Asked by apollo7
Export Active Directory Members from a Group

We are using a Windows Server 2008 R2 Standard server.

I need to export Active Directory members from our Domain Users group.  When I look at the Properties of this group and open the Members tab, it includes all the users I need to export.  I have looked up PowerShell scripts that export the Members of a group but cannot get the scripts to work.

Is there a straight forward way to export the members of the Domain Users group?

Thanks
Chris Dent

Happily easy to do.
$dn = Get-ADGroup "Domain Users" | Select-Object -ExpandProperty DistinguishedName
Get-ADUser -Filter { primaryGroupID -eq 513 -or memberOf -eq $dn }

I've hard-coded the primary group token for that particular group. It's somewhat well-known. You can view it like this:
Get-ADGroup "Domain Users" -Properties primaryGroupToken

apollo7 (ASKER)

I used the script you supplied and it returns a lot of users but not all.  I ran the script to get the primary group token (results below) and tried switching in some of the attributes but get the same list of members.  Can you tell me what I need to change?

Thanks for your help

DistinguishedName : CN=Domain Users,CN=Users,DC=ad51,DC=cob,DC=csc,DC=com
GroupCategory     : Security
GroupScope        : Global
Name              : Domain Users
ObjectClass       : group
ObjectGUID        : d13ffc7e-773a-4df7-8836-bec51ca9dfde
primaryGroupToken : 513
SamAccountName    : Domain Users
SID               : S-1-5-21-838940963-3073529794-3685019904-513

Are there any users with a different primary group?
Get-ADUser -Filter { primaryGroupId -ne 513 }

If so, are they part of Domain Users by other means?

As it is, the search filter finds those with Domain Users as the primary group, and those who directly belong to Domain Users.

Either there's a bug in Get-ADUser, or they're rightfully excluded.

For a user who isn't appearing, can you run:
Get-ADUser -Identity username -Properties primaryGroupId, memberOf

Or inspect those attributes by other means.
apollo7 (ASKER)

Thanks, ran the script for a non-appearing user and got the following.  Can you tell me what this means?

Thanks


PS C:\Users\x-dtripp2> Get-ADUser -Identity x-amosley7 -Properties primaryGroupId, memberOf

DistinguishedName : CN=Adam Mosley,OU=Application support,OU=Accounts and Groups,DC=ad51,DC=cob,DC=csc,DC=com
Enabled           : True
GivenName         : Adam
MemberOf          : {CN=Role-G-COBCDBNDC5101-Server-Admins,OU=Groups,OU=Security,OU=Accounts and Groups,DC=ad51,DC=cob,DC=csc,DC=com,
                    CN=Role-G-COBCAPNDC5104-Server-Admins,OU=Groups,OU=Security,OU=Accounts and Groups,DC=ad51,DC=cob,DC=csc,DC=com,
                    CN=Role-G-COBCAPNDC5103-Server-Admins,OU=Groups,OU=Security,OU=Accounts and Groups,DC=ad51,DC=cob,DC=csc,DC=com,
                    CN=Role-G-COBCAPNDC5102-Server-Admins,OU=Groups,OU=Security,OU=Accounts and Groups,DC=ad51,DC=cob,DC=csc,DC=com...}
Name              : Adam Mosley
ObjectClass       : user
ObjectGUID        : d276876b-b7bf-4d42-a227-d913ff3407ed
primaryGroupId    : 513
SamAccountName    : x-amosley7
SID               : S-1-5-21-838940963-3073529794-3685019904-1744
Surname           : Mosley
UserPrincipalName : x-amosley7@ad51.cob.csc.com

Why not just use the following?
Get-ADGroupMember "domain users" -Recursive

apollo7 (ASKER)

Thanks, tried the recursive script; that doesn't return some of the users I am looking for either.

Odd, I've never seen that not return all members.
Have you identified anything in common about the users which don't show up for you?

Heh, see, I didn't try that on the assumption that it only looked at member. Live and learn :)

Could try something aside from the MS AD module and see if it works / doesn't?
# Just because it's convenient
$dn = Get-ADGroup "Domain Users" | Select-Object -ExpandProperty DistinguishedName
[ADSISearcher]$searcher = "(&(objectClass=user)(objectCategory=person)(|(primaryGroupID=513)(memberOf=$dn)))"
$searcher.PageSize = 1000
$searcher.FindAll() | ForEach-Object { $_.Properties['name'] }

Where are you running the command?
I've gotten some incorrect/incomplete results before when running the AD cmdlets on a DC, while querying that same DC and/or running in a non-elevated session.
apollo7 (ASKER)

Chris, your script returned a lot of users, including the missing ones. This would be perfect if it can return the
ObjectClass
primaryGroupId
SamAccountName
UserPrincipalName

Thanks
ASKER CERTIFIED SOLUTION: Chris Dent
apollo7 (ASKER)

After the $searcher.FindAll() | ForEach-Object { line, it seems to jump out of PS and seems to think the rest of the commands are text.

PS C:\> $searcher.FindAll() | ForEach-Object {
>>     [PSCustomObject]@{
>>         ObjectClass       = $_.Properties['objectClass'][0]
>>         PrimaryGroupID    = $_.Properties['primaryGroupID'][0]
>>         SamAccountName    = $_.Properties['sAMAccountName'][0]
>>         UserPrincipalName = $_.Properties['userPrincipalName'][0]
>>     }
>>

That's fine. One more "}" and another return and it'll run.
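Pulling the pieces of this thread together, here is an added example (my own code, not Chris Dent's posted script or the accepted solution) that does the two things discussed above: it runs the ADSISearcher query with Chris's two-condition filter (primary group OR direct membership) and returns the four attributes the asker wanted, and it cross-checks the result against the Get-ADUser -Filter version from earlier in the thread so the accounts that one returns and the other does not can be listed. It assumes the ActiveDirectory module is available and the session can reach a domain controller; the function names Get-PropertyValue, Get-DomainUsersExport and Compare-WithADModule and the output path .\DomainUsers.csv are mine. Two details differ from the one-liner in the transcript: the primary group token is read from the group rather than hard-coded as 513, and attribute values are read through a helper, because indexing [0] on an attribute the account does not have (an empty userPrincipalName, for instance) throws, and objectClass is multi-valued, so [0] would give "top" rather than "user".

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module
# (Get-ADGroup / Get-ADUser) and connectivity to a domain controller.

function Get-PropertyValue {
    # Return one value of an LDAP attribute from a SearchResult, or $null when the
    # attribute is absent. $Last returns the final value, which for the multi-valued
    # objectClass attribute is the most specific class (user), matching the AD module.
    param($Result, [string]$Name, [switch]$Last)
    $values = $Result.Properties[$Name]
    if ($null -eq $values -or $values.Count -eq 0) { return $null }
    if ($Last) { return $values[$values.Count - 1] }
    return $values[0]
}

function Get-DomainUsersExport {
    param(
        [string]$GroupName = 'Domain Users',
        [int]$PageSize = 1000
    )
    # Read the DN and primaryGroupToken from the group instead of hard-coding 513.
    $group = Get-ADGroup $GroupName -Properties primaryGroupToken
    $dn    = $group.DistinguishedName
    $token = $group.primaryGroupToken

    # Same logic as Chris Dent's filter: primary-group members OR direct members.
    $filter   = "(&(objectClass=user)(objectCategory=person)(|(primaryGroupID=$token)(memberOf=$dn)))"
    $searcher = [ADSISearcher]$filter
    # Paged search; without a PageSize the server stops returning results at its size limit.
    $searcher.PageSize = $PageSize
    # Only ask for the attributes we output.
    $searcher.PropertiesToLoad.AddRange([string[]]@('objectClass', 'primaryGroupID', 'sAMAccountName', 'userPrincipalName'))

    foreach ($r in $searcher.FindAll()) {
        [PSCustomObject]@{
            ObjectClass       = Get-PropertyValue $r 'objectClass' -Last
            PrimaryGroupID    = Get-PropertyValue $r 'primaryGroupID'
            SamAccountName    = Get-PropertyValue $r 'sAMAccountName'
            UserPrincipalName = Get-PropertyValue $r 'userPrincipalName'
        }
    }
}

function Compare-WithADModule {
    # Cross-check: list the accounts the ADSI search returns that the AD module
    # filter from earlier in the thread does not, to narrow down the "missing" users.
    param([string]$GroupName = 'Domain Users')
    $group = Get-ADGroup $GroupName -Properties primaryGroupToken
    $dn    = $group.DistinguishedName
    $token = $group.primaryGroupToken

    $fromAdsi   = (Get-DomainUsersExport -GroupName $GroupName).SamAccountName
    $fromModule = (Get-ADUser -Filter { primaryGroupID -eq $token -or memberOf -eq $dn }).SamAccountName

    Compare-Object -ReferenceObject $fromAdsi -DifferenceObject $fromModule |
        Where-Object SideIndicator -eq '<=' |
        Select-Object -ExpandProperty InputObject
}

# Usage: export to CSV, then show any accounts only the ADSI search found.
Get-DomainUsersExport | Export-Csv -Path .\DomainUsers.csv -NoTypeInformation
Compare-WithADModule
```

Run it from a non-elevated-problem-free context, that is an elevated session on a workstation or member server with RSAT rather than on the DC being queried, as suggested earlier in the thread; if Compare-WithADModule returns names, those are the accounts worth inspecting with Get-ADUser -Identity ... -Properties primaryGroupId, memberOf as Chris described.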
apollo7 (ASKER)

Thanks, that worked, brackets get me all the time :)
apollo7 (ASKER)

Great response and learned a bit, too