How to denest or flatten a particular level of nested AD groups

  • Question

  • How to denest or flatten a particular level of nested AD groups? I am learning scripting; any inputs will be helpful to take off the scripting.

    $GroupDN will have a list of nested groups with group names and distinguished names.

    # Assumed CSV layout: each row holds a nested group (groupname) and the DN of the group that contains it (distinguishedname)
    $GroupDN = Import-Csv .\desktop\group.csv
    ForEach ($Row In $GroupDN) {
        # Get-ADGroup resolves a group by name (Get-ADObject needs a DN/GUID/SID); -Remove takes a hashtable of attribute => value(s)
        $Nested = Get-ADGroup -Identity $Row.groupname
        Set-ADGroup -Identity $Row.distinguishedname -Remove @{Member = $Nested.DistinguishedName}
    }


    suresh arasu

    Tuesday, June 16, 2020 6:31 PM

Answers

  • For you to find the "nested level" of a group you'd have to recurse through the membership of each group and find the groups that are members of the sub-group, and then through the membership of the sub-group(s) looking for other groups, etc. For each group you find, check its "memberOf" property. If it's a member of the parent group, don't remove it.

    All your code is doing right now is to remove only the groups that are direct members of the parent group. The code ignores the membership of the 3rd through X-th level of nesting.

    Your definition of "flattening" is misleading. If you were to flatten the membership you'd make the users that are members of each group you remove a member of the parent group.


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    • Marked as answer by Suresh Arasu Thursday, June 18, 2020 7:48 PM
    Wednesday, June 17, 2020 6:39 PM

All replies

  • What you're doing won't "de-nest" anything.

    Can you explain what you want to do without the code? To me, "de-nesting" would mean taking the membership of a group and retaining only the users that are members, and getting the membership of each "nested" group, and then creating a new group that had no other groups as members.

    You can accomplish the "getting the membership" by using the Get-ADGroupMember cmdlet and using the "-Recurse" switch.

    As for working with a list of groups, you'll have to loop over that list. Use the "ForEach-Object" cmdlet to do that.


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Tuesday, June 16, 2020 7:16 PM
  • Thanks for the response. Denest here refers to flattening AD groups which are nested within each other. I want to keep the direct first level of nested AD group within a group, and the rest of the nested groups should be removed.

    E.g. 1st level GroupA nested to GroupB, 2nd level GroupB nested to GroupC, 3rd level GroupC nested to GroupD, 4th level GroupE nested to GroupF.

    Here I wanted to retain GroupA's nesting with GroupB but need to denest (flatten) all other levels of nesting.

    I tried the below code, which does denesting of nested groups, but my intent was to retain one level of nesting and then remove the rest of the nesting levels.

    # Specify the DistinguishedName (DN) of the parent group.
    # We will remove all members of this group that have class "group".
    $GroupDN = "cn=Sales,ou=West,dc=domain,dc=com"
    # The Member property is an array of the DistinguishedNames (DN) of all direct members of the group.
    # The DN is required by Get-ADObject, which we use to determine the class of each member.
    $Members = (Get-ADGroup -Identity $GroupDN -Properties Member).Member
    
    # Create an array of distinguished names of nested groups to remove.
    $GroupsToRemove = @()
    
    # Enumerate all direct members of the parent group and determine which are nested groups.
    ForEach ($Member In $Members)
    {
        # Members can be users, computers, contacts, or nested groups. We only consider groups.
        $Class = (Get-ADObject -Identity $Member).ObjectClass
        If ($Class -eq "group")
        {
            # Add the DN of this nested group to the array of groups to remove.
            $GroupsToRemove = $GroupsToRemove + $Member
        }
    }
    
    # Remove any nested groups from the parent group.
    If ($GroupsToRemove.Count -gt 0)
    {
        Set-ADGroup -Identity $GroupDN -Remove @{Member=$GroupsToRemove}
    }


    suresh arasu

    Wednesday, June 17, 2020 11:44 AM
  • Groups can only be contained in one group.  That group can contain another group.

    I think you need to try to understand what "nested" means.

    To de-nest(???)  Just remove the group from the parent.

    Use "Get-AdGroupMember" and remove all group objects with "Remove-AdGroupMember"

    # Where-Object needs $_ to reach the member's objectClass, and Remove-ADGroupMember
    # does not take -Members from the pipeline, so each member is passed explicitly
    Get-ADGroupMember -Identity groupname |
         Where-Object { $_.objectClass -eq 'group' } |
         ForEach-Object { Remove-ADGroupMember -Identity groupname -Members $_ }
    


    \_(ツ)_/

    Wednesday, June 17, 2020 3:44 PM
  • Thanks for the response. But when we are able to use an index number to find the nested level of groups,

    how can we use the same index to point out a particular nested level of nested group and remove the nesting without touching the other levels of nesting?

     

    suresh arasu

    Wednesday, June 17, 2020 4:41 PM
  • There is no level of nesting.  A group can contain a group.  Levels are something that humans use to describe this over many groups.

    What you are asking is too vague.  This is likely due to a lack of understanding of the technology and how AD defines things.  Start by reading documentation on what a group is.

    It may also be a language issue if English is not your first language.


    \_(ツ)_/

    Wednesday, June 17, 2020 6:24 PM
  • Thanks Rich, you understood, and your response helped me to play around with the script.

    @jrv consultant please check the below links to know about nesting levels. You can respond late; take some time to provide a valid response, or no response is better, instead of first-language/second-language replies in technical discussions.

    https://gallery.technet.microsoft.com/scriptcenter/Get-nested-group-15f725f2

    https://gallery.technet.microsoft.com/Get-nested-group-15f725f2/view/Discussions/5


    suresh arasu

    Wednesday, June 17, 2020 6:53 PM
  • Thanks Rich, you understood, and your response helped me to play around with the script.

    @jrv consultant please check the below links to know about nesting levels. You can respond late; take some time to provide a valid response, or no response is better, instead of first-language/second-language replies in technical discussions.

    https://gallery.technet.microsoft.com/scriptcenter/Get-nested-group-15f725f2

    https://gallery.technet.microsoft.com/Get-nested-group-15f725f2/view/Discussions/5


    suresh arasu

    Those are scripts that define what they mean by nesting.  You don't.  The issue is that you are asking a question that can be interpreted too many ways.

    "Nesting" is not a computer technology term; it is a loose reference to things that are in containers or that have some form of a parent-child relationship.

    I know you want to believe that you know what you are asking, but the statements made do not define nesting.

    The code I posted shows how to remove a "nested" (included or assigned) group.  What it appears you are asking is how to run this on every group in the system.  That could be disastrous.  Without a clear definition that describes the scope of your issue the question cannot be answered.

    If language isn't the issue then logical use of language is an issue. That is not a criticism - it is just an observation.  I am sure you can fix that by stating the scope and reason for your issue.


    \_(ツ)_/

    Wednesday, June 17, 2020 9:19 PM
  • For you to find the "nested level" of a group you'd have to recurse through the membership of each group and find the groups that are members of the sub-group, and then through the membership of the sub-group(s) looking for other groups, etc. For each group you find, check its "memberOf" property. If it's a member of the parent group, don't remove it.

    All your code is doing right now is to remove only the groups that are direct members of the parent group. The code ignores the membership of the 3rd through X-th level of nesting.

    Your definition of "flattening" is misleading. If you were to flatten the membership you'd make the users that are members of each group you remove a member of the parent group.


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Yes - this would work but it doesn't address the point of failure which is doing this may break system groups which require the inclusion of nested groups.

    That is why I say scope and intent are critical.  The code I posted can recurse and remove all nested groups but, only if you recurse from the leaf up and not the other way.  It all depends on the intent and scope.  This is true of all recursive methods and is a fundamental formal requirement in programming.


    \_(ツ)_/

    Wednesday, June 17, 2020 9:23 PM
  • You said nesting is not a computer technology term, but I hope you did not see Microsoft documents using this terminology. Anyway, @Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years) gave me the answer. This is not criticism of your reply. I just wanted to inform you about the technology term nesting if you were not aware.  Thank you too, Jrv consultant.

    https://docs.microsoft.com/en-us/windows/win32/ad/nesting-a-group-in-another-group


    suresh arasu

    Thursday, June 18, 2020 5:25 AM
  • "Apples" is not a computer term but Microsoft uses the word frequently.

    Don't argue just to claim rightness.  I am trying to get you to see an important thing about programming.


    \_(ツ)_/


    • Edited by jrv Thursday, June 18, 2020 4:21 PM
    Thursday, June 18, 2020 4:20 PM
  • The problem can be even more complex than that. To remove "C" and "D" from the hierarchy "A"-"B" (below) isn't hard for group "C", but removing group "D"'s membership in "C" and "G" would be wrong. Keeping track of the groups as you descend (or ascend) the hierarchy is, well, a PITA.

    A           E
    |           |
    +-B       F-+
      |       |
      +-C   G-+
        |   |
        +-D-+
    The last place I worked had an AD designed during the JDP (before the AD was released) that had forest root with a single-label domain name and a security group that didn't (I think) quite know what they were doing. The result was a tangled web of security groups (from at least a dozen NT domains) that eventually resulted in all Domain Admins also being Enterprise Admins! They didn't discover that for more than nine years.


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Thursday, June 18, 2020 7:34 PM
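The walk Rich describes in the marked answer, and the diamond he draws above (D reachable through both C and G), as an added example that is not code from this thread or from either poster. Nesting is modelled as an in-memory hashtable built to match the diagram, so it runs without a domain; the function only plans which (container, member) edges to cut and never calls Set-ADGroup. The group names, the $KeepLevels parameter and the hashtable shape are assumptions for the example.

```powershell
# Added example, not code from this thread. Membership is a hashtable of
# container group -> names of its member groups, constructed to match the diagram:
# A contains B, B contains C, C contains D; E contains F, F contains G, G contains D.
# Against a real domain the hashtable would be filled from
# (Get-ADGroup -Identity <dn> -Properties Member).Member filtered to objectClass 'group'.

function Get-NestingCutPlan {
    param(
        [Parameter(Mandatory)] [hashtable] $Membership,  # container -> member group names
        [Parameter(Mandatory)] [string]    $Parent,      # top of the hierarchy to flatten
        [int] $KeepLevels = 1                            # 1 = keep direct member groups only
    )
    $cuts     = [System.Collections.Generic.List[object]]::new()
    $detached = [System.Collections.Generic.List[string]]::new()
    $seen     = @{}
    $seen[$Parent] = 0
    $queue    = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($Parent)

    # Breadth-first walk from the parent. $seen records the shortest depth at which
    # each group was reached, so a group reachable twice is expanded once and a
    # membership cycle cannot loop forever.
    while ($queue.Count -gt 0) {
        $group    = $queue.Dequeue()
        $depth    = $seen[$group]
        $children = if ($Membership.ContainsKey($group)) { @($Membership[$group]) } else { @() }
        foreach ($child in $children) {
            if ($depth -eq $KeepLevels) {
                # Boundary edge: removing $child from $group detaches every deeper level,
                # so this is the only membership that needs to change.
                $cuts.Add([pscustomobject]@{ Container = $group; Member = $child; Level = $depth + 1 })
            }
            if (-not $seen.ContainsKey($child)) {
                $seen[$child] = $depth + 1
                # Deeper groups are reported for review but left untouched: once the
                # boundary edge is cut they sit outside $Parent's hierarchy, and their
                # other memberships (D inside G) belong to someone else's tree.
                if ($depth + 1 -gt $KeepLevels) { $detached.Add($child) }
                $queue.Enqueue($child)
            }
        }
    }
    [pscustomobject]@{ Cuts = $cuts; Detached = $detached }
}

# Constructed sample matching the diagram in the post above.
$Membership = @{
    'A' = @('B'); 'B' = @('C'); 'C' = @('D'); 'D' = @()
    'E' = @('F'); 'F' = @('G'); 'G' = @('D')
}
$plan = Get-NestingCutPlan -Membership $Membership -Parent 'A'
$plan.Cuts | Format-Table -AutoSize
"Detached from A's hierarchy but not modified: $($plan.Detached -join ', ')"
# Applying a cut against AD (assumed DNs) would be:
#   Set-ADGroup -Identity <DN of Container> -Remove @{Member = <DN of Member>}
```

Run it and the plan for A contains a single cut, B's membership of C, while C and D are listed as detached; nothing is planned for G, because E's hierarchy was never walked. Cutting only the boundary edge is what keeps the change reviewable: the deeper groups keep their own membership, and the Detached list is the set to check for unintended effects (system groups that rely on the nesting, as jrv notes) before any Set-ADGroup call is made.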
  • Thanks Rich; with your previous response, I have put an if statement to check if any nested group has memberof.count -gt 0 to denest. So the first level of nested group will not have a memberof attribute value in it, and the script is working as expected.

    suresh arasu

    Thursday, June 18, 2020 7:48 PM