fireguy1125
asked on
Get Active Directory Group Membership Including Active users and Security Groups PowerShell
I'm presently running the following command to get group membership of enabled user accounts, however it does not include other security groups that may be a member of that group, how can I have that included in this command:
Get-ADUser -LdapFilter "(&(!useraccountcontrol:1.2.840.113556.1.4.803:=2)(objectCategory=user,groups)(memberof=$(Get-ADGroup "Support Staff")))" | Select-Object Name,SamAccountName | Sort-Object samaccountname
ASKER
But that includes disabled users as well. I need to only show active users, which is why I'm using the Get-ADUser command with the LdapFilter.
Is there any reason there are disabled users part of the group still? I would take disabled users out of the groups (if you need to keep them) otherwise just remove the user's AD account. Keep AD clean that way.
I also found this:
I have not tried it, but it sounds like what you want to do.
http://gallery.technet.microsoft.com/scriptcenter/Get-nested-group-15f725f2
ASKER
Unfortunately, removing disabled users is not an option for me, otherwise I would have done that :)
ASKER
Unfortunately, the link you provided and ADNestedGroupMembers also do not work.
This isn't the best, but it will give you all the groups the user is a member of. There can be duplicates with nested groups depending on membership.
function Get-NestedGroup ($identity)
{
    # For each principal passed in, list the security groups it belongs to
    $identity | ForEach `
    {
        $id = $_.samaccountname
        Get-ADPrincipalGroupMembership $id |
        Where {$_.GroupCategory -eq "Security"} | ForEach `
        {
            Write-Output "......$($_.name)"
            # Recurse into the parent group to pick up nested membership
            If ($_.samaccountname -ne $id)
            { Get-NestedGroup $_ }
        }
    }
}
# List every enabled user, followed by the groups found for that user
Get-ADUser -Filter {enabled -eq $true} | ForEach `
{
    Write-Output "$($_.samaccountname)" #user
    Get-NestedGroup $_
    Write-Output "----"
}
ASKER
Thanks, this is a useful script, but not for my purposes, I need it done backwards, where I input a group name specifically such as Account Operators, and it lists the active users and any security groups of that group.
OK, I'm totally confused by what you're looking for then.
What is it that you need that Get-ADGroupMember doesn't do for you besides filtering out disabled users?
Are you wanting to list the security groups that are members of the group being queried as well as members of those groups? And what about members and groups that are in those groups? This gets pretty messy to describe.
Could you post an example of what you're looking for?
ASKER
Basically if I right click a security group in ADU&C, such as Account Operators, it will show me all AD users that are a member of that group, as well as any other Security Groups that are a member of that group, such as Help Desk. I wish to accomplish this using a query so I can export to csv or take a screenshot of the powershell window with all the members. This is for compliance purposes. I also want to exclude any disabled users that may appear.
ASKER CERTIFIED SOLUTION
ASKER
Perfect, thanks!
This will show you all the users and groups.
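One way to produce the listing the asker describes (direct members of a named group that are either enabled users or security groups), as an added example; it is not the accepted solution or any poster's code. The function name `Get-EnabledGroupMember` and the CSV path are hypothetical, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example. Get-EnabledGroupMember is a hypothetical name.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-EnabledGroupMember {
    param(
        [Parameter(Mandatory)]
        [string]$GroupName
    )

    # Resolve the group to its distinguished name for the memberOf test.
    $dn = (Get-ADGroup -Identity $GroupName).DistinguishedName

    # Escape characters that are special inside an LDAP filter value
    # (RFC 4515), backslash first. A DN such as "CN=Ops (Tier 1),..."
    # would otherwise produce a malformed filter.
    $dn = $dn -replace '\\', '\5c' -replace '\*', '\2a' `
              -replace '\(', '\28' -replace '\)', '\29'

    $bitAnd = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND

    # Enabled users: user objects whose userAccountControl does not have
    # ACCOUNTDISABLE (2) set. objectCategory=person keeps computers out.
    $users  = "(&(objectCategory=person)(objectClass=user)" +
              "(!(userAccountControl:${bitAnd}:=2)))"

    # Security groups: groupType has the security-enabled bit (0x80000000).
    $groups = "(&(objectCategory=group)(groupType:${bitAnd}:=2147483648))"

    # Direct members of the group that match either branch.
    $filter = "(&(memberOf=$dn)(|$users$groups))"

    Get-ADObject -LDAPFilter $filter -Properties sAMAccountName |
        Select-Object ObjectClass, Name, sAMAccountName |
        Sort-Object ObjectClass, sAMAccountName
}

# Usage with the group name from the question; the CSV path is a placeholder.
Get-EnabledGroupMember -GroupName 'Support Staff' |
    Export-Csv -Path .\SupportStaff-members.csv -NoTypeInformation
```

The `memberOf` attribute does not reflect primary-group membership, so accounts whose primary group is the queried group (typically Domain Users) are not returned by this filter.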