
September 4, 2014 at 1:51 am

Hi all,

My first post here 🙂

I have a question for the scripting gurus: I need to create a report containing UNIQUE user accounts from specific AD groups, taking into account ALSO the nested groups.

Basically I have come up with this script:

Import-Module ActiveDirectory

$Report= "C:\Users.csv"
remove-item $Report -Force -ErrorAction SilentlyContinue
$Groups=Get-ADGroup -Filter 'Name -like "*AAAA*" -or Name -like "*BBBB*" -or Name -eq "GROUPX"'
$Users = @(); ForEach ($Group in $Groups) {
    $Users += (Get-ADGroupMember -Identity "$($Group.Name)" -Recursive)| Where-Object { $_.objectClass -eq 'user' } | 
    Get-Aduser -Property * | Select Name, @{Name="Username";Expression={$_.samaccountname}}, Enabled, @{Name="Last access";Expression={($_.lastlogondate).ToshortDateString()}}, @{n='MemberOf';e={$_.MemberOf -replace '^(cn.*?),.*','$1'}}
}
$Users  | sort Name -Unique  | export-csv $Report -NoTypeInformation -Encoding unicode

Now I'm getting records like this:
"Name","Username","Enabled","Last access","Member of"
"Name, Surname","username","True/False","YYYY-MM-DD","CN=Group1 CN=Group2, CN=Group3"

I'm trying to get the CN and not the DN for the MemberOf property, but this is the best I could do on it.

Do you guys have any idea how to improve this?

Thanks in advance
Max

September 4, 2014 at 2:10 am

Hey Max,

Bit of indentation would be nice. 😉

Seriously though, Jeff Wouters wrote something similar in one of his blogs, which you might be able to adapt to tidy things up a bit.

PowerShell function to get all nested group members in Active Directory

Depending on the size of the AD you have, you could maybe look at doing a Get-ADGroup -Identity $_.MemberOf (think that's the right syntax) and assign that to a variable, which you then place into the @{n='MemberOf'........................}} bit, saving you having to do the -replace bit.

cheers,

Tim

September 4, 2014 at 6:45 am

Bit of indentation would be nice. 😉

hehe yeah sorry 🙂

I get an error if I try to put the result of Get-ADGroup -Identity $_.MemberOf in a variable:

Get-ADGroup : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try the command again.

Anyway, I was able to improve my regex to get what I needed.

If someone else needs it, this is the final code 🙂

Import-Module ActiveDirectory

$Report = "C:\Users.csv"
Remove-Item $Report -Force -ErrorAction SilentlyContinue

$Groups = Get-ADGroup -Filter 'Name -like "*AAAA*" -or Name -like "*BBBB*" -or Name -eq "GROUPX"'

# Collect the pipeline output directly instead of growing an array with += inside the loop.
$Users = ForEach ($Group in $Groups) {
    # Pass the group object itself (resolved by its DN); a group's Name is not guaranteed to be unique.
    # -Recursive flattens nested groups and returns only leaf objects; the Where-Object drops
    # computers, contacts and other non-user leaves.
    # Request only the attributes the report uses rather than -Properties *.
    # LastLogonDate is $null for accounts that have never logged on, so it is guarded before a
    # method is called on it; it is also derived from the replicated lastLogonTimestamp, which can
    # lag the real last logon by up to 14 days.
    # The MemberOf expression reduces each group DN to its CN and joins the list into one cell.
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate, MemberOf |
        Select-Object Name,
            @{Name = 'Username'; Expression = { $_.SamAccountName }},
            Enabled,
            @{Name = 'Last access'; Expression = { if ($_.LastLogonDate) { $_.LastLogonDate.ToShortDateString() } else { 'Never' } }},
            @{n = 'MemberOf'; e = { ($_.MemberOf -replace '(CN=)(.*?),.*', '$2') -join ',' }}
}

# De-duplicate on the logon name rather than the display name: two different accounts can share a Name.
$Users | Sort-Object Username -Unique | Export-Csv $Report -NoTypeInformation -Encoding Unicode

Cheers,

Max
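The following is an added example written for this page, not code from Max, Tim or the linked blog. It tackles the same task (unique users from a set of groups, nested groups included, with group CNs rather than DNs in the report) in a way that scales better than Get-ADGroupMember -Recursive: the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941, supported by Windows Server 2003 SP2 and later domain controllers) makes the DC walk nested membership server-side in a single query, so the client-side result-size limit of Get-ADGroupMember does not apply. Accounts are de-duplicated on ObjectGUID rather than on Name, and the CN is pulled out of each DN with an RFC 4514-aware parser, because the regex used in the thread stops at the first comma and so mangles names such as "CN=Smith\, John,OU=...". It assumes a domain-joined host with the RSAT ActiveDirectory module; the function names Get-NestedGroupUserReport, ConvertTo-LdapFilterValue and Get-DnCommonName and the parameter names are made up here. The two helper functions run without a domain; the report function needs one.

```powershell
Import-Module ActiveDirectory

# Escape a value for use inside an LDAP filter (RFC 4515): backslash first, then ( ) * and NUL.
# A group DN containing "(" or "*" would otherwise break or widen the filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a' -replace "`0", '\00'
}

# Return the CN of a distinguished name, honouring RFC 4514 escapes, so
# "CN=Smith\, John,OU=Staff,DC=corp,DC=example" gives "Smith, John", not "Smith\".
function Get-DnCommonName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Consume either an escaped character (\x) or any character that is not a comma or backslash.
    if ($DistinguishedName -match '^CN=((?:\\.|[^,\\])*)') {
        return ($Matches[1] -replace '\\(.)', '$1')   # drop the escaping backslashes
    }
    return $DistinguishedName                           # not CN-led; hand it back unchanged
}

# Hypothetical report function: one LDAP query per matching group, each account emitted once.
function Get-NestedGroupUserReport {
    param(
        [Parameter(Mandatory)][string]$GroupFilter,   # same syntax as Get-ADGroup -Filter
        [Parameter(Mandatory)][string]$Report         # CSV path to write
    )
    $seen = @{}   # ObjectGUID -> $true; an account nested under several groups is reported once
    $rows = foreach ($group in Get-ADGroup -Filter $GroupFilter) {
        $dn = ConvertTo-LdapFilterValue $group.DistinguishedName
        # The 1.2.840.113556.1.4.1941 rule matches users whose memberOf chain reaches $dn at any depth.
        Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)" -Properties LastLogonDate, MemberOf |
            ForEach-Object {
                if ($seen.ContainsKey($_.ObjectGUID)) { return }   # already reported via another group
                $seen[$_.ObjectGUID] = $true
                # LastLogonDate is $null for never-logged-on accounts and is derived from the
                # replicated lastLogonTimestamp, which can trail the true last logon by up to 14 days:
                # good enough for staleness, not for "who logged on yesterday".
                $lastAccess = if ($_.LastLogonDate) { $_.LastLogonDate.ToShortDateString() } else { 'Never' }
                [pscustomobject]@{
                    Name          = $_.Name
                    Username      = $_.SamAccountName
                    Enabled       = $_.Enabled
                    SourceGroup   = $group.Name
                    'Last access' = $lastAccess
                    MemberOf      = ($_.MemberOf | ForEach-Object { Get-DnCommonName $_ }) -join ';'
                }
            }
    }
    $rows | Sort-Object Username | Export-Csv -Path $Report -NoTypeInformation -Encoding Unicode
    $rows
}

# Usage, with the same group selection as the thread:
# Get-NestedGroupUserReport -GroupFilter 'Name -like "*AAAA*" -or Name -like "*BBBB*" -or Name -eq "GROUPX"' -Report 'C:\Users.csv'
```

The MemberOf column still lists every group the user belongs to, not just the ones matched by the filter, exactly as in the thread's script; if only the selected groups matter, filter $_.MemberOf against the DNs returned by Get-ADGroup before joining. The semicolon join avoids ambiguity with commas that survive inside a CN such as "Smith, John".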