apollo7
asked on
Export Active Directory Members from a Group
We are using a Windows Server 2008 R2 Standard server.
I need to export Active Directory members from our Domain Users group. When I look at the Properties of this group and open the Members tab, it includes all the users I need to export. I have looked up PowerShell scripts that export the Members of a group but cannot get the scripts to work.
Is there a straightforward way to export the members of the Domain Users group?
Thanks
ASKER
I used the script you supplied and it returns a lot of users but not all. I ran the script to get the primary group token (results below) and tried switching in some of the attributes but get the same list of members. Can you tell me what I need to change?
Thanks for your help
DistinguishedName : CN=Domain Users,CN=Users,DC=ad51,DC=cob,DC=csc,DC=com
GroupCategory : Security
GroupScope : Global
Name : Domain Users
ObjectClass : group
ObjectGUID : d13ffc7e-773a-4df7-8836-bec51ca9dfde
primaryGroupToken : 513
SamAccountName : Domain Users
SID : S-1-5-21-838940963-3073529794-3685019904-513
Are there any users with a different primary group?
Get-ADUser -Filter { primaryGroupId -ne 513 }
If so, are they part of Domain Users by other means?
As it is, the search filter finds those with Domain Users as the primary group, and those who directly belong to Domain Users.
Either there's a bug in Get-ADUser, or they're rightfully excluded.
For a user who isn't appearing, can you run:
Get-ADUser -Identity username -Properties primaryGroupId, memberOf
Or inspect those attributes by other means.
ASKER
Thanks, ran the script for a non-appearing user and got the following. Can you tell me what this means?
Thanks
PS C:\Users\x-dtripp2> Get-ADUser -Identity x-amosley7 -Properties primaryGroupId, memberOf
DistinguishedName : CN=Adam Mosley,OU=Application support,OU=Accounts and Groups,DC=ad51,DC=cob,DC=csc,DC=com
Enabled : True
GivenName : Adam
MemberOf : {CN=Role-G-COBCDBNDC5101-Server-Admins,OU=Groups,OU=Security,OU=Accounts and Groups,DC=ad51,DC=cob,DC=csc,DC=com,
CN=Role-G-COBCAPNDC5104-Server-Admins,OU=Groups,OU=Security,OU=Accounts and Groups,DC=ad51,DC=cob,DC=csc,DC=com,
CN=Role-G-COBCAPNDC5103-Server-Admins,OU=Groups,OU=Security,OU=Accounts and Groups,DC=ad51,DC=cob,DC=csc,DC=com,
CN=Role-G-COBCAPNDC5102-Server-Admins,OU=Groups,OU=Security,OU=Accounts and Groups,DC=ad51,DC=cob,DC=csc,DC=com...}
Name : Adam Mosley
ObjectClass : user
ObjectGUID : d276876b-b7bf-4d42-a227-d913ff3407ed
primaryGroupId : 513
SamAccountName : x-amosley7
SID : S-1-5-21-838940963-3073529794-3685019904-1744
Surname : Mosley
UserPrincipalName : x-amosley7@ad51.cob.csc.com
Why not just use the following?
Get-ADGroupMember "domain users" -Recursive
ASKER
Thanks, tried the recursive script, that doesn't return some of the users I am looking for either
Odd, I've never seen that not return all members.
Have you identified anything in common about the users which don't show up for you?
heh see I didn't try that on the assumption that it only looked at member. Live and learn :)
Could try something aside from the MS AD module and see if it works / doesn't?
# Just because it's convenient
$dn = Get-ADGroup "Domain Users" | Select-Object -ExpandProperty DistinguishedName
[ADSISearcher]$searcher = "(&(objectClass=user)(objectCategory=person)(|(primaryGroupID=513)(memberOf=$dn)))"
$searcher.PageSize = 1000
$searcher.FindAll() | ForEach-Object { $_.Properties['name'] }
Where are you running the command?
I've gotten some incorrect/incomplete results before when running the AD cmdlets on a DC, while querying that same DC and/or running in a non-elevated session.
ASKER
Chris, your script returned a lot of users including the missing ones, this would be perfect if it can return the
ObjectClass
primaryGroupId
SamAccountName
UserPrincipalName
Thanks
ASKER CERTIFIED SOLUTION
ASKER
After the $searcher.FindAll() | ForEach-Object { line, it seems to jump out of PS and seems to think the rest of the commands are text
PS C:\> $searcher.FindAll() | ForEach-Object {
>> [PSCustomObject]@{
>> ObjectClass = $_.Properties['objectClass'][0]
>> PrimaryGroupID = $_.Properties['primaryGroupID'][0]
>> SamAccountName = $_.Properties['sAMAccountName'][0]
>> UserPrincipalName = $_.Properties['userPrincipalName'][0]
>> }
>>
That's fine. One more "}" and another return and it'll run.
ASKER
Thanks, that worked, brackets get me all the time :)
ASKER
Great response and learned a bit, too
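The export worked out in this thread, as an added example that is not code from any poster or from the hidden accepted solution: it combines the ADSI searcher filter posted above with the four attributes the asker requested and writes them to CSV. The output path DomainUsers.csv and the choice to report the last objectClass value are assumptions.

```powershell
# Added example: export Domain Users members with the four requested attributes.
# The ActiveDirectory module is used only for the Get-ADGroup lookup.
$group = Get-ADGroup 'Domain Users' -Properties primaryGroupToken
$dn    = $group.DistinguishedName
$token = $group.primaryGroupToken   # 513 for Domain Users, as shown in the thread

# A user is listed in the group's member attribute only when the group is NOT
# their primary group, so a complete audit has to match either condition.
# A DN containing ( ) * or \ would need LDAP filter escaping before use here.
$filter = "(&(objectCategory=person)(objectClass=user)(|(primaryGroupID=$token)(memberOf=$dn)))"
[ADSISearcher]$searcher = $filter
$searcher.PageSize = 1000           # page through results instead of stopping at the server limit
$searcher.PropertiesToLoad.AddRange(
    [string[]]('objectClass', 'primaryGroupID', 'sAMAccountName', 'userPrincipalName'))

$results = $searcher.FindAll()
try {
    $rows = foreach ($r in $results) {
        $p = $r.Properties
        [PSCustomObject]@{
            # objectClass is multi-valued (top ... user); AD normally lists the
            # most specific class last, whereas index [0] would return "top".
            ObjectClass       = ($p['objectclass']       | Select-Object -Last 1)
            PrimaryGroupID    = ($p['primarygroupid']    | Select-Object -First 1)
            SamAccountName    = ($p['samaccountname']    | Select-Object -First 1)
            # Select-Object yields $null when an account has no UPN set.
            UserPrincipalName = ($p['userprincipalname'] | Select-Object -First 1)
        }
    }
}
finally {
    $results.Dispose()              # SearchResultCollection holds unmanaged resources
}

# Assumed output file name; change as needed.
$rows | Sort-Object SamAccountName |
    Export-Csv -Path .\DomainUsers.csv -NoTypeInformation
"Exported {0} users" -f @($rows).Count
```

Comparing the exported count with the number of enabled user accounts in the domain is a quick way to confirm that no primary-group members were missed.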
I've hard-coded the primary group token for that particular group. It's somewhat well-known. You can view it like this: