I need help finding users/groups that fall under multiple domains in my organization. As I have it right now it only looks through the main domain. I would want it to search for users/groups in all of my organizations domains.
This is what I have:
$Users = @()
$Groups = @()
$list = Get-Content C:\temp\ADGroups.txt
Foreach ($o in $list){
    $ObjectClass = (Get-ADObject -Filter {SamAccountName -eq $o}).ObjectClass
    If ($ObjectClass -eq "User")
    {
        $U = Get-ADUser -Properties * -Identity $o
        $User = "" | Select FullUserName, LoginID, Description
        $User.FullUserName = $U.DisplayName
        $User.LoginID = $U.SamAccountName
        $User.Description = $U.description
        $Users += $User
    }
    Else
    {
        If ($ObjectClass -eq "Group")
        {
            $G = Get-ADGroup -Properties * -Identity $o
            $GM = Get-ADGroupMember -Identity $G.name -Recursive | Get-ADUser -Properties *
            Foreach ($gmember in $GM)
            {
                $Group = "" | Select GroupName, GroupDescription, GroupMemberName, GroupMemberLoginID, GroupMemberDesc
                $Group.GroupName = $G.Name
                $Group.GroupDescription = $G.Description
                $Group.GroupMemberName = $gmember.Name
                $Group.GroupMemberLoginID = $gmember.SamAccountName
                $Group.GroupMemberDesc = $gmember.Description
                $Groups += $Group
            }
        }
    }
}
$Users | Export-Csv C:\temp\PCMUsers.csv -NoTypeInformation
$Groups | Export-Csv C:\temp\PCMGroups.csv -NoTypeInformation
Going off of TheIncorrigible1's comment, here is some code to accompany it which may be useful.
$Domains = (Get-ADForest).Domains.ForEach{ (Get-ADDomain $_).PDCEmulator }
$Users = @()
$Groups = @()
$list = Get-Content C:\temp\ADGroups.txt
ForEach ($dom in $Domains) {
    Foreach ($o in $list) {
        # Ask a domain controller of *this* domain, not the logon domain
        $ObjectClass = (Get-ADObject -Filter {SamAccountName -eq $o} -Server $dom).ObjectClass
        If ($ObjectClass -eq "user") {
            # Gets the user from that domain according to the ObjectClass rules
            $U = Get-ADUser -Identity $o -Server $dom -Properties *
            #....
        }
        If ($ObjectClass -eq "group") {
            $G = Get-ADGroup -Identity $o -Server $dom -Properties *
            #....
        }
    }
}
#....
#....
Note: I don't have the AD module installed so I couldn't test it. Let me know if it fails.
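As an added example (not code from the question or the answer above), here is a complete version of the forest-wide lookup. It goes further than the answer in two ways a practitioner wants: a SamAccountName is only unique within one domain, so every hit is tagged with the domain it came from instead of the first match winning, and group members that live in another domain are re-read from their own domain. The account names in $list are hypothetical sample input, and the code assumes each domain's DNS name is the DC= components of its DN (true unless a domain was renamed).

```powershell
Import-Module ActiveDirectory

# One query target per domain in the forest: the PDC emulator of each domain.
function Get-ForestDomainServers {
    (Get-ADForest).Domains | ForEach-Object { (Get-ADDomain -Identity $_).PDCEmulator }
}

# Look a SamAccountName up in every domain of the forest and report what it is.
# One record per hit, tagged with the domain; the same name can legitimately
# exist in several domains and the caller must not silently get the first one.
function Resolve-ADObjectInForest {
    param(
        # sAMAccountName cannot contain " / \ [ ] : ; | = , + * ? < >, so reject such
        # input up front instead of splicing it into a filter string.
        [Parameter(Mandatory)]
        [ValidatePattern('^[^"/\\\[\]:;|=,+*?<>]+$')]
        [string]$SamAccountName,
        [string[]]$Servers = (Get-ForestDomainServers)
    )
    # Parentheses are legal in a sAMAccountName but special in an LDAP filter (RFC 4515).
    $escaped = $SamAccountName -replace '\(', '\28' -replace '\)', '\29'
    foreach ($server in $Servers) {
        $hits = @(Get-ADObject -Server $server -LDAPFilter "(sAMAccountName=$escaped)" -Properties description, displayName)
        foreach ($hit in $hits) {
            [PSCustomObject]@{
                Domain            = $server
                SamAccountName    = $SamAccountName
                ObjectClass       = $hit.ObjectClass
                DisplayName       = $hit.DisplayName
                Description       = $hit.Description
                DistinguishedName = $hit.DistinguishedName
            }
        }
    }
}

# Users in a group, including nested groups (-Recursive). Members from other
# domains come back with a DN in that domain, so each user is read from its own
# domain (assumption: domain DNS name == the DC= parts of the DN).
function Get-GroupUsersInForest {
    param([Parameter(Mandatory)][string]$GroupDN, [Parameter(Mandatory)][string]$Server)
    Get-ADGroupMember -Identity $GroupDN -Server $Server -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $dcs = ($_.DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC='
            Get-ADUser -Identity $_.DistinguishedName -Server ($dcs -join '.') -Properties DisplayName, Description
        }
}

# Constructed sample input standing in for C:\temp\ADGroups.txt (hypothetical names).
$list    = @('jdoe', 'File-Share-Readers')
$servers = Get-ForestDomainServers

$users = foreach ($name in $list) {
    Resolve-ADObjectInForest -SamAccountName $name -Servers $servers | Where-Object ObjectClass -eq 'user'
}
$groups = foreach ($name in $list) {
    Resolve-ADObjectInForest -SamAccountName $name -Servers $servers | Where-Object ObjectClass -eq 'group' |
        ForEach-Object {
            $g = $_
            Get-GroupUsersInForest -GroupDN $g.DistinguishedName -Server $g.Domain | ForEach-Object {
                [PSCustomObject]@{
                    GroupDomain        = $g.Domain
                    GroupName          = $g.SamAccountName
                    GroupDescription   = $g.Description
                    GroupMemberName    = $_.Name
                    GroupMemberLoginID = $_.SamAccountName
                    GroupMemberDesc    = $_.Description
                }
            }
        }
}

$users  | Export-Csv C:\temp\PCMUsers.csv  -NoTypeInformation
$groups | Export-Csv C:\temp\PCMGroups.csv -NoTypeInformation
```

If a name in the list resolves in more than one domain you will get one row per domain; that is deliberate, because a report that quietly picked one of them would misattribute the permission.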
I am a novice at PowerShell and starting to learn the syntax and what logic is needed, but I have given this a good go.
I need to pop in a conditional field that does the below
If users are a member of the "Domain Admins" group, then show "Administrator"
If users are a member of the "ReadOnlyAccess" group, then show "Read Only"
But my script doesn't quite do this and I wondered how my script could be changed to get what I need it to do.
This is my script below:
Import-Module ActiveDirectory
$OUPath = "OU=1_Users,DC=DGDomain,DC=Local"
$filepath = "C:\temp\users.csv"
$readonlygroup = "ReadOnlyAccess"
$readonlygroupmembers = Get-ADGroupMember -Identity $readonlygroup | Get-ADUser -Properties SamAccountName | Select SamAccountName
$admingroup = "Domain Admins"
$admingroupmembers = Get-ADGroupMember -Identity $admingroup | Get-ADUser -Properties SamAccountName | Select SamAccountName
$users = Get-ADUser -Filter * -Properties * -SearchBase $OUPath |
    Where-Object { $_.Enabled -eq $true } |
    Select SamAccountName
Get-ADUser -Filter * -Properties * -SearchBase $OUPath |
    Where-Object { $_.Enabled -eq $true } |
    Select SamAccountName,
        DisplayName,
        @{Label = "Access Level"
          Expression = {
            foreach ($user in $users) {
                if ($readonlygroupmembers -contains $users)
                { "Read Only" }
                else {
                    if ($admingroupmembers -contains $users)
                    { "Administrator" }
                    else
                    { "None" }
                }
            } } } |
    Export-csv $filepath -NoTypeInformation
This should do the trick:
$OUPath = "OU=1_Users,DC=DGDomain,DC=Local"
$filepath = "C:\temp\users.csv"
$readonlygroup = "ReadOnlyAccess"
$readonlygroupmembers = (Get-ADGroupMember -Identity $readonlygroup | Get-ADUser -Properties SamAccountName).SamAccountName
$admingroup = "Domain Admins"
$admingroupmembers = (Get-ADGroupMember -Identity $admingroup | Get-ADUser -Properties SamAccountName).SamAccountName
$users = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $OUPath -Properties DisplayName
# Capture the objects the loop emits so they can be piped to Export-Csv
$report = foreach ($user in $users) {
    if ($user.SamAccountName -in $admingroupmembers) { $groupMembership = 'DomainAdmin' }
    elseif ($user.SamAccountName -in $readonlygroupmembers) { $groupMembership = 'ReadOnly' }
    else { $groupMembership = 'None' }
    [PSCustomObject]@{
        DisplayName = $user.DisplayName
        SamAccountName = $user.SamAccountName
        AccessLevel = $groupMembership
    }
}
$report | Export-csv $filepath -NoTypeInformation
Currently I am creating a hash table with ClientCode as the key and values being any groups within the AD that have the 'Clientcode_' in its name. For example groups called 'Managers_for_client_1234_group' and 'Developers_for_client_1234_group'
$clientTable = @{ }
foreach ($row in $cemTable) {
    $clientCode = "$($row.ClientCode)"
    $groups = @(Get-ADGroup -Filter "Name -like '*$($row.ClientCode)_*'" -SearchScope OneLevel -SearchBase "OU=Client-related Groups,OU=SomeGroups,DC=somecompany,DC=com" | select -Expand Name)
    write-host "Found $($groups.count) group(s) for: $($row.ClientCode)"
    $clientTable[$clientCode] = $groups -join ","
}
$clientTable
I now want to search through the results of my Get-ADGroup search and assign them to variables depending on the group. For example all the groups within my search that are managers will be assigned to a managers variable, and the same for other roles. This will allow me to automate and change telemetry in the future if I want to change/restrict/give access etc. So far I've edited it to this.
foreach($row in $cemTable) {
    $clientCode = "$($row.ClientCode)"
    $groups = @(Get-ADGroup -Filter "Name -like '*$($row.ClientCode)_*'" -SearchScope OneLevel -SearchBase "OU=Client-related Groups,OU=Some Groups,DC=somecompany,DC=com" | select -Expand Name)
    write-host "Found $($groups.count) group(s) for: $($row.ClientCode)"
    $managers_group = $null    # not yet filled in; this is the part the question is about
    $developers_group = $null  # not yet filled in
}
UPDATE
$combined = @()
foreach($rec in $hashTable) {
    if (!($Combined | ? { $_.ClientCode -eq $rec.ClientCode })) {
        $filter = "*$($rec.ClientCode)_*"
        $groups = (Get-ADGroup -Filter 'Name -like $filter' -SearchScope OneLevel -SearchBase $MY_OU | select Name).Name
        $managers = $groups | ? { $_ -like "_Man*" }
        $developers = $groups | ? { $_ -like "_Dev*" }
        $object = [PSCustomObject]@{
            ClientCode = $rec.ClientCode
            Groups = $groups
            Managers = $managers
            Developers = $developers
        }
        $Combined += $object
    }
}
$combined
$managers.Count
$developers.Count
You could try:
$managers = $groups -like "Manager*"
$developers = $groups -like "Developers*"
Then use
$managers.count
$developers.count
to see how many items are stored in your variable
You can use the $groups you already have to create new variable with filtered objects.
# -ExpandProperty already yields the name strings, so no trailing .Name is needed
$groups = Get-ADGroup -Filter "Name -like '*$($row.ClientCode)_*'" -SearchScope OneLevel -SearchBase "OU=Client-related Groups,OU=Some Groups,DC=somecompany,DC=com" | select -Expand Name
$managers = $groups | ? { $_ -like "Manager*" }
$developers = $groups | ? { $_ -like "Developers*" }
Once you have the three things, you can save them to a list of PSObject.
Create a list of objects
$combined = @()
foreach($rec in $csv) {
    if (!($Combined | ? { $_.ClientCode -eq $rec.ClientCode })) {
        $filter = "*$($rec.ClientCode)_*"
        $groups = (Get-ADGroup -Filter 'Name -like $filter' -SearchScope OneLevel -SearchBase "OU=Client-related Groups,OU=Some Groups,DC=somecompany,DC=com" | select Name).Name
        $managers = $groups | ? { $_ -like "Manager*" }
        $developers = $groups | ? { $_ -like "Developers*" }
        $object = [PSCustomObject]@{
            ClientCode = $rec.ClientCode
            Groups = $groups
            Managers = $managers
            Developers = $developers
        }
        $Combined += $object
    }
}
$combined
Update
Note that managers and developers are part of $combined list. Each item in $combined will have a different count of managers and developers, which is I believe what you are looking for.
# Use this after you are done with your foreach loop to display the values in $combined
$combined | % { Write-Output "$($_.ClientCode) has $($_.Groups.Count) groups, $($_.Managers.Count) managers, and $($_.Developers.Count) developers" }
You can also look up groups, managers or developers for specific clientCode like this,
$result = $combined | ? {$_.ClientCode -eq "TestClientCode"}
$result.Groups
$result.Managers
$result.Developers
I'm trying to retrieve all groups, user IDs and names from AD and export this to a CSV file with three columns, one for ParentGroupName, then DisplayName, then MemberName. The below works except for DisplayName, which seems to repeat one name for all groups.
function getGroups{
    $Groups += Get-ADGroup -Filter * -SearchBase "ou=Groups,ou=DCM,ou=NTG,dc=prod,dc=main,dc=ntgov" | Select-Object -ExpandProperty samaccountname
    return $Groups
}
$Groups = getGroups
write-host "Groups:" $Groups.Count
$date = $(get-date).ToString("dd MMM yyyy")
$global:FileName = "Active Directory Group Membership - DCM -" + $date
$results = @();
foreach ($GroupName in $Groups){
    Get-ADGroupMember -Identity $GroupName | Sort-Object $_.SamAccountName |
    ForEach-Object {
        $ItemProperties = @{
            "ParentGroupName" = (Get-ADGroup -Identity $GroupName).SamAccountName;
            "MemberName" = $_.SamAccountName
        }
        if ($_.ObjectClass -eq 'group') {
            $ItemProperties.Add("DisplayName","-");
        } elseif ($_.ObjectClass -eq 'user') {
            $ItemProperties.Add("DisplayName",(Get-ADUser -Identity $MemberName -Properties DisplayName).DisplayName);
        }
        $MyItem = New-Object -TypeName psobject -property $ItemProperties;
        $Results += $MyItem;
        $ItemProperties = $null;
    }
}
$results | export-csv -path "C:
There's an error in your code: $MemberName is never set, so change it to $ItemProperties.MemberName. Here's the fixed code:
function getGroups{
    $Groups += Get-ADGroup -Filter * -SearchBase "ou=Groups,ou=DCM,ou=NTG,dc=prod,dc=main,dc=ntgov" | Select-Object -ExpandProperty samaccountname
    return $Groups
}
$Groups = getGroups
write-host "Groups:" $Groups.Count
$date = $(get-date).ToString("dd MMM yyyy")
$global:FileName = "Active Directory Group Membership - DCM -" + $date
$results = @();
foreach ($GroupName in $Groups){
    # Sort-Object takes a property name; $_ is not defined at this point
    Get-ADGroupMember -Identity $GroupName | Sort-Object SamAccountName |
    ForEach-Object {
        $ItemProperties = @{
            "ParentGroupName" = (Get-ADGroup -Identity $GroupName).SamAccountName;
            "MemberName" = $_.SamAccountName
        }
        if ($_.ObjectClass -eq 'group') {
            $ItemProperties.Add("DisplayName","-");
        } elseif ($_.ObjectClass -eq 'user') {
            $ItemProperties.Add("DisplayName",(Get-ADUser -Identity $ItemProperties.MemberName -Properties DisplayName).DisplayName);
        }
        $MyItem = New-Object -TypeName psobject -property $ItemProperties;
        $Results += $MyItem;
        $ItemProperties = $null;
    }
}
$results | export-csv -path "C:\1"
I want to export a CSV file with the columns "ParentGroupName", "MemberName", "DisplayName".
At the moment it is exporting the three values into one column.
function getGroups{
    $Groups += Get-ADGroup -Filter * -SearchBase "ou=Groups,ou=DCM,ou=NTG,dc=prod,dc=main,dc=ntgov" | Select-Object -ExpandProperty samaccountname
    return $Groups
}
Measure-Command{
    $Groups = getGroups
    write-host "Groups:" $Groups.Count
}
Measure-Command{
    $date = $(get-date).ToString("dd MMM yyyy")
    $global:FileName = "Active Directory Group Membership - DCM -" + $date
    $stringBuilder = New-Object System.Text.StringBuilder
    foreach ($GroupName in $Groups){
        Get-ADGroupMember -Identity $GroupName | Sort-Object $_.SamAccountName | ForEach-Object {
            $ParentGroupName = (Get-ADGroup -Identity $GroupName).SamAccountName
            $MemberName = $_.SamAccountName # Member of the Group.
            if ($_.ObjectClass -eq 'group') {
                $DisplayName = ' - '
            } elseif ($_.ObjectClass -eq 'user') {
                $a = (Get-ADUser -Identity $MemberName -Properties Displayname)
                $DisplayName = $a.DisplayName
            }
            $null = $stringBuilder.Append("$ParentGroupName, $MemberName, $DisplayName")
        }
    }
    # variable names need the $ sigil
    $outputArray = $stringBuilder.ToString()
    out-file C:\Users\augut\Desktop\$FileName.csv
    $outputArray | out-file C:\Users\augut\Desktop\$FileName.csv
}
You're making a headache for yourself by manually constructing the CSV file. This can be simplified considerably by constructing a custom object for each item found with the properties you need recorded, then stuffing those into an array and exporting that array to a CSV file.
function getGroups{
    $Groups += Get-ADGroup -Filter * -SearchBase "ou=Groups,ou=DCM,ou=NTG,dc=prod,dc=main,dc=ntgov" | Select-Object -ExpandProperty samaccountname
    return $Groups
}
$Groups = getGroups
write-host "Groups:" $Groups.Count
$date = $(get-date).ToString("dd MMM yyyy")
$global:FileName = "Active Directory Group Membership - DCM -" + $date
$results = @();
foreach ($GroupName in $Groups){
    # Sort-Object takes a property name; $_ is not defined at this point
    Get-ADGroupMember -Identity $GroupName | Sort-Object SamAccountName | ForEach-Object {
        $ItemProperties = @{
            "ParentGroupName" = (Get-ADGroup -Identity $GroupName).SamAccountName;
            "MemberName" = $_.SamAccountName
        }
        if ($_.ObjectClass -eq 'group') {
            $ItemProperties.Add("DisplayName","-");
        } elseif ($_.ObjectClass -eq 'user') {
            # look the member up by its own SamAccountName (the current pipeline object)
            $ItemProperties.Add("DisplayName",(Get-ADUser -Identity $_.SamAccountName -Properties DisplayName).DisplayName);
        }
        $MyItem = New-Object -TypeName psobject -property $ItemProperties;
        $Results += $MyItem;
        $ItemProperties = $null;
    }
}
$results | export-csv -path "C:\Users\augut\Desktop\$FileName.csv" -NoTypeInformation
edited from original question because the real problem was something unrelated to the question
I got a list of trustees from NTFS permissions and now I want to expand the groups to show membership. If I have a SAM name like MyDomain\name, there's no indication of whether that is a group or not. The Get-ADobject command has an ObjectClass property which will indicate group or user if this is an Active Directory domain object. One can use:
Get-ADObject -filter 'SamAccountName -eq "My Users"' or
$sam = "My Users"
Get-ADObject -filter 'SamAccountName -eq $sam'
Thanks to JPBlanc who had an alternate form of writing that with a script block and some other suggestions.
And thanks, user2142466. That looks like a good suggestion for my original script.
You can use a variable using:
$sam = "My Users"
Get-ADObject -Filter {(SamAccountName -eq $sam)}
But I agree that using vars in -Filter sometimes results in strange behaviours with vars (see this question), so I prefer to use -LDAPFilter.
Get-ADObject -LDAPFilter "(sAMAccountName=$sam)"
Be careful: -LDAPFilter uses Polish notation for the filter. It's a bit disconcerting at the beginning, but here it's the natural way of filtering using the underlying protocol, LDAP.
You can get more information about this syntax in Search Filter Syntax; you can also get corresponding filters in About_ActiveDirectory_Filter.
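Added example, not part of the answer above: when a value taken from somewhere else (an ACL trustee list, a CSV, user input) is spliced into an -LDAPFilter string, the characters that are special in LDAP filter syntax must be escaped per RFC 4515, or the value can change the meaning of the filter. The function below does that escaping; the names it is run against are constructed, and the final Get-ADObject call is the only line that needs a domain.

```powershell
# RFC 4515 escaping for a value placed inside an LDAP filter. The five characters
# that change a filter's meaning become \xx hex escapes; everything else, quotes
# included, means nothing to LDAP and is left alone. Order matters: the backslash
# is escaped first, or the backslashes introduced afterwards would be escaped again.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function New-SamAccountFilter {
    param([Parameter(Mandatory)][string]$SamAccountName)
    "(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName))"
}

# Constructed inputs showing why the escaping matters (no DC needed for these lines).
$wildcard = '*'                      # a "name" that is really a wildcard
"unescaped: (sAMAccountName=$wildcard)"        # (sAMAccountName=*)   -> matches every object that has the attribute
"escaped:   $(New-SamAccountFilter $wildcard)" # (sAMAccountName=\2a) -> matches only a literal *

$injected = 'svc)(objectClass=*'     # closes the term early and smuggles in a second one
"unescaped: (sAMAccountName=$injected)"        # (sAMAccountName=svc)(objectClass=*) -> a different filter
"escaped:   $(New-SamAccountFilter $injected)" # (sAMAccountName=svc\29\28objectClass=\2a)

# Against a real domain: same lookup as the answer, with the value escaped.
$sam = "My Users"
Get-ADObject -LDAPFilter (New-SamAccountFilter $sam) -Properties description
```

The same rule applies to -Filter strings built with string interpolation; the script-block form of -Filter avoids the splice altogether, which is part of why it is worth tolerating its quirks for values you do not control.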
I am guessing you are getting an array of trustees. (i.e User,Group,user,user,Group). So if you get a group then you want to pull the members from it too?
So I would look to see if it is a group, like how you are doing first and then pulling those members out of it. Add it to an another array which will contain every single user for your NTFS permissions.
# $arraytrustees holds the list of trustees (e.g. User,Group,user,user,Group)
#Create a blank Array
$NTFSUsers = @()
foreach ($object in $arraytrustees){
    $ObjectClass = (Get-ADObject -filter {SamAccountName -eq $object}).ObjectClass
    If ($ObjectClass -eq "group"){
        $AdGroupUsers = (Get-ADGroupMember -identity $object).SamAccountName
        $NTFSUsers = $NTFSUsers + $AdGroupUsers
    }else{
        $NTFSUsers = $NTFSUsers + $object
    }
}
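Added example, not code from the answer above: the answer expands one level of group membership, but NTFS trustees are usually groups that contain other groups, and the earlier "is this user in Domain Admins" check has the same blind spot. The function below follows nested groups to the users, keeps a visited set so a group that (directly or indirectly) contains itself does not loop forever, and records the chain of groups each user was reached through, which is the answer to "why does this account have access?". The trustee names are constructed sample input.

```powershell
Import-Module ActiveDirectory

# Expand NTFS trustees (DOMAIN\name or bare sAMAccountName) to the users who
# actually hold the permission, following nested groups.
function Expand-Trustees {
    param([Parameter(Mandatory)][string[]]$Trustees)

    $seen    = @{}   # group DNs already expanded: breaks cycles, and expands each group once
    $results = New-Object System.Collections.Generic.List[object]

    function Add-Result([string]$Sam, [string[]]$Via, [string]$Note) {
        $results.Add([PSCustomObject]@{
            Trustee = if ($Via.Count) { $Via[0] } else { $Sam }     # what the ACL named
            User    = $Sam
            Via     = if ($Via.Count) { $Via -join ' > ' } else { 'direct' }  # group chain
            Note    = $Note
        })
    }

    function Expand-One([string]$Sam, [string[]]$Via) {
        if (-not $Sam) { Add-Result -Sam '' -Via $Via -Note 'member without sAMAccountName'; return }
        # Parentheses are legal in a sAMAccountName but special in an LDAP filter.
        $escaped = $Sam -replace '\(', '\28' -replace '\)', '\29'
        $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$escaped)"
        if (-not $obj) {
            # local account, orphaned SID, or an object outside this domain
            Add-Result -Sam $Sam -Via $Via -Note 'unresolved'
            return
        }
        switch ($obj.ObjectClass) {
            'user'  { Add-Result -Sam $Sam -Via $Via -Note '' }
            'group' {
                $dn = $obj.DistinguishedName
                if ($seen.ContainsKey($dn)) { return }   # already expanded (or a cycle)
                $seen[$dn] = $true
                foreach ($m in Get-ADGroupMember -Identity $dn) {
                    Expand-One -Sam $m.SamAccountName -Via ($Via + $Sam)
                }
            }
            default { Add-Result -Sam $Sam -Via $Via -Note $obj.ObjectClass }  # e.g. computer
        }
    }

    foreach ($t in $Trustees) {
        $sam = ($t -split '\\')[-1]   # strip the DOMAIN\ prefix the ACL reports
        Expand-One -Sam $sam -Via @()
    }
    $results
}

# Constructed sample: what a trustee list pulled from an ACL might look like.
$arraytrustees = @('MYDOMAIN\jdoe', 'MYDOMAIN\Finance-Readers', 'MYDOMAIN\Share-Admins')
Expand-Trustees -Trustees $arraytrustees | Export-Csv C:\temp\NTFSUsers.csv -NoTypeInformation
```

A user reachable through two different trustees appears twice, once per chain, which is what you want for a permissions review; a group that is nested under two trustees is only expanded under the first one because of the visited set.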
I was asked to list all members of the groups, along with their ID, Name, and Description as well, so I added a couple of lines.
cls
$Users = @()
$Groups = @()
$list = Get-Content z:\pcm2.txt
Foreach ($o in $list)
{
    $ObjectClass = (Get-ADObject -Filter {SamAccountName -eq $o}).ObjectClass
    If ($ObjectClass -eq "User")
    {
        $U = Get-ADUser -Properties * -Identity $o
        $User = "" | Select FullUserName, LoginID, Description
        $User.FullUserName = $U.DisplayName
        $User.LoginID = $U.SamAccountName
        $User.Description = $U.description
        $Users += $User
    }
    Else
    {
        If ($ObjectClass -eq "Group")
        {
            $G = Get-ADGroup -Properties * -Identity $o
            $GM = Get-ADGroupMember -Identity $G.name -Recursive | Get-ADUser -Properties *
            Foreach ($gmember in $GM)
            {
                $Group = "" | Select GroupName, GroupDescription, GroupMemberName, GroupMemberLoginID, GroupMemberDesc
                $Group.GroupName = $G.Name
                $Group.GroupDescription = $G.Description
                $Group.GroupMemberName = $gmember.Name
                $Group.GroupMemberLoginID = $gmember.SamAccountName
                $Group.GroupMemberDesc = $gmember.Description
                $Groups += $Group
            }
        }
    }
}
$Users | Export-Csv z:\PCMUsers.csv -NoTypeInformation
$Groups | Export-Csv z:\PCMGroups.csv -NoTypeInformation
I received a list and was asked to determine whether the objects were users or groups, and I came up with this. It worked!
cls
$Users = @()
$Groups = @()
$list = Get-Content z:\pcm.txt
Foreach ($o in $list)
{
    $ObjectClass = (Get-ADObject -Filter {SamAccountName -eq $o}).ObjectClass
    If ($ObjectClass -eq "User")
    {
        $U = Get-ADUser -Properties * -Identity $o
        $User = "" | Select FullUserName, LoginID, Description
        $User.FullUserName = $U.DisplayName
        $User.LoginID = $U.SamAccountName
        $User.Description = $U.description
        $Users += $User
    }
    Else
    {
        If ($ObjectClass -eq "Group")
        {
            $G = Get-ADGroup -Properties * -Identity $o
            $Group = "" | Select GroupName, Description
            $Group.GroupName = $G.Name
            $Group.Description = $G.Description
            $Groups += $Group
        }
    }
}
$Users | Export-Csv z:\Users.csv -NoTypeInformation
$Groups | Export-Csv z:\Groups.csv -NoTypeInformation