
October 2, 2013 at 11:22 am

Hello

I am seeking a PowerShell script that will gather info for four different AD Groups – each managed by (owner of the AD group) and
lists all members' username, SamAccountName, and DNs. The script needs to run from a task schedule from a server.
Email each Managed by (owner of the AD group)

Each owner of each group needs to examine their group to see if there are members that they can delete or remove.
Instructions would help too.

Thank you

October 3, 2013 at 2:50 am

This should get you started on developing your script


"ADLgroup1", "ADLgroup2", "ADLgroup3", "ADLgroup4" |
foreach {
$group = Get-ADGroup -Identity $_ -Properties ManagedBy

Get-ADGroupMember -Identity $_ |
select @{N='GroupName'; E={$group.Name}},
@{N='ManagedBy'; E={$group.ManagedBY}},
Name, samAccountName, DistinguishedName

}

October 3, 2013 at 6:34 am

Richard

Thank you for the help. Everything seems to be alright but I'm getting "Parse errors detected":

Missing expression after ','.
At line:3 char:11

Missing statement after '=' in hash literal.
At line:8 char:39

Missing statement after '=' in hash literal.
At line:9 char:35

October 3, 2013 at 6:46 am

That's strange because I've just copied the code from my post and run it.

How are you running the code?

Did you change the group names?

October 3, 2013 at 6:58 am

I copied the code and changed the group names from "ADLgroup1", "ADLgroup2", "ADLgroup3", "ADLgroup4" | to "Uxstaff", "Uxbasis", Uxunixtm", "Uxsched", | I am running it with powershell_ise.exe.

This is what I ran:

"Uxstaff", "Uxbasis", "Uxunixtm", "Uxsched" |
foreach {
$group = Get-ADGroup -Identity $_ -Properties ManagedBy

Get-ADGroupMember -Identity $_ |
select @{N='GroupName'; E={$group.Name}},
@{N='ManagedBy'; E={$group.ManagedBY}},
Name, samAccountName, DistinguishedName

}

It states it's completed but I got this:

The term 'Get-ADGroupMember' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name,
or if a path was included, verify that the path is correct and try again.
At line:5 char:18
+ Get-ADGroupMember <<<< -Identity $_ |
+ CategoryInfo : ObjectNotFound: (Get-ADGroupMember:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

October 3, 2013 at 7:07 am

I'm very confused. I took that code – changed the group names and it ran. I can't see why it doesn't like Get-ADGroupMember but accepts Get-ADGroup

Which version of PowerShell are you using and which version of Windows?

October 3, 2013 at 7:08 am

I haven’t used powershell to create script in this magnitude. I really do appreciate your help.

October 3, 2013 at 7:12 am

Windows 7 & Windows Powershell\v1.0\powershell_ise.exe

October 3, 2013 at 7:45 am

Do you have the AD module installed on your machine? If not you will need to get the RSAT tools installed so you can use the script.

What version of Windows are your domain controllers running?

October 3, 2013 at 7:52 am

Yes I have AD module – AD module for Win PS on my system. The DCs are running on Windows 2008 r2. I have the RSAT tools installed already. I don't understand what the issue could be.

October 3, 2013 at 7:56 am

Can you try running


import-module activedirectory
Get-ADGroup -Identity "Uxbasis"
Get-ADGroupMember -Identity "Uxbasis"

I just want to test the module

Thanks

October 3, 2013 at 8:07 am

Works!

DistinguishedName : CN=uxbasis,OU=Groups,OU=Unix,OU=Linux_Unix,DC=n
GroupCategory : Security
GroupScope : Universal
Name : uxbasis
ObjectClass : group
ObjectGUID : 9b4286a2-1a1b-45b0-b06d-9691a2b35742
SamAccountName : uxbasis
SID : S-1-5-21-1174801143-910442134-930774774-202050

October 3, 2013 at 8:09 am

Ok that's the group data – did you get the group membership data as well?

If you did then add this line to the beginning of the script I gave you initially

Import-Module ActiveDirectory -Force

and try it again

October 3, 2013 at 8:11 am

all works....

PS C:\Users\A87114> Get-ADGroup -Identity "Uxbasis"

DistinguishedName : CN=uxbasis,OU=Groups,OU=Unix,OU=Linux_Unix,DC=na,DC
GroupCategory : Security
GroupScope : Universal
Name : uxbasis
ObjectClass : group
ObjectGUID : 9b4286a2-1a1b-45b0-b06d-9691a2b35742
SamAccountName : uxbasis
SID : S-1-5-21-1174801143-910442134-930774774-202050

October 3, 2013 at 8:15 am

That works, this is what I get without errors:

PS C:\Windows\system32> Import-Module ActiveDirectory -Force
"Uxstaff", "Uxbasis", "Uxunixtm", "Uxsched" |
foreach {
$group = Get-ADGroup -Identity $_ -Properties ManagedBy

Get-ADGroupMember -Identity $_ |
select @{N='GroupName'; E={$group.Name}},
@{N='ManagedBy'; E={$group.ManagedBY}},
Name, samAccountName, DistinguishedName

}

GroupName : uxstaff
ManagedBy : CN=Z8248A,OU=Users,OU=GCA,OU=NA,DC=na,DC=ko,DC=com
Name : A86962
samAccountName : A86962
DistinguishedName : CN=A86962,OU=Users,OU=Atlanta-AOC,OU=US,OU=NA,DC=na,DC=ko,DC=com

GroupName : uxstaff
ManagedBy : CN=Z8248A,OU=Users,OU=GCA,OU=NA,DC=na,DC=ko,DC=com
Name : A86900
samAccountName : A86900
DistinguishedName : CN=A86900,OU=Users,OU=Atlanta-AOC,OU=US,OU=NA,DC=na,DC=ko,DC=com

GroupName : uxstaff
ManagedBy : CN=Z8248A,OU=Users,OU=GCA,OU=NA,DC=na,DC=ko,DC=com
Name : A86592
samAccountName : A86592
DistinguishedName : CN=A86592,OU=Users,OU=Atlanta-AOC,OU=US,OU=NA,DC=na,DC=ko,DC=com

GroupName : uxstaff
ManagedBy : CN=Z8248A,OU=Users,OU=GCA,OU=NA,DC=na,DC=ko,DC=com
Name : A86483
samAccountName : A86483
DistinguishedName : CN=A86483,OU=Users,OU=Atlanta-AOC,OU=US,OU=NA,DC=na,DC=ko,DC=com

October 3, 2013 at 8:19 am

How can I create the script to input each AD group memberlist and add the managed by (owner of the group) and email it to the managed by (owner of the group)? If it can be done. I would like to setup a task schedule to run this input from a server. I am not sure if it can be done.

October 3, 2013 at 8:31 am

What I think I mean is I want the script to loop for one group after the other. Do you think I can do this just by adding the same script input for each group with the send email input underneath each script? I have never done this.

October 3, 2013 at 10:54 am

How would you add the script output as a txt file to be sent as an email?

October 3, 2013 at 11:21 am

You asked about producing files. Either:

Import-Module ActiveDirectory -Force
"ADLgroup1", "ADLgroup2", "ADLgroup3", "ADLgroup4" |
foreach {
$group = Get-ADGroup -Identity $_ -Properties ManagedBy

Get-ADGroupMember -Identity $_ |
select @{N='GroupName'; E={$group.Name}},
@{N='ManagedBy'; E={$group.ManagedBY}},
Name, samAccountName, DistinguishedName |
Out-File -FilePath "$($group.Name).txt"
}

OR

Import-Module ActiveDirectory -Force
"ADLgroup1", "ADLgroup2", "ADLgroup3", "ADLgroup4" |
foreach {
$group = Get-ADGroup -Identity $_ -Properties ManagedBy

Get-ADGroupMember -Identity $_ |
select @{N='GroupName'; E={$group.Name}},
@{N='ManagedBy'; E={$group.ManagedBY}},
Name, samAccountName, DistinguishedName |
Export-Csv -NoTypeInformation -Path "$($group.Name).csv"
}

if you prefer a csv file

October 14, 2013 at 6:08 am

Hello

I have created this script below from reviewing your help. How can I add the input so that it can list four different group name in the subject when sent to the managed by (owner of group).

Every time I run the script the subject: $messageSubject = "Action Required – Review Members List For (groupname) " + " $Group – 4th Quarter" never changes or adds the correct group name there. Is there any input I can add to change it?

#GroupOwnerEmail.ps1
#Purpose: Pull AD groups from grouplist, get member attributes and smtp mail to group owner for review

$smtpServer = ""

$smtpFrom = ""

$messagebody1 = "This message is notice for the quarterly group membership attestation required by our Policies.
The following users are members of the group, which provides privileged access to AIX servers.
You are listed as the Custodian of this group. Please verify these users should retain this access.

If any users should be removed, please submit a Service Now Revoke Access request.

Please reply to this email, affirming that you have reviewed the access to this group.
If you are no longer the custodian, please reply stating so.
If known, please also provide the name of the person now managing this group's members

Thank you"

$groups = Get-Content c:\temp\adgroups.txt

[string]$messagebody = ""

foreach ($group in $groups)
{

$group = Get-QADGroup $group

$ManagedBy = (Get-QADUser $Group.ManagedBy).Email

$smtpTo = $managedby

$messagebody2 = Get-QADGroupMember $group | % {

"`r`n`r`n"
"$($_.NTaccountName.ToString())", " ","$($_.DisplayName.ToString())"," ","$($_.Email.ToString())"

}

$smtp = New-Object Net.Mail.SmtpClient($smtpServer)

$messageSubject = "Action Required – Review Members List For group " + " $Group – 4th Quarter"

$smtp.Send($smtpFrom,$smtpTo,$messagesubject,$messagebody1 + $messagebody2)

}

Thank you for your help!

October 14, 2013 at 6:56 am

Sorry
What I have been asked to do is see if I can add the name of the group in the message for each group name. I'm not sure if this can be done. This is what I'm speaking about...

$messagebody1 = "This message is notice for the quarterly group membership attestation required by our Policies.
The following users are members of the (groupname here), which provides privileged access to AIX servers.
You are listed as the Custodian of this group. Please verify these users should retain this access.

If any users should be removed, please submit a Service Now Revoke Access request.

Please reply to this email, affirming that you have reviewed the access to this group.
If you are no longer the custodian, please reply stating so.
If known, please also provide the name of the person now managing this group's members

Thank you"
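The following script is an added example, not code posted by either participant in this thread. It combines the two things asked for above: writing each group's membership to a file (Richard's Export-Csv variant) and building a per-owner attestation mail whose subject and body carry the group name for that iteration. It uses the ActiveDirectory module that was working earlier in the thread rather than the Quest `Get-QAD*` cmdlets, and it resolves the `ManagedBy` distinguished name to the owner's mail address with `Get-ADUser` instead of e-mailing the DN. The SMTP server, sender address, list path and report directory are placeholders you would substitute for your environment.

```powershell
# GroupOwnerAttestation.ps1 (added example; assumes the RSAT ActiveDirectory module)
Import-Module ActiveDirectory -Force

$smtpServer = 'smtp.example.invalid'               # placeholder: your SMTP relay
$smtpFrom   = 'iam-attestation@example.invalid'    # placeholder: sender address
$groupList  = 'C:\temp\adgroups.txt'               # one group name per line
$reportDir  = 'C:\temp\attestation'                # per-group CSV reports land here

if (-not (Test-Path $reportDir)) {
    New-Item -ItemType Directory -Path $reportDir | Out-Null
}

foreach ($name in Get-Content $groupList) {
    # ManagedBy is not returned by default, so ask for it explicitly.
    $group = Get-ADGroup -Identity $name -Properties ManagedBy

    # A group with no owner cannot be attested; report it instead of mailing nobody.
    if (-not $group.ManagedBy) {
        Write-Warning "Group '$($group.Name)' has no ManagedBy owner; skipping."
        continue
    }

    # ManagedBy holds a distinguished name; resolve it to the owner's mailbox.
    $owner = Get-ADUser -Identity $group.ManagedBy -Properties EmailAddress
    if (-not $owner.EmailAddress) {
        Write-Warning "Owner '$($owner.SamAccountName)' of '$($group.Name)' has no e-mail address; skipping."
        continue
    }

    # Direct members only; add -Recursive to Get-ADGroupMember if nested groups must be expanded.
    $members = Get-ADGroupMember -Identity $group |
        Select-Object @{N='GroupName'; E={$group.Name}},
                      @{N='ManagedBy'; E={$owner.SamAccountName}},
                      Name, SamAccountName, DistinguishedName

    # Keep a file copy of what was sent, one CSV per group.
    $csvPath = Join-Path $reportDir "$($group.Name).csv"
    $members | Export-Csv -NoTypeInformation -Path $csvPath

    # One line per member for the mail body.
    $memberLines = ($members | ForEach-Object {
        '{0}  {1}  {2}' -f $_.SamAccountName, $_.Name, $_.DistinguishedName
    }) -join "`r`n"

    # $group is re-evaluated every loop, so the subject and body change with the group.
    $subject = "Action Required - Review Members List For $($group.Name) - 4th Quarter"
    $body = @"
This message is notice for the quarterly group membership attestation required by our Policies.
The following users are members of the group $($group.Name), which provides privileged access to AIX servers.
You are listed as the Custodian of this group. Please verify these users should retain this access.

$memberLines

If any users should be removed, please submit a Service Now Revoke Access request.

Please reply to this email, affirming that you have reviewed the access to this group.
If you are no longer the custodian, please reply stating so.
If known, please also provide the name of the person now managing this group's members.

Thank you
"@

    Send-MailMessage -SmtpServer $smtpServer -From $smtpFrom -To $owner.EmailAddress `
        -Subject $subject -Body $body -Attachments $csvPath
}
```

The reason the original subject never changed is that the loop variable was overwritten with the group object and then interpolated as a bare `"$Group"`; using `$($group.Name)` inside the string, as above, gives the name for the group being processed. Two caveats for a scheduled run: `ManagedBy` may point at a group rather than a user, in which case `Get-ADUser` will fail and the owner lookup needs a `Get-ADObject` check first, and the task should run under an account that has only read access to the groups it reports on, since the script never needs to modify anything.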