I have a text file with different user names inside.
Now I want to get all groups where the users are inside, compare the user and only output the groups where ALL users are inside.
$users = Get-Content -path "C:\users.txt"
foreach($user in $users)
{
write-host "Group Membership for: " $user
Get-ADPrincipalGroupMembership -Identity $user | Select name
}
If the user list is not huge, the following is a simple way to group all groups that are common among the users:
$users = Get-Content -path "C:\users.txt"
$users | Foreach-Object {
# Grouping groups based on distinguishedName
# List groups that appear as many times as the number of users
Get-ADPrincipalGroupMembership -Identity $_
} | Group-Object DistinguishedName | Where {$_.Count -eq $users.Count} |
Select-Object #{n='Name';e={$_.Group[0].Name}}
Related
Hope all is well.
Trying to see if this possible.
Task: I have list of AD group that I need find members of each group. Only get the list active users.
Issue: I wanted to see if I can put the name of the group as Column name and Group Members under each column. Not sure if this possible. So far. I was only able to use Write-Output - Group and add extra line in way to difference each group.
$data = Import-Csv -Path C:\Source\Listofusers.csv
$results = Foreach ($datauser in $data)
{
$getadgroupmember = Get-ADGroupMember -Identity $datauser.ADGroups -Recursive | ? {$_.objectclass -eq "user"}
write-output "`n"
write-output $datauser.ADGroups
write-output "-----------------------------------------------------------------"
foreach ($activeanddisabledusers in $getadgroupmember)
{
Get-ADUser -Identity $activeanddisabledusers -Properties enabled | Where-Object {$_.Enabled -eq 'true'} | Select-Object -ExpandProperty SamAccountName}
}
I'm a beginner in programming in general..
What I'm trying to do is to create a powershell script that will:
Get information on each user on an Active Directory group.
Inside each group there may be another group, so I would want it to get the list of users from each nested group as well.
Only give me the information for each group once.
This is what I have so far:
$list = Get-ADGroupMember Admins
foreach($u in $list) {
Get-ADObject $u
}
foreach ($_ in $u) {
if ($u.ObjectClass -eq 'user') {
Get-ADUser $u -Properties * | select givenname, surname, samaccountname | ft -autosize
} else {
Get-ADGroupMember $u -Recursive | select name, samaccountname | ft -autosize
}
}
So far I'm trying to get it to work with that one group 'Admins' and then if it does I would want to run the code for more groups at the same time.
Any help or guidance would be appreciated.
You seem to want only properties that are returned by default by Get-ADUser aswell as Get-ADGroup, so in both cases, there is no need to specify the -Properties parameter.
Get-ADGroupMember can return user, computer and group objects, so at the moment, your else condition expects groups, where you could end up with a computer object..
In your code, you output to console with ft -autosize both in the if and the else, but it would be simpler to capture both types of resulting objects in a variable at the start of the loop and output it as a whole afterwards:
# you can load a list of group names from a predefined array:
$Groups = 'Admins', 'Users'
# or load from a file, each group name listed on a separate line:
# $Groups = Get-Content -Path 'D:\Test\ADGroups.txt'
# or get all AD groups in the domain:
# $Groups = (Get-ADGroup -Filter *).Name
$result = foreach ($group in $Groups) {
Get-ADGroup -Filter "Name -eq '$group'" | ForEach-Object {
# we could use the $group variable, but this ensures correct casing
$groupName = $_.Name
$members = $_ | Get-ADGroupMember -Recursive
foreach ($member in $members) {
if ($member.objectClass -eq 'user') {
Get-ADUser -Identity $member.DistinguishedName |
Select-Object #{Name="GroupName"; Expression={$groupName}},
#{Name="MemberType";Expression={'User'}},
Name,
GivenName,
Surname,
SamAccountName
}
elseif ($member.objectClass -eq 'group') {
Get-ADGroup -Identity $member.DistinguishedName |
Select-Object #{Name="GroupName";Expression={$groupName}},
#{Name="MemberType";Expression={'Group'}},
Name,
#{Name="GivenName";Expression={''}}, # groups don't have this property
#{Name="Surname";Expression={''}}, # groups don't have this property
SamAccountName
}
}
}
}
# output is console
$result | Format-Table -AutoSize
# write to CSV file
$result | Export-Csv -Path 'D:\Test\GroupsInfo.csv' -NoTypeInformation
The trick is here to output objects with equal properties for both a user and a group object
How could I get a List of Members on multible AD Groups with more than 5000 Users
Example:
Group1 = includes 6000 Members and Group2
Group2 = includes 7000 Members
the result of the get-adgroupmember of Group1 should 13000
how can I do that? Here I have the Problem, that it will not look in sub groups recursive will not work with get-adgroup
$group = "group1"
$ADInfo = Get-ADGroup -Identity $Group -Properties Members
$outputfile = $group
$ADInfo.Members | get-aduser | Select name, enabled, UserPrincipalName, SamAccountName
#$ADInfo.Members | get-aduser | Select name, enabled, UserPrincipalName, SamAccountName | Export-Csv c:\temp\$outputfile-member.csv -Delimiter "," -NoTypeInformation
# to show output
$members = #()
$members = $ADInfo.members
$members.count
With groups that large, it will be slow, but this should do what you want:
$groups = 'group1', 'group2' # array of group names
foreach ($group in $groups) {
Write-Host "Working on group '$group'"
$result = Get-ADGroupMember -Identity $group -Recursive | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object {
Get-ADUser -Identity $_.distinguishedName | Select-Object Name, Enabled, UserPrincipalName, SamAccountName
}
# show result on screen
$result | Format-Table -AutoSize
# write to export file
$result | Export-Csv -Path "c:\temp\$group-members.csv" -NoTypeInformation
}
Hope that helps
The easiest solution would be to adjust the MaxGroupOrMemberEntries parameter in ADWS on the DC you are targeting. You can see information on ADWS defaults here.
