July 5, 2016 at 8:28 am

Hello,

I'm not very familiar with PowerShell and would need some (urgent) help: I need a script that exports the domain users and domain admins to a single CSV file, so that the domain users are listed in the first column and the second column says "yes" or "no" depending on whether they are in the group "domain admins".
Thank you very much for your help!

July 5, 2016 at 1:31 pm

Why not just get a list of the domain admins instead of touching every AD account?

Get-ADGroupMember -Identity "Domain Admins"

July 5, 2016 at 1:41 pm

I need a csv with 2 columns for an audit, it really needs to be that way 🙁
thank you for your help!

July 5, 2016 at 1:57 pm

Get-ADGroupMember -Identity "Domain Users" | Select Name | Export-csv -Path C:\Output\DomainUsers-GroupMembers.csv -NoTypeInformation
Get-ADGroupMember -Identity "Domain Admins" | Select Name | Export-csv -Path C:\Output\DomainAdmins-GroupMembers.csv -NoTypeInformation

Use these to export the information from AD to CSV and then just use Excel to get what you want.

July 5, 2016 at 2:21 pm

Okay, thank you. But now I have two separate lists and I only need one with both columns combined (maybe this isn't a PowerShell demand anymore).

July 5, 2016 at 2:34 pm

$da = (Get-ADGroupMember 'domain admins').samaccountname;get-aduser -filter * | %{[pscustomobject]@{sam=$_.samaccountname;isDA=[bool]($_.samaccountname -in $da)}}

July 5, 2016 at 2:39 pm

Dan,

as I said: I'm totally unfamiliar with powershell. When I enter your suggestion, it returns the error "you must provide a value expression on the right-hand side of the '-' operator" (at char 154)

Furthermore, I think this doesn't give me an export to csv, right? To do this, do I just need to add another "| export-csv path c:\..."?
thx again!

July 5, 2016 at 2:45 pm

practice, practice, practice 🙂 remove the selection after you're comfortable with the output.


$da = (Get-ADGroupMember 'domain admins').samaccountname

get-aduser -filter * | %{[pscustomobject]@{sam=$_.samaccountname;isDA=[bool]($_.samaccountname -in $da)}} | select -First 10 | export-csv dainfo.csv

July 5, 2016 at 2:53 pm

I will Dan 🙂

currently still the same error 🙁

You must provide a value expression on the right-hand side of the '-' operator.
At C:\PowershellScripts\ExportDomainAdmins.ps1:3 char:97
+ get-aduser -filter * | %{[pscustomobject]@{sam=$_.samaccountname;isDA=[bool]($_.samaccountname - <<<< in $da)}} | select -First 10 | export-csv domain-admins.csv
    + CategoryInfo : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : ExpectedValueExpression

July 5, 2016 at 3:05 pm


$da = (Get-ADGroupMember 'domain admins').samaccountname;$da.count;$users = get-aduser -filter * |select -First 10;$users.count

July 5, 2016 at 3:12 pm

this looks good, script doesn't return errors.
unfortunately the output is not correct: it gives me a single line "#TYPE System.Int32"

July 5, 2016 at 3:16 pm

I don't know where my text went in the last post. I wanted you to run that and tell me the output. There should be two numbers returned. Are there current members of the DA group?

July 5, 2016 at 3:17 pm

yes, there are about 20 users in the group "Domain Admins"

July 5, 2016 at 3:20 pm

type $da press enter, do you get output?

type one of the samaccountnames in the da group in the quotes here, what does it give you?

('samaccountname' -in $da)

July 5, 2016 at 3:26 pm

typing $da in powershell doesn't return any output
when I enter a samaccountname as you suggested I receive the same error as before:

You must provide a value expression on the right-hand side of the '-' operator.
ar:14
+ ('—admin' - <<<< in $da)
    + CategoryInfo : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : ExpectedValueExpression

July 5, 2016 at 4:02 pm

so powershell is telling you that you do not have anything in the $da variable.

what does this get you? (Get-ADGroupMember 'domain admins').samaccountname

July 5, 2016 at 7:14 pm

Unless you have a rather small directory the Domain Users group is HUGE! In some cases way too big for the AD Module. If I understand correctly the AD Module cmdlet will error out after it pulls 5000 objects and return nothing after that.

http://technet.microsoft.com/en-us/library/dd391908%28WS.10%29.aspx

Search the page for: MaxGroupOrMemberEntries

Apparently you can set it higher with that.

July 5, 2016 at 7:22 pm

Also, these are not cmdlet parameters, the article mentions:
These configuration parameters are stored in the Microsoft.ActiveDirectory.WebServices.exe.config file, under %WINDIR%\ADWS directory.

July 5, 2016 at 10:59 pm

Here's how I would do it.

Get-ADUser -filter * -Properties Memberof | select Name,@{Label="DA";Expression={If($_.MemberOf -join "" -match "CN=Domain Admins,"){"Yes"}Else{"No"}}}

July 6, 2016 at 7:39 am

Curtis,

your script is working perfectly, thanks! (thanks to the others too of course)

Jan
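
An added example, not part of the original thread: one way to produce the two-column audit CSV that combines the points raised above. It assumes the ActiveDirectory module is available and uses a placeholder output path; it relies on -contains and ForEach-Object so it also runs on PowerShell 2.0, where the -in operator does not exist, and on -Recursive so accounts that are Domain Admins through a nested group are flagged as well.

```powershell
# Added example, not code from the thread.
Import-Module ActiveDirectory

# Placeholder output path (assumption); change to suit the audit share.
$outFile = 'C:\Output\DomainUsers-DA-Audit.csv'

# -Recursive expands nested groups, so indirect Domain Admins are included.
# Keep user objects only; the group may also contain other object classes.
$daDns = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $_.distinguishedName })

# Stop if the lookup came back empty rather than writing a report
# that marks every account "No".
if ($daDns.Count -eq 0) {
    throw "No members returned for 'Domain Admins'; not writing the report."
}

# Enumerate accounts with Get-ADUser instead of
# Get-ADGroupMember 'Domain Users', which avoids the group-member
# limit (MaxGroupOrMemberEntries) mentioned in the thread.
Get-ADUser -Filter * |
    Select-Object SamAccountName, Name, Enabled,
        @{ Name = 'DomainAdmin'; Expression = {
            # Compare on DistinguishedName: unique per object, unlike Name.
            if ($daDns -contains $_.DistinguishedName) { 'Yes' } else { 'No' }
        } } |
    Sort-Object SamAccountName |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
```

The Enabled column is included so the reviewer can tell active privileged accounts from disabled ones; drop it from Select-Object if the audit requires exactly two columns.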