2
votes

I'm looking to build a script which would show Active Directory group hierarchy.

Unfortunately a simple Get-ADGroupMember $group -Recursive lists only members, not groups.

Example:

Group1 is the main group; it has 3 subgroups named GroupA, B, C. So GroupA, B, C are MemberOf Group1.

GroupA has no subgroups

GroupB has 2 subgroups named subGroup1,2

GroupC has 1 subgroup named subGroup3

subGroup1, 2, 3 have no subgroups.

Ideally it would be great to have output something like this:

Level1 Level2 Level3   Level4
Group1 GroupA 
       GroupB subGroup1
              subGroup2
       GroupC subGroup3

Of course I have Googled it, and I found two websites:

http://powershell.com/cs/forums/p/9588/15894.aspx

http://www.experts-exchange.com/Programming/Languages/Scripting/Powershell/Q_27346526.html

It's a little over my scope to understand them; in the first link there is a simple script.

function Get-GroupHierarchy ($searchGroup)
{
    Import-Module ActiveDirectory
    # Sorting objectClass descending lists nested groups before users
    $groupMember = Get-ADGroupMember $searchGroup | Sort-Object objectClass -Descending
    foreach ($member in $groupMember)
    {
        Write-Host $member.objectClass, ":", $member.name
        # Recurse into each nested group (no guard against circular nesting)
        if ($member.objectClass -eq "group")
        {
            Get-GroupHierarchy $member.name
        }
    }
}

I put $searchGroup = "Administrators" before the script, but the script doesn't show any results. It has 3 sub-groups if I do Get-ADGroupMember. Probably I don't know how to work with functions.

How do I make those scripts work, or make something similar?

1
This should be helpful: stackoverflow.com/questions/22217497/… (Raf)

1 Answer

0
votes

To directly answer your question of how to make that script work, you call the function as such:

Get-GroupHierarchy "Administrators"

But if you read further in the forum post somebody does note an issue with the function... circular references. Given this:

Group1    -GroupA    -GroupX
          -GroupB    -GroupY
                     -Group1

The function would never finish. It would get the members of Group1, then GroupA, then GroupX. After GroupX it wouldn't have any more nested groups, so it would move down to GroupB, and then GroupY, and then Group1, where it would start on GroupA again. It would cycle over and over. I've never tried it, so I don't know if it can be done with AD groups, but if you can nest groups within groups that are nested within themselves then this will give you problems.
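The following is an added example, not code from the question or the answer above: a rewrite of the recursive walker that records every group it has already expanded, so the circular nesting the answer describes (Group1 -> GroupB -> Group1) is reported once and not followed, and that emits Level/Name objects rather than Write-Host text so the output can be turned into the per-level columns the question asks for. The -MemberLookup parameter, the Note column and the $sampleDirectory table are assumptions of this example; the table stands in for Active Directory so the script runs offline, and the default lookup calls the real Get-ADGroupMember.

```powershell
# Added example: hierarchy walker with circular-reference protection.
function Get-GroupHierarchy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SearchGroup,
        # Hypothetical hook so the walker can be run against constructed data.
        # Defaults to the real cmdlet; each returned object needs Name and ObjectClass.
        [scriptblock] $MemberLookup = { param($g) Get-ADGroupMember -Identity $g },
        [int] $Level = 1,
        # Shared across the whole walk: every group expanded so far.
        [System.Collections.Generic.HashSet[string]] $Visited =
            [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    )

    # Record this group before recursing; seeing it again below means a cycle.
    [void] $Visited.Add($SearchGroup)
    [pscustomobject]@{ Level = $Level; Name = $SearchGroup; Type = 'group'; Note = '' }

    # Groups first (ObjectClass descending), then by name so output order is deterministic.
    $members = & $MemberLookup $SearchGroup |
        Sort-Object @{ Expression = 'ObjectClass'; Descending = $true }, Name

    foreach ($member in $members) {
        if ($member.ObjectClass -ne 'group') {
            # Users, computers etc. are listed but never expanded.
            [pscustomobject]@{ Level = $Level + 1; Name = $member.Name; Type = $member.ObjectClass; Note = '' }
        }
        elseif ($Visited.Contains($member.Name)) {
            # Already expanded higher up or earlier: report it and stop here.
            [pscustomobject]@{ Level = $Level + 1; Name = $member.Name; Type = 'group'; Note = 'circular reference, not expanded' }
        }
        else {
            Get-GroupHierarchy -SearchGroup $member.Name -MemberLookup $MemberLookup `
                -Level ($Level + 1) -Visited $Visited
        }
    }
}

# Constructed sample directory (not real AD data): the cyclic layout from the
# answer, plus one user so that non-group members show up as well.
$sampleDirectory = @{
    'Group1' = @(
        [pscustomobject]@{ Name = 'GroupA'; ObjectClass = 'group' },
        [pscustomobject]@{ Name = 'GroupB'; ObjectClass = 'group' }
    )
    'GroupA' = @([pscustomobject]@{ Name = 'GroupX'; ObjectClass = 'group' })
    'GroupB' = @(
        [pscustomobject]@{ Name = 'GroupY'; ObjectClass = 'group' },
        [pscustomobject]@{ Name = 'Group1'; ObjectClass = 'group' }   # the loop back
    )
    'GroupX' = @([pscustomobject]@{ Name = 'alice'; ObjectClass = 'user' })
    'GroupY' = @()
}
$lookup = { param($g) $sampleDirectory[$g] }.GetNewClosure()

# Render as an indented tree: one column per level, as in the question's layout.
Get-GroupHierarchy -SearchGroup 'Group1' -MemberLookup $lookup |
    ForEach-Object {
        $line = ('    ' * ($_.Level - 1)) + $_.Name
        if ($_.Type -ne 'group') { $line += " ($($_.Type))" }
        if ($_.Note) { $line += " [$($_.Note)]" }
        $line
    }
```

Against real AD the call is simply Get-GroupHierarchy -SearchGroup 'Administrators'. Because the visited set is shared across the whole walk, a group that is legitimately nested under two different parents is expanded only the first time it is met and reported as "not expanded" afterwards; if you need every branch shown in full, pass a fresh copy of the set to each recursive call and keep only the ancestors in it. When you key the set on real directory objects, use DistinguishedName rather than Name, since two groups in different containers can share a name.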