Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Powershell - Pulling nested group members

Posted on 2013-12-17
6
Medium Priority
?
1,645 Views
Last Modified: 2014-01-06
Hi EE

Can someone help me modify this script so it also pulls the nested group members ?

If I enter a group in the groups.txt file that also has nested groups , it does not pull those members into the output file .

Import-Module Activedirectory
[array]$Members=$null
GC groups.txt | % {
$Group = Get-ADGroup $_  -ErrorAction SilentlyContinue
If ($Group){
$members += Get-ADGroup $Group.Name -Properties Members |
            Select-Object -ExpandProperty Members |
            Get-ADObject -properties Samaccountname |
            ?{$_.ObjectClass -eq "user"}  | Get-aduser -Properties * |
      Select @{L='GroupName';e={$Group.Name}},Name,Samaccountname,CanonicalName
 }
}
$Members | Select * | Export-Csv Members.csv -NoTypeInformation
0
Comment
Question by:MilesLogan
  • 3
  • 2
6 Comments
 
LVL 41

Expert Comment

by:footech
ID: 39725498
Get-ADGroupMember has a -recursive parameter which makes this easy.
Get-Content groups.txt | ForEach `
{
    $group = Get-ADGroup $_ -ErrorAction SilentlyContinue | Select -ExpandProperty Name
    If ($Group)
    {
        Get-ADGroupMember $group -Recursive |
         Get-ADUser -Properties canonicalname | 
         Select @{n="GroupName";e={$group}},Name,Samaccountname,Canonicalname
    }
} | Export-Csv Members.csv -NoTypeInformation

Open in new window

If you didn't need the CanonicalName, you wouldn't even need to pipe to Get-ADUser.
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39725512
Hi footech .. thank you .. it worked on a small group but not on a group with more then 5k users .. can this be tweaked so I can ?
0
 
LVL 41

Expert Comment

by:footech
ID: 39725563
It's not actually a problem with the script, but with limits that AD Web Services has.  See about the "MaxGroupOrMemberEntries" parameter in this link
http://technet.microsoft.com/en-us/library/dd391908%28WS.10%29.aspx

You can try changing the parameter so it works.
You could also the following substitutes [adsisearcher] type accelerator for the Get-ADGroupMember cmdlet, but I wouldn't be able to test how it works with >5K members.
Get-Content groups.txt | ForEach `
{
    $group = Get-ADGroup $_ -ErrorAction SilentlyContinue | Select -ExpandProperty Name
    If ($Group)
    {
        ([ADSISearcher]"(&(ObjectClass=Group)(samaccountname=$group))").FindOne() |
         % {$_.Properties.member} |
         Get-ADUser -Properties canonicalname | 
         Select @{n="GroupName";e={$group}},Name,Samaccountname,Canonicalname
    }
} | Export-Csv Members.csv -NoTypeInformation

Open in new window


EDIT: found a problem with the code, so don't bother with it.  I'll see if I can correct it.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 41

Accepted Solution

by:
footech earned 2000 total points
ID: 39725607
Can't say I really like what I've come up with, but it appears to work.  From an efficiency standpoint I think there are too many queries to AD.  It may be possible to optimize it more, but by far my preferred route would be to change the AD WS parameter.
function groupmember ($group)
{
    $groupname = Get-ADGroup $group | Select -expand Name
    ([ADSISearcher]"(&(ObjectClass=Group)(samaccountname=$groupname))").FindOne() |
     % {$_.Properties.member} |
     Get-ADobject | % `
    {
        If ($_.objectclass -eq "group")
        { groupmember $_ }
        Else
        { $_ }
    }
}
Get-Content groups.txt | ForEach `
{
    $group = Get-ADGroup $_ -ErrorAction SilentlyContinue | Select -ExpandProperty Name
    If ($Group)
    {
        groupmember $group |
         Get-ADUser -Properties canonicalname |
         Select @{n="GroupName";e={$group}},Name,Samaccountname,Canonicalname
    }
} | Export-Csv Members.csv -NoTypeInformation

Open in new window

0
 
LVL 40

Expert Comment

by:Subsun
ID: 39726408
Probably need  to add Select * -Unique to get the unique members..
0
 
LVL 2

Author Closing Comment

by:MilesLogan
ID: 39760882
thanks footech ! sorry for the late closing on this .. Holidays and Flu caught up ..
0

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question