Forum Discussion
Get nested groups in a group with members in an excel file
- Jun 28, 2022
Hi, thank you so much for your effort and sorry for the late reply. When I ran the script I got the output file, but not exactly what I need. Let me explain it this way, I think it will be easier:
For example, I have, let's say, a group called "Domain Users" and inside there are 5 more groups, let's call them Group1, Group2, Group3, Group4 and Group5. Each of these groups has several users, so the output file I need is something like this:
Domain Users:
Column A Column B
-GROUP- -USER-
Group1 Martin
Group1 Richard
Group2 Kevin
Group3 John
Group4 Brian
Group4 Gary
Group4 Sarah
Group5 Samantha
Of course, if the group "Domain Users" also has users, list them as well. Is this possible to achieve? The output file from the script you wrote lists all the users inside the nested groups, but you can't see whether they belong to Group1, or Group2, etc.
Thanks!
Yeah, okay. So, you're after more of a detailed mapping rather than simply enumerating the members.
That being the case, you were on the right track, as to pull that additional metadata, you need to perform a separate call per member to the additional AD object of that member so you can in turn fetch things like objectClass and whatever else you want.
I've dropped another example below - which I'm a bit ashamed of as it's a rush job that uses Microsoft's ActiveDirectory module, but it probably does what you want and you already seem to be leveraging additional modules, so here goes.
PS: You could name the script whatever you like - I've provided a name simply so the examples further down align with the name.
Get-ADGroupMemberMappings.ps1
[cmdletbinding()]
Param(
    [parameter(Mandatory=$true)][string] $Name
)
# Let's get a domain controller reference to work with consistently throughout the script.
$Server = (Get-ADRootDSE).dNSHostName;
# Distinguished names of groups already expanded, so circular nesting (A contains B, B contains A) cannot recurse forever.
$Script:Visited = @{};
function Get-ADGroupMemberMappings([Microsoft.ActiveDirectory.Management.ADObject] $InputObject)
{
    if ($InputObject -and $InputObject.member)
    {
        $Script:Visited[$InputObject.distinguishedName] = $true;
        foreach ($MemberPath in $InputObject.member)
        {
            # Resolve each member DN against the global catalog (port 3268) so members from other domains in the forest are found too.
            $Member = Get-ADObject -Server "$($Script:Server):3268" -Identity $MemberPath -Properties member -ErrorAction:Stop;
            # One row per (group, member) pair; nested groups get their own rows and are then expanded below.
            [PSCustomObject] @{
                ObjectID = $InputObject.ObjectGUID;
                Group = $InputObject.Name;
                MemberType = $Member.objectClass;
                Member = $Member.distinguishedName;
            }
            if ($Member.objectClass -ceq "group" -and -not $Script:Visited.ContainsKey($Member.distinguishedName))
            {
                Get-ADGroupMemberMappings -InputObject $Member;
            }
        }
    }
}
Get-ADGroupMemberMappings -InputObject (Get-ADObject -Server $Server -Filter { (objectClass -eq "group") -and (cn -eq $Name) } -Properties member);
Example usage:
You can assign that to a variable, pipe it to a CSV, etc. etc.
Anyhow, see if that's more in line with what you were after.
Edited:
Just to quickly mention that some of the built-in groups like Domain Computers and Domain Users - for which the "member" attribute is dynamically constructed - do not get enumerated when searching. Some extra legwork needs to be done to capture their members, but I skipped doing so as it wasn't going to be time well spent.
You can tackle that unique requirement if you'd like but there's little value in doing so since you already know what the membership for those will be.
Cheers,
Lain
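The following is an added example, not part of Lain's post or the thread's own code. It wraps Get-ADGroupMemberMappings.ps1 to produce the two-column GROUP/USER CSV asked for above, and also does the "extra legwork" Lain skipped: accounts whose primary group is the requested group (the Domain Users and Domain Computers case) are found through their primaryGroupID attribute rather than the group's member attribute. It assumes the ActiveDirectory module is loaded and that Get-ADGroupMemberMappings.ps1 sits in the current directory; the -OutFile parameter and its default path are assumptions. Flattening nested membership this way is what an access review needs: it shows every account that effectively holds the group's rights, not just the direct members.

```powershell
# Added example (not from the thread). Produces GROUP,USER rows for every
# non-group member reachable through nesting, plus primary-group members,
# and writes them to a CSV that opens directly in Excel.
[CmdletBinding()]
Param(
    [Parameter(Mandatory = $true)][string] $Name,
    [string] $OutFile = ".\${Name}-members.csv"   # assumed output path
)

$Server = (Get-ADRootDSE).dNSHostName

# 1. Explicit membership, nested groups already expanded by the script above.
#    Group rows are dropped; user, computer and contact rows are kept, with
#    Group already set to the group that directly contains the member.
$Rows = .\Get-ADGroupMemberMappings.ps1 -Name $Name |
    Where-Object { $_.MemberType -ne 'group' } |
    ForEach-Object {
        [PSCustomObject] @{
            GROUP = $_.Group
            # Member is a distinguished name; resolve it to the display name.
            USER  = (Get-ADObject -Server $Server -Identity $_.Member).Name
        }
    }

# 2. Primary-group membership. Each user or computer stores the RID of its
#    primary group in primaryGroupID and is NOT listed in that group's member
#    attribute, so the lookup has to run the other way round. Only the
#    top-level group is handled here; nested groups rarely act as primary groups.
$Group = Get-ADGroup -Server $Server -Identity $Name -Properties primaryGroupToken
$PrimaryRows = Get-ADObject -Server $Server `
    -LDAPFilter "(primaryGroupID=$($Group.primaryGroupToken))" |
    ForEach-Object {
        [PSCustomObject] @{ GROUP = $Group.Name; USER = $_.Name }
    }

# 3. One CSV: GROUP in column A, USER in column B, duplicates removed.
@($Rows) + @($PrimaryRows) |
    Sort-Object GROUP, USER -Unique |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

Run it as `.\Export-GroupMembers.ps1 -Name "Domain Users"` (any file name works). Note that step 2 uses the group's SAM account name for -Identity, whereas the original script matches on cn; for the built-in groups these are the same.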
- tincho1984, Jun 28, 2022, Copper Contributor
That worked perfectly, exactly what I needed, thank you so so so much. Have a great day 🙂
Cheers