Add users to groups on nested groups


  • Author
    • #202358
      Topics: 1
      Replies: 0
      Points: 14
      Rank: Member


      I am developing a PowerShell script that does a few checks like:

      Check if the group has a certain attribute empty, check if the group has certain names.

      What I want to achieve now is to get all groups that are nested on the group that I am checking and run the same checks as I described above but on the memberof.

      I know how to get the memberof and list it, but I want to get the group and edit an attribute.

      Sorry if the question is confusing.

    • #202364
      Topics: 5
      Replies: 2368
      Points: 5,986
      Helping Hand
      Rank: Community MVP

      Sorry if the question is confusing.

      Actually you did not ask any question. 😉 You may show the code you have and explain a little more detailed what’s not working.

    • #202397
      Topics: 12
      Replies: 525
      Points: 1,233
      Helping Hand
      Rank: Community Hero

      What you’re trying to do is called a recursive function. Look at this function from the AZSBTools PS module:

      function Get-SBADGroupMembers {
      <#
       .SYNOPSIS
        Function to get members of AD group including sub-groups
       .DESCRIPTION
        Function to get members of AD group including sub-groups using LDAP
        Does not need ActiveDirectory PowerShell module
        Must be run from a domain-joined computer
       .PARAMETER GroupName
        Name of the AD group - required
       .PARAMETER Parent
        Name of the parent AD group - optional - used to enable the recursive use to search sub-groups
       .PARAMETER Recurse
        Switch that is set to True by default. It causes this function to search sub-groups
       .EXAMPLE
        Get-SBADGroupMembers testgroup1
        Returns a PowerShell object containing the following properties/example:
           UserName  DN                            OU   MemberOf
           --------  --                            --   --------
           testuser1 CN=testuser1,DC=TW24,DC=local TW24 testgroup1
           testuser2 CN=testuser2,DC=TW24,DC=local TW24 testgroup2.testgroup1
        Returns nothing if the group name is not found
       .NOTES
        Function by Sam Boutros
           v0.1 - 15 June 2019
           v0.2 - 25 September 2019 - Fixed bug with Group members, added 'mail' property to group members
      #>
          [CmdletBinding()]
          Param(
              # The GroupName and Parent declarations were lost in the forum extraction and are reconstructed here
              [Parameter(Mandatory=$true, Position=0)][String]$GroupName,
              [Parameter(Mandatory=$false, Position=1)][String]$Parent,
              [Parameter(Mandatory=$false)][Switch]$Recurse = $true
          )
          # Write-Log is the AZSBTools module's own coloured logger (Import-Module AZSBTools); it is not defined in this post
          Begin { }
          Process {
              $myOutput = if ((Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain) {
                  # Plain LDAP search via ADSI, so the ActiveDirectory module is not required
                  $adsi = [adsisearcher]"objectcategory=group"
                  $adsi.filter = "(&(objectCategory=group)(cn=$GroupName))"
                  if ($ADGroup = ($adsi.FindAll()).Properties) {
                      if ($Parent) {
                          Write-Log 'Processing child group',$ADGroup.distinguishedname,"(Parent: $Parent)" Green,Cyan,DarkYellow
                      } else {
                          Write-Log 'Processing group      ',$ADGroup.distinguishedname Green,Cyan
                      }
                      $GroupObj = [PSCustomObject][ordered]@{
                          GroupName   = [string]$ADGroup.name   # property name reconstructed; the extraction dropped it
                          # Take the CN (first RDN value) of every member DN
                          MemberNames = $( if ($ADGroup.member) { $ADGroup.member | foreach { $_.Split(',')[0].Split('=')[1] } } )
                      }
                      foreach ($Member in $GroupObj.MemberNames) {
                          $adsi = [adsisearcher]''
                          $adsi.filter = "cn=$Member"
                          $MemberObj = ($adsi.FindAll()).Properties
                          if ($MemberObj.objectclass -match 'group') {
                              # A nested group: the function calls itself with this group as the child
                              if ($Recurse) { Get-SBADGroupMembers $Member -Parent $GroupObj.GroupName }
                          } else {
                              [PSCustomObject][ordered]@{
                                  UserName    = [string]$MemberObj.name   # property name reconstructed; the extraction dropped it
                                  Mail        = [string]$MemberObj.mail
                                  DN          = [string]$MemberObj.distinguishedname
                                  # Strip the leading CN and the trailing DC components, leaving an OU path such as TW24 or Sales/Users
                                  OU          = [string](($MemberObj.distinguishedname) -replace '^CN=[\w\d-_]+,\w\w=','' -replace ',OU=','/' -replace ',DC=.*')
                                  # Dotted chain of group names, child first, so nesting depth is visible in the output
                                  MemberOf    = $(
                                      if ($Parent) { "$($GroupObj.GroupName).$Parent" } else { $GroupObj.GroupName }
                                  )
                              }
                          }
                      }
                  } else {
                      Write-Log 'Group',$GroupName,'not found' Green,Yellow,Cyan
                  }
              } else {
                  Write-Log 'This function','Get-SBADGroupMembers','must be invoked from a domain-joined computer' Magenta, Yellow, Magenta
              }
          }
          End { $myOutput }
      }

      Notice line 69 where the function calls itself.

      • This reply was modified 4 months, 3 weeks ago by Sam Boutros.
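As an added example (not Sam's module code and not part of the original thread), here is the same recursion turned towards the original poster's goal: visit every group linked to a starting group, run the "attribute empty" and "name pattern" checks on each group itself, and only on explicit request write the missing attribute through the ADSI entry. It assumes a domain-joined machine; the attribute name, the naming rule, the default value and the DN in the usage comment are placeholders. Unlike the function above it binds by distinguishedName (cn is not unique across OUs) and keeps a visited set, so circular nesting, which AD permits, cannot recurse forever.

```powershell
function Test-NestedGroupAttributes {
    # Walks a group and every group nested under it (or above it), checks each group's own
    # attributes and optionally repairs the empty attribute. Pure ADSI, no AD module needed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$GroupDN,                # DN of the starting group
        [ValidateSet('member', 'memberOf')][string]$Link = 'member',   # member = children, memberOf = parents
        [string]$Attribute = 'description',                            # attribute that must not be empty (placeholder)
        [string]$NamePattern = '^(GRP|ROLE)-',                         # naming rule (placeholder)
        [string]$DefaultValue = 'Set by nested-group audit',           # value written when -Fix is given (placeholder)
        [switch]$Fix,
        [hashtable]$Visited = @{}                                      # DNs already processed; breaks cycles
    )
    if ($Visited.ContainsKey($GroupDN)) { return }   # circular nesting guard: never revisit a DN
    $Visited[$GroupDN] = $true

    # Bind directly by DN instead of searching on cn, which can match several objects.
    $group = [adsi]"LDAP://$GroupDN"
    if ($group.SchemaClassName -ne 'group') { return }   # users listed in 'member' end here

    $name  = [string]$group.Properties['cn'].Value
    $value = [string]$group.Properties[$Attribute].Value  # '' when the attribute is not set
    $issues = @()
    if ([string]::IsNullOrWhiteSpace($value)) { $issues += "$Attribute is empty" }
    if ($name -notmatch $NamePattern)           { $issues += "name does not match $NamePattern" }

    # Write only on explicit request, and honour -WhatIf / -Confirm through ShouldProcess.
    if ($Fix -and [string]::IsNullOrWhiteSpace($value) -and
        $PSCmdlet.ShouldProcess($GroupDN, "Set $Attribute to '$DefaultValue'")) {
        $group.Put($Attribute, $DefaultValue)   # stage the change in the local property cache
        $group.SetInfo()                        # commit it to the directory
        $issues += 'fixed'
    }

    # One result object per group visited, reported before descending.
    [PSCustomObject]@{ Group = $name; DN = $GroupDN; Issues = ($issues -join '; ') }

    # Recurse along the chosen link; the Visited table is shared by reference across all calls.
    foreach ($dn in $group.Properties[$Link]) {
        Test-NestedGroupAttributes -GroupDN $dn -Link $Link -Attribute $Attribute `
            -NamePattern $NamePattern -DefaultValue $DefaultValue -Fix:$Fix -Visited $Visited
    }
}

# Usage (placeholder DN): report only, then repair with a confirmation prompt per group.
# Test-NestedGroupAttributes -GroupDN 'CN=testgroup1,OU=Groups,DC=TW24,DC=local' | Format-Table
# Test-NestedGroupAttributes -GroupDN 'CN=testgroup1,OU=Groups,DC=TW24,DC=local' -Fix -Confirm
```

Run it with -WhatIf first: ShouldProcess then prints the intended writes for every nested group without touching the directory.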