Groups within Active Directory and PowerShell

Phillip Davis
Hey guys,

I'm tasked with looking at Active Directory "Groups" in our environment.

My question is, is it okay to have a user and computer account in a security group?

I'm finding both user and computer accounts within the same group, and I want to know if I should separate these out and put them into their own separate groups.

Also, does anyone have a PowerShell script that can be used to get the groups, group type and group nestings?

Thanks

Phil
Jose Gabriel Ortega Castro, CEO Faru Bonon IT / Top Rated Freelancer on Upwork / Photographer
Awarded 2018
Distinguished Expert 2018

Commented:
Hi Phillip, thank you for your question.

Well, the first answer will depend on what you are planning to do with the grouping.

There's no good or bad answer there; it will depend on what you want to do with the groups.
Usually, security groups are only for users, and you use them for security access to file servers and resources.

It's not usual to put computers into groups.
Commented:
PowerShell script for groups

Import-Module ActiveDirectory

# Lists the direct members of one group. Get-ADGroupMember returns only one
# level: nested groups are listed by name but not expanded.
function Show-GroupMembers {
    param([Parameter(Mandatory)]$Group)
    Write-Host "Working with group $($Group.Name)" -ForegroundColor Magenta
    $allmembers = @(Get-ADGroupMember -Identity $Group.SamAccountName)
    # objectClass on the returned principals is user, computer or group;
    # computers were silently dropped by the original user/group split.
    $users     = @($allmembers | Where-Object { $_.objectClass -eq 'user' })
    $computers = @($allmembers | Where-Object { $_.objectClass -eq 'computer' })
    $Groups    = @($allmembers | Where-Object { $_.objectClass -eq 'group' })
    Write-Host "Total Users in Group  $($users.Count)"
    $users | Select-Object Name, SamAccountName
    if ($computers) {
        Write-Host "Total Computers in Group  $($computers.Count)"
        $computers | Select-Object Name, SamAccountName
    }
    if ($Groups) {
        Write-Host "Total Groups in Group  $($Groups.Count)"
        # Get-ADGroupMember output has no DisplayName property; Name is populated
        $Groups | Select-Object Name, SamAccountName
    }
    else {
        Write-Host "There are no groups within the current group"
    }
}

# GroupCategory (Security/Distribution) and GroupScope are default properties
$AllGroups = Get-ADGroup -Filter *

$Distributions = @($AllGroups | Where-Object { $_.GroupCategory -eq 'Distribution' })
$Security      = @($AllGroups | Where-Object { $_.GroupCategory -eq 'Security' })

Write-Host "Total Distribution Groups $($Distributions.Count)"
foreach ($group in $Distributions) { Show-GroupMembers -Group $group }

Write-Host "Total Security Groups $($Security.Count)"
foreach ($group in $Security) { Show-GroupMembers -Group $group }


Author

Commented:
Thanks Jose !

So, the script, does it get the groups within groups? Does it get the parent group and any nested or child groups that are nested within it?

Also, you're saying that you don't use groups for computers, mainly for users?

Phil
Commented:
Yes, it searches the groups and the members of each group,

separated into distribution groups and security groups.

So it first gets all distribution groups and then all security groups.

Just one level down.

It gets parents and nested groups one level down.

Yes, I'm saying that if you aren't applying GPOs to computers there's no need to add them into security groups! So mainly users are the ones that require grouping in security groups to access resources in AD.
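The script in the thread stops one level down. The following is an added example, not code from the thread or from Jose, that walks group nesting recursively (with a guard against the membership cycles AD permits), records each group's category and scope, and flags groups whose direct members mix user and computer accounts. It assumes the ActiveDirectory RSAT module and a domain account with read access; the function name Get-GroupNesting and the report columns are my own. A flagged group is something to review, not automatically a mistake: computer accounts are security principals and legitimately appear in groups used, for example, for GPO security filtering.

```powershell
# Added example, not from the original thread. Enumerates every AD group, records
# its category and scope, walks nested groups recursively with a cycle guard, and
# flags groups whose direct members mix user and computer accounts.
# Assumes the ActiveDirectory RSAT module and a read-capable domain account.
Import-Module ActiveDirectory

function Get-GroupNesting {
    # Hypothetical helper name; emits one record per member at every nesting depth.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [int]$Depth = 0,
        [System.Collections.Generic.HashSet[string]]$Visited =
            [System.Collections.Generic.HashSet[string]]::new()
    )
    # Cycle guard: AD allows A -> B -> A nesting, which would recurse forever.
    # A group reached twice is still listed as a member but not expanded again.
    if (-not $Visited.Add($DistinguishedName)) {
        return
    }
    $group = Get-ADGroup -Identity $DistinguishedName -Properties member
    foreach ($memberDn in $group.member) {
        # sAMAccountName is not a default property of Get-ADObject, so request it
        $member = Get-ADObject -Identity $memberDn -Properties sAMAccountName
        [pscustomobject]@{
            Parent      = $group.SamAccountName
            Depth       = $Depth + 1
            Name        = $member.sAMAccountName
            ObjectClass = $member.ObjectClass   # user, computer, group, ...
        }
        if ($member.ObjectClass -eq 'group') {
            Get-GroupNesting -DistinguishedName $memberDn -Depth ($Depth + 1) -Visited $Visited
        }
    }
}

$report = foreach ($g in Get-ADGroup -Filter *) {
    $members = @(Get-GroupNesting -DistinguishedName $g.DistinguishedName)
    $direct  = @($members | Where-Object Depth -eq 1)
    $userCount     = @($direct | Where-Object ObjectClass -eq 'user').Count
    $computerCount = @($direct | Where-Object ObjectClass -eq 'computer').Count
    [pscustomobject]@{
        Group           = $g.SamAccountName
        Category        = $g.GroupCategory   # Security or Distribution
        Scope           = $g.GroupScope      # DomainLocal, Global or Universal
        DirectUsers     = $userCount
        DirectComputers = $computerCount
        DirectGroups    = @($direct | Where-Object ObjectClass -eq 'group').Count
        MaxNestingDepth = if ($members) { ($members | Measure-Object -Property Depth -Maximum).Maximum } else { 0 }
        MixedMembers    = ($userCount -gt 0 -and $computerCount -gt 0)
    }
}

# Groups that mix users and computers, deepest nesting first
$report | Where-Object MixedMembers | Sort-Object MaxNestingDepth -Descending |
    Format-Table Group, Category, Scope, DirectUsers, DirectComputers, DirectGroups, MaxNestingDepth -AutoSize

# Full nesting chain for one group; Domain Admins exists in every domain
Get-GroupNesting -DistinguishedName (Get-ADGroup 'Domain Admins').DistinguishedName |
    Format-Table Depth, Parent, ObjectClass, Name -AutoSize
```

Reading the member attribute and resolving each DN with Get-ADObject, rather than calling Get-ADGroupMember -Recursive, keeps the depth and parent of every member, which is what you need to see how a user or computer ended up in a group it was never added to directly. Members from trusted domains come back as foreignSecurityPrincipal objects and are reported as such rather than expanded.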

Author

Commented:
Thank you, Jose!

I appreciate the prompt response; you have made a new friend!

Thanks a ton.

Phil
