Group membership and memberof information

  • Question

  • Scenario,

    We have around 50 groups; each group is nested into a different group or is a member of a different group.

    We are building a different forest and need that information.

    Need a PowerShell script that will get (information about group membership and export into Excel)

    1) Group members information

    2) Group memberof information

    Thursday, May 30, 2013 7:42 PM

Answers

  • Hi,

    I agree with Richard, the command get-adgroup should be what you are looking for. We could specify -memberof property to get those groups that the group is member of.

    Please refer to the below article:

    http://community.spiceworks.com/how_to/show/2689-get-ad-nested-group-membership-with-powershell

    Hope this helps.

    Regards,

    Yan Li



    Cataleya Li
    TechNet Community Support

    • Marked as answer by Yan Li_ Tuesday, June 18, 2013 1:26 AM
    Tuesday, June 4, 2013 1:55 AM
  • 
    With ActiveDirectory PowerShell modules*, consider Get-ADPrincipalGroupMembership, which enables the retrieval of the groups of which an AD account is a member, to start off, and write loop control statements to check detailed group membership info.

    * Windows Server 2008 R2 and above



    TechNet/MSDN Forum Moderator - http://www.leedesmond.com

    • Marked as answer by Yan Li_ Tuesday, June 18, 2013 1:26 AM
    Thursday, June 6, 2013 6:51 AM
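
An added example, not code posted by anyone in this thread, that combines the two marked answers: it reads each group's memberOf attribute with Get-ADGroup and walks it upward in a loop, and lists direct members with Get-ADGroupMember, writing both to one CSV that Excel can open. The input file groups.txt, the function name Get-MemberOfChain and the output file name are assumptions.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and a
# hypothetical input file .\groups.txt holding one group sAMAccountName per line.
Import-Module ActiveDirectory

function Get-MemberOfChain {
    param(
        [Parameter(Mandatory=$true)][string]$Root,     # group the report row belongs to
        [Parameter(Mandatory=$true)][string]$GroupDN,  # group whose parents are read now
        [int]$Depth = 1,
        $Seen = (New-Object 'System.Collections.Generic.HashSet[string]')
    )
    # Record this group so circular nesting (A in B, B in A) cannot recurse forever.
    $null = $Seen.Add($GroupDN.ToLowerInvariant())
    # A parent in another domain may not resolve without -Server; warn and move on.
    try   { $group = Get-ADGroup -Identity $GroupDN -Properties MemberOf -ErrorAction Stop }
    catch { Write-Warning "Cannot read $GroupDN : $_"; return }
    foreach ($parentDN in $group.MemberOf) {
        # HashSet.Add returns $false for a DN that was already visited.
        if (-not $Seen.Add($parentDN.ToLowerInvariant())) { continue }
        [pscustomobject]@{
            Group = $Root; Relation = 'MemberOf'; Depth = $Depth
            # First RDN of the DN, split on commas that are not backslash-escaped.
            Name  = ($parentDN -split '(?<!\\),')[0] -replace '^CN=', ''
            ObjectClass = 'group'; DistinguishedName = $parentDN
        }
        # Depth 1 = direct parent, 2 and above = inherited through nesting.
        Get-MemberOfChain -Root $Root -GroupDN $parentDN -Depth ($Depth + 1) -Seen $Seen
    }
}

$rows = foreach ($name in Get-Content .\groups.txt) {
    $g = Get-ADGroup -Identity $name
    # Direct members (users, computers and nested groups), one row each.
    Get-ADGroupMember -Identity $g | ForEach-Object {
        [pscustomobject]@{
            Group = $g.SamAccountName; Relation = 'Member'; Depth = 1
            Name  = $_.SamAccountName; ObjectClass = $_.objectClass
            DistinguishedName = $_.distinguishedName
        }
    }
    # Every group this group belongs to, directly or through nesting.
    Get-MemberOfChain -Root $g.SamAccountName -GroupDN $g.DistinguishedName
}
# Filter on the Relation column in Excel to separate the two views.
$rows | Export-Csv -Path .\group-membership.csv -NoTypeInformation
```

Rows with Relation = MemberOf and Depth greater than 1 are the memberships a group inherits through nesting, which are the ones most easily lost when groups are recreated in a new forest.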

All replies

  • Check here; they are using CSV instead, but it should serve the same purpose.

    http://bradkingsley.com/using-powershell-to-list-group-membership-from-active-directory-ad/

    Thursday, May 30, 2013 7:44 PM
  • It doesn't give me any information about what the group is a MemberOf. Only the members, which I can easily get by using the following cmdlet:

    get-adgroupmember (group name) 

    Friday, May 31, 2013 11:06 PM
  •  

    Try playing around with this .ps1 script I wrote a while back. Before running it you will have to update the smtp reply addresses and relay server. The script will allow you to export the group or user membership to a .csv file and then it will email it to you.

    Let me know if you need any help adjusting it for your needs.

    Import-Module ActiveDirectory
    
    # Main Menu
    Write-Host "Welcome to Member of Whaaaaaat?" -foregroundcolor "yellow"
    Write-Host `
    "***************************************** `
    *                                       * `
    *    Use this utility to gather group   * `
    *    membership for Users and Groups.   * `
    *                                       * `
    *****************************************" -foregroundcolor "Red"
    Write-Host "1. Search Groups"
    Write-Host "2. Search Users"
    do {
      $a = read-host "Please select a search type"
    }
    until (($a -eq "1") -or ($a -eq "2"))
    Write-Host " "
    
    switch ($a) 
        { 
            1 {
               $Choice = "1"
              } 
            2 {
               $Choice = "2"
              } 
    }
    $smtpServer = "relay.abc.com"
    
    Function SendMail
            {	
            	$msg = new-object Net.Mail.MailMessage
            	$smtp = new-object Net.Mail.SmtpClient($smtpServer)
                $att = new-object Net.Mail.Attachment($CsvFile)
            	$msg.From = $From
            	$msg.To.Add($To)
            	#$msg.bcc.Add($BccAddress)
            	$msg.Subject = ($Subject)
            	$msg.Body = $MessageBody
            	$msg.IsBodyHTML = $true
                $msg.Attachments.Add($att)
            	$smtp.Send($msg)
            }
    
    
    IF ($Choice -eq "1")
    {
    Clear-Host
    DO 
    {
    (Write-Host `
    "***************************************** `
    *    This script will only return user  * `
    *    objects. Nested groups will not be * ` 
    *    displayed. Group Names should be   * `
    *    entered with their 'Group Name',   * `
    *    not an Exchange Alias.             * `
    *****************************************" -foregroundcolor "Red")
    $GroupName = Read-Host "Please enter a Active Directory Group"
    }
    Until (Get-ADGroup -filter {SamAccountName -eq $GroupName})
    Clear-Host
    (Write-Host `
    "***************************************** `
    *    This script will only return user  * `
    *    objects. Nested groups will not be * ` 
    *    displayed. Group Names should be   * `
    *    entered with their 'Group Name',   * `
    *    not an Exchange Alias.             * `
    *****************************************" -foregroundcolor "Red")
    Write-Host AD Group Name:$GroupName -foregroundcolor "yellow"
    $From = "dontreply@na.abc.com"
    $To = Read-Host "Please enter the email address of the recipient of the .csv file"
    Clear-Host $To
    Write-Host AD Group Name:$GroupName -foregroundcolor "yellow"
    Write-Host E-Mail sent to:$To -foregroundcolor "yellow"
    $Subject = "Group Membership Request: $GroupName"
    $CsvFile = "C:\temp\$GroupName.csv"
    
    ####
    ## Email Body
    ####
    # Assign rather than append so a re-run in the same session does not stack bodies.
    $MessageBody = @"
    <html><body>
    <p>Your group membership request for:
    <p><b>$GroupName</b>
    <p>is attached in a .csv formatted document.
    </p>
    </body></html>
    "@
    
    $ColItems = Get-ADGroupMember -Identity $GroupName
    $GroupItems = @()
    
    FOREACH ($Colitem in $Colitems)
    {
        # Only user objects are exported; nested groups and other object classes are skipped.
        IF ($Colitem.ObjectClass -eq "user")
        {
            $SamAccountName = $ColItem.samaccountname
            $UserData = get-aduser -Identity $SamAccountName -properties displayname,samaccountname,department,lastlogondate
            $GrpItems = New-Object -TypeName PSObject -Property @{
                DisplayName = $UserData.displayname
                SamName = $UserData.SamAccountName
                Department = $UserData.Department
                LastLogon = $UserData.LastLogonDate
            }
            # Append inside the IF so a non-user member never re-adds the previous row.
            $GroupItems += $GrpItems
        }
    }
    $GroupItems | Select-Object DisplayName,SamName,Department,LastLogon | Sort-Object -property DisplayName | export-csv $CsvFile -NoTypeInformation
    
    SendMail
    
    }
    ELSEIF ($Choice -eq "2")
    {
    Clear-Host
    DO 
    {
    (Write-Host `
    "******************************************** `
    *   This script will return a User's group  * `
    *   memberships. User names should be       * `
    *   entered using the SamAccountName, not   * `
    *   an Exchange Alias.                      * `
    ********************************************" -foregroundcolor "Red")
    $UserName = Read-Host "Please enter an Active Directory User Name"
    }
    Until (Get-ADuser -filter {SamAccountName -eq $UserName})
    Clear-Host
    (Write-Host `
    "******************************************** `
    *   This script will return a User's group  * `
    *   memberships. User names should be       * `
    *   entered using the SamAccountName, not   * `
    *   an Exchange Alias.                      * `
    ********************************************" -foregroundcolor "Red")
    Write-Host AD User Name:$UserName -foregroundcolor "yellow"
    $From = "dontreply@na.abc.com"
    $To = Read-Host "Please enter the email address of the recipient of the .csv file"
    Clear-Host $To
    Write-Host AD User Name:$UserName -foregroundcolor "yellow"
    Write-Host E-Mail sent to:$To -foregroundcolor "yellow"
    $Subject = "User Group Membership Request: $UserName"
    $CsvFile = "C:\temp\$UserName.csv"
    
    ####
    ## Email Body
    ####
    # Assign rather than append so a re-run in the same session does not stack bodies.
    $MessageBody = @"
    <html><body>
    <p>Your user membership request for:
    <p><b>$UserName</b>
    <p>is attached in a .csv formatted document.
    </p>
    </body></html>
    "@
    
    Function GetADUser{
        $ADUsers = dsquery user -samid $UserName | dsget user -memberof
        $ADGroupItems = @()
        FOREACH ($ADUser in $ADUsers)
        {
            If ($ADUser.Length -gt 3)
            {
                $DN = $ADUser.split(",")
                $CN = $DN[0]
                $GrpFriendlyName = $CN.Substring(4)
                Write-Host $GrpFriendlyName
                $GrpItems = New-Object -TypeName PSObject -Property @{
                Memberof = $GrpFriendlyName}
                $ADGroupItems += $GrpItems
            }
        }    
        $ADGroupItems
    }
    GetADUser $UserName | Sort-Object -property Memberof | export-csv $CsvFile -NoTypeInformation
    
    SendMail
    }


    Saturday, June 1, 2013 2:24 AM
  • Hello CMR,

    This is a really cool script, but this is not what I am looking for. For e.g.

    I have the ops_fte_chn and ops_fte_jpn groups. I can easily find out their members' names, but what I am looking for is their MemberOf information, which is hard to get and export into an Excel sheet. Hope it makes sense. Let me know if you need more info. By the way, your script is great.

    Sunday, June 2, 2013 1:56 AM
  • If you are using the Get-ADGroup cmdlet, the MemberOf property retrieves the memberOf attribute of the group. This is a multi-valued collection of the DN's of the groups the group is a member of. Or, if you use [ADSI] to bind to the group object, you can reference the memberOf attribute directly.


    Richard Mueller - MVP Directory Services

    • Proposed as answer by Yan Li_ Tuesday, June 4, 2013 1:49 AM
    Sunday, June 2, 2013 10:24 PM
  • Richard

    Thanks for the reply. I found a way to get MemberOf by using the Quest commandlets: Get-qadmemberof. It saved me a lot of time. I was hoping Windows PowerShell cmdlets would have a similar thing. Anyway, thanks for the help, everyone.

    Monday, June 3, 2013 5:39 AM
  • Hi,

    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.

     



    Cataleya Li
    TechNet Community Support

    Thursday, June 6, 2013 2:01 AM