Get AD users from specific AD Groups and parse results

This topic contains 2 replies, has 2 voices, and was last updated by Massimo Cavo 2 years, 3 months ago.

  • #18519
    Massimo Cavo
    Participant

    Hi all,

    my first post here 🙂

    I have a question for the scripting gurus: I need to create a report containing UNIQUE user accounts from specific AD Groups, also taking into account the nested groups.

    Basically I have come up with this script:

    Import-Module ActiveDirectory

    $Report = "C:\Users.csv"
    Remove-Item $Report -Force -ErrorAction SilentlyContinue

    # Groups to report on, matched by name
    $Groups = Get-ADGroup -Filter 'Name -like "*AAAA*" -or Name -like "*BBBB*" -or Name -eq "GROUPX"'

    $Users = @()
    ForEach ($Group in $Groups) {
        # -Identity takes the group object (or its DN/SID/sAMAccountName), not the display name.
        # -Recursive expands nested groups; only user objects are kept.
        # Only the non-default attributes the report needs are requested (cheaper than -Properties *).
        # LastLogonDate is $null for accounts that never logged on, so it is checked before calling a method on it.
        $Users += Get-ADGroupMember -Identity $Group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties LastLogonDate, MemberOf |
            Select-Object Name,
                @{Name = "Username"; Expression = { $_.SamAccountName }},
                Enabled,
                @{Name = "Last access"; Expression = { if ($_.LastLogonDate) { $_.LastLogonDate.ToShortDateString() } }},
                @{n = 'MemberOf'; e = { $_.MemberOf -replace '^(cn.*?),.*', '$1' }}
    }
    $Users | Sort-Object Name -Unique | Export-Csv $Report -NoTypeInformation -Encoding unicode

    Now I'm getting records like this:
    "Name","Username","Enabled","Last access","Member of"
    "Name, Surname","username","True/False","YYYY-MM-DD","CN=Group1 CN=Group2, CN=Group3"

    I'm trying to get the CN and not the DN for the MemberOf property, but this is the best I have managed.

    Do you guys have any idea how to improve this?

    Thanks in advance
    Max

  • #18520
    Tim Pringle
    Participant

    Hey Max,

    Bit of indentation would be nice. 😉

    Seriously though, Jeff Wouter wrote something similar in one of his blogs, which you might be able to adapt to tidy things up a bit.

    Depending on the size of the AD you have, you could maybe look at doing a Get-ADGroup -Identity $_.MemberOf (I think that's the right syntax) and assign that to a variable, which you then place into the @{n='MemberOf'........................}} bit, saving you having to do the -replace bit.

    cheers,

    Tim

  • #18531
    Massimo Cavo
    Participant

    Bit of indentation would be nice. 😉

    hehe yeah sorry 🙂

    I get an error if I try to put the result of Get-ADGroup -Identity $_.MemberOf in a variable:

    Get-ADGroup : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try the command again.

    Anyway I was able to improve my regex to get what I needed.

    If someone else needs it, this is the final code 🙂

    Import-Module ActiveDirectory

    $Report = "C:\Users.csv"
    Remove-Item $Report -Force -ErrorAction SilentlyContinue

    $Groups = Get-ADGroup -Filter 'Name -like "*AAAA*" -or Name -like "*BBBB*" -or Name -eq "GROUPX"'
    $Users = @()

    ForEach ($Group in $Groups) {
        # -Identity takes the group object (or its DN/SID/sAMAccountName), not the display name.
        # -Recursive expands nested groups; only user objects are kept.
        # Only the non-default attributes the report needs are requested (cheaper than -Properties *).
        # LastLogonDate is $null for accounts that never logged on, so it is checked before calling a method on it.
        # The MemberOf regex keeps the CN value of each group DN and joins them with commas.
        $Users += Get-ADGroupMember -Identity $Group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties LastLogonDate, MemberOf |
            Select-Object Name,
                @{Name = "Username"; Expression = { $_.SamAccountName }},
                Enabled,
                @{Name = "Last access"; Expression = { if ($_.LastLogonDate) { $_.LastLogonDate.ToShortDateString() } }},
                @{n = 'MemberOf'; e = { ($_.MemberOf -replace "(CN=)(.*?),.*", '$2') -join ',' }}
    }
    # Deduplicate on the logon name: two accounts can share a display name but never a sAMAccountName
    $Users | Sort-Object Username -Unique | Export-Csv $Report -NoTypeInformation -Encoding unicode
    

    Cheers,

    Max
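An added example, not code from either poster, that goes a little beyond the script above: it shows where the "(CN=)(.*?),.*" regex breaks (a CN containing an escaped comma such as "Doe\, John" gets cut at the backslash), walks nested groups with a guard against circular nesting, and deduplicates on sAMAccountName rather than display name. Everything in it is constructed: the two hashtables stand in for the Get-ADGroupMember / Get-ADUser output, the DNs and accounts (GROUPX, AAAA-Admins, BBBB-Ops, jdoe, asmith) are made up, and ConvertTo-CommonName, Get-NestedUserDN and Get-GroupUserReport are hypothetical helper names, so it runs in any PowerShell session without the ActiveDirectory module or a domain.

```powershell
# Added example (not from this thread): a DN-to-CN parser that honours RFC 4514
# escaping, a nested-group walk with loop protection, and deduplication by logon
# name. It runs offline against a constructed in-memory directory, so it needs
# neither the ActiveDirectory module nor a domain. All names below are made up.

function ConvertTo-CommonName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Read the first RDN value one character at a time so that an escaped comma
    # inside the CN ("CN=Doe\, John,OU=...") is not taken as the RDN separator,
    # which is exactly where a plain '(.*?),' regex truncates the name.
    if ($DistinguishedName -notmatch '^CN=') { return $DistinguishedName }
    $sb = [System.Text.StringBuilder]::new()
    $chars = $DistinguishedName.Substring(3).ToCharArray()
    for ($i = 0; $i -lt $chars.Length; $i++) {
        $c = $chars[$i]
        if ($c -eq '\' -and $i + 1 -lt $chars.Length) {
            $i++                              # keep the escaped character literally
            [void]$sb.Append($chars[$i])
        }
        elseif ($c -eq ',') { break }         # an unescaped comma ends the CN
        else { [void]$sb.Append($c) }
    }
    return $sb.ToString()
}

# Constructed sample directory: group DN -> direct member DNs (users or groups).
# GROUPX and AAAA-Admins contain each other, a nesting loop AD does not prevent.
$GroupMembers = @{
    'CN=GROUPX,OU=Groups,DC=corp,DC=example'      = @(
        'CN=Doe\, John,OU=Users,DC=corp,DC=example',
        'CN=AAAA-Admins,OU=Groups,DC=corp,DC=example')
    'CN=AAAA-Admins,OU=Groups,DC=corp,DC=example' = @(
        'CN=Smith\, Ann,OU=Users,DC=corp,DC=example',
        'CN=GROUPX,OU=Groups,DC=corp,DC=example')
    'CN=BBBB-Ops,OU=Groups,DC=corp,DC=example'    = @(
        'CN=Doe\, John,OU=Users,DC=corp,DC=example')
}
# Constructed user objects keyed by DN, shaped like the attributes Get-ADUser returns.
$Users = @{
    'CN=Doe\, John,OU=Users,DC=corp,DC=example'  = [pscustomobject]@{
        Name = 'Doe, John'; SamAccountName = 'jdoe'; Enabled = $true; LastLogonDate = [datetime]'2016-01-15' }
    'CN=Smith\, Ann,OU=Users,DC=corp,DC=example' = [pscustomobject]@{
        Name = 'Smith, Ann'; SamAccountName = 'asmith'; Enabled = $false; LastLogonDate = $null }
}

function Get-NestedUserDN {
    # Emits the DN of every user reachable from $GroupDN, following nested groups.
    param([Parameter(Mandatory)][string]$GroupDN, [hashtable]$Visited = @{})
    if ($Visited.ContainsKey($GroupDN)) { return }   # loop guard
    $Visited[$GroupDN] = $true
    foreach ($member in $GroupMembers[$GroupDN]) {
        if ($GroupMembers.ContainsKey($member)) {
            Get-NestedUserDN -GroupDN $member -Visited $Visited
        }
        elseif ($Users.ContainsKey($member)) {
            $member
        }
    }
}

function Get-GroupUserReport {
    # One row per unique account across all requested groups; uniqueness is on
    # sAMAccountName, since two accounts may share a display name.
    param([Parameter(Mandatory)][string[]]$GroupDNs)
    $seen = @{}
    foreach ($groupDN in $GroupDNs) {
        foreach ($dn in Get-NestedUserDN -GroupDN $groupDN) {
            $u = $Users[$dn]
            if ($seen.ContainsKey($u.SamAccountName)) { continue }
            $seen[$u.SamAccountName] = $true
            # Groups that list this user directly, reported as CNs rather than DNs
            $memberOf = @($GroupMembers.Keys |
                Where-Object { $GroupMembers[$_] -contains $dn } |
                ForEach-Object { ConvertTo-CommonName $_ } |
                Sort-Object)
            # A null LastLogonDate means the account never logged on; do not call a method on it
            $lastAccess = if ($u.LastLogonDate) { $u.LastLogonDate.ToString('yyyy-MM-dd') } else { 'never' }
            [pscustomobject]@{
                Name          = $u.Name
                Username      = $u.SamAccountName
                Enabled       = $u.Enabled
                'Last access' = $lastAccess
                MemberOf      = $memberOf -join ','
            }
        }
    }
}

# Usage: report on GROUPX (which nests AAAA-Admins) and BBBB-Ops.
Get-GroupUserReport -GroupDNs @(
    'CN=GROUPX,OU=Groups,DC=corp,DC=example',
    'CN=BBBB-Ops,OU=Groups,DC=corp,DC=example') |
    Format-Table -AutoSize
```

Against a real domain the two hashtables would be replaced by the objects Get-ADGroupMember and Get-ADUser return, and ConvertTo-CommonName would be applied to each entry of the user's MemberOf attribute. Two details matter for an access review built on this kind of report: the fixed-format date avoids the culture-dependent ToShortDateString() and makes "never logged on" explicit, and keying uniqueness on the logon name means a stale or disabled account is not hidden behind another account that happens to carry the same display name.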
