List ActiveDirectory users belonging specified groups with powershell

1
votes

I would like to create a report of the active directory users who are part of certain groups.

With powershell I can get username and objectClass:

Get-ADGroup -Filter {name -Like "admin_*"} | Get-ADGroupMember | Select-Object name, objectClass

How can I add a column with the ADGroup they belong to?

I would a report like

Group           Name             objectClass
------          -------          ------------
admin_a         user1            user
admin_a         user2            user
admin_b         user1            user
admin_c         user3            user
....
3
powershellactive-directory

3 Answers

2
votes

You can use the PipelineVariable common parameter:

#requires -Version 4

Get-ADGroup -Filter 'Name -like "admin_*"' -PipelineVariable group |
    Get-ADGroupMember |
    Select-Object -Property @{L='Group'; E={$group.Name}}, name, objectClass
1
votes

This one might help, it gathers information about different groups in different domains, including nested groups in audit groups and export data to csv file. 

#groups to audit
$groups = "Domain Admins", "Schema Admins","Enterprise Admins","Administrators"
#domains to audit
$domains = "domain.local"
$date = $([System.DateTime]::Now)
$reportdate = $date.ToString("yyyy_MM_dd_HH_mm_ss")
$data = @()


foreach ($domain in $domains){

foreach ($group in $groups){
Write-Verbose "Working with $group in $domain" -Verbose
#get group
try{
$gr = $null
$gr = Get-ADGroup -Identity $group -Properties Description,created,modified,distinguishedname -ErrorAction Stop -Server $domain
#get group members
try{
$grm = $null
$grm = Get-ADGroupMember -Identity $gr -ErrorAction Stop -Server $domain

#get group members information
foreach ($groupmember in $grm){
$grmname = $groupmember.name


#
$userdomain =([RegEx]::Matches($groupmember.distinguishedname, '(?i)DC=\w{1,}?\b')|ForEach-Object { $_.Value -replace ("DC=","") }) -join '.';

try{$gm = Get-ADObject -Identity $groupmember.distinguishedname -Properties Name,ObjectClass,Samaccountname,Created,Modified,DistinguishedName,Description -Server $userdomain -ErrorAction Stop }
catch {Write-Verbose "Something is wrong with group member $grmname. Error: $_" -Verbose}

$Property = [Ordered]@{
ReportDomain = $domain;
ParrentGroup = $gr.Name;
ParrentGroupModified = $gr.Modified;
ParrentGroupCreated = $gr.Created;
MemberName = $gm.Name;
MemberClass = $gm.ObjectClass;
MemberSamaccountname = $gm.Samaccountname;
MemberDescription = $gm.Description;
MemberDN = $gm.DistinguishedName;
MemberCreated = $gm.Created;
ReportDate = $date
}

$row = New-Object -TypeName psobject -Property $Property
$data+=$row


}#foreach group member end
}#end try get group members
catch {Write-Verbose "Something is wrong with group members: $_" -Verbose}

}#end try get group
catch {Write-Verbose "Something is wrong with group: $_" -Verbose}
}#foreach group end

}#foreach domain end


$data|Export-Csv -Path C:\Temp\Group_report_$reportdate.csv -NoTypeInformation -Encoding UTF8 -Force
$data

Write-Verbose "File created: C:\Temp\Group_report_$reportdate.csv" -Verbose
1
votes

If you use ForEach-Object instead of just piping it, you can save the group's name to a variable that you can then use in the output.

Get-ADGroup -Filter {Name -like 'admin_*'} | ForEach-Object {

    $groupName = $_.Name

    $_ | Get-ADGroupMember | 
        Select-Object @{N='Group';E={$groupName}}, Name, objectClass

}

That @{N='Group';E={$groupName}} notation creates a new column with the name you choose and value you specify