Get Specific AD Users from AD Group - powershell

I need to get specific users from specific Groups in Active Directory.
So far I have this:
$Groupnames = get-adgroup -Filter "name -like '$Groupfilter'" -Properties * -SearchBase $Grouppath |
    Select-Object Name, @{
        Name='Username';
        Expression={
            Get-ADGroupMember -identity $($_.Name) -Recursive |
                Get-ADUser -Property SamAccountName |
                Select -ExpandProperty SamAccountName
        }
    }
This works to get the Groups with their names. Now I want to get all users from these groups. That works, but the formatting is completely off. I want this:
Name Username
---- --------
Group1 user1adm
Group2 {user1adm, user1, user2, user2adm...}
Group3 {user1adm, user3, user2adm, user6...}
But I get this:
{user1adm, user1, user2, user2adm...}
With that formatting I can't see all users.
My goal at the end is also to exclude users who end with adm, but I don't know how to do that.
Can you help me?

Get-ADGroupMember can return objects of type 'user', 'group' or 'computer', so piping the returned objects straight through to Get-ADUser could get you into trouble if one of the objects is not a user.
Having said that, the objects returned from Get-ADGroupMember already contain the SamAccountName property you are after, so you can eliminate Get-ADUser from the code.
$Groupnames = Get-ADGroup -Filter "name -like '$Groupfilter'" -SearchBase $Grouppath |
    Select-Object Name,
        @{Name = 'Username'; Expression = {
                ($_ | Get-ADGroupMember -Recursive |
                    Select-Object -ExpandProperty SamAccountName |
                    Where-Object { $_ -notmatch 'adm$' }
                ) -join ', '
            }
        }
# output the result on screen
$Groupnames | Format-Table -AutoSize
# output to CSV file
$Groupnames | Export-Csv -Path 'Path\To\The\GroupMembers.csv' -NoTypeInformation
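The same report logic run over constructed member objects, as an added example that is not part of the original answer: it keeps only objects whose objectClass is user, applies the answer's 'adm$' exclusion, and records what was left out so the report can be audited. The helper name Get-GroupUserReport, the GroupName property and the sample accounts are assumptions made for the illustration.

```powershell
# Constructed sample standing in for Get-ADGroupMember -Recursive output
# (GroupName is added here for the illustration; it is not an AD property).
$members = @(
    [pscustomobject]@{ GroupName = 'Group1'; objectClass = 'user';     SamAccountName = 'user1adm' }
    [pscustomobject]@{ GroupName = 'Group2'; objectClass = 'user';     SamAccountName = 'user1' }
    [pscustomobject]@{ GroupName = 'Group2'; objectClass = 'user';     SamAccountName = 'user2ADM' }
    [pscustomobject]@{ GroupName = 'Group2'; objectClass = 'computer'; SamAccountName = 'SRV01$' }
    [pscustomobject]@{ GroupName = 'Group2'; objectClass = 'user';     SamAccountName = 'user2' }
)

# Hypothetical helper (not part of the ActiveDirectory module).
function Get-GroupUserReport {
    param(
        [Parameter(Mandatory)] [object[]] $Members,
        [string] $ExcludePattern = 'adm$'   # -match / -notmatch are case-insensitive
    )
    $Members | Group-Object GroupName | ForEach-Object {
        # Only user objects belong in a user report; other classes are counted, not listed.
        $users = @($_.Group | Where-Object { $_.objectClass -eq 'user' } |
                ForEach-Object { $_.SamAccountName } | Sort-Object -Unique)
        $kept     = @($users | Where-Object { $_ -notmatch $ExcludePattern })
        $excluded = @($users | Where-Object { $_ -match $ExcludePattern })
        [pscustomobject]@{
            Name     = $_.Name
            Username = $kept -join ', '       # joined string is not truncated by Format-Table
            Excluded = $excluded -join ', '   # accounts dropped by the pattern, kept for review
            NonUsers = @($_.Group | Where-Object { $_.objectClass -ne 'user' }).Count
        }
    }
}

Get-GroupUserReport -Members $members | Format-Table -AutoSize
```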

Related

Find multiple of the same objects in an Array and do something with these objects

I need a PowerShell-Script that does the following:
Get the AD-Groupmember of six different AD-Groups.
Show only members who are in more than two of those AD-Groups.
Remove these members from those AD-Groups.
I could only come up with a Script, that finds all members of those six AD-Groups and show them grouped descending from the occurrence in the groups. I don't know how to go from here to automatically remove the members with count 3 or greater from the AD-Groups.
$arrMembersADGroup1 = Get-ADGroupMember -Identity "AD-Group1" -Recursive | Get-ADUser -Properties Mail | Select-Object Mail
$arrMembersADGroup2 = Get-ADGroupMember -Identity "AD-Group2" -Recursive | Get-ADUser -Properties Mail | Select-Object Mail
$arrMembersADGroup3 = Get-ADGroupMember -Identity "AD-Group3" -Recursive | Get-ADUser -Properties Mail | Select-Object Mail
$arrMembersADGroup4 = Get-ADGroupMember -Identity "AD-Group4" -Recursive | Get-ADUser -Properties Mail | Select-Object Mail
$arrMembersADGroup5 = Get-ADGroupMember -Identity "AD-Group5" -Recursive | Get-ADUser -Properties Mail | Select-Object Mail
$arrMembersADGroup6 = Get-ADGroupMember -Identity "AD-Group6" -Recursive | Get-ADUser -Properties Mail | Select-Object Mail
$arrAllGroupMembers = $arrMembersADGroup1 + $arrMembersADGroup2 + $arrMembersADGroup3 + $arrMembersADGroup4 + $arrMembersADGroup5 + $arrMembersADGroup6
$arrAllGroupMembers | Group-Object -Property Mail -NoElement | Sort-Object -Property count -Descending | Select-Object Name,count
The following should do the trick, basically create an output having the user's samAccountName and their respective group they're a memberOf. Then that output is piped to Group-Object where the objects are grouped by their samAccountName to later be filtered where there are more than 2 grouped objects (meaning, they would be a member of 3 or more groups). The output you should get is the user's samAccountName and all the group's DistinguishedName they're a member of.
$groups = 'AD-Group1', 'AD-Group2', 'AD-Group3', 'AD-Group4', 'AD-Group5', 'AD-Group6'
$groups | ForEach-Object {
    $dn = (Get-ADGroup $_).DistinguishedName
    # find all recursive user object members of this group
    foreach($member in Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)") {
        [pscustomobject]@{
            samAccountName = $member.samAccountName
            MemberOf = $dn
        }
    }
} | Group-Object samAccountName | Where-Object Count -GT 2

Powershell - Get User information from AD list

I'm a beginner in programming in general..
What I'm trying to do is to create a powershell script that will:
Get information on each user on an Active Directory group.
Inside each group there may be another group, so I would want it to get the list of users from each nested group as well.
Only give me the information for each group once.
This is what I have so far:
$list = Get-ADGroupMember Admins
foreach($u in $list) {
Get-ADObject $u
}
foreach ($_ in $u) {
if ($u.ObjectClass -eq 'user') {
Get-ADUser $u -Properties * | select givenname, surname, samaccountname | ft -autosize
} else {
Get-ADGroupMember $u -Recursive | select name, samaccountname | ft -autosize
}
}
So far I'm trying to get it to work with that one group 'Admins' and then if it does I would want to run the code for more groups at the same time.
Any help or guidance would be appreciated.
You seem to want only properties that are returned by default by Get-ADUser as well as Get-ADGroup, so in both cases, there is no need to specify the -Properties parameter.
Get-ADGroupMember can return user, computer and group objects, so at the moment, your else condition expects groups, where you could end up with a computer object.
In your code, you output to console with ft -autosize both in the if and the else, but it would be simpler to capture both types of resulting objects in a variable at the start of the loop and output it as a whole afterwards:
# you can load a list of group names from a predefined array:
$Groups = 'Admins', 'Users'
# or load from a file, each group name listed on a separate line:
# $Groups = Get-Content -Path 'D:\Test\ADGroups.txt'
# or get all AD groups in the domain:
# $Groups = (Get-ADGroup -Filter *).Name
$result = foreach ($group in $Groups) {
    Get-ADGroup -Filter "Name -eq '$group'" | ForEach-Object {
        # we could use the $group variable, but this ensures correct casing
        $groupName = $_.Name
        $members = $_ | Get-ADGroupMember -Recursive
        foreach ($member in $members) {
            if ($member.objectClass -eq 'user') {
                Get-ADUser -Identity $member.DistinguishedName |
                    Select-Object @{Name="GroupName"; Expression={$groupName}},
                                  @{Name="MemberType";Expression={'User'}},
                                  Name,
                                  GivenName,
                                  Surname,
                                  SamAccountName
            }
            elseif ($member.objectClass -eq 'group') {
                Get-ADGroup -Identity $member.DistinguishedName |
                    Select-Object @{Name="GroupName";Expression={$groupName}},
                                  @{Name="MemberType";Expression={'Group'}},
                                  Name,
                                  @{Name="GivenName";Expression={''}}, # groups don't have this property
                                  @{Name="Surname";Expression={''}}, # groups don't have this property
                                  SamAccountName
            }
        }
    }
}
# output to console
$result | Format-Table -AutoSize
# write to CSV file
$result | Export-Csv -Path 'D:\Test\GroupsInfo.csv' -NoTypeInformation
The trick here is to output objects with equal properties for both a user and a group object.

Using Get-ADGroup & Get-Groupmember when in multiple Groups

So I'm trying to return a report that will list each user and each group they are in using -Filter "name-like 'BLAH'"
The user may be a part of multiple "BLAH" groups but no more than 3. How can I get an output like?
Member | Group1 | Group2 | Group3
I tried the below but not quite what I need
$adgroups = Get-ADGroup -Filter "name -like '*BLAH*'" | sort name
$data = foreach ($adgroup in $adgroups) {
    $members = $adgroup | get-adgroupmember |select name| sort name
    foreach ($member in $members) {
        [PSCustomObject]@{
            Members = $member
            Group = $adgroup.name
        }
    }
}
This is what I get when using @Adam Luniewski's solution
Try this:
$adgroups = Get-ADGroup -Filter "name -like '*BLAH*'" | Sort-Object Name
$data = ForEach ($adgroup in $adgroups){
    $adgroup | get-adgroupmember | Select-Object @{n='Members';e={$_}},@{n='Group';e={(Get-ADUser $_.SamAccountName -Properties MemberOf).MemberOf}}
}
Here Get-ADUser is used to retrieve user group memberships (first said @Olaf) then I used calculated properties to format the output.
This should work. Just watch out if you have StrictMode set in your script, it might throw an error if $usrgrp count is less than 3, then you'd have to modify this part.
# get a list of all users and groups in two columns
$dat = @(Get-ADGroup -Filter "name -like '*BLAH*'" -PipelineVariable group | Get-ADGroupMember | select @{n='UserName';e={$_.name}},@{n='GroupName';e={$group.name}})
# for each user in a list add group fields
$dat | select UserName -Unique | ForEach-Object {
    $usrgrp = @($dat | where username -eq $_.UserName | sort GroupName);
    [pscustomobject]@{
        UserName=$_.Username;
        Group1=$usrgrp[0].GroupName;
        Group2=$usrgrp[1].GroupName;
        Group3=$usrgrp[2].GroupName;
    };
}
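A variant of the pivot above that keeps working with StrictMode enabled, as an added example that is not part of the original answers: it groups the (user, group) pairs once, fills missing columns with $null instead of indexing past the end of the array, and flags users who exceed the expected three groups. The helper name ConvertTo-GroupColumns, the Overflow column and the sample pairs are assumptions made for the illustration.

```powershell
Set-StrictMode -Version Latest

# Constructed (user, group) pairs standing in for the
# Get-ADGroup | Get-ADGroupMember output built in $dat above.
$dat = @(
    [pscustomobject]@{ UserName = 'alice'; GroupName = 'BLAH-Finance' }
    [pscustomobject]@{ UserName = 'alice'; GroupName = 'BLAH-Audit' }
    [pscustomobject]@{ UserName = 'bob';   GroupName = 'BLAH-Finance' }
    [pscustomobject]@{ UserName = 'carol'; GroupName = 'BLAH-Audit' }
    [pscustomobject]@{ UserName = 'carol'; GroupName = 'BLAH-Finance' }
    [pscustomobject]@{ UserName = 'carol'; GroupName = 'BLAH-Ops' }
    [pscustomobject]@{ UserName = 'carol'; GroupName = 'BLAH-Payroll' }
)

# Hypothetical helper (not part of the ActiveDirectory module).
function ConvertTo-GroupColumns {
    param(
        [Parameter(Mandatory)] [object[]] $Pairs,
        [int] $MaxGroups = 3
    )
    # Group once per user instead of re-filtering the whole list for every user.
    $Pairs | Group-Object UserName | ForEach-Object {
        $names = @($_.Group | ForEach-Object { $_.GroupName } | Sort-Object -Unique)
        $row = [ordered]@{ UserName = $_.Name }
        for ($i = 0; $i -lt $MaxGroups; $i++) {
            # Bounds check: under StrictMode an out-of-range index throws.
            $row["Group$($i + 1)"] = if ($i -lt $names.Count) { $names[$i] } else { $null }
        }
        # Number of memberships that did not fit into the fixed columns.
        $row['Overflow'] = [math]::Max(0, $names.Count - $MaxGroups)
        [pscustomobject]$row
    }
}

ConvertTo-GroupColumns -Pairs $dat | Format-Table -AutoSize
```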

Export CSV of AD SamAccountNames and Groups for every user in specific OU

I found a similar question here, but it doesn't quite fit my need and I am having trouble tweaking it to do so.
I need to create a .csv file of all users in a specific OU along with what their AD group membership is in the following format:
User, Group (This is a Header)
User1, Group1
User1, Group2
User1, Group3
User2, Group1
User3, Group1
User4, Group1
User4, Group2
I think this script gets me most of the way there:
$Users = Get-ADGroup -SearchBase "OU=OrgUnit1,OU=OrgUnit2,OU=OrgUnit3,DC=XXX,DC=LOCAL" -Filter * `
| Get-ADGroupMember -Recursive `
| ForEach-Object { Get-ADUser $_ -Properties MemberOf | Select SamAccountName, MemberOf; } `
| Sort-Object SamAccountName `
| export-csv C:\Messaging\PowerShell\ADUsers\Test1.csv
The problem with this is twofold.
I want to search on OU=OrgUnit1 without having to search on the full distinguished name, because the sub OU's aren't always the same.
The .csv output has the full distinguished name of the AD Group and I need just the Name of the group with no qualifiers.
Use Get-ADOrganizationalUnit to get the OU you want to search:
$ou = Get-ADOrganizationalUnit -Filter "Name -eq 'OrgUnit1'"
Get-ADGroup -Filter * -SearchBase $ou | ...
The memberOf property is a list of groups (or rather their distinguished names). To get the output you want you need to unroll and resolve the group names and create new custom objects with the desired properties:
... | ForEach-Object {
    $account = $_.SamAccountName
    $_.MemberOf | Get-ADGroup | ForEach-Object {
        New-Object -Type PSCustomObject -Property @{
            SamAccountName = $account
            Group = $_.Name
        }
    }
} | ...
Also, there's no point in assigning pipeline output to a variable ($Users) if at the end of that pipeline you export the output to a file.
Modified code:
$ou = Get-ADOrganizationalUnit -Filter "Name -eq 'OrgUnit1'"
Get-ADGroup -Filter * -SearchBase $ou |
    Get-ADGroupMember -Recursive |
    ForEach-Object { Get-ADUser $_ -Properties MemberOf; } |
    Sort-Object SamAccountName |
    ForEach-Object {
        $account = $_.SamAccountName
        $_.MemberOf | Get-ADGroup | ForEach-Object {
            New-Object -Type PSCustomObject -Property @{
                SamAccountName = $account
                Group = $_.Name
            }
        }
    } | Export-Csv 'C:\Messaging\PowerShell\ADUsers\Test1.csv'
You don't need this much of code to write. Use below code in PowerShell to export all AD users.
Something like this:
Import-Module ActiveDirectory
Get-ADUser -Filter * -Properties * | export-csv c:\ADusers.csv
If you have a big AD, that might take a while though.

Export AD users with list of specific groups

I've been trying to get an extract of AD users and select mail, name, memberof. I then need to list only specific groups from the memberof output so I end up with a list for each user that contains their name, email address and specific groups that match a certain name and not all of the groups they are a member of.
Get-ADUser username -Properties memberof | Select-Object memberof
I can't seem to find a way of doing this as I end up with either noteproperty above or an empty pipeline. Is there a way to achieve what I am trying to do?
The memberOf attribute contains a list of distinguishedName (DN) values, each corresponding to a group.
Retrieve the groups you are interested in, before you run Get-ADUser, that way you can compare the Group DN to the entry in memberOf:
$GroupDNs = Get-ADGroup -Filter {Name -like "*finance*" -or Name -like "*creditcontrol*"} | Select-Object -ExpandProperty DistinguishedName
Now, you can use those DN's to filter the group memberships with a calculated property, like so:
$UserInfo = foreach($username in @("bob","alice","joe")){
    $User = Get-ADUser -Identity $username -Properties mail,memberOf |Select Name,mail,memberof
    $User | Select-Object Name,mail,@{Label="GroupDNs";Expr = {$_.memberof | Where-Object {$GroupDNs -contains $_}}}
}
without doing a new Get-ADGroup query for each memberof entry.
If you want a string of group names, rather than a NoteProperty containing an array of strings, you could fill the Groups into a hashtable and use that to "look up" the memberof entries using the ContainsKey() method:
$Groups = @{}
Get-ADGroup -Filter {Name -like "*finance*" -or Name -like "*creditcontrol*"} | ForEach-Object {
    $Groups[$_.DistinguishedName] = $_
}
$UserInfo = foreach($username in @("bob","alice","joe")){
    $User = Get-ADUser -Identity $username -Properties mail,memberOf |Select Name,mail,memberof
    $User | Select-Object Name,mail,@{Label="Groups";Expr = { ($_.memberof | Where-Object {$Groups.ContainsKey($_)} | ForEach-Object { $Groups[$_].Name}) -join ";" }}
}
$UserInfo | Export-Csv C:\aduserinfo.csv -NoTypeInformation