Listing the nested group members (Parents) of an AD group

  • Question

  • Hello,

    I am trying to get the parents of a Global Security Group named "Monitoring" using PowerShell.

    I am using:

    $group = "monitoring"
    get-adgroupmember $group
    foreach ($group in $group)
    {
    get-adgroupmember $group
    }

    This gives me the values listed in the tab "member" of the group object in the AD.

    This is nice, but the real issue is that I need to view what's listed in the tab "member of" for this object.

    So let's say: the Global Security Group "Monitoring" is also a member of "Servercore" and Servercore is a member of "location1".

    I need to get the output that shows me the names of the groups that are listed under the tab "member of", and that recursively.

    Hopefully this makes sense, and one of the scripting guys knows a way...

    thx

    Pieter

    Thursday, June 8, 2017 1:27 PM

Answers

  • If I got you right you could start with something like this:
    Get-ADGroup -Identity 'Monitoring' -Properties MemberOf |
        Select-Object -ExpandProperty MemberOf



    Grüße - Best regards

    PS:> (79,108,97,102|%{[char]$_})-join''

    • Marked as answer by PBA1211 Friday, June 9, 2017 6:22 AM
    Thursday, June 8, 2017 2:26 PM

All replies

  • You can use the LDAP filter syntax for that purpose:

    Get-ADGroup -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=cn=Monitoring,ou=East,dc=Domain,dc=com)"

    The string 1.2.840.113556.1.4.1941 specifies LDAP_MATCHING_RULE_IN_CHAIN. This applies only to DN attributes, so you must specify the full distinguished name of the group. This is an extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match. Using Get-ADGroup means you will only get groups.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, June 8, 2017 3:40 PM
    Moderator
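
An added example, not part of either reply above: a breadth-first walk of MemberOf that lists every parent group of "Monitoring" with its nesting depth and path, followed by a single-query cross-check that applies LDAP_MATCHING_RULE_IN_CHAIN to the `member` attribute (chain-matching `member` returns the groups an object is nested in, while chain-matching `memberOf` returns the objects nested inside a group). The function name Get-GroupAncestry is hypothetical, and the code assumes the ActiveDirectory module and PowerShell 5 or later.

```powershell
# Added example; Get-GroupAncestry is a hypothetical name. Needs the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function Get-GroupAncestry {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Identity)   # name, DN, SID or GUID of the starting group

    $start = Get-ADGroup -Identity $Identity -Properties MemberOf
    # DNs already visited; circular nesting (A in B, B in A) is legal in AD and must not loop forever.
    $seen  = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    [void]$seen.Add($start.DistinguishedName)

    $queue = [System.Collections.Queue]::new()
    $queue.Enqueue([pscustomobject]@{ Group = $start; Depth = 0; Path = $start.Name })

    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        foreach ($parentDn in $current.Group.MemberOf) {
            if (-not $seen.Add($parentDn)) { continue }      # Add() returns $false if already seen
            $parent = Get-ADGroup -Identity $parentDn -Properties MemberOf
            $path   = "$($current.Path) -> $($parent.Name)"
            [pscustomobject]@{                               # one output row per ancestor group
                Name              = $parent.Name
                Depth             = $current.Depth + 1
                Path              = $path
                DistinguishedName = $parent.DistinguishedName
            }
            $queue.Enqueue([pscustomobject]@{ Group = $parent; Depth = $current.Depth + 1; Path = $path })
        }
    }
}

# 'Monitoring' is the group from the question.
Get-GroupAncestry -Identity 'Monitoring' | Sort-Object Depth, Name | Format-Table Name, Depth, Path -AutoSize

# Flat cross-check in a single query: match the chain rule against 'member', not 'memberOf'.
# Escape LDAP filter metacharacters in the DN first (backslash must be handled before the others).
$dn  = (Get-ADGroup -Identity 'Monitoring').DistinguishedName
$esc = $dn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$esc)" | Sort-Object Name | Select-Object -ExpandProperty Name
```

The Path column shows through which intermediate group each parent is reached, which is the detail an access review of nested group rights needs and the flat query does not give.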