Phillip Davis asked on

Groups within Active Directory and PowerShell

Hey guys,

I'm tasked with looking at Active Directory "Groups" in our environment.

My question is, is it okay to have a user and computer account in a security group?

I'm finding both "user and computer" accounts within the same group and I want to know if I should separate these out and put them into their own separate groups?

Also, does anyone have a PowerShell script that can be used to get the groups, group type and group nestings?

Thanks

Phil
Tags: PowerShell, Active Directory, Security

Last Comment: Phillip Davis, 8/22/2022 - Mon
Jose Gabriel Ortega Castro

Hi Phillip, thank you for your question.

Well, the first answer will depend on what you are planning to do with the grouping.

There's no good or bad answer there; it will depend on what you want to do with the groups.
Usually, security groups are only for users, and you use them for security access to file servers and resources.

It's not usual to get computers into groups.
Jose Gabriel Ortega Castro

Powershell Script for groups

# Requires the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory

$AllGroups = Get-ADGroup -Filter *

$Distributions = $AllGroups | Where-Object { $_.GroupCategory -eq "Distribution" }
$Security      = $AllGroups | Where-Object { $_.GroupCategory -eq "Security" }

# Lists the direct members of one group, split into user and group objects.
# Get-ADGroupMember is not called recursively here, and computer accounts
# (ObjectClass "computer") are counted by neither filter.
function Show-GroupMembers {
    param($group)
    Write-Host "Working with group $($group.Name)" -ForegroundColor Magenta
    $allmembers = Get-ADGroupMember $group.SamAccountName
    # @() so that .Count works even when there is a single member
    $users  = @($allmembers | Where-Object { $_.ObjectClass -eq "user" })
    $Groups = @($allmembers | Where-Object { $_.ObjectClass -eq "group" })
    Write-Host "Total Users in Group  $($users.Count)"
    $users | Select-Object Name, SamAccountName
    if ($Groups) {
        Write-Host "Total Groups in Group  $($Groups.Count)"
        # Get-ADGroupMember output has no DisplayName property; Name is populated
        $Groups | Select-Object Name, SamAccountName
    }
    else {
        Write-Host "There are no groups within the current group"
    }
}

#Members
Write-Host "Total Distribution Groups $($Distributions.Count)"
foreach ($group in $Distributions) { Show-GroupMembers $group }

Write-Host "Total Security Groups $($Security.Count)"
foreach ($group in $Security) { Show-GroupMembers $group }

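The script above lists only the direct members of each group. A recursive walk that also reports group type, scope, nesting depth and how many user versus computer objects each group holds directly, as an added example that is not from the original thread (the function name Get-ADGroupNesting is made up for this example; it assumes the RSAT ActiveDirectory module):

```powershell
# Requires the ActiveDirectory module (RSAT). Get-ADGroupNesting is a hypothetical name.
Import-Module ActiveDirectory

function Get-ADGroupNesting {
    <#
      Walks one group's membership recursively and emits one record per group
      in the tree: its category, scope, depth and the number of user, computer
      and group objects it holds directly. $Visited guards against circular
      nesting (A contains B, B contains A), which AD permits.
    #>
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [int]$Depth = 0,
        [System.Collections.Generic.HashSet[string]]$Visited =
            [System.Collections.Generic.HashSet[string]]::new()
    )
    $group = Get-ADGroup -Identity $GroupName
    if (-not $Visited.Add($group.DistinguishedName)) {
        Write-Warning "Skipping $($group.Name): already visited (circular or shared nesting)"
        return
    }
    # @() keeps .Count valid for zero or one member
    $members = @(Get-ADGroupMember -Identity $group.DistinguishedName)
    [PSCustomObject]@{
        Depth     = $Depth
        Group     = $group.Name
        Category  = $group.GroupCategory   # Security or Distribution
        Scope     = $group.GroupScope      # DomainLocal, Global or Universal
        Users     = @($members | Where-Object ObjectClass -eq 'user').Count
        Computers = @($members | Where-Object ObjectClass -eq 'computer').Count
        Groups    = @($members | Where-Object ObjectClass -eq 'group').Count
    }
    foreach ($child in ($members | Where-Object ObjectClass -eq 'group')) {
        Get-ADGroupNesting -GroupName $child.DistinguishedName -Depth ($Depth + 1) -Visited $Visited
    }
}

# Report every security group in the domain, with nested groups indented by depth.
Get-ADGroup -Filter "GroupCategory -eq 'Security'" |
    ForEach-Object { Get-ADGroupNesting -GroupName $_.DistinguishedName } |
    Format-Table @{ n = 'Group'; e = { ('  ' * $_.Depth) + $_.Group } },
                 Category, Scope, Users, Computers, Groups -AutoSize
```

A non-zero Computers column shows exactly which groups mix user and computer accounts; because each top-level call starts a fresh $Visited set, a group nested under several parents appears once under each of them.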

Phillip Davis

ASKER
Thanks Jose!

So, does the script get the groups within groups? Does it get the parent group and any nested or child groups that are nested within it?

Also, you're saying that you don't use groups for computers, mainly for users?

Phil
ASKER CERTIFIED SOLUTION
Jose Gabriel Ortega Castro

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
Phillip Davis

ASKER
Thank you Jose!!!!

I appreciate the prompt response, you have made a new friend!!!!!

Thanks a ton.

Phil