Leo (Australia) asked:
Powershell script to check and list group membership for users

Hi, we are deleting users from an Active Directory group. Before we do that, I am looking for a PowerShell or batch script which can list the users' group membership (CSV format) by checking if they are members of another group. It's a multi-domain forest. I have got the script halfway working, where it lists all the users for an AD group; how can I check if these users are part of any other group and list them in CSV?


Get-ADGroupMember -Server servername -Identity "AD group name" | Select-Object Name | Export-Csv -Path C:\Temp\Groupmembers.csv -NoTypeInformation

Thanks.

arnold (United States):

You have to feed it to a for-each, user by user.
The link in your prior question lists all users, and goes user by user to see which groups the user is a member of; since the example is for Azure, it was checking Exchange-related groups.
If you have nested groups, you would need to loop through the user's groups to see which groups the group is a member of.

Does each domain have its own DCs, to which you would need to connect to enumerate Get-ADUser from each domain in the forest?

Potentially you have to pull the list of groups in each domain, and their group affiliations, to address nested groups and establish the structure.

You then pull users from each domain and the primary groups of which each is a member.


Then you recombine the data you already have, expanding primary groups if they are nested in another.
https://community.spiceworks.com/topic/2215189-list-all-groups-a-user-is-a-member-of

Modified from the link above:

$users = Get-ADUser -Filter 'Enabled -eq $true -and UserPrincipalName -like "*@*"'

$report = foreach ($user in $users) {
    [PSCustomObject]@{
        User               = $user.UserPrincipalName
        UserDN             = $user.DistinguishedName
        'AD Groups'        = {
            Get-ADPrincipalGroupMembership -Identity $user |`
                Select-Object -ExpandProperty Name 
        }
    
    } 
}

$report | Export-CSV -path c:\scripts\Office365groups.csv


Leo (asker):

Thanks.
"Does each domain have their own DCs to which you would need to connect to enumerate the get-aduser from each domain in the forest?"
That's right, each domain has its own DCs, so I want to target the script at a specific domain and a specific AD group, and then retrieve the group memberships for each user.
From the script you added, should I add "Get-ADGroupMember -Server servername -Identity "AD group name"" to target a specific domain and then the AD group name?
arnold:

I started to write, but it is not clear what you are after.

The script is not mine; it is a modification of the script in the link, stripping out the Azure reference and Azure-related data.

The example, when run on a DC, will return data on active users and their primary group memberships.

If you need a single script that connects to a DC of each AD domain, you will need an outer for-each loop that either reads in data (AD domain, DC), or just the AD domain and identifies which DC is responsible and connects to it, presuming the user with which you run the script has rights on all domains in the forest.

Now back to your clarification: are you looking only to pull data on users who are members of a specific group, and then you want the information on what other groups these users are members of?
Leo (asker):

"Now back to your clarification, are you looking only to pull data of users who are members of a specific group and then you want the information of what other groups these users are members of?"
That's exactly what I am after.

Thanks.
arnold:

OK, you would have to look at the initial $users, which currently pulls all active users.
The change is to pull users who are members of a group:
https://www.alitajran.com/list-all-users-in-a-security-group-through-powershell/#:~:text=We%20like%20to%20list%20all%20the%20users%20and,list%20of%20users%20and%20security%20groups%20will%20show.

Get-ADGroupMember -Identity "ad group name" | Select-Object Name

Will need to test, since for your purpose you need the complete user object.

The check is whether there is a need for an outer loop, for each returned user, to build the user object.
Try the following:

Replace the users assignment in the above example with the following:
$users=get-adgroupmember -identity "ad group of choice" | get-aduser -properties distinguishedname
The above will return both active and disabled accounts.

You could, as part of your for-each loop, exclude accounts that are deactivated.
See below: a slight adjustment, adding the user account status to the report.
$users=get-adgroupmember -identity "ad group of choice" | get-aduser -properties distinguishedname

$report = foreach ($user in $users) {
    [PSCustomObject]@{
        User               = $user.UserPrincipalName
        UserDN             = $user.DistinguishedName
        Enabled           = $user.Enabled
        'AD Groups'        = {
            Get-ADPrincipalGroupMembership -Identity $user |`
                Select-Object -ExpandProperty Name 
        }
    
    } 
}

$report | Export-CSV -path c:\scripts\Office365groups.csv


Leo (asker):

Thanks for that, in the CSV file I am getting 4 columns. Pasting one row to show:

User | UserDN | Enabled | AD Groups
user@domain | CN=Username,OU=Users,OU=Sub,DC=Domain,DC=com,DC=au | TRUE | `

AD Groups is empty; there is no information in that column.
arnold:

I think there is an extra character that causes this:
`
See below and try.

Pulling all users with user memberships, and all groups and their nested relationships...

$users=get-adgroupmember -identity "ad group of choice" | get-aduser -properties distinguishedname

$report = foreach ($user in $users) {
    [PSCustomObject]@{
        User               = $user.UserPrincipalName
        UserDN             = $user.DistinguishedName
        Enabled           = $user.Enabled
        'AD Groups'        = {
            Get-ADPrincipalGroupMembership -Identity $user |
                Select-Object -ExpandProperty Name 
        }
    
    } 
}

$report | Export-CSV -path c:\scripts\Office365groups.csv


Leo (asker):

Sorry, it didn't make any difference.
The AD Groups column is empty; it's meant to list the AD groups which users are part of?
Thanks.
arnold:

The script is still based on the one in the link way up there...

Let's get back to the rudimentary, to confirm the data you want will actually be output:

$users=get-adgroupmember -identity "ad group of choice" | get-aduser -properties distinguishedname
foreach ($user in $users) {
    echo "----Start"
        $user.UserPrincipalName
        $user.DistinguishedName
         $user.Enabled
        echo "groups"
            Get-ADPrincipalGroupMembership -Identity $user |
                Select-Object -ExpandProperty Name 
        echo "end groups"
     echo "--- END User" 
}



To confirm the data is being pulled.

Then try the following; the change deals with whether the AD groups are further hashed.

$users=get-adgroupmember -identity "ad group of choice" | get-aduser -properties distinguishedname

$report = foreach ($user in $users) {
    [PSCustomObject]@{
        User               = $user.UserPrincipalName
        UserDN             = $user.DistinguishedName
        Enabled           = $user.Enabled
        'AD Groups'        = Get-ADPrincipalGroupMembership -Identity $user |
                Select-Object -ExpandProperty Name 
    
    } 
}

$report | Export-CSV -path c:\scripts\Office365groups.csv


Leo (asker):

Thanks for your time.

The first script is pulling the data; I can see AD group names.

Second script output:

User | UserDN | Enabled | AD Groups
user@domain | CN=username,OU=Users,OU=Sub,DC=Domain | TRUE | System.Object[]

For AD group names I can only see "System.Object[]" in each row.

Would it be possible that there are too many groups to fit in the field, and when it can't fit all of them in, it just shows System.Object[]?
arnold:

https://learn-powershell.net/2014/01/24/avoiding-system-object-or-similar-output-when-using-export-csv/
Sure, you can try adding -notype (-notypeinformation), either as an argument to export-csv or, with the first thing being echo 'username,UserDN,Enabled,"AD Groups"', you will have a CSV file with the data:

echo 'username,UserDN,Enabled,"AD Groups"'
$users=get-adgroupmember -identity "ad group of choice" | get-aduser -properties distinguishedname
foreach ($user in $users) {
 write-host -nonewline  '"'         $user.UserPrincipalName
Write-Host -NoNewline '","'
Write-host  -nonewline      $user.DistinguishedName
Write-Host -NoNewline '","'
  Write-host -nonewline      $user.Enabled
Write-Host -NoNewline '","'
                  Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name 
 write-output '"' 
} 


Leo (asker):

Thanks.
If I insert $report | Export-CSV -path c:\scripts\Office365groups.csv at the end of this script, it doesn't output the results to a CSV file.
ASKER CERTIFIED SOLUTION
arnold (United States)

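An added example, not the thread's code and not the accepted solution shown above: it targets one DC and one group, reads each member from its own domain, lists the groups the user belongs to other than the one being cleaned up, and joins them into a single cell so Export-Csv does not write "System.Object[]" (the array in the thread's last script) or the script text (the {} scriptblock in the earlier ones). $Server, $GroupName and $OutFile are placeholders; it assumes the RSAT ActiveDirectory module and read rights in every domain the members come from.

```powershell
# Added example, not the thread's or the accepted solution's code.
# Placeholders to fill in: $Server (DC or domain holding the group), $GroupName, $OutFile.
$Server    = 'dc01.domain.com.au'        # placeholder: DC or domain that holds the group
$GroupName = 'ad group of choice'        # placeholder: group the users will be removed from
$OutFile   = 'C:\Temp\GroupMembers.csv'  # placeholder

Import-Module ActiveDirectory

$group = Get-ADGroup -Server $Server -Identity $GroupName

# Direct members only (no -Recursive): those are the objects you can remove from this group.
$members = Get-ADGroupMember -Server $Server -Identity $group |
    Where-Object { $_.objectClass -eq 'user' }

# First RDN of a DN, unescaping "\," and friends, so no second lookup is needed per group.
function Get-RdnName([string]$dn) {
    ([regex]::Match($dn, '^CN=((?:\\.|[^,])+)')).Groups[1].Value -replace '\\(.)', '$1'
}

$report = foreach ($member in $members) {
    # Members can live in another domain of the forest; read each one from its own domain,
    # which the DC= components of its DN identify (e.g. sub.domain.com).
    $userDomain = (($member.DistinguishedName -split ',DC=') | Select-Object -Skip 1) -join '.'
    $user = Get-ADUser -Server $userDomain -Identity $member.DistinguishedName -Properties MemberOf

    # Every other group the user is in. MemberOf read from the user's own domain does not
    # show domain local groups of other domains; a GC (port 3268) adds universal ones.
    $otherGroups = @($user.MemberOf |
        Where-Object { $_ -ne $group.DistinguishedName } |
        ForEach-Object { Get-RdnName $_ } |
        Sort-Object)

    [PSCustomObject]@{
        User            = $user.UserPrincipalName
        UserDN          = $user.DistinguishedName
        Enabled         = $user.Enabled
        OtherGroupCount = $otherGroups.Count
        # Joining is what keeps Export-Csv from writing "System.Object[]" for an array.
        'Other Groups'  = $otherGroups -join ';'
    }
}

$report | Sort-Object User | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

Rows with OtherGroupCount of 0 are the accounts that would lose their last group on removal, which is the set worth reviewing before running Remove-ADGroupMember.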