Solved

Powershell - Getting groups members from nested groups.

Posted on 2014-02-28
16
3,994 Views
Last Modified: 2014-03-10
Hi EE

I have the script below that pulls all the groups members , including nested groups.. but the output file does not show the name of the nested group name ..

can someone help me change this or have any other way ?


function groupmember ($group)
{
    $groupname = Get-ADGroup $group | Select -expand Name
    ([ADSISearcher]"(&(ObjectClass=Group)(samaccountname=$groupname))").FindOne() |
     % {$_.Properties.member} |
     Get-ADobject | % `
    {
        If ($_.objectclass -eq "group")
        { groupmember $_ }
        Else
        { $_ }
    }
}
Get-Content groups.txt | ForEach `
{
    $group = Get-ADGroup $_ -ErrorAction SilentlyContinue | Select -ExpandProperty Name
    If ($Group)
    {
        groupmember $group |
         Get-ADUser -Properties canonicalname |
         Select @{n="GroupName";e={$group}},Name,Samaccountname,Canonicalname
    }
} | Export-Csv Members.csv -NoTypeInformation
0
Comment
Question by:MilesLogan
  • 9
  • 7
16 Comments
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39896552
Select @{n="GroupName";e={$group.name}} should work.....

$group should give you blank info......
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39896581
Hi Justin
I modified that line and it actually removed the group name , the data now did not show even show the group name .
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39896638
From what I see, you have a txt file of the group name already, the script could be a lot simply without doing any function at all

Are you have this in multiple domain environment?
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39896641
Its a single domain domain..
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39896652
$Contents = Get-Content -path "your path"
Foreach ($Content in $Contents)
{
$Groups = get-adgroup $_
foreach ($Group in $Groups)
{
get-adgroupmember $group.name -properties * | Select-object @{n="GroupName";e={$group.name}},Name,Samaccountname,Canonicalname | out-file "path" -append
}
}
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39896665
Hi Justin

I added one group to the groups.txt file and modified your script to :

$Contents = Get-Content -path "E:\projects\Test\groups.txt"
Foreach ($Content in $Contents)
{
$Groups = get-adgroup $_
foreach ($Group in $Groups)
{
get-adgroupmember $group.name -properties * | Select-object @{n="GroupName";e={$group.name}},Name,Samaccountname,Canonicalname | out-file "E:\projects\Test\data.csv" -append
}
}


and I received the error below .


PS E:\Projects\Test> .\Jtest.ps1
Get-ADGroup : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try the command again.
At E:\Projects\Test\Jtest.ps1:4 char:23
+ $Groups = get-adgroup $_
+                       ~~
    + CategoryInfo          : InvalidData: (:) [Get-ADGroup], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADGroup
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39896702
change $_ to $content
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39896724
Changed it to this:
$Contents = Get-Content -path "E:\projects\Test\groups.txt"
Foreach ($Content in $Contents)
{
$Groups = get-adgroup $Content
foreach ($Group in $Groups)
{
get-adgroupmember $Group.name -properties * | Select-object @{n="GroupName";e={$Group.name}},Name,Samaccountname,Canonicalname | out-file "E:\projects\Test\data.csv" -append
}
}

Received this error:
PS E:\Projects\Test> .\Jtest.ps1
Get-ADGroupMember : A parameter cannot be found that matches parameter name 'properties'.
At E:\Projects\Test\Jtest.ps1:7 char:31
+ get-adgroupmember $Group.name -properties * | Select-object @{n="GroupName";e={$ ...
+                               ~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-ADGroupMember], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39896726
$Contents = Get-Content -path "E:\projects\Test\groups.txt"
Foreach ($Content in $Contents)
{
$Groups = get-adgroup $content
foreach ($Group in $Groups)
{
$users = get-adgroupmember $group.name
foreach ($user in $users)
{
get-aduser -id $users.samaccoutname -properties * | Select-object @{name="GroupName";expression={$group.name}},Name,Samaccountname,Canonicalname | out-file "E:\projects\Test\data.csv" -append
}
}
}
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39896744
I appreciate you trying .. I received the error below now .