You could do something like the following, which is potentially convoluted:
function Get-ADGroupMembers
{
param ($groupname)
Get-ADGroupMember $groupname | where ObjectClass -eq 'Group' | ForEach-Object {
$_.Name
Get-ADGroupMembers $_.Name
}
}
$maingroup = 'group1'
$subgroups = Get-ADGroupMembers $maingroup
$allGroups = #($maingroup)+#($subgroups)
$regexEscapes = $allGroups |% { [regex]::Escape($_) }
$filter = "CN=({0})" -f ($regexEscapes -join "|")
$output = foreach ($group in $allGroups) {
Get-AdGroup $group -Properties Members | Select #{n='Members';e={$_.Members -notmatch $filter}}
}
$output.Members
Explanation:
The function will list the Name property value for each recursively discovered member group.
Since the -notmatch regex operator is used in filtering, a regex match string needs to be constructed. There could be multiple groups so the | (regex OR) character needs to be used.
The [regex]::Escape method escapes all backslashes and other special regex characters that may appear in the name strings.
$output is an array of PSCustomObjects that contain the Members property. The Members property contains the DN of all members that are users.
Non-PowerShell commands may be better suited for this particular case if the ADWS default limits are not modified.
I am quite new to PowerShell and on the site.
My issue is that I found a script which I have modified. The script is working, but only partial; it is not returning all the groups. Only 4 groups and after that is displaying "....." and no other info (you can see the picture).
Basically what I want to do is the following:
I have 100 users and I need to export the group membership of these 100 users.
[$users = Get-Content "D:\users.txt"
$adjob = foreach ($user in $users) {
Get-ADUser -server "myserver" –Identity $user –Properties MemberOf
}
$adjob | Select-Object Name,#{N='Group';E={$_.MemberOf -replace '^CN=(\[^,\]+),OU=.+$','$1'}} | Format-Table -AutoSize | out-file D:\users.csv][1]
Thise script should return:
name
user1
user2
user3
group
group1,group2,group3,rest of the groups for each User
group1,group2,group3,rest of the groups for each User
group1,group2,group3,rest of the groups for each User
Thank you for the help!
Try this:
$users = Get-Content "D:\users.txt"
$adjob = foreach ($user in $users) {
Get-ADUser -server "myserver" –Identity $user –Properties MemberOf
}
$adjob | foreach {"`n`n";$_.name, $((($_.MemberOf -split ",")| Select-String "CN") -replace "CN=","")}
The output should be username and group names right below. "`n`n" Will put two blank lines after every user.
For your particular case please try this:
Enter this on PowerShell first $FormatEnumerationLimit=-1 and then replace Format-Table -AutoSize in your original script with Format-Table -AutoSize -Wrap or Format-List
I am trying to create a CSV for AD cleanup work that will contain a couple hundred users' SamAccountName and a list of groups to remove the user from. Each user will have a different list of groups to remove them from.
CSV will look like this:
SamAccountName,ADgroupName1,ADgroupName2,ADgroupName3,ADgroupName4,etc...
user1,Group1,Group2,Group3,Group4
user2,Group2,Group3,,,
user3,Group5,,,,
The script I have so far:
# Get the list of SAMAccountNames
$user = Import-Csv .\GroupsToRemove.csv | Select-Object -ExpandProperty SAMAccountName
foreach ($user in $users) {
# Loop through the user list and select the list of groups to remove for each user
# from the CSV and set to the $Groups array
$Group = #()
$Group = %{(Import-Csv .\GroupsToRemove.csv | Where-Object {$_.SamAccountName -eq $user})} | select "GroupName*"
foreach ($group in $Groups) {
# Remove the AD groups from each User
Remove-ADPrincipalGroupMembership $user -Member $Group -Confirm:$false
}
}
I think part of the problem is that when I'm importing the group names from the CSV it also adds the column names into the $Group array? So the Remove-ADPrincipalGroupMembership command is failing?
$groups output is like below:
GroupName1 : Group1
GroupName2 : Group2
GroupName3 : Group3
GroupName4 : Group4
Don't define the AD groups as separate columns in the CSV. Make the groups one column with a comma (or other delimiter) separated string:
SamAccountName,Groups
user1,"Group1,Group2,Group3,Group4"
user2,"Group2,Group3"
user3,"Group5"
That way you can handle the groups from the CSV like this:
$csv = Import-Csv .\GroupsToRemove.csv
foreach ($user in $csv) {
$groups = $user.Groups -split ',' |
Get-ADGroup |
Select-Object -Expand DistinguishedName
Remove-ADPrincipalGroupMembership $user.SamAccountName -Member $groups -Confirm:$false
}