

I got a first DB with 7000 entries which I needed to process a little more, because for each group found in the permissions I went and took the members of this group.
Thus I mapped 10000 more entries.
I finally got, in a few hours, my map of 17000 entries which I'll need to process now.

Here is the script with comments (first part only, because the post-processing on the groups, well, I forgot to take it, but I can post it tomorrow if you want).

# first we set up the date for the logs
$day = (get-date).day
$month = (get-date).month
$date = "$day-$month"

# i define which is the active node of the cluster of my file server
$servers = Get-WmiObject -class win32_share -computername "<your fs name here>" | foreach { $_.__SERVER }
# i can then retrieve the true name of the filesrv (one entry per node name)
$srvs = $servers | sort-object -unique

# i retrieve all the accounts with wmiobject (AD and local accounts)
$comptes = get-wmiobject -class win32_account
# i export them
$comptes | export-csv -delimiter ";" -path "c:\listcomptes.csv" -notypeinformation

# the DB of access entries, exported once at the end instead of one add-content per entry
$db = @()

# this is tricky. I couldn't get the logical security descriptor of the shares on the cluster, but instead, i have to retrieve them from the active node of my cluster.
foreach ($srv in $srvs) {
    $sharesec = get-wmiobject -class win32_logicalsharesecuritysetting -computername $srv

    # i then get my acls from each share
    $sharesec | foreach {
        $acls = $_.getsecuritydescriptor().descriptor.dacl
        $sharename = $_.name
        write-host "acces pour le share $sharename"
        # foreach entry in the acl, i go through my routine to collect datas
        foreach ($acl in $acls) {
            $ace = "" | select user,accessmask,share,username,typecompte
            $ace.user = $acl.trustee.name
            # share permission masks: full control, change, read; anything else is kept as the raw number
            switch ($acl.accessmask) {
                2032127 { $am = "fullcontrol" }
                1245631 { $am = "change" }
                1179817 { $am = "read" }
                default { $am = $acl.accessmask }
            }
            $ace.accessmask = $am
            $ace.share = $sharename
            # look up the account once, then take its full name and its wmi class (win32_useraccount or win32_group)
            $compte = $comptes | where-object { $_.name -eq $ace.user } | select-object -first 1
            $ace.username = $compte.fullname
            $ace.typecompte = $compte.__CLASS
            $db += $ace
        }
    }
}

# i save the DB
$db | export-csv -delimiter ";" -path "c:\db$date.csv" -notypeinformation

Here we go, working fine :)
4 hours and a half later for this part of the script. 2 hours later for the post-processing of the groups contained (done on 416 groups, some of which were extensive with a few thousand entries in them...)

hope it helps
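The script above maps every share-level ACE to an account; the second half of the original question was the reverse lookup, which shares grant a particular group access. The following is an added example, not part of Thomas's script or any other post here. It assumes the ActiveDirectory module, WMI access to the file servers and read access to the share roots; the group name and server names are placeholders. It matches on the group's SID instead of the trustee display name, records deny entries, and also reads the NTFS ACL on the share root, because the effective permission is the intersection of the share and NTFS rights:

```powershell
# Added example: which shares (share-level and NTFS root) name a given AD group in their ACL.
Import-Module ActiveDirectory

$GroupName = 'Finance-RO'            # placeholder sAMAccountName of the group under review
$Servers   = @('FS01', 'FS02')       # placeholder file server names

# Match on the group's SID rather than its name, so renames and look-alike names cannot hide a grant.
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value

# Share-level AccessMask values as decoded in the thread's script, with a hex fallback for anything else.
function ConvertTo-ShareRight {
    param([int]$Mask)
    switch ($Mask) {
        2032127 { 'FullControl' }
        1245631 { 'Change' }
        1179817 { 'Read' }
        default { '0x{0:X}' -f $Mask }
    }
}

function New-Finding {
    param($Server, $Share, $Level, $Type, $Right)
    New-Object PSObject -Property @{ Server = $Server; Share = $Share; Level = $Level; Type = $Type; Right = $Right }
}

$findings = foreach ($srv in $Servers) {
    $settings = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $srv -ErrorAction SilentlyContinue
    foreach ($s in $settings) {
        $sd = $s.GetSecurityDescriptor()
        if ($sd.ReturnValue -ne 0 -or -not $sd.Descriptor.DACL) { continue }

        # Share-level DACL. AceType 1 is a deny entry; keep it, a share-level deny overrides NTFS allows.
        foreach ($ace in $sd.Descriptor.DACL) {
            if ($ace.Trustee.SIDString -eq $groupSid) {
                $type = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
                New-Finding $srv $s.Name 'Share' $type (ConvertTo-ShareRight $ace.AccessMask)
            }
        }

        # NTFS ACL on the share root. Only the root is checked here; deeper folders may differ.
        $acl = Get-Acl -Path "\\$srv\$($s.Name)" -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($rule in $acl.Access) {
            try { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }   # orphaned or untranslatable identity: skip it
            if ($sid -eq $groupSid) {
                New-Finding $srv $s.Name 'NTFS' $rule.AccessControlType.ToString() $rule.FileSystemRights.ToString()
            }
        }
    }
}

$findings | Select-Object Server, Share, Level, Type, Right | Sort-Object Server, Share | Format-Table -AutoSize
```

A share that only shows up at the NTFS level is still reachable if the share-level ACL grants a broader principal such as Everyone or Authenticated Users, so for a full review run the same loop once more with the SIDs of those well-known groups (S-1-1-0 and S-1-5-11) and compare the two result sets.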


Expert Comment

by:Thomas WERNHER
ID: 35759860
Thanks for the rating.
Just by the way, I finished last weekend compiling my db: 101,000+ entries...
but working fine :)
