Nested Groups - User Properties

Welcome Forums General PowerShell Q&A Nested Groups - User Properties

This topic contains 3 replies, has 2 voices, and was last updated by

3 years, 8 months ago.

  • Author
  • #22750

    Points: 0
    Rank: Member

    Hello and thank you for your anticipated help with this.

    Pretty new at Powershell because I was good at the old ways.
    Doing my best to stop going back to the old, familiar out of date ways so here goes.

    Below is a script that I've put together from things found on the interwebs.
    It walks through a group and subgroups for members and displays as required.

    It's working as designed but new requirements from the client have come forth

    req 1: don't show disabled users
    req 2: don't show accounts with no defined expiration date

    When I attempt to have it skip disabled users with (below) I get an error.

    `Get-ADUser -filter {enabled -eq $true} -Prop Description.......

    Any help with this as well as not displaying the hundreds of users accounts that don't have the account expiry set would be greatly appreciated.

    function Get-ADNestedGroupMembers {
    param (
    [String] $GroupName

    import-module activedirectory
    $Members = Get-ADGroupMember -Identity $GroupName
    $members | % {
    if($_.ObjectClass -eq "group") {
    Get-ADNestedGroupMembers -GroupName $_.distinguishedName
    } else {
    return $_.distinguishedname

    import-module activedirectory
    Get-ADNestedGroupMembers -groupname "group name here" |
    `Get-ADUser -Prop Description,samAccountName,AccountExpirationDate, mail, LastLogoff, lastLogonTimestamp, company |
    `Select-Object Name,samAccountName,AccountExpirationDate, mail, LastLogoff, @{N='LastLogonTimestamp'; E={[DateTime]::FromFileTime($_.LastLogonTimestamp)}}, company |
    `Sort-Object AccountExpirationDate -descending |
    #`Format-Table -property * -AutoSize |
    `ConvertTo-HTML | Out-File C:\Temp\working\AccountExpiry.htm

  • #22766

    Points: 5
    Rank: Member

    Hey Mike,

    What's the error you are getting? I ran the command on my DC a couple of seconds ago, and it worked okay.

  • #22790

    Points: 0
    Rank: Member

    Hi Tim,

    The code above is working well.
    My poorly requested assistance meant to ask for help filtering out the resultant data set

    I don't want to see users that are disabled nor do I want to see users that don't have the account expiry not set.

    I'm trying to use something like Get-ADUser -filter {enabled -eq $true} -Prop Description……. with no luck.

    I'm thinking it's an issue with what is returned from the function (ADNestedGroupMembers)

    Thank you for your time!


  • #22791

    Points: 0
    Rank: Member

    And while we (ok you) are at it, I'd like to know what the path to their user object is (like when you view advanced features in AD and select the user\computer 'OBJECT' tab.

The topic ‘Nested Groups - User Properties’ is closed to new replies.