Listing users in multiple groups in a specific OU

  • Question

  • What I'm trying to do is run a report on an OU called prt-groups to look for users that are in more than one security group in that OU.

    All groups start with prt, if that's information that's needed.

    So for example, I want to see if Jane Doe is in:

    prt-group1

    prt-group2

    and if she is, I want to be able to easily read that. I don't have any code initially set up for this yet, as I don't know how to start searching through an OU. Any help is greatly appreciated.

    Thursday, January 23, 2014 4:49 PM

All replies

  • I recommend starting here: http://technet.microsoft.com/en-us/scriptcenter/dd793613

    You can simply use the Get-ADGroup cmdlet to get the specific groups:

    $groups=Get-AdGroup -filter {Name -like 'prt-*'} -SearchBase 'ou=xxx,dc=xxx,dc=com' |
         Get-ADGroupMember |
         Where-Object{$_.name -eq 'JDoe'}


    ¯\_(ツ)_/¯


    • Edited by jrv Thursday, January 23, 2014 5:38 PM
    Thursday, January 23, 2014 5:38 PM
  • I have a script that will return members of said groups, but there are over 40 groups, and I'm not looking for specific users, I'm just looking for any duplicates.
    Thursday, January 23, 2014 6:26 PM
  • Hi,

    Try this:

    Get-ADUser -Filter * -SearchBase 'OU=prt-groups,DC=domain,DC=com' -Properties memberOf | ForEach {
    
        If (($_.memberOf).Count -gt 1) { "$($_.SamAccountName) is a member of more than one group." }
    
    }

    EDIT: If this isn't what you're after, you'll need to explain your requirements a bit more clearly. I'm kinda guessing here.


    Don't retire TechNet! - (Don't give up yet - 12,575+ strong and growing)


    Thursday, January 23, 2014 7:04 PM
  • I posted a link to the learning material.  I also posted a starter intended to get you started.  We do not write scripts on demand.  If you are not interested in learning how to write this script then you should consider hiring a consultant.

    What you are asking is fairly vague.  The reason for this is because you do not understand programming or computer requirements.  The learning material will help you get up to speed on this.


    ¯\_(ツ)_/¯

    Thursday, January 23, 2014 7:37 PM
  • Thanks Mike, I tried adding a bit on to yours to see if anything happened, see here:

    Get-ADUser -Filter * -SearchBase 'OU=prt-groups,DC=samtec,DC=ad' -Properties memberOf | ForEach {

        If (($_.memberOf).Count -gt 1) { "$($_.SamAccountName) is a member of more than one group."| Export-CSV C:\Audit\Duplicates.csv }

        }

    I tried to pipe & export anything it picked up to a CSV file, but it didn't create a file, which tells me it's not getting past that if statement. I'm going to try to learn by reading code/deciphering it, because that's how I learned in Java. I'm assuming this ($_.memberOf).Count -gt 1 means it's checking the member of the OU, then increasing the count by 1. Then "$($_.SamAccountName) is a member of more than one group" is different; it's almost like the code isn't finished, & I don't suspect it is. I think you're basically asking me here? & you're right, if the .SamAccountName is a member of more than one group in that OU, I want to export their names to that CSV file.

    Does this make more sense? Thanks!!

    Friday, January 24, 2014 1:01 PM
  • Hey JRV, I appreciate your feedback. I checked out the learning center, which starts at the basics, and this is definitely something I can work on and it will take practice, but since I'm in the work environment I can't really pick up what I need to know in the time I have to figure this out. I'm not asking you or anyone to "write scripts on demand", as that's not what I asked. I just asked for any help because I didn't know how to start; now that Mike has given me kind of a rough start, I was able to learn by reading his code and seeing how this language works exactly for what I'm targeting. By going back and forth and building on this from my end and his, hopefully we can achieve something working! :D But I understand the frustration; I came here with nothing asking for something. I'm not a total stranger to PowerShell, but I'm nowhere near brilliant, so I'm just trying to fire bits of code back and forth and try to piece them all together.

    Friday, January 24, 2014 1:06 PM
  • Hi,
    I tried to pipe & export anything it picked up to a CSV file, but it didn't create a file, which tells me it's not getting past that if statement.

    The code as written above is complete, but it will only output to the console. If you want CSV output, this will do what you're after:

    # Get all users from the specified OU and process each one individually
    Get-ADUser -Filter * -SearchBase 'OU=prt-groups,DC=domain,DC=com' -Properties memberOf | ForEach {
    
        # Check if there is more than one value in the memberOf property
        # If so, select only the SamAccountName property from the current user object
        If (($_.memberOf).Count -gt 1) { $_ | Select SamAccountName }
    
    }  | Export-Csv .\usersInMoreThanOneGroup.csv -NoTypeInformation
    # Export the completed object to CSV


    Don't retire TechNet! - (Don't give up yet - 12,575+ strong and growing)

    Friday, January 24, 2014 1:55 PM
  • Weird, I can't figure out why this won't run. I hit run in my PowerShell ISE window and it types out the saved file path in the console and then goes to a new line in about a second without actually running. I have other scripts that will run, and that I just tested, and they work fine. Ideas?

    EDIT: It did run and create the duplicates file in that path, but no information is listed. It's possible there aren't duplicates?

    • Edited by jjthexer Friday, January 24, 2014 2:01 PM
    Friday, January 24, 2014 2:00 PM
  • It's certainly possible. Try this to be sure:

    # Get all users from the specified OU and process each one individually
    Get-ADUser -Filter * -SearchBase 'OU=prt-groups,DC=domain,DC=com' -Properties memberOf | ForEach {
    
        # Display user and membership group count in the console
        If (($_.memberOf).Count -gt 1) { Write-Host "$($_.SamAccountName) is a member of $((($_.memberOf).Count)) groups." -ForegroundColor Red }
        Else { Write-Host "$($_.SamAccountName) is a member of $((($_.memberOf).Count)) groups." }
    
        # Check if there is more than one value in the memberOf property
        # If so, select only the SamAccountName property from the current user object
        If (($_.memberOf).Count -gt 1) { $_ | Select SamAccountName }
    
    }  | Export-Csv .\usersInMoreThanOneGroup.csv -NoTypeInformation

    EDIT: Anything that appears in red should end up in your CSV file.


    Don't retire TechNet! - (Don't give up yet - 12,575+ strong and growing)


    Friday, January 24, 2014 2:14 PM
  • Ok, I think I found the problem; to expand a little more:

    Our tree looks like this: domain -> prt-groups OU -> security groups

    Under the prt-groups OU there are a number of security groups.

    The security groups default a printer to the user based on what group they're in. This causes a conflict if a user is in more than one security group that starts with the name prt-securitygroups.

    I had a test account inside the prt-groups OU called testj; this script came back and said 'testj is a member of 0 groups'.

    So basically what I'm trying to do is have the script traverse through all the groups inside the prt-groups OU and tell me if John is in prt-group1 and prt-group2,

    so it spits out: John - prt-group1, prt-group2

    Sorry, I probably wasn't clear enough :(

    Does this help?

    Friday, January 24, 2014 2:42 PM
  • I think the logic is off on this one. If I understand correctly, the users are not in this OU, only the security groups. You want to know if any user is in more than one of those groups.

    If this is correct, you have two options.

    The first one is to get a list of all members in each security group, then walk through each membership list to compare it to all of the other membership lists, and save the users that are duplicates.

    The other approach would be to get the group membership for each user. Then walk through that list to see if more than one entry exists for groups that start with "prt-Group". You could then output any that have duplicates.

    I think the results of both searches are multivalued fields, so you would have to get them into an array.

    Sorry, my PowerShell skills are not sufficient that I can generate the code in a timely manner. But perhaps this different look at the logic will allow others to make suggestions.

    jrussell97

    Friday, January 24, 2014 4:34 PM
  • I think you're right. To go off a little on this one, what I have done manually is this:

    EDIT: posted wrong code; below is correct.

    clear-host
    write-host "

    #############################
    #       Nested Group        #
    #          Checker          #
    #############################" -ForegroundColor Green -BackgroundColor Black

    function nestedgroupsniffer {
        $sniffedgroup = read-host "

    Active Directory Group"

        import-module activedirectory

        # Groups already walked, keyed by name, so a group nested in two places (or a loop) is only expanded once
        $GroupList = @{}
        $indent = ""

        function Get-GroupHierarchy
        {
            param
            (
                [Parameter(Mandatory=$true)]
                [String]$searchGroup
            )

            # Groups first, then users, so nested groups are expanded before the direct users are listed
            $groupMember = get-adgroupmember $searchGroup | sort-object objectClass -descending
            foreach ($member in $groupMember)
            {
                Write-Host $indent $member.objectclass,":", $member.name;
                if (!($GroupList.ContainsKey($member.name)))
                {
                    if ($member.ObjectClass -eq "group")
                    {
                        $GroupList.add($member.name,$member.name)
                        $indent += "`t"
                        Get-GroupHierarchy $member.name
                        $indent = "`t" * ($indent.length - 1)
                    }
                }
                Else
                {
                    Write-Host $indent "Group:" $member.name "has already been processed, or there is loop... Please verify."  -Fore DarkYellow
                }
            }
        }

        get-grouphierarchy $sniffedgroup

        $confirm = read-host "

    Run Again? Y,N"

        if ($confirm -eq "Y") {
            nestedgroupsniffer
        }
        if ($confirm -eq "N") {
            Exit
        }
        if ($confirm -eq "") {
            Exit
        }
    }

    nestedgroupsniffer


    and I manually ran that on all groups because I wasn't sure of another way to do it. I put all of that information into an Excel file (also manually), and so I have that data. I'm not familiar with PowerShell reading through to find duplicates, but I do have the group name and all the users listed in an Excel file.


    • Edited by jjthexer Friday, January 24, 2014 4:38 PM
    Friday, January 24, 2014 4:38 PM
  • Give this a try:

    Get-ADUser -Filter * -Properties memberOf | ForEach-Object {

        # memberOf holds the DN of every group the user is a direct member of;
        # keep only the ones whose DN places them in the prt-groups OU
        $prtGroups = @($_.memberOf -like '*OU=prt-groups,*')

        If ($prtGroups.Count -gt 1) {

            Write-Host "$($_.SamAccountName) is a member of more than one group that lives in the targeted OU." -ForegroundColor Red

            # Only these users are passed down the pipeline into the CSV
            $_ | Select SamAccountName

        }

    } | Export-Csv .\checkTheseUsers.csv -NoTypeInformation


    Don't retire TechNet! - (Don't give up yet - 12,575+ strong and growing)

    • Marked as answer by jjthexer Friday, January 24, 2014 5:48 PM
    Friday, January 24, 2014 5:34 PM
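The marked answer works from each user's memberOf attribute, which lists only the groups a user is a direct member of and matches any group whose DN contains OU=prt-groups (including sub-OUs). The group-centric approach jrussell97 described (collect each printer group's membership, then find users that show up in more than one list) is worked out below as an added example; it is not code from the thread. It assumes the OU is OU=prt-groups,DC=domain,DC=com and that the printer groups are the security groups sitting directly in that OU; both are placeholders to adjust for your domain.

```powershell
# Added example (not from the thread): report every user who is in two or more
# of the printer groups, listing which groups, including membership that only
# exists through a nested group.
# Assumptions (hypothetical, adjust for your domain):
#   - the OU's DN is OU=prt-groups,DC=domain,DC=com
#   - the printer groups are the security groups directly inside that OU
Import-Module ActiveDirectory

$searchBase = 'OU=prt-groups,DC=domain,DC=com'   # assumption: your OU's DN
$report     = @{}                                 # SamAccountName -> array of group names

# Only groups that sit directly in the OU (OneLevel), and only security groups
$printerGroups = Get-ADGroup -Filter { GroupCategory -eq 'Security' } `
                             -SearchBase $searchBase -SearchScope OneLevel

foreach ($group in $printerGroups) {
    # -Recursive expands nested groups, so a user is found even when the printer
    # group only contains another group that the user belongs to
    $members = Get-ADGroupMember -Identity $group -Recursive |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($member in $members) {
        if (-not $report.ContainsKey($member.SamAccountName)) {
            $report[$member.SamAccountName] = @()
        }
        $report[$member.SamAccountName] += $group.Name
    }
}

# Keep only users with more than one printer group; one row per user,
# in the "John - prt-group1, prt-group2" shape asked for in the thread
$conflicts = foreach ($entry in $report.GetEnumerator()) {
    if ($entry.Value.Count -gt 1) {
        [PSCustomObject]@{
            SamAccountName = $entry.Key
            GroupCount     = $entry.Value.Count
            Groups         = ($entry.Value | Sort-Object) -join ', '
        }
    }
}

$conflicts = $conflicts | Sort-Object SamAccountName
$conflicts | Format-Table -AutoSize
$conflicts | Export-Csv -Path .\printerGroupConflicts.csv -NoTypeInformation
```

Because it walks the groups rather than every user in the domain, it touches only the 40-odd groups in the OU and names the conflicting groups in the CSV, which the memberOf version does not. Two caveats: Get-ADGroupMember -Recursive returns an error on groups over the Active Directory Web Services default limit of 5000 entries, and the object output uses [PSCustomObject], which needs PowerShell 3.0 or later.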
  • This is perfect, it did EXACTLY what I wanted it to! Thank you so much Mike, you never fail!

    I really appreciate this! :D

    You're awesome!

    Friday, January 24, 2014 5:49 PM