Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Powershell - Getting groups members from nested groups.

Posted on 2014-02-28
16
Medium Priority
?
4,336 Views
Last Modified: 2014-03-10
Hi EE

I have the script below that pulls all the groups members , including nested groups.. but the output file does not show the name of the nested group name ..

can someone help me change this or have any other way ?


function groupmember ($group)
{
    $groupname = Get-ADGroup $group | Select -expand Name
    ([ADSISearcher]"(&(ObjectClass=Group)(samaccountname=$groupname))").FindOne() |
     % {$_.Properties.member} |
     Get-ADobject | % `
    {
        If ($_.objectclass -eq "group")
        { groupmember $_ }
        Else
        { $_ }
    }
}
Get-Content groups.txt | ForEach `
{
    $group = Get-ADGroup $_ -ErrorAction SilentlyContinue | Select -ExpandProperty Name
    If ($Group)
    {
        groupmember $group |
         Get-ADUser -Properties canonicalname |
         Select @{n="GroupName";e={$group}},Name,Samaccountname,Canonicalname
    }
} | Export-Csv Members.csv -NoTypeInformation
0
Comment
Question by:MilesLogan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 7
16 Comments
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39896552
Select @{n="GroupName";e={$group.name}} should work.....

$group should give you blank info......
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39896581
Hi Justin
I modified that line and it actually removed the group name , the data now did not show even show the group name .
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39896638
From what I see, you have a txt file of the group name already, the script could be a lot simply without doing any function at all

Are you have this in multiple domain environment?
0
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

 
LVL 2

Author Comment

by:MilesLogan
ID: 39896641
Its a single domain domain..
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39896652
$Contents = Get-Content -path "your path"
Foreach ($Content in $Contents)
{
$Groups = get-adgroup $_
foreach ($Group in $Groups)
{
get-adgroupmember $group.name -properties * | Select-object @{n="GroupName";e={$group.name}},Name,Samaccountname,Canonicalname | out-file "path" -append
}
}
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39896665
Hi Justin

I added one group to the groups.txt file and modified your script to :

$Contents = Get-Content -path "E:\projects\Test\groups.txt"
Foreach ($Content in $Contents)
{
$Groups = get-adgroup $_
foreach ($Group in $Groups)
{
get-adgroupmember $group.name -properties * | Select-object @{n="GroupName";e={$group.name}},Name,Samaccountname,Canonicalname | out-file "E:\projects\Test\data.csv" -append
}
}


and I received the error below .


PS E:\Projects\Test> .\Jtest.ps1
Get-ADGroup : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try the command again.
At E:\Projects\Test\Jtest.ps1:4 char:23
+ $Groups = get-adgroup $_
+                       ~~
    + CategoryInfo          : InvalidData: (:) [Get-ADGroup], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADGroup
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39896702
change $_ to $content
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39896724
Changed it to this:
$Contents = Get-Content -path "E:\projects\Test\groups.txt"
Foreach ($Content in $Contents)
{
$Groups = get-adgroup $Content
foreach ($Group in $Groups)
{
get-adgroupmember $Group.name -properties * | Select-object @{n="GroupName";e={$Group.name}},Name,Samaccountname,Canonicalname | out-file "E:\projects\Test\data.csv" -append
}
}

Received this error:
PS E:\Projects\Test> .\Jtest.ps1
Get-ADGroupMember : A parameter cannot be found that matches parameter name 'properties'.
At E:\Projects\Test\Jtest.ps1:7 char:31
+ get-adgroupmember $Group.name -properties * | Select-object @{n="GroupName";e={$ ...
+                               ~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-ADGroupMember], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39896726
$Contents = Get-Content -path "E:\projects\Test\groups.txt"
Foreach ($Content in $Contents)
{
$Groups = get-adgroup $content
foreach ($Group in $Groups)
{
$users = get-adgroupmember $group.name
foreach ($user in $users)
{
get-aduser -id $users.samaccoutname -properties * | Select-object @{name="GroupName";expression={$group.name}},Name,Samaccountname,Canonicalname | out-file "E:\projects\Test\data.csv" -append
}
}
}
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39896744
I appreciate you trying .. I received the error below now .

PS E:\Projects\Test> .\Jtest.ps1
Get-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try the command again.
At E:\Projects\Test\Jtest.ps1:10 char:16
+ get-aduser -id $users.samaccoutname -properties * | Select-object @{name="GroupN ...
+                ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-ADUser], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADUser
 
Get-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try the command again.
At E:\Projects\Test\Jtest.ps1:10 char:16
+ get-aduser -id $users.samaccoutname -properties * | Select-object @{name="GroupN ...
+                ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-ADUser], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADUser
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39900493
get-aduser -id $user.samaccoutname -properties *

sorry mis typed $users............

it should be $user

and out-file needs to be a txt file for append
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39900715
actually have a chance to test it today........... here is the working script

$Contents = Get-Content -path "E:\projects\Test\groups.txt"
Foreach ($Content in $Contents)
{
$Groups = get-adgroup $content
foreach ($Group in $Groups)
{
$users = get-adgroupmember $group.name
foreach ($user in $users)
{
$userinfo = get-aduser -id $user.samaccountname -properties * | Select-object @{name="GroupName";expression={$group.name}},Name,Samaccountname,Canonicalname



$array = @()

$Properties = @{"Group Name"=$group.name;Name=$user.Name;SamAccountName=$user.samaccountname;"Canonical Name"=$userinfo.canonicalname}

$Newobject = New-Object  PSObject -Property  $Properties

$Array +=$Newobject

$outpath = "your csv path"

$Array | Select-Object "Group Name",Name,SamAccountName,"Canonical Name"| export-csv $outpath -Append


}
}
}
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39901371
it requires powershell 3.0 for CSV append.

no -append option for csv in 2.0
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39901868
Hi Justin .. I am using 3.0

If I run your script with one user it will output the user info .. if I add a group it will error with
get-aduser : Cannot find an object with identity: and the group that I nested ..

It happened with any group that I add .

if I run Get-ADGroupMember "Test_Group" -Recursive | select Name,SamAccountName
it does output all the members but does not give me the name of the group each are in ..
0
 
LVL 14

Accepted Solution

by:
Justin Yeung earned 2000 total points
ID: 39904107
this should work


function Get-GroupHierarchy ($searchGroup)
{
$groupMember = get-adgroupmember $searchGroup | sort-object objectClass -descending
   foreach ($member in $groupMember)
    {
if ($member.objectclass -eq "user")
{
$userinfo = get-aduser $member.samaccountname -Properties *
}
if ($member.objectclass -eq "group")
{
$groupinfo = get-adgroup $member}
$array = @()
$Properties = @{"Group Name"=$groupinfo.name;Name=$member.Name;SamAccountName=$member.samaccountname;"Canonical Name"=$Userinfo.canonicalname}
$Newobject = New-Object  PSObject -Property  $Properties
$Array +=$Newobject

$outpath = "E:\projects\Test\groups.csv"

$Array | Select-Object "Group Name",Name,SamAccountName,"Canonical Name" | export-csv $outpath -Append

    if ($member.ObjectClass -eq "group")
        {Get-GroupHierarchy $member.name}}
}



$Contents = Get-Content -Path "E:\projects\Test\groups.txt"
foreach ($Content in $Contents)
{
$txtgroups = get-adgroup $Content
foreach ($txtgroup in $txtgroups)
{
Get-GroupHierarchy $txtgroup.Name
}
}
0
 
LVL 2

Author Closing Comment

by:MilesLogan
ID: 39918166
Hi Justin .. sorry for the delay on this issue ... works madness ..

this worked !! thanks !!
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question