export domain users & admins to csv - 2 columns

This topic contains 19 replies, has 5 voices, and was last updated by Profile photo of Jan Meeuws Jan Meeuws 5 months ago.

  • Author
    Posts
  • #45736
    Profile photo of Jan Meeuws
    Jan Meeuws
    Participant

    Hello,

    I'm not very familiar with powershell and would need some (urgent) help: I need a script that exports the domain users and domain admins to a single csv file. So that in the first column the domain users are mentioned and in the second column "yes" or "no" if they are in the group "domain admins".
    Thank you very much for your help!

  • #45759
    Profile photo of Paul Frankovich
    Paul Frankovich
    Participant

    Why not just get a list of the domain admins instead of touching every AD account?

    Get-ADGroupMember -Identity "Domain Admins"
  • #45763
    Profile photo of Jan Meeuws
    Jan Meeuws
    Participant

    I need a csv with 2 columns for an audit, it really needs to be that way 🙁
    thank you for your help!

  • #45772
    Profile photo of rintke
    rintke
    Participant
    Get-ADGroupMember -Identity "Domain Users" | Select Name | Export-csv -Path C:\Output\DomainUsers-GroupMembers.csv -NoTypeInformation
    Get-ADGroupMember -Identity "Domain Admins" | Select Name | Export-csv -Path C:\Output\DomainAdmins-GroupMembers.csv -NoTypeInformation

    Use these to export the information from AD to CSV and then just use Excel to get what you want.

    • This reply was modified 5 months ago by Profile photo of rintke rintke.
  • #45783
    Profile photo of Jan Meeuws
    Jan Meeuws
    Participant

    Okay, thank you. But now I have two separate lists and I only need one with both columns combined (maybe this isn't a powershell demand no more)

  • #45785
    Profile photo of Dan Potter
    Dan Potter
    Participant

    $da = (Get-ADGroupMember 'domain admins').samaccountname;get-aduser -filter * | %{[pscustomobject]@{sam=$_.samaccountname;isDA=[bool]($_.samaccountname -in $da)}}

  • #45787
    Profile photo of Jan Meeuws
    Jan Meeuws
    Participant

    Dan,

    as I said: I'm totally unfamiliar with powershell. When I enter your suggestion, it returns the error "you must provide a value expression on the right-hand side of the '-' operator" (at char 154)

    Furthermore, I think this doesn't give me an export to csv, right? To do this, do I just need to add another "| export-csv path c:\..."?
    thx again!

  • #45791
    Profile photo of Dan Potter
    Dan Potter
    Participant

    practice, practice, practice 🙂 remove the selection after you're comfortable with the output.

    
    $da = (Get-ADGroupMember 'domain admins').samaccountname
    
    get-aduser -filter * | %{[pscustomobject]@{sam=$_.samaccountname;isDA=[bool]($_.samaccountname -in $da)}} | select -First 10 | export-csv dainfo.csv
    
  • #45793
    Profile photo of Jan Meeuws
    Jan Meeuws
    Participant

    I will Dan 🙂

    currently still the same error 🙁

    You must provide a value expression on the right-hand side of the '-' operator.
    At C:\PowershellScripts\ExportDomainAdmins.ps1:3 char:97
    + get-aduser -filter * | %{[pscustomobject]@{sam=$_.samaccountname;isDA=[bool]($_.samac
    countname – <<<< in $da)}} | select -First 10 | export-csv domain-admins.csv + CategoryInfo : ParserError: (:) [], ParseException + FullyQualifiedErrorId : ExpectedValueExpression

  • #45795
    Profile photo of Dan Potter
    Dan Potter
    Participant
    
    $da = (Get-ADGroupMember 'domain admins').samaccountname;$da.count;$users = get-aduser -filter * |select -First 10;$users.count
    
  • #45797
    Profile photo of Jan Meeuws
    Jan Meeuws
    Participant

    this looks good, script doesn't return errors.
    unfortunately the output is not correct: it gives me a single line "#TYPE System.Int32"

  • #45799
    Profile photo of Dan Potter
    Dan Potter
    Participant

    I don't know where my text went in the last post. I wanted you to run that and tell me the output. There should be two numbers returned. Are there current members of the DA group?

    • This reply was modified 5 months ago by Profile photo of Dan Potter Dan Potter.
  • #45801
    Profile photo of Jan Meeuws
    Jan Meeuws
    Participant

    yes, there are about 20 users in the group "Domain Admins"

  • #45804
    Profile photo of Dan Potter
    Dan Potter
    Participant

    type $da press enter, do you get output?

    type on of the samaccountnames in the da group in the quotes here, what does it give you?

    ('samaccountname' -in $da)

  • #45806
    Profile photo of Jan Meeuws
    Jan Meeuws
    Participant

    typing $da in powershell doesn't return any output
    when I enter a samaccountname as you suggested I receive the same error as before:

    You must provide a value expression on the right-hand side of the '-' operator.
    ar:14
    + ('—admin' – <<<< in $da) + CategoryInfo : ParserError: (:) [], ParseException + FullyQualifiedErrorId : ExpectedValueExpression

  • #45813
    Profile photo of Dan Potter
    Dan Potter
    Participant

    so powershell is telling you that you do not have anything in the $da variable.

    what does this get you? (Get-ADGroupMember 'domain admins').samaccountname

  • #45867
    Profile photo of Paul Frankovich
    Paul Frankovich
    Participant

    Unless you have a rather small directory the Domain Users group is HUGE! In some cases way to big for the AD Module. If I understand correctly the AD Module cmdlet will error out after it pulls 5000 objects and return nothing after that.

    http://technet.microsoft.com/en-us/library/dd391908%28WS.10%29.aspx

    Search the page for: MaxGroupOrMemberEntries

    Apparently you can set it higher with that.

  • #45871
    Profile photo of Paul Frankovich
    Paul Frankovich
    Participant

    Also, these are not cmdlet parameters, the article mentions:
    These configuration parameters are stored in the Microsoft.ActiveDirectory.WebServices.exe.config file, under %WINDIR%\ADWS directory.

  • #45896
    Profile photo of Curtis Smith
    Curtis Smith
    Participant

    Here's how I would do it.

    Get-ADUser -filter * -Properties Memberof | select Name,@{Label="DA";Expression={If($_.MemberOf -join "" -match "CN=Domain Admins,"){"Yes"}Else{"No"}}}
    
  • #45937
    Profile photo of Jan Meeuws
    Jan Meeuws
    Participant

    Curtis,

    your script is working perfect, thanks! (thanks to the others too of course)

    Jan

You must be logged in to reply to this topic.