
August 27, 2015 at 8:24 am

Hello there,

Does anyone know how I can get the equivalent of this

Get-ADGroupMember -Identity "$group" -Recursive | Where-Object ObjectClass -EQ user | Select-Object -ExpandProperty SamAccountName

But using [adsisearcher]?

August 27, 2015 at 10:31 am

I don't think you can do that directly. You'd have to get all of the top group members then write a recursive function to test if any of them are groups and get their members.

It's possible but messy.

Is there a reason you can't use Get-ADGroupMember?

I covered this way back in PowerShell in Practice, but the code looks something like this:

## PowerShell in Practice
## by Richard Siddaway
##################################

## get group membership
##################################
$group = [ADSI]"LDAP://cn=UKPMs,ou=All Groups,dc=manticore,dc=org"
$group.member | Sort-Object


## Listing 5.25
## Get nested group membership
#################################
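function resolve-group{
param ($group)
	foreach ($member in $group.member){
		$obj = [ADSI]("LDAP://" + $member)
		$dn = [string]$obj.distinguishedname
		## skip entries already collected so circular group nesting cannot recurse forever
		if ($global:members -contains $dn){continue}
		$global:members += $dn
		## objectclass is multi-valued (top, group); test membership rather than a fixed index
		if ($obj.objectclass -contains 'group'){resolve-group $obj}
	}
}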

$global:members = @()
$group = [ADSI]"LDAP://cn=International,ou=All Groups,dc=manticore,dc=org"
resolve-group $group
$global:members | Sort-Object -Unique

August 31, 2015 at 2:53 am

It's possible

#Find all (include indirect) members of TestGroup1
$ds = New-Object System.DirectoryServices.DirectorySearcher
$gdn='CN=TestGroup1,OU=TEST,OU=ROOTOU,DC=corp,DC=domain,DC=com'
$ds.Filter = "(memberOf:1.2.840.113556.1.4.1941:=$gdn)"
$ds.FindAll()
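
Added example, not part of any post in this thread: the matching-rule filter from the last reply, narrowed to user objects and returning only SamAccountName, which is what the original Get-ADGroupMember pipeline produced. The function names and the group DN are hypothetical placeholders; the DN is escaped before it goes into the filter so characters such as parentheses or backslashes in a group name cannot change the filter's structure.

```powershell
# Added example. Function names and the sample DN are assumptions, not values from the thread.

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping for a value placed inside a search filter.
    # The backslash must be replaced first so later escapes are not double-escaped.
    $Value.Replace('\', '\5c').
           Replace('*', '\2a').
           Replace('(', '\28').
           Replace(')', '\29').
           Replace([string][char]0, '\00')
}

function Get-NestedGroupUser {
    param([Parameter(Mandatory)][string]$GroupDn)

    $escaped = ConvertTo-LdapFilterValue $GroupDn

    # 1.2.840.113556.1.4.1941 walks the membership chain on the server,
    # so nested groups are resolved without a client-side recursive function.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(memberOf:1.2.840.113556.1.4.1941:=$escaped))"

    $searcher = [adsisearcher]$filter
    $searcher.PageSize = 1000          # enable paging so large groups are not truncated
    [void]$searcher.PropertiesToLoad.Add('samaccountname')

    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            # ResultPropertyCollection keys are lower case
            $result.Properties['samaccountname'][0]
        }
    }
    finally {
        $results.Dispose()             # SearchResultCollection holds unmanaged resources
    }
}

# Constructed placeholder DN
Get-NestedGroupUser -GroupDn 'CN=ExampleGroup,OU=Example,DC=example,DC=com' | Sort-Object
```

Because the search is based on memberOf, accounts that hold the group only as their primary group are not returned.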