Find all nested groups and circular nestings.

  • Question

  • Hello,

    I am new to Powershell and anything beyond basic BAT file scripting, so please excuse me if I'm a little slow to understand.

    OK,

    I need to figure out exactly how out of control our AD groups are. (they're bad, really bad)

    I found this script on TechNet that does _almost_ exactly what I need:

    function Get-NestedGroups 
    {param ($strGroup,$Offset)
    
      # groups that $strGroup is itself a member of (DNs)
      $currentGroupGroups = (Get-ADGroup -Identity $strGroup -Properties MemberOf).MemberOf
      
      ForEach ($memGroup in $currentGroupGroups) {
        $strMemGroup = ($memGroup -split ",*..=")[1] # CN value of the parent group's DN
        If ($script:groupList.ContainsKey($memGroup) -eq $False) {
           $script:groupList[$memGroup] = $True
           "$Offset$strMemGroup"
           "$Offset$strMemGroup" | Add-Content $logfile
           Get-NestedGroups -strGroup $strMemGroup -Offset ($Offset + ",")
        }
        Else {
           # group was already reached on an earlier path
           "$Offset$strMemGroup Circular Reference" | Add-Content $logfile
        }
      }
    }
    
    $logfile = ".\nestedtest.csv"
    "Level1,Level2,Level3,Level4,Level5,Level6,Level7,Level8,Level9,Level10" | Add-Content $logfile # initialise log file.
    
    $groupList = @{} # Hash table to track group memberships.
    
    $group = "MiserableAccountingDrones"
    
    $group | Add-Content $logfile
    
    Get-NestedGroups $group ","

    The problem is, I have a list of more than 2000 AD groups... I cannot spend the next month running them through one at a time.

    I would like to replace:

    $group = "MiserableAccountingDrones"

    With something that will pull the group names from a text file or a csv file and run through the whole list.

    I have tried several things to make this work.

    Get-Content ".\Groups.txt" | Foreach-Object{
       $group = $_.Split('=')
       New-Variable -Name $group[0] -Value $group[1]
    }

    and

    $csv = Import-Csv ".\Groups.csv"
    foreach ($group in $csv) {
        Get-NestedGroups $group ","   
    }

    They both cause an error with the Get-ADgroup –Identity cmdlet.

    Get-ADGroup : Cannot validate argument on parameter 'Identity'. The Identity property on the argument is null or empty.
    At c:\path\CircularNestedGroupsTEST.ps1:4 char:48
    +   $currentGroupGroups = (Get-ADGroup –Identity $strGroup –Properties  ...
    +                                                ~~~~~~~~~
        + CategoryInfo          : InvalidData: (:) [Get-ADGroup], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADGroup

    I am studying PowerShell as I do this, but it's been slow going.

    Any help would be appreciated,

    Dot19408



    • Edited by dot19408 Wednesday, November 15, 2017 1:42 PM
    Wednesday, November 15, 2017 1:40 PM

Answers

  • That script that you have is designed to run 1 group at a time. What you're wanting isn't nearly that complicated. You just want to see what group is a member of another group.

    Get-ADGroup -filter * -Properties MemberOf | Select-Object Name,MemberOf

    What this will do is get you every group and the groups that said group is a member of. 

    If you only want groups that are members of another group, just throw a where-object in there:

    Get-ADGroup -filter * -Properties MemberOf | Where-Object {$_.MemberOf -ne $null} | Select-Object Name,MemberOf

    From there, you can start manipulating the data to put it in the format that you need. (i.e. export-csv)

    Take a look at the documentation of the Get-ADGroup cmdlet and Get-ADGroupMember cmdlet, as that will give you some insight.

    Get-ADGroup

    Get-ADGroupMember

    • Marked as answer by dot19408 Wednesday, November 15, 2017 4:27 PM
    Wednesday, November 15, 2017 1:59 PM
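    One way to put the answer's single bulk query together with the recursion of the script in the question, as an added example that is not code from either poster or from the TechNet gallery: the depth-first search below reports a group only when it is still on the current path, so a group merely reached twice by two different routes is not counted as circular. `Find-CircularGroups` and the sample DNs are constructed for illustration; the live query to feed it is given in the last comment.

```powershell
# Added example, not code from the thread: one bulk Get-ADGroup query (as in the
# answer) instead of one call per group, then a DFS over the MemberOf graph.
# A group seen twice is circular only if it is still on the current DFS path.
function Find-CircularGroups {
    param([Parameter(Mandatory)] [object[]] $Groups)
    $parents = @{}                 # group DN -> DNs of the groups it belongs to
    foreach ($g in $Groups) {
        $parents[$g.DistinguishedName] = @($g.MemberOf | Where-Object { $_ })
    }
    $state  = @{}                  # DN -> 'visiting' (on the path) or 'done'
    $path   = New-Object 'System.Collections.Generic.List[string]'
    $cycles = New-Object 'System.Collections.Generic.List[string]'

    function Visit([string] $dn) {
        $state[$dn] = 'visiting'
        $path.Add($dn)
        foreach ($p in $parents[$dn]) {
            # parent not in the export (e.g. a group from another domain): treat as a leaf
            if (-not $parents.ContainsKey($p)) { continue }
            if ($state[$p] -eq 'visiting') {
                # $p is still on the path, so the path from $p onward plus $p closes a cycle
                $start = $path.IndexOf($p)
                $names = ($path.GetRange($start, $path.Count - $start).ToArray() + $p) |
                    ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }   # DN -> CN (unescaped names only)
                $cycles.Add($names -join ' -> ')
            }
            elseif ($state[$p] -ne 'done') { Visit $p }   # not yet visited: recurse
        }
        $path.RemoveAt($path.Count - 1)
        $state[$dn] = 'done'
    }

    foreach ($dn in $parents.Keys) {
        if (-not $state.ContainsKey($dn)) { Visit $dn }
    }
    $cycles | Sort-Object -Unique
}

# Constructed sample standing in for: Get-ADGroup -Filter * -Properties MemberOf
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=Drones,OU=G,DC=corp,DC=test';     MemberOf = @('CN=Accounting,OU=G,DC=corp,DC=test') }
    [pscustomobject]@{ DistinguishedName = 'CN=Accounting,OU=G,DC=corp,DC=test'; MemberOf = @('CN=Finance,OU=G,DC=corp,DC=test') }
    [pscustomobject]@{ DistinguishedName = 'CN=Finance,OU=G,DC=corp,DC=test';    MemberOf = @('CN=Drones,OU=G,DC=corp,DC=test', 'CN=AllStaff,OU=G,DC=corp,DC=test') }
    [pscustomobject]@{ DistinguishedName = 'CN=AllStaff,OU=G,DC=corp,DC=test';   MemberOf = $null }
)
Find-CircularGroups -Groups $sample
# Live run: Find-CircularGroups -Groups (Get-ADGroup -Filter * -Properties MemberOf)
```

    Because a cycle is reported once per back edge, each circular nesting appears a single time regardless of how many groups sit inside it.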

All replies

  • I posted a PowerShell script in the TechNet Script Gallery to find all instances of circular nested groups in the domain here:

    https://gallery.technet.microsoft.com/fa4ccf4f-712e-459c-88b4-aacdb03a08d0


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, November 15, 2017 2:02 PM
  • Hello Richard,

    I did find your script in my searches and used it. It did not find any circular nested groups in the domain...

    However, running the group names through the script I posted I have found 5 circularly referenced groups. I'm not sure why they were not found by your script.

    Wednesday, November 15, 2017 4:26 PM
  • Thank you anonymous person!

    I am playing around with this now!

    Wednesday, November 15, 2017 4:27 PM
  • I don't know why I'm showing up as anonymous.. Some weird glitch with my account I guess. I actually don't see anyone's names. Time to call Microsoft!

    Anyways, no worries. Glad I could help!

    BTW: this is "Jacorbello" :D

    Wednesday, November 15, 2017 4:32 PM