Solved

Powershell - Pulling nested group members

Posted on 2013-12-17
6
1,613 Views
Last Modified: 2014-01-06
Hi EE

Can someone help me modify this script so it also pulls the nested group members ?

If I enter a group in the groups.txt file that also has nested groups , it does not pull those members into the output file .

Import-Module Activedirectory
[array]$Members=$null
GC groups.txt | % {
$Group = Get-ADGroup $_  -ErrorAction SilentlyContinue
If ($Group){
$members += Get-ADGroup $Group.Name -Properties Members |
            Select-Object -ExpandProperty Members |
            Get-ADObject -properties Samaccountname |
            ?{$_.ObjectClass -eq "user"}  | Get-aduser -Properties * |
      Select @{L='GroupName';e={$Group.Name}},Name,Samaccountname,CanonicalName
 }
}
$Members | Select * | Export-Csv Members.csv -NoTypeInformation
0
Comment
Question by:MilesLogan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 40

Expert Comment

by:footech
ID: 39725498
Get-ADGroupMember has a -recursive parameter which makes this easy.
Get-Content groups.txt | ForEach `
{
    $group = Get-ADGroup $_ -ErrorAction SilentlyContinue | Select -ExpandProperty Name
    If ($Group)
    {
        Get-ADGroupMember $group -Recursive |
         Get-ADUser -Properties canonicalname | 
         Select @{n="GroupName";e={$group}},Name,Samaccountname,Canonicalname
    }
} | Export-Csv Members.csv -NoTypeInformation

Open in new window

If you didn't need the CanonicalName, you wouldn't even need to pipe to Get-ADUser.
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39725512
Hi footech .. thank you .. it worked on a small group but not on a group with more then 5k users .. can this be tweaked so I can ?
0
 
LVL 40

Expert Comment

by:footech
ID: 39725563
It's not actually a problem with the script, but with limits that AD Web Services has.  See about the "MaxGroupOrMemberEntries" parameter in this link
http://technet.microsoft.com/en-us/library/dd391908%28WS.10%29.aspx

You can try changing the parameter so it works.
You could also the following substitutes [adsisearcher] type accelerator for the Get-ADGroupMember cmdlet, but I wouldn't be able to test how it works with >5K members.
Get-Content groups.txt | ForEach `
{
    $group = Get-ADGroup $_ -ErrorAction SilentlyContinue | Select -ExpandProperty Name
    If ($Group)
    {
        ([ADSISearcher]"(&(ObjectClass=Group)(samaccountname=$group))").FindOne() |
         % {$_.Properties.member} |
         Get-ADUser -Properties canonicalname | 
         Select @{n="GroupName";e={$group}},Name,Samaccountname,Canonicalname
    }
} | Export-Csv Members.csv -NoTypeInformation

Open in new window


EDIT: found a problem with the code, so don't bother with it.  I'll see if I can correct it.
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 40

Accepted Solution

by:
footech earned 500 total points
ID: 39725607
Can't say I really like what I've come up with, but it appears to work.  From an efficiency standpoint I think there are too many queries to AD.  It may be possible to optimize it more, but by far my preferred route would be to change the AD WS parameter.
function groupmember ($group)
{
    $groupname = Get-ADGroup $group | Select -expand Name
    ([ADSISearcher]"(&(ObjectClass=Group)(samaccountname=$groupname))").FindOne() |
     % {$_.Properties.member} |
     Get-ADobject | % `
    {
        If ($_.objectclass -eq "group")
        { groupmember $_ }
        Else
        { $_ }
    }
}
Get-Content groups.txt | ForEach `
{
    $group = Get-ADGroup $_ -ErrorAction SilentlyContinue | Select -ExpandProperty Name
    If ($Group)
    {
        groupmember $group |
         Get-ADUser -Properties canonicalname |
         Select @{n="GroupName";e={$group}},Name,Samaccountname,Canonicalname
    }
} | Export-Csv Members.csv -NoTypeInformation

Open in new window

0
 
LVL 40

Expert Comment

by:Subsun
ID: 39726408
Probably need  to add Select * -Unique to get the unique members..
0
 
LVL 2

Author Closing Comment

by:MilesLogan
ID: 39760882
thanks footech ! sorry for the late closing on this .. Holidays and Flu caught up ..
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question