Solved

Get Active Directory Group Membership Including Active users and Security Groups Powreshell

Posted on 2013-12-10
11
934 Views
Last Modified: 2013-12-18
I'm presently running the following command to get group membership of enabled user accounts, however it does not include other security groups that may be a member of that group, how can I have that included in this command:

Get-ADUser -LdapFilter "(&(!useraccountcontrol:1.2.840.113556.1.4.803:=2)(objectCategory=user,groups)(memberof=$(Get-ADGroup "Support Staff")))" | Select-Object Name,SamAccountName |Sort-Object samaccountname
0
Comment
Question by:fireguy1125
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3
  • 2
11 Comments
 
LVL 9

Expert Comment

by:Sean
ID: 39709982
dsquery group -samid "GroupName" | dsget group -members

This will show you all the users and groups.
0
 
LVL 1

Author Comment

by:fireguy1125
ID: 39709985
but that includes disabled users as well i need to only show active users which is why i'm using the Get-ADUser command with the Ldapfilter
0
 
LVL 9

Expert Comment

by:Sean
ID: 39710010
Is there any reason there are disabled users part of the group still? I would take disabled users out of the groups (if you need to keep them) otherwise just remove the user's AD account. Keep AD clean that way.

I also found this:
i have not tried it but it sounds like what you want to do
http://gallery.technet.microsoft.com/scriptcenter/Get-nested-group-15f725f2
0
IoT Devices - Fast, Cheap or Secure…Pick Two

The IoT market is growing at a rapid pace and manufacturers are under pressure to quickly provide new products. Can you be sure that your devices do what they're supposed to do, while still being secure?

 
LVL 1

Author Comment

by:fireguy1125
ID: 39710022
unfortunately removing disabled users is not an option for me, otherwise i would have done that :)
0
 
LVL 1

Author Comment

by:fireguy1125
ID: 39710039
Unfortunately the link you provided and ADNestedGroupMembers also does not work
0
 
LVL 40

Expert Comment

by:footech
ID: 39711630
This isn't the best, but it will give you all the groups the user is a member of.  There can be duplicates with nested groups depending on membership.
function Get-NestedGroup ($identity)
{
    $identity | ForEach `
    {
        $id = $_.samaccountname
        Get-ADPrincipalGroupMembership $id | 
          Where {$_.GroupCategory -eq "Security"} | ForEach `
        {
            Write-Output "......$($_.name)"
            If ($_.samaccountname -ne $id)
            { Get-NestedGroup $_ }
        }
    }
}

Get-ADUser -Filter {enabled -eq $true} | ForEach `
{
    Write-Output "$($_.samaccountname)" #user
    Get-NestedGroup $_
    Write-Output "----"
}

Open in new window

0
 
LVL 1

Author Comment

by:fireguy1125
ID: 39714916
Thanks, this is a useful script, but not for my purposes, I need it done backwards, where I input a group name specifically such as Account Operators, and it lists the active users and any security groups of that group.
0
 
LVL 40

Expert Comment

by:footech
ID: 39715088
OK, I'm totally confused by what you're looking for then.
What is it that you need that Get-ADGroupMember doesn't do for you besides filtering out disabled users?
Are you wanting to list the security groups that are members of the group being queried as well as members of those groups?  And what about members and groups that are in those groups?  This gets pretty messy to describe.

Could you post an example of what you're looking for?
0
 
LVL 1

Author Comment

by:fireguy1125
ID: 39724974
Basically if I right click a security group in ADU&C, such as Account Operators, it will show me all AD users that are a member of that group, as well as any other Security Groups that are a member of that group, such as Help Desk. I wish to accomplish this using a query so I can export to csv or take a screenshot of the powershell window with all the members.  This is for compliance purposes.  I also want to exclude any disabled users that may appear.
0
 
LVL 40

Accepted Solution

by:
footech earned 500 total points
ID: 39725531
OK, so your answer to the question "What is it that you need that Get-ADGroupMember doesn't do for you besides filtering out disabled users?", is "nothing".

This will give you the same list that you get from Get-ADGroupMember (or from looking at the Members tab in ADUC), while filtering out the disabled users.
Get-ADGroupMember administrators | ForEach `
{
    If ($_.objectclass -eq "group")
    { $_ }
    ElseIf ($_.objectclass -eq "user")
    {
        Get-ADUser -filter {enabled -eq $true -and samaccountname -eq $_.samaccountname}
    }
} | Select samaccountname

Open in new window

0
 
LVL 1

Author Closing Comment

by:fireguy1125
ID: 39727227
Perfect, thanks!
0

Featured Post

What, When and Where - Security Threats from Q1

Join Corey Nachreiner, CTO, and Marc Laliberte, Information Security Threat Analyst, on July 26th as they explore their key findings from the first quarter of 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question