Forum Discussion
List off all AD groups that have between 1 and 3 users
sparkislife I made this in my test DC; it will create a list of all groups containing 1, 2 or 3 members and output them to c:\temp\groups.csv
$total = @()
foreach ($group in Get-ADGroup -Filter * -ResultSetSize 100000 | Sort-Object Name) {
    # Query the members once, passing the group object itself as the identity
    # (a display name is not always a valid identity). @() forces an array so
    # .Count is 1 rather than $null when a group has a single member.
    $members = @(Get-ADGroupMember -Identity $group | Sort-Object Name)
    $count = $members.Count
    if ($count -ge 1 -and $count -le 3) {
        # One output row per member, repeating the group name and member count
        foreach ($member in $members) {
            $info = [PSCustomObject]@{
                Group           = $group.Name
                "Total Members" = $count
                Member          = $member.SamAccountName
            }
            $total += $info
        }
    }
}
$total | Export-Csv -NoTypeInformation -Encoding UTF8 -Delimiter ';' -Path c:\temp\groups.csv
Output looks like:
"Group";"Total Members";"Member"
"Administrators";"3";"Administrator"
"Administrators";"3";"Domain Admins"
"Administrators";"3";"Enterprise Admins"
"Cert Publishers";"1";"W2K22DC$"
"Certificate Service DCOM Access";"1";"Authenticated Users"
"Domain Admins";"1";"Administrator"
"Domain Controllers";"1";"W2K22DC$"
"Domain Guests";"1";"Guest"
"Enterprise Admins";"1";"Administrator"
"Group 1";"1";"test.user1"
"Group 2";"2";"test.user1"
"Group 2";"2";"test.user2"
"Group Policy Creator Owners";"1";"Administrator"
"Guests";"2";"Domain Guests"
"Guests";"2";"Guest"
"Helpdesk";"3";"test.user1"
"Helpdesk";"3";"test.user2"
"Helpdesk";"3";"test.user3"
"Pre-Windows 2000 Compatible Access";"2";"Authenticated Users"
"Pre-Windows 2000 Compatible Access";"2";"W2K22DC$"
"RDS Endpoint Servers";"2";"NETWORK SERVICE"
"RDS Endpoint Servers";"2";"W2K22DC$"
"RDS Management Servers";"2";"NETWORK SERVICE"
"RDS Management Servers";"2";"W2K22DC$"
"RDS Remote Access Servers";"1";"W2K22DC$"
"Remote Desktop Users";"1";"Domain Users"
"Schema Admins";"1";"Administrator"
"Terminal Server License Servers";"2";"NETWORK SERVICE"
"Terminal Server License Servers";"2";"W2K22DC$"
"Users";"3";"Authenticated Users"
"Users";"3";"Domain Users"
"Users";"3";"INTERACTIVE"
"Windows Authorization Access Group";"1";"ENTERPRISE DOMAIN CONTROLLERS"
There was a bug/glitch listing groups with only 1 member, but this article fixed that for me https://community.spiceworks.com/topic/2237955-more-different-results-get-adgroupmember-count-null
- LainRobertson Apr 22, 2022 Silver Contributor
It'd be useful to know from the poster if this is explicit or transitive, and related to members that are users or of any object type.
I couldn't motivate myself to ask but they're all things that would definitely impact the script.
Here's a quick one-liner that demonstrates pulling the transitive membership, which requires an additional round trip per group (since it's only available on base searches) and the explicit requesting of the msds-memberTransitive constructed attribute (i.e. using "-Properties *" doesn't cut it.)
(Get-ADGroup -SearchBase ((Get-ADGroup -Identity "Domain Admins").distinguishedName) -SearchScope Base -Filter * -Properties msds-memberTransitive).'msds-memberTransitive'.Count
Anyhow, that's all from me as the question's too open to know how best to answer at the moment.
Cheers,
Lain
- Apr 22, 2022
LainRobertson It was the most simple one to get a list of groups which match the 1-3 member requirement. But the get-adgroupmember also has a -recursive parameter which lists all nested membership too.
- sparkislife Apr 25, 2022 Copper Contributor
Looking at explicit and am looking for user count per group.
- LainRobertson Apr 25, 2022 Silver Contributor
sparkislife wrote:
Looking at explicit and am looking for user count per group.
Okay, in this case, something like this will suffice. You can add and remove any attributes you'd like.
Get-ADObject -Filter { (objectClass -eq "group") -and (member -like "*") } -Properties member | Select-Object -Property objectGUID, name, @{n="count"; e={ $_.member.Count; }} | Where-Object { $_.Count -in 1 .. 3 }
Cheers,
Lain
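
Because the request was for explicit membership counted in users only, the same report can also be built by inverting each user's memberOf list, which takes one directory query instead of one per group. This is an added example, not code from any poster in the thread; the function name and the sample data are constructed. It assumes a single domain, and memberOf does not include primary-group membership (for example Domain Users).

```powershell
# Added example. Get-SmallGroupUserMembership is a hypothetical helper name.
function Get-SmallGroupUserMembership {
    [CmdletBinding()]
    param(
        # Objects exposing SamAccountName and MemberOf (group DNs), such as the
        # output of: Get-ADUser -Filter * -Properties memberOf
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$User,
        [int]$Min = 1,
        [int]$Max = 3
    )
    begin { $byGroup = @{} }   # group DN -> user names; keys are case-insensitive
    process {
        foreach ($u in $User) {
            foreach ($dn in $u.MemberOf) {   # no iterations when MemberOf is empty
                if (-not $byGroup.ContainsKey($dn)) {
                    $byGroup[$dn] = [System.Collections.Generic.List[string]]::new()
                }
                $byGroup[$dn].Add($u.SamAccountName)
            }
        }
    }
    end {
        foreach ($dn in ($byGroup.Keys | Sort-Object)) {
            $names = $byGroup[$dn]
            if ($names.Count -lt $Min -or $names.Count -gt $Max) { continue }
            foreach ($name in ($names | Sort-Object)) {
                [PSCustomObject]@{ Group = $dn; 'Total Users' = $names.Count; Member = $name }
            }
        }
    }
}

# Constructed sample input standing in for Get-ADUser output (not a real domain).
# Helpdesk has 2 user members and Staff has 4; test.user5 is in no group.
$base = 'DC=example,DC=test'
$sample = @(
    [PSCustomObject]@{ SamAccountName = 'test.user1'; MemberOf = @("CN=Helpdesk,$base", "CN=Staff,$base") }
    [PSCustomObject]@{ SamAccountName = 'test.user2'; MemberOf = @("CN=Helpdesk,$base", "CN=Staff,$base") }
    [PSCustomObject]@{ SamAccountName = 'test.user3'; MemberOf = @("CN=Staff,$base") }
    [PSCustomObject]@{ SamAccountName = 'test.user4'; MemberOf = @("CN=Staff,$base") }
    [PSCustomObject]@{ SamAccountName = 'test.user5'; MemberOf = @() }
)
$sample | Get-SmallGroupUserMembership | Format-Table -AutoSize

# Against a live domain (needs the ActiveDirectory module):
# Get-ADUser -Filter * -Properties memberOf | Get-SmallGroupUserMembership
```

Groups whose only members are other groups, computers or well-known principals never appear in this output, since nothing is counted for them.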