Searching multiple AD security groups for members?

%3CLINGO-SUB%20id%3D%22lingo-sub-1084714%22%20slang%3D%22en-US%22%3ESearching%20multiple%20AD%20security%20groups%20for%20members%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1084714%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20not%20sure%20if%20this%20is%20off%20topic%20for%20this%20group%2C%20but%20the%20groups%20control%20the%20licensing%20for%20O365%20for%20exchange%20hybrid%2C%20so%20I%20figured%20this%20would%20be%20a%20good%20place%20to%20start.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEvery%20time%20a%20user%20leaves%20the%20company%20I%20need%20to%20search%20through%20multiple%20AD%20groups%20to%20see%20if%20they%20have%20a%20license%20for%20any%20O365%20licenses.%26nbsp%3B%20M365-E3%2C%20O365-e3%2C%20F1%2C%20E1%2C%20and%20E5.%26nbsp%3B%20Do%20that%20manually%20in%20ADUC%20sucks%20because%20there%20are%20a%20LOT%20of%20people%20in%20those%20groups.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20anyone%20know%20of%20a%20way%20in%20powershell%20that%20I%20could%20easily%20search%20all%20of%20those%20AD%20groups%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20better%20yet%2C%20does%20anyone%20know%20of%20a%20way%20I%20could%20grab%20a%20list%20of%20names%20from%20a%20spreadsheet%2C%20and%20search%20for%20all%20of%20those%20names%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESome%20days%20I%20might%20only%20get%20one%20or%202%20names%20to%20search%20for%2C%20other%20days%20I%20might%20get%2012%20or%2015.%26nbsp%3B%20Do%20those%20one%20by%20one%20would%20get%20old%20so%20the%20spreadsheet%20method%20would%20be%20great%20if%20anyone%20knows%20of%20a%20way%20to%20do%20that.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENote%20I'm%20NOT%20a%20PS%20guru%20by%20any%20stretch%2C%20but%20hopefully%20I%20can%20cobble%20together%20something%20if%20someone%20can%20point%20me%20in%20the%20right%20direction.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks.%3C%2FP%3E%3CP%3ETed%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1084714%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EHybrid%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1085957%22%20slang%3D%22en-US%22%3ERe%3A%20Searching%20multiple%20AD%20security%20groups%20for%20members%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1085957%22%20slang%3D%22en-US%22%3E%3CP%3EDepends%20on%20the%20group%20type.%20Generally%20speaking%2C%20you%20can%20use%20the%20good%20old%20AD%20tools%3A%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3E%2F%2F%2F%20List%20all%20groups%20(non-recursive)%0A%0A(Get-ADUser%20-Filter%20%7BUserPrincipalName%20-like%20%22XXXXXXXX%22%7D%20-Properties%20MemberOf).MemberOf%0A%0A%2F%2F%2F%20List%20all%20groups%20(recursive)%0AGet-ADGroup%20-LDAPFilter%20%22(member%3A1.2.840.113556.1.4.1941%3A%3DCN%3DXXXXXX%2COU%3DUser%2COU%3DAccounts%2COU%3DP01%2CDC%3Ddomain%2CDC%3Dcom)%22%20%7C%20measure%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3Ewhere%20I've%20used%20the%20%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3ELDAP_MATCHING_RULE_IN_CHAIN%20identifier%20(%22%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E1.2.840.113556.1.4.1941%3C%2FFONT%3E%22)%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fwin32%2Fadsi%2Fsearch-filter-syntax%3Fredirectedfrom%3DMSDN%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fwin32%2Fadsi%2Fsearch-filter-syntax%3Fredirectedfrom%3DMSDN%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1086419%22%20slang%3D%22en-US%22%3ERe%3A%20Searching%20multiple%20AD%20security%20groups%20for%20members%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1086419%22%20slang%3D%22en-US%22%3EYou%20can%20create%20a%20script%20to%20remove%20departed%20users%20from%20all%20groups%20and%20schedule%20it%20to%20run%20weekly%20once%20you%20confirm%20they%20are%20gone.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1086775%22%20slang%3D%22en-US%22%3ERe%3A%20Searching%20multiple%20AD%20security%20groups%20for%20members%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1086775%22%20slang%3D%22en-US%22%3E%3CP%3EHello%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F414440%22%20target%3D%22_blank%22%3E%40Scouter_Ted%3C%2FA%3E%26nbsp%3B!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20could%20do%20a%20simple%20powershell%20script%20with%20a%20%22foreach%22%20loop%20and%20a%20%22if%22%20statement%20together%20with%20a%20CSV%20file%20to%20quite%20easily%20remove%20AD%20users%20from%20the%20license%20groups%20autimatically%20with%20the%20help%20of%20the%20CSV%20file%20(%20Spreadsheet%20).%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20also%20helps%20if%20the%20license%20groups%20follow%20some%20kind%20of%20name%20standard.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELet%20me%20know%20if%20you%20need%20further%20guidance%20with%20the%20powershell%20script.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheers!%26nbsp%3B%3CBR%20%2F%3EKind%20regards%3CBR%20%2F%3EOliwer%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

I'm not sure if this is off topic for this group, but the groups control the licensing for O365 for exchange hybrid, so I figured this would be a good place to start.

 

Every time a user leaves the company I need to search through multiple AD groups to see if they have a license for any O365 licenses.  M365-E3, O365-e3, F1, E1, and E5.  Do that manually in ADUC sucks because there are a LOT of people in those groups.

 

Does anyone know of a way in powershell that I could easily search all of those AD groups?  

And better yet, does anyone know of a way I could grab a list of names from a spreadsheet, and search for all of those names?  

 

Some days I might only get one or 2 names to search for, other days I might get 12 or 15.  Do those one by one would get old so the spreadsheet method would be great if anyone knows of a way to do that.

 

Note I'm NOT a PS guru by any stretch, but hopefully I can cobble together something if someone can point me in the right direction.

 

Thanks.

Ted

 

3 Replies

Depends on the group type. Generally speaking, you can use the good old AD tools: 

 

/// List all groups (non-recursive)

(Get-ADUser -Filter {UserPrincipalName -like "XXXXXXXX"} -Properties MemberOf).MemberOf

/// List all groups (recursive)
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=CN=XXXXXX,OU=User,OU=Accounts,OU=P01,DC=domain,DC=com)" | measure

where I've used the LDAP_MATCHING_RULE_IN_CHAIN identifier ("1.2.840.113556.1.4.1941"): https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax?redirectedfrom=MSDN

You can create a script to remove departed users from all groups and schedule it to run weekly once you confirm they are gone.

Hello@Scouter_Ted !

 

You could do a simple powershell script with a "foreach" loop and a "if" statement together with a CSV file to quite easily remove AD users from the license groups autimatically with the help of the CSV file ( Spreadsheet ). 

 

It also helps if the license groups follow some kind of name standard. 

 

Let me know if you need further guidance with the powershell script. 

 

Cheers! 
Kind regards
Oliwer