• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1683
  • Last Modified:

Powershell - Pulling nested group members

Hi EE

Can someone help me modify this script so it also pulls the nested group members ?

If I enter a group in the groups.txt file that also has nested groups , it does not pull those members into the output file .

Import-Module Activedirectory
[array]$Members=$null
GC groups.txt | % {
$Group = Get-ADGroup $_  -ErrorAction SilentlyContinue
If ($Group){
$members += Get-ADGroup $Group.Name -Properties Members |
            Select-Object -ExpandProperty Members |
            Get-ADObject -properties Samaccountname |
            ?{$_.ObjectClass -eq "user"}  | Get-aduser -Properties * |
      Select @{L='GroupName';e={$Group.Name}},Name,Samaccountname,CanonicalName
 }
}
$Members | Select * | Export-Csv Members.csv -NoTypeInformation
0
MilesLogan
Asked:
MilesLogan
  • 3
  • 2
1 Solution
 
footechCommented:
Get-ADGroupMember has a -recursive parameter which makes this easy.
Get-Content groups.txt | ForEach `
{
    $group = Get-ADGroup $_ -ErrorAction SilentlyContinue | Select -ExpandProperty Name
    If ($Group)
    {
        Get-ADGroupMember $group -Recursive |
         Get-ADUser -Properties canonicalname | 
         Select @{n="GroupName";e={$group}},Name,Samaccountname,Canonicalname
    }
} | Export-Csv Members.csv -NoTypeInformation

Open in new window

If you didn't need the CanonicalName, you wouldn't even need to pipe to Get-ADUser.
0
 
MilesLoganAuthor Commented:
Hi footech .. thank you .. it worked on a small group but not on a group with more then 5k users .. can this be tweaked so I can ?
0
 
footechCommented:
It's not actually a problem with the script, but with limits that AD Web Services has.  See about the "MaxGroupOrMemberEntries" parameter in this link
http://technet.microsoft.com/en-us/library/dd391908%28WS.10%29.aspx

You can try changing the parameter so it works.
You could also the following substitutes [adsisearcher] type accelerator for the Get-ADGroupMember cmdlet, but I wouldn't be able to test how it works with >5K members.
Get-Content groups.txt | ForEach `
{
    $group = Get-ADGroup $_ -ErrorAction SilentlyContinue | Select -ExpandProperty Name
    If ($Group)
    {
        ([ADSISearcher]"(&(ObjectClass=Group)(samaccountname=$group))").FindOne() |
         % {$_.Properties.member} |
         Get-ADUser -Properties canonicalname | 
         Select @{n="GroupName";e={$group}},Name,Samaccountname,Canonicalname
    }
} | Export-Csv Members.csv -NoTypeInformation

Open in new window


EDIT: found a problem with the code, so don't bother with it.  I'll see if I can correct it.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
footechCommented:
Can't say I really like what I've come up with, but it appears to work.  From an efficiency standpoint I think there are too many queries to AD.  It may be possible to optimize it more, but by far my preferred route would be to change the AD WS parameter.
function groupmember ($group)
{
    $groupname = Get-ADGroup $group | Select -expand Name
    ([ADSISearcher]"(&(ObjectClass=Group)(samaccountname=$groupname))").FindOne() |
     % {$_.Properties.member} |
     Get-ADobject | % `
    {
        If ($_.objectclass -eq "group")
        { groupmember $_ }
        Else
        { $_ }
    }
}
Get-Content groups.txt | ForEach `
{
    $group = Get-ADGroup $_ -ErrorAction SilentlyContinue | Select -ExpandProperty Name
    If ($Group)
    {
        groupmember $group |
         Get-ADUser -Properties canonicalname |
         Select @{n="GroupName";e={$group}},Name,Samaccountname,Canonicalname
    }
} | Export-Csv Members.csv -NoTypeInformation

Open in new window

0
 
SubsunCommented:
Probably need  to add Select * -Unique to get the unique members..
0
 
MilesLoganAuthor Commented:
thanks footech ! sorry for the late closing on this .. Holidays and Flu caught up ..
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now