I need to find groups which have been nested within groups.

Posted on 2014-10-03
Medium Priority
Last Modified: 2014-10-06

Been trawling the web and I've managed to find many useful scripts but not one to find what I need.

I need a script to be able to specify a domain and then export all the groups it finds that have been nested within other groups, not users. Just the groups.

Is there a simple solution to be able to achieve this?

Question by:tegenius
  • 2
  • 2
LVL 42

Expert Comment

ID: 40359864
For just the local domain, you can use this:
Get-ADGroup -filter * | Get-ADGroupMember | Where {$_.ObjectClass -eq "group"}

Open in new window

If you want to query a different server in another domain, you would likely have to add the -server parameter to the AD commands.  If you needed to use different credentials as well, I'd probably create a new PSDrive with the appropriate parameters, then change location into that (shown below) and then run the above code.
New-PSDrive -Name "trust" -PSProvider ActiveDirectory -Root "" -Credential (Get-Credential) -Server "dc01.temptrust.com"
cd trust:

Open in new window


Author Comment

ID: 40361564
Thanks for replying :) This just displays all the groups in the domain.

What I need is something that displays a tree of groups that have been added as members of other groups... i.e. below we can see group 3 is nested in group 1 and group 1 is nested in group 4.

Group 1
> Group 3
Group 2
Group 3
Group 4
> Group 1

LVL 42

Accepted Solution

footech earned 2000 total points
ID: 40361601
No, it doesn't show all groups in the domain.  You didn't specify that you need some special format.  Rather than a tree, here's another way of looking at it.
Get-ADGroup -filter * | % { $parent = $_.name; Get-ADGroupMember $_ | Where {$_.ObjectClass -eq "group"} | Select @{n="Parent";e={$parent}},Name }

Open in new window


Author Closing Comment

ID: 40363386
Perfect :) Just what I needed.

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Welcome to 2018! Exciting things lie ahead in the world of tech. To start things off, we compiled great member articles on how to stay safe, ways to learn, and much more! Read on to start your new year right.
The Windows Firewall provides an important layer of protection and a rich interface to configure it. Unfortunately, it lacks item level filtering. This article details my process of implementing firewall-as-code to reduce GPO bloat.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

619 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question