Querying Active Directory for groups and users

  • Question

  • Hi,

    I've written a script which grabs some groups, grabs the members of those groups, and for each member it's returning 4 things:

    Name of user
    samaccountname of user
    extensionattribute7 of user
    Names (not DistinguishedName) of the groups that user is a member of, and ideally only those where 'name -like "ADM-*"'

    At the moment it does all the above except point 4, it's just returning the DNs of all groups, so not the friendly name, and not just the ADM-* groups.

    get-adgroup -filter 'name -like "ADM-*"' | `
    Get-ADGroupMember -recursive | `
    get-aduser -properties extensionattribute7, memberof | `
    select Name, samaccountname, extensionattribute7, @{L='memberof'; E={$_.memberof -join ";"}} | `
    Export-Csv file.csv -NoTypeInformation

    Any help is appreciated. Thank you.
    Tuesday, March 15, 2016 12:02 PM

All replies

  • Hi,

    Use Get-ADPrincipalGroupMembership instead of joining the MemberOf property together:

    http://ss64.com/ps/get-adprincipalgroupmembership.html


    EDIT: Simple example to start from:

    $groups = (Get-ADPrincipalGroupMembership -Identity tester1 |
        Where { $_.Name -like 'ADM-*' } |
            Select -ExpandProperty Name) -join ', '
    
    $groups


    Tuesday, March 15, 2016 12:07 PM
  • Great thanks Mike. So here's my updated code, I think it's nearly there except the exporting isn't quite working.

    $groups = get-adgroup -filter 'name -like "ADM-*"'
    $groupmembers = $groups | Get-ADGroupMember -recursive
    $users = $groupmembers | get-aduser -properties extensionattribute7
    $userscsv = $users | select Name, samaccountname, extensionattribute7
    $usermemberof = $users | Get-ADPrincipalGroupMembership | Where-Object {$_.name -like "ADM-*"} |  select name
    $userscsv | Export-Csv file.csv -NoTypeInformation -Append
    $usermemberof | Export-Csv file.csv -NoTypeInformation -Append

    P.S. Only just saw your example, I think I was quite close :)


    • Edited by David4576 Tuesday, March 15, 2016 12:30 PM
    Tuesday, March 15, 2016 12:29 PM
  • You're welcome.

    I recommend creating a single object (like you were doing in your original code) and doing your export at the very end. Appending to the output CSV isn't doing what you're expecting.


    Tuesday, March 15, 2016 12:34 PM
  • Cheers, I struggled to get Get-ADPrincipalGroupMembership into the code going via the single object. I'll keep playing around with it though.
    Tuesday, March 15, 2016 12:39 PM
  • Great, let us know if you get stuck.

    Tuesday, March 15, 2016 1:00 PM
    So I'm struggling to pipe users into Get-ADPrincipalGroupMembership and get two objects out (I don't actually think this is possible, but it's just a way to explain that I'm trying to export 3 attributes of a user and the groups they're a member of), e.g.

    Get-ADGroup -filter 'name -like "ADM-*"' | `
    Get-ADGroupMember -recursive | `
    Get-ADUser -properties extensionattribute7 | `
    Get-ADPrincipalGroupMembership | Where { $_.Name -like 'ADM-*' } | Select -ExpandProperty Name -join ', ' | `

    But then I'm struggling with exporting 3 attribs from the user, as well as the groups we've found e.g.

    Select Name, samaccountname, extensionattribute7 | `
    Export-Csv out.csv -NoTypeInformation



    • Edited by David4576 Tuesday, March 15, 2016 3:34 PM
    Tuesday, March 15, 2016 3:20 PM
  • Here's how I'd tackle this:

    Get-ADGroup -Filter "Name -like 'ADM-*'" |
        Get-ADGroupMember -Recursive | 
            Get-ADUser -Properties ExtensionAttribute7 |
                Select Name,SamAccountName,ExtensionAttribute7,@{N='Groups';E={(Get-ADPrincipalGroupMembership -Identity $_.SamAccountName | Where { $_.Name -like 'ADM-*' }).Name -join ', ' }} |
                    Export-Csv .\groupMemberships.csv -NoTypeInformation


    • Marked as answer by David4576 Tuesday, March 15, 2016 6:14 PM
    Tuesday, March 15, 2016 4:13 PM
  • Ahhh very nice. I should have gotten closer to that than I did. Grr. Off to read up on Hashtables :)

    Appreciate your time.

    Tuesday, March 15, 2016 6:14 PM
  • Cheers, you're very welcome.

    Calculated properties are extremely useful. Here's some initial info:

    https://technet.microsoft.com/en-us/library/ff730948.aspx


    Tuesday, March 15, 2016 6:15 PM
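
An alternative to the per-user Get-ADPrincipalGroupMembership lookup in the accepted answer, added here as an example and not code from any poster in this thread: it resolves the memberOf DNs from the original question through a hashtable of the ADM-* groups and reports each user once. The function name Get-AdmMembershipReport, the example.test domain and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example. Get-AdmMembershipReport is a hypothetical helper name.
function Get-AdmMembershipReport {
    param(
        [Parameter(Mandatory)] [object[]] $Groups,  # need Name, DistinguishedName
        [Parameter(Mandatory)] [object[]] $Users    # need Name, SamAccountName, ExtensionAttribute7, MemberOf
    )
    # DN -> friendly name, built once. @{} compares string keys case-insensitively.
    $nameByDn = @{}
    foreach ($g in $Groups) { $nameByDn[$g.DistinguishedName] = $g.Name }

    $seen = @{}
    foreach ($u in $Users) {
        # A user who sits in several ADM-* groups arrives once per group; report them once.
        if ($seen.ContainsKey($u.SamAccountName)) { continue }
        $seen[$u.SamAccountName] = $true

        # Keep only memberOf entries that are ADM-* groups and translate DN to Name.
        $admNames = @(foreach ($dn in $u.MemberOf) {
            if ($nameByDn.ContainsKey($dn)) { $nameByDn[$dn] }
        })
        [pscustomobject]@{
            Name                = $u.Name
            SamAccountName      = $u.SamAccountName
            ExtensionAttribute7 = $u.ExtensionAttribute7
            Groups              = ($admNames | Sort-Object) -join ', '
        }
    }
}

# Constructed sample data (example.test is a placeholder domain).
$ou = 'OU=Groups,DC=example,DC=test'
$groups = @(
    [pscustomobject]@{ Name = 'ADM-Servers';  DistinguishedName = "CN=ADM-Servers,$ou" }
    [pscustomobject]@{ Name = 'ADM-Desktops'; DistinguishedName = "CN=ADM-Desktops,$ou" }
)
$t1 = [pscustomobject]@{ Name = 'Tester One'; SamAccountName = 'tester1'; ExtensionAttribute7 = 'A100'
    MemberOf = @("CN=ADM-Servers,$ou", "CN=Staff,$ou", "CN=ADM-Desktops,$ou") }
$t2 = [pscustomobject]@{ Name = 'Tester Two'; SamAccountName = 'tester2'; ExtensionAttribute7 = 'A200'
    MemberOf = @("CN=ADM-Servers,$ou") }

# tester1 is listed twice, as the Get-ADGroup | Get-ADGroupMember pipeline would emit it.
# Live inputs would be: $groups = Get-ADGroup -Filter "Name -like 'ADM-*'"
#   $users = $groups | Get-ADGroupMember -Recursive | Where-Object objectClass -eq 'user' |
#            Get-ADUser -Properties ExtensionAttribute7, MemberOf
Get-AdmMembershipReport -Groups $groups -Users @($t1, $t2, $t1) |
    Export-Csv .\groupMemberships.csv -NoTypeInformation
```

memberOf holds only direct memberships, so a user that -Recursive finds through a nested group that is not itself named ADM-* gets an empty Groups column; when auditing privileged groups, treat those rows as indirect access to follow up on.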