PS E:\Projects\Test> .\Jtest.ps1
Get-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try the command again.
At E:\Projects\Test\Jtest.ps1:10 char:16
+ get-aduser -id $users.samaccoutname -properties * | Select-object @{name="GroupN ...
+                ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-ADUser], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADUser
 
Get-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try the command again.
At E:\Projects\Test\Jtest.ps1:10 char:16
+ get-aduser -id $users.samaccoutname -properties * | Select-object @{name="GroupN ...
+                ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-ADUser], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADUser
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39900493
get-aduser -id $user.samaccoutname -properties *

sorry mis typed $users............

it should be $user

and out-file needs to be a txt file for append
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39900715
actually have a chance to test it today........... here is the working script

$Contents = Get-Content -path "E:\projects\Test\groups.txt"
Foreach ($Content in $Contents)
{
$Groups = get-adgroup $content
foreach ($Group in $Groups)
{
$users = get-adgroupmember $group.name
foreach ($user in $users)
{
$userinfo = get-aduser -id $user.samaccountname -properties * | Select-object @{name="GroupName";expression={$group.name}},Name,Samaccountname,Canonicalname



$array = @()

$Properties = @{"Group Name"=$group.name;Name=$user.Name;SamAccountName=$user.samaccountname;"Canonical Name"=$userinfo.canonicalname}

$Newobject = New-Object  PSObject -Property  $Properties

$Array +=$Newobject

$outpath = "your csv path"

$Array | Select-Object "Group Name",Name,SamAccountName,"Canonical Name"| export-csv $outpath -Append


}
}
}
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39901371
it requires powershell 3.0 for CSV append.

no -append option for csv in 2.0
0
 
LVL 2

Author Comment

by:MilesLogan
ID: 39901868
Hi Justin .. I am using 3.0

If I run your script with one user it will output the user info .. if I add a group it will error with
get-aduser : Cannot find an object with identity: and the group that I nested ..

It happened with any group that I add .

if I run Get-ADGroupMember "Test_Group" -Recursive | select Name,SamAccountName
it does output all the members but does not give me the name of the group each are in ..
0
 
LVL 14

Accepted Solution

by:
Justin Yeung earned 500 total points
ID: 39904107
this should work


function Get-GroupHierarchy ($searchGroup)
{
$groupMember = get-adgroupmember $searchGroup | sort-object objectClass -descending
   foreach ($member in $groupMember)
    {
if ($member.objectclass -eq "user")
{
$userinfo = get-aduser $member.samaccountname -Properties *
}
if ($member.objectclass -eq "group")
{
$groupinfo = get-adgroup $member}
$array = @()
$Properties = @{"Group Name"=$groupinfo.name;Name=$member.Name;SamAccountName=$member.samaccountname;"Canonical Name"=$Userinfo.canonicalname}
$Newobject = New-Object  PSObject -Property  $Properties
$Array +=$Newobject

$outpath = "E:\projects\Test\groups.csv"

$Array | Select-Object "Group Name",Name,SamAccountName,"Canonical Name" | export-csv $outpath -Append

    if ($member.ObjectClass -eq "group")
        {Get-GroupHierarchy $member.name}}
}



$Contents = Get-Content -Path "E:\projects\Test\groups.txt"
foreach ($Content in $Contents)
{
$txtgroups = get-adgroup $Content
foreach ($txtgroup in $txtgroups)
{
Get-GroupHierarchy $txtgroup.Name
}
}
0
 
LVL 2

Author Closing Comment

by:MilesLogan
ID: 39918166
Hi Justin .. sorry for the delay on this issue ... works madness ..

this worked !! thanks !!
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

"Migrate" an SMTP relay receive connector to a new server using info from an old server.
This article will help you understand what HashTables are and how to use them in PowerShell.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now