List off all AD groups that have between 1 and 3 users


I am looking for help with listing off all AD Groups that have between 1 and 3 members.


@sparkislife I made this in my test DC. It will create a list of all groups containing 1, 2 or 3 members and output them to c:\temp\groups.csv

 

 

$total = @()
foreach ($group in Get-ADGroup -Filter * -ResultSetSize 100000 | Sort-Object Name) {
    $members = get-adgroup $group.name | Get-ADGroupMember | Sort-Object Name
    $count = @(Get-ADGroupMember -Identity $Group).Count
    if ($count -ge 1 -and $count -le 3) {
        foreach ($member in $members) {
            $info = [PSCustomObject]@{
                Group           = $group.Name
                "Total Members" = $count
                Member          = $member.SamAccountName
            }
            $total += $info
        }
    }
}
$total | export-csv -NoTypeInformation -Encoding UTF8 -Delimiter ';' -Path c:\temp\groups.csv

 

 

Output looks like:

 

"Group";"Total Members";"Member"
"Administrators";"3";"Administrator"
"Administrators";"3";"Domain Admins"
"Administrators";"3";"Enterprise Admins"
"Cert Publishers";"1";"W2K22DC$"
"Certificate Service DCOM Access";"1";"Authenticated Users"
"Domain Admins";"1";"Administrator"
"Domain Controllers";"1";"W2K22DC$"
"Domain Guests";"1";"Guest"
"Enterprise Admins";"1";"Administrator"
"Group 1";"1";"test.user1"
"Group 2";"2";"test.user1"
"Group 2";"2";"test.user2"
"Group Policy Creator Owners";"1";"Administrator"
"Guests";"2";"Domain Guests"
"Guests";"2";"Guest"
"Helpdesk";"3";"test.user1"
"Helpdesk";"3";"test.user2"
"Helpdesk";"3";"test.user3"
"Pre-Windows 2000 Compatible Access";"2";"Authenticated Users"
"Pre-Windows 2000 Compatible Access";"2";"W2K22DC$"
"RDS Endpoint Servers";"2";"NETWORK SERVICE"
"RDS Endpoint Servers";"2";"W2K22DC$"
"RDS Management Servers";"2";"NETWORK SERVICE"
"RDS Management Servers";"2";"W2K22DC$"
"RDS Remote Access Servers";"1";"W2K22DC$"
"Remote Desktop Users";"1";"Domain Users"
"Schema Admins";"1";"Administrator"
"Terminal Server License Servers";"2";"NETWORK SERVICE"
"Terminal Server License Servers";"2";"W2K22DC$"
"Users";"3";"Authenticated Users"
"Users";"3";"Domain Users"
"Users";"3";"INTERACTIVE"
"Windows Authorization Access Group";"1";"ENTERPRISE DOMAIN CONTROLLERS"

 

There was a bug/glitch listing groups with only 1 member, but this article fixed that for me https://community.spiceworks.com/topic/2237955-more-different-results-get-adgroupmember-count-null

@Harm_Veenstra 

 

It'd be useful to know from the poster if this is explicit or transitive, and related to members that are users or of any object type.

 

I couldn't motivate myself to ask but they're all things that would definitely impact the script.

 

Here's a quick one-liner that demonstrates pulling the transitive membership, which requires an additional round trip per group (since it's only available on base searches) and the explicit requesting of the msds-memberTransitive constructed attribute (i.e. using "-Properties *" doesn't cut it.)

 

(Get-ADGroup -SearchBase ((Get-ADGroup -Identity "Domain Admins").distinguishedName) -SearchScope Base -Filter * -Properties msds-memberTransitive).'msds-memberTransitive'.Count

 

Anyhow, that's all from me as the question's too open to know how best to answer at the moment.

 

Cheers,

Lain

@LainRobertson It was the most simple one to get a list of groups which match the 1-3 member requirement. But the get-adgroupmember also has a -recursive parameter which lists all nested membership too.

Did my example help you?

@Harm_Veenstra 

Sorry had a busier weekend. Many thanks but lines 3 and 4 throw the error below. 

[Screenshot of the error: sparkislife_0-1650907488150.png]

 

Ok, that's strange... After running the script, did it do anything? Did it create a c:\temp\groups.csv file? Does running Get-ADGroup -Filter * -ResultSetSize 100000 | Sort-Object Name give you any results?

Looking at explicit and am looking for user count per group.

Get-ADGroup -Filter * -Properties Member | Select-Object Name,@{n="MemberCount";e={$_.Member.Count}} | Export-Csv -NoTypeInformation -Encoding UTF8 -Delimiter ';' -Path C:\temp\groups.csv

got me each group by name and count.

Want it filtered to groups with between 1 - 3 users only.

The output looks like the one in my first reply: it lists every group that contains 1, 2 or 3 members and gives the number of members in that group and the member names in a CSV. So it does that, not sure what you want?

 

You can also run this to only show the group and the number of members in it:

 

$total = @()
foreach ($group in Get-ADGroup -Filter * -ResultSetSize 100000 | Sort-Object Name) {
    $members = get-adgroup $group.name | Get-ADGroupMember | Sort-Object Name
    $count = @(Get-ADGroupMember -Identity $Group).Count
    if ($count -ge 1 -and $count -le 3) {
        $info = [PSCustomObject]@{
            Group           = $group.Name
            "Total Members" = $count
        }
        $total += $info
    }
}
$total | export-csv -NoTypeInformation -Encoding UTF8 -Delimiter ';' -Path c:\temp\groups.csv

I am looking to get almost a thousand groups. Am sorry I had to abort it as it kept throwing the unspecified error at me.

I went this route so far.

Get-ADGroup -Filter * -Properties Member | Select-Object Name,@{n="MemberCount";e={$_.Member.Count}} | Export-Csv -NoTypeInformation -Encoding UTF8 -Delimiter ';' -Path C:\temp\groups.csv

got me each group by name and count.

 


@sparkislife wrote:
Looking at explicit and am looking for user count per group.

@sparkislife 

 

Okay, in this case, something like this will suffice. You can add and remove any attributes you'd like.

 

Get-ADObject -Filter { (objectClass -eq "group") -and (member -like "*") } -Properties member | Select-Object -Property objectGUID, name, @{n="count"; e={ $_.member.Count; }} | Where-Object { $_.Count -in 1 .. 3 }

 

Cheers,

Lain
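Added example, not from the thread or its posters: the one-liner above counts direct members of any object class, while the question asks for user counts. This sketch tallies explicit user memberships from each user's memberOf attribute in one pass, so no Get-ADGroupMember call per group is needed; the output path and column names are assumptions, and primary-group membership (for example Domain Users) does not appear in memberOf.

```powershell
# Added example (not code from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Pass 1: count explicit user memberships per group DN.
# PowerShell hashtables are case-insensitive, which suits distinguished names.
$userCount = @{}
Get-ADUser -Filter * -Properties memberOf | ForEach-Object {
    foreach ($groupDn in $_.memberOf) {
        # [int]$null is 0, so the first hit for a group starts the tally at 1.
        $userCount[$groupDn] = 1 + [int]$userCount[$groupDn]
    }
}

# Pass 2: keep only groups whose explicit *user* count is between 1 and 3.
$report = Get-ADGroup -LDAPFilter '(member=*)' -Properties member |
    ForEach-Object {
        $users = [int]$userCount[$_.DistinguishedName]
        if ($users -ge 1 -and $users -le 3) {
            [PSCustomObject]@{
                Group         = $_.Name
                GroupGuid     = $_.ObjectGUID
                UserMembers   = $users
                # Direct members of any class, as returned in the member attribute;
                # a value above UserMembers means nested groups, computers or
                # other principals are also in the group.
                DirectMembers = $_.member.Count
            }
        }
    } | Sort-Object Group

# Assumed output location, same CSV format as the scripts in the thread.
$report | Export-Csv -NoTypeInformation -Encoding UTF8 -Delimiter ';' -Path C:\temp\small-groups.csv
```

For review purposes, rows where DirectMembers is larger than UserMembers are the ones to look at first, since the effective membership of those groups is wider than the user count suggests.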

Not sure why the error is there in your case, it does work on a 2022 DC with not that many groups but should work with a lot more groups without any problems. @LainRobertson posted an adjustment to your line below which should work.

Yes that did the trick. Many thanks

worked fine thx.