Active Directory Nested group members


This topic contains 5 replies, has 6 voices, and was last updated by a Participant 3 months ago.

  • #161297

    I'm looping through all groups to get group info and their members' (users') info. The problem is the nested group members are being reported as just a member of the parent group. For example, user1 is a member of group2 and group2 is a member of group1. When I run this it just displays user1 and group1. How can I change this to show that user1 is a member of group2 and group2 is a member of group1?

    # $Groups is assumed to be populated earlier in the script,
    # e.g. $Groups = Get-ADGroup -Filter * -Properties Description
    $data = @()    # initialise as an array so += appends instead of failing on the second object
    foreach ($Group in $Groups) {
        # -Recursive flattens nesting: every user in a nested group is reported as a direct member of $Group
        Get-ADGroupMember -Identity $Group -Recursive |
            Get-ADUser -Properties samaccountname, givenname, sn, title, description, mail, department, manager |
            ForEach-Object {
                $data += [pscustomobject]@{
                    ObjectName        = $_.name
                    objectclass       = $_.objectclass
                    GroupName         = $group.name
                    GroupCategory     = $group.groupcategory
                    GroupScope        = $group.groupscope
                    GroupDescription  = $group.description
                    distinguishedName = $_.distinguishedName
                    UserName          = $_.samaccountname
                    FirstName         = $_.givenname
                    LastName          = $_.sn
                    Title             = $_.title
                    UserDescription   = $_.Description
                    Email             = $_.mail
                    Department        = $_.department
                    Manager           = $_.manager
                }
            } # end ForEach-Object
    } # end foreach
  • #161310

    There's no easy/built-in way to achieve what you're asking for. You're using the parameter -Recursive. To achieve what you want you'd have to omit the parameter -Recursive, check for each member of the queried group whether it's a group or not, and if it's a group "dive" into it and get the members. Please keep in mind that it's possible to have more than one level of nesting in your groups. So you might create a recursive function for that.
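
    A recursive walk of the kind this reply describes, added here as an example and not code from the thread: no -Recursive, each member's objectClass is checked, nested groups are descended with the chain of parent groups carried along, and circular nesting is detected rather than looping forever. The function name Get-ADNestedGroupMembership and the output columns are assumptions of this example; it needs the ActiveDirectory module and uses the question's group1/group2 names.

```powershell
Import-Module ActiveDirectory

# Hypothetical function written for this example; not part of the thread or any module
function Get-ADNestedGroupMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Identity,       # group name, sAMAccountName or DN
        [object[]]$Path = @()    # ADGroup objects walked to reach $Identity, top-level group first
    )
    process {
        $group = Get-ADGroup -Identity $Identity
        # A group that contains itself, directly or through a loop, would recurse forever
        if ($Path.DistinguishedName -contains $group.DistinguishedName) {
            Write-Warning "Circular nesting: $($group.Name) already in $($Path.Name -join ' > ')"
            return
        }
        $chain = $Path + $group   # ancestors plus the group being walked
        # No -Recursive here: one level at a time, so nested groups show up as members
        foreach ($member in Get-ADGroupMember -Identity $group) {
            $record = [pscustomobject]@{
                ObjectName  = $member.Name
                ObjectClass = $member.objectClass
                ParentGroup = $group.Name                 # direct container of this object
                MemberOf    = $chain.Name -join ' > '     # e.g. "group1 > group2" for user1
                Depth       = $chain.Count                # 1 = direct member of the top group
                UserName    = $null
                Email       = $null
            }
            if ($member.objectClass -eq 'group') {
                $record   # report group2 as a member of group1 ...
                # ... then descend, carrying the chain so user1 is attributed to group2
                Get-ADNestedGroupMembership -Identity $member.DistinguishedName -Path $chain
            }
            elseif ($member.objectClass -eq 'user') {
                $user = Get-ADUser -Identity $member.DistinguishedName -Properties mail
                $record.UserName = $user.SamAccountName
                $record.Email    = $user.mail
                $record
            }
            else {
                $record   # computers, contacts, foreign security principals
            }
        }
    }
}

# Usage: Get-ADNestedGroupMembership -Identity 'group1' | Format-Table ObjectName, ObjectClass, ParentGroup, MemberOf, Depth
```

    Get-ADGroupMember returns at most the server's configured member limit per call, so very large groups still need paging or an LDAP query; Depth and MemberOf together give the nesting path the question asks for.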

  • #161337

    #Try this Script. This should work for you

    $Groups = 'All_admins', 'AD-Grp-16'
    $Consolidate = @()
    foreach ($Group in $Groups) {
        # $Group is a name string here, so look the group object up once for its attributes
        $GroupObj = Get-ADGroup -Identity $Group -Properties Description
        # Note: -Recursive still flattens nesting; users are attributed to $Group, not to the nested group
        Get-ADGroupMember -Identity $Group -Recursive |
            Get-ADUser -Properties samaccountname, givenname, sn, title, description, mail, department, manager |
            ForEach-Object {
                $data = [pscustomobject]@{
                    ObjectName        = $_.name
                    objectclass       = $_.objectclass
                    GroupName         = $GroupObj.Name
                    GroupCategory     = $GroupObj.GroupCategory
                    GroupScope        = $GroupObj.GroupScope
                    GroupDescription  = $GroupObj.Description
                    distinguishedName = $_.distinguishedName
                    UserName          = $_.samaccountname
                    FirstName         = $_.givenname
                    LastName          = $_.sn
                    Title             = $_.title
                    UserDescription   = $_.Description
                    Email             = $_.mail
                    Department        = $_.department
                    Manager           = $_.manager
                }
                $Consolidate += $data
            }
    } # end foreach
    $Consolidate
  • #161420

    So this issue of getting AD group members including sub-groups has been on my mind for a while. I wrote a function to do just that. Example:

    Install-Module AZSBTools -Force -AllowClobber
    Get-SBADGroupMembers testgroup1
    

    with output similar to:

    Processing group       CN=testgroup1,DC=TW24,DC=local  
    Processing child group CN=testgroup2,DC=TW24,DC=local (Parent: testgroup1)  
    
    UserName  DN                            OU   MemberOf             
    --------  --                            --   --------             
    testuser1 CN=testuser1,DC=TW24,DC=local TW24 testgroup1           
    testuser2 CN=testuser2,DC=TW24,DC=local TW24 testgroup2.testgroup1
    
  • #161421

    Try this...

    function Get-ADNestedGroupMembers
    {
        [cmdletbinding()]
        param
        (
            [String] $Group
        )
        Import-Module ActiveDirectory
        # Parentheses around the assignment both store the result in $Members and emit it
        ($Members = Get-ADGroupMember -Identity $Group -Recursive)
    }

    Or this...

    function Get-NestedGroupMember
    {
        [cmdletbinding()]
        [Alias('gngm')]
        param
        (
            [Parameter(Mandatory,ValueFromPipeline)]
            [string]
            $Identity
        )

        process
        {
            # Works from the user side: returns every group the user belongs to,
            # including through nesting, with the chain evaluated on the domain controller
            $user = Get-ADUser -Identity $Identity
            $userdn = $user.DistinguishedName
            # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN (transitive membership match)
            $strFilter = "(member:1.2.840.113556.1.4.1941:=$userdn)"
            Get-ADGroup -LDAPFilter $strFilter -ResultPageSize 1000
        }
    }

    Or this...

    $MasterGroup = "Denied RODC Password Replication Group"

    $GlobalGroups = @()
    $MemberGroups = @()

    # Direct members of the master group that are themselves groups
    $MemberGroups += Get-ADGroupMember $MasterGroup |
        Where-Object { $_.ObjectClass -eq "Group" }

    # Note: foreach iterates over the array as it was when the loop started,
    # so groups appended to $MemberGroups inside the loop are not visited
    foreach ($MemberGroup in $MemberGroups)
    {
        if ((Get-ADGroup $MemberGroup).GroupScope -eq "Global")
        { $GlobalGroups += $MemberGroup }
        # Pipe the nested groups into Get-ADGroup; -Identity does not accept an array
        $NestedGroups = try
                    {
                        Get-ADGroupMember $MemberGroup |
                            Where-Object { $_.ObjectClass -eq "Group" } |
                            Get-ADGroup
                    }
                    catch { }
        $MemberGroups += $NestedGroups
        # Drop the group just processed from the list
        $MemberGroups = $MemberGroups -ne $MemberGroup
    }

  • #161597

    Participant
    Topics: 23
    Replies: 154
    Points: 368
    Helping Hand
    Rank: Contributor

The topic ‘Active Directory Nested group members’ is closed to new replies.