Forum Discussion
sparkislife
Apr 21, 2022 Copper Contributor
List off all AD groups that have between 1 and 3 users
I am looking for help with listing off all AD Groups that have between 1 and 3 members.
- Did my example help you?
- sparkislife Copper Contributor
Get-ADGroup -Filter * -Properties Member | Select-Object Name,@{n="MemberCount";e={$_.Member.Count}} |export-csv -NoTypeInformation -Encoding UTF8 -Delimiter ';' -Path C:\temp\groups.csv
got me each group by name and count.
Want it filtered to groups with between 1 - 3 users only.
- The output looks like the one in my first reply; it lists every group that contains 1, 2 or 3 members and gives the amount of members in that group and the member names in a CSV. So it does that, not sure what you want?
You can also run this to only show the group and the number of members in it:
$total = @()
foreach ($group in Get-ADGroup -Filter * -ResultSetSize 100000 | Sort-Object Name) {
    # Count the direct members; @() forces an array so .Count also works for a single member
    $count = @(Get-ADGroupMember -Identity $group).Count
    # Keep only groups with 1 to 3 members
    if ($count -ge 1 -and $count -le 3) {
        $info = [PSCustomObject]@{
            Group           = $group.Name
            "Total Members" = $count
        }
        $total += $info
    }
}
$total | export-csv -NoTypeInformation -Encoding UTF8 -Delimiter ';' -Path c:\temp\groups.csv
- sparkislife Copper Contributor
- Ok, that's strange... After running the script, did it do anything? Did it create a c:\temp\groups.csv file? Does running Get-ADGroup -Filter * -ResultSetSize 100000 | Sort-Object Name give you any results?
sparkislife I made this in my test DC, it will create a list of all groups containing 1,2 or 3 members and output them to c:\temp\groups.csv
$total = @()
foreach ($group in Get-ADGroup -Filter * -ResultSetSize 100000 | Sort-Object Name) {
    $members = get-adgroup $group.name | Get-ADGroupMember | Sort-Object Name
    $count = @(Get-ADGroupMember -Identity $Group).Count
    if ($count -ge 1 -and $count -le 3) {
        foreach ($member in $members) {
            $info = [PSCustomObject]@{
                Group           = $group.Name
                "Total Members" = $count
                Member          = $member.SamAccountName
            }
            $total += $info
        }
    }
}
$total | export-csv -NoTypeInformation -Encoding UTF8 -Delimiter ';' -Path c:\temp\groups.csv
Output looks like:
"Group";"Total Members";"Member"
"Administrators";"3";"Administrator"
"Administrators";"3";"Domain Admins"
"Administrators";"3";"Enterprise Admins"
"Cert Publishers";"1";"W2K22DC$"
"Certificate Service DCOM Access";"1";"Authenticated Users"
"Domain Admins";"1";"Administrator"
"Domain Controllers";"1";"W2K22DC$"
"Domain Guests";"1";"Guest"
"Enterprise Admins";"1";"Administrator"
"Group 1";"1";"test.user1"
"Group 2";"2";"test.user1"
"Group 2";"2";"test.user2"
"Group Policy Creator Owners";"1";"Administrator"
"Guests";"2";"Domain Guests"
"Guests";"2";"Guest"
"Helpdesk";"3";"test.user1"
"Helpdesk";"3";"test.user2"
"Helpdesk";"3";"test.user3"
"Pre-Windows 2000 Compatible Access";"2";"Authenticated Users"
"Pre-Windows 2000 Compatible Access";"2";"W2K22DC$"
"RDS Endpoint Servers";"2";"NETWORK SERVICE"
"RDS Endpoint Servers";"2";"W2K22DC$"
"RDS Management Servers";"2";"NETWORK SERVICE"
"RDS Management Servers";"2";"W2K22DC$"
"RDS Remote Access Servers";"1";"W2K22DC$"
"Remote Desktop Users";"1";"Domain Users"
"Schema Admins";"1";"Administrator"
"Terminal Server License Servers";"2";"NETWORK SERVICE"
"Terminal Server License Servers";"2";"W2K22DC$"
"Users";"3";"Authenticated Users"
"Users";"3";"Domain Users"
"Users";"3";"INTERACTIVE"
"Windows Authorization Access Group";"1";"ENTERPRISE DOMAIN CONTROLLERS"
There was a bug/glitch listing groups with only 1 member, but this article fixed that for me https://community.spiceworks.com/topic/2237955-more-different-results-get-adgroupmember-count-null
- LainRobertson Silver Contributor
It'd be useful to know from the poster if this is explicit or transitive, and related to members that are users or of any object type.
I couldn't motivate myself to ask but they're all things that would definitely impact the script.
Here's a quick one-liner that demonstrates pulling the transitive membership, which requires an additional round trip per group (since it's only available on base searches) and the explicit requesting of the msds-memberTransitive constructed attribute (i.e. using "-Properties *" doesn't cut it.)
(Get-ADGroup -SearchBase ((Get-ADGroup -Identity "Domain Admins").distinguishedName) -SearchScope Base -Filter * -Properties msds-memberTransitive).'msds-memberTransitive'.Count
Anyhow, that's all from me as the question's too open to know how best to answer at the moment.
Cheers,
Lain
- sparkislife Copper Contributor
Looking at explicit and am looking for user count per group.
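
The following is an added example, not code from any poster in this thread. It shows one way to count only explicit (direct) members that are user objects, which is the case clarified in the last post. The names Get-SmallUserGroup, New-SampleMember and -MemberLookup are hypothetical, and the sample data is constructed from the CSV output shown above so the filter can be run without a domain controller.

```powershell
# Added example. Get-SmallUserGroup and -MemberLookup are hypothetical names.
function Get-SmallUserGroup {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)] $Group,
        [int]$Min = 1,
        [int]$Max = 3,
        # Returns a group's direct members. The default queries AD without -Recursive,
        # so nested groups are not expanded. Replaceable for offline testing.
        [scriptblock]$MemberLookup = { param($g) Get-ADGroupMember -Identity $g.DistinguishedName }
    )
    process {
        # Keep only user objects; computers and nested groups are not counted.
        $users = @(& $MemberLookup $Group | Where-Object { $_.objectClass -eq 'user' })
        if ($users.Count -ge $Min -and $users.Count -le $Max) {
            [PSCustomObject]@{
                Group     = $Group.Name
                UserCount = $users.Count
                Users     = ($users.SamAccountName | Sort-Object) -join ','
            }
        }
    }
}

# Constructed sample data modelled on the CSV output shown in the thread.
function New-SampleMember($Name, $Class) {
    [PSCustomObject]@{ SamAccountName = $Name; objectClass = $Class }
}
$sample = [ordered]@{
    'Administrators'  = @((New-SampleMember 'Administrator' 'user'),
                          (New-SampleMember 'Domain Admins' 'group'),
                          (New-SampleMember 'Enterprise Admins' 'group'))
    'Cert Publishers' = @((New-SampleMember 'W2K22DC$' 'computer'))
    'Group 2'         = @((New-SampleMember 'test.user1' 'user'),
                          (New-SampleMember 'test.user2' 'user'))
    'Helpdesk'        = @((New-SampleMember 'test.user1' 'user'),
                          (New-SampleMember 'test.user2' 'user'),
                          (New-SampleMember 'test.user3' 'user'))
}

# Offline run: the lookup reads the constructed data instead of AD.
$sample.Keys | ForEach-Object { [PSCustomObject]@{ Name = $_ } } |
    Get-SmallUserGroup -MemberLookup { param($g) $sample[$g.Name] }

# Against a real domain (requires the ActiveDirectory module):
# Get-ADGroup -Filter * | Get-SmallUserGroup |
#     Export-Csv -NoTypeInformation -Encoding UTF8 -Delimiter ';' -Path C:\temp\small-user-groups.csv
```

With the user-only filter, a group such as Cert Publishers whose single member is a computer account drops out of the result, and Administrators is reported with one user rather than three members.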