John M

Exporting Groups and users Names

We need to export all Security Distribution Groups with all users' names into a CSV file.
I have used and got some info in the CMD and some in PowerShell.
Does someone have the exact script for this?
Sam Jacobs

Try this:
```powershell
$filePath = "C:\PSoutput"
$ADGroups = Get-ADGroup -Filter * -Properties Member | Where GroupCategory -eq "Security" | Sort Name
foreach ($group in $ADgroups) {
    Get-ADGroupMember $group.Name |
    Select @{n='Group Name'; e={$group.Name}},
    @{n='User Name'; e={$_.Name}} |
    Export-Csv "$($filePath)\SecurityGroupMembers.csv" -NoTypeInformation -Append
}
```

oBdA

Please clarify "all Security  Distribution Groups" - there are no "Security Distribution Groups"; a group is either a security or a distribution group. And which scope are you after, Global, DomainLocal, Universal, all of the above?
And when asking questions about AD reports, please specify the approximate size of your AD.
Sam's script might work for you, but there are some general issues with it (details follow in a separate comment), so here's a different approach:
```powershell
## Group-Type attribute: https://docs.microsoft.com/en-us/windows/desktop/adschema/a-grouptype
## Scope: System created: 0x00000001, Global: 0x00000002, DomainLocal: 0x00000004, Universal: 0x00000008
## Security: Add 0x80000000, otherwise Distribution
$outFile = 'C:\Temp\GroupMembers.csv'
$textInfo = (Get-Culture).TextInfo
Get-ADGroup -Filter "(groupType -eq 0x80000002) -and (name -ne 'Domain Users') -and (name -ne 'Domain Computers')" -ResultSetSize $null -Properties Members | ForEach-Object {
	$group = $_
	$_.Members | Get-ADObject -Properties DisplayName, SamAccountName |
		Select-Object -Property `
			@{n='Group SamAccountName'; e={$group.SamAccountName}},
			@{n='Group Name'; e={$group.Name}},
			@{n='Group Category'; e={$group.GroupCategory}},
			@{n='Group Scope'; e={$group.GroupScope}},
			@{n='Member Type'; e={$textInfo.ToTitleCase($_.objectClass)}},
			@{n='Member SamAccountName'; e={$_.SamAccountName}},
			@{n='Member Name'; e={$_.Name}},
			@{n='Member DistinguishedName'; e={$_.DistinguishedName}},
			@{n='Group DistinguishedName'; e={$group.DistinguishedName}}
} | Export-Csv -NoTypeInformation -Path $outFile
```

Some comments to PS in general and AD queries in particular.
* Use the ForcePipeline - if the pipeline is properly used (instead of collecting all results in intermediate variables), PowerShell will happily process millions of objects, without any noticeable impact to memory usage.
* Always filter as close to the source as possible. It's way more efficient (and less work for AD) to specify a proper filter when querying AD, than to just let AD deliver everything it has to offer and filter in PowerShell.
* Only retrieve the AD properties you need; the members property (which can be quite large) requested in Get-ADUser is never used later on.
* The Get-AD<Object> cmdlets have a default limit of 1000 objects. Should an AD exceed that, you need to set ResultSetSize to $null to retrieve everything.
* Get-ADGroupMember (to be more precise: the Active Directory Web Services that Get-ADGroupMember uses) is limited to 5000 members.
* Using the group's Name as identity for Get-ADGroupMember is not correct; the Name attribute is not unique. In a worst case scenario, there's a group with a name of "GroupABC" and a SamAccountName of "Group", and a group with a name of "GroupABCDEF" with a SamAccountName of "GroupABC". When passing the "GroupABC" name, AD will actually return the GroupABCDEF object. Just pass the group object itself, or the DistinguishedName.
* A group can contain other object types than just users, so naming a property "User Name", even though the object could be a computer or another group, might be confusing.
* An AD object name is not unique and should not be the sole identifying property in a report. You can have two user objects with a name of "jdoe" in different OUs, but not two users with a SamAccountName of "jdoe".
* "Export-Csv -Append ..." inside a loop is very inefficient. The file has to be opened and closed for every single element, and PS will check every single time whether the existing columns in the csv will match the properties of the object added.
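
An added example (not code from any poster in this thread) that extends the single-pipeline approach above to security groups of every scope: it tests the security bit of groupType on the server with the LDAP bitwise-AND matching rule, resolves members by DistinguishedName, and keeps empty groups in the report. The function name, default output path and column selection are assumptions; the ActiveDirectory module is required.

```powershell
# Added example; not from the thread. Requires the ActiveDirectory module (RSAT).
# Function name and default output path are assumptions for illustration.
function Export-SecurityGroupMembers {
    param(
        [string]$Path = 'C:\Temp\SecurityGroupMembers.csv',
        [string]$SearchBase   # optional, e.g. 'OU=Groups,DC=corp,DC=ourcompany,DC=Com'
    )

    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    # 2147483648 = 0x80000000, the security bit of groupType, so the filter
    # matches Global, DomainLocal and Universal security groups and excludes
    # distribution groups before any object leaves the domain controller.
    $query = @{
        LDAPFilter    = '(groupType:1.2.840.113556.1.4.803:=2147483648)'
        Properties    = 'Members'
        ResultSetSize = $null
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADGroup @query | ForEach-Object {
        $group = $_
        # Members holds DistinguishedNames; resolve each by DN (unique), never by Name.
        $members = @($group.Members | Get-ADObject -Properties SamAccountName)
        # An empty group still gets one row, so it is not silently missing from the report.
        if ($members.Count -eq 0) { $members = @($null) }
        foreach ($m in $members) {
            # Every row has the same columns, so Export-Csv sees a stable header.
            [pscustomobject]@{
                'Group SamAccountName'     = $group.SamAccountName
                'Group Scope'              = $group.GroupScope
                'Group DistinguishedName'  = $group.DistinguishedName
                'Member Type'              = if ($m) { $m.ObjectClass }
                'Member SamAccountName'    = if ($m) { $m.SamAccountName }
                'Member DistinguishedName' = if ($m) { $m.DistinguishedName }
            }
        }
    } | Export-Csv -NoTypeInformation -Path $Path   # file is opened once, not per row
}

Export-SecurityGroupMembers
```
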
Try this Script:
```powershell
$Groups = Get-ADGroup -Properties * -Filter * -SearchBase "OU=Groups,DC=corp,DC=ourcompany,DC=Com"
Foreach($G In $Groups)
{
    Write-Host $G.Name
    Write-Host "-------------"
    $G.Members
}
```

Source: http://expert-advice.org/active-directory/export-list-of-all-active-directory-security-groups-with-their-members/
Thanks, oBdA, for your detailed comments. I'm always in "learn" mode.
John M

ASKER

Guys thanks but I could not get it to work?
Are you receiving any errors? If so, what are they?
John M

ASKER

Hey Guys,

The requested question for the project I was working on has changed.
So we do not need to pursue this for.

Thank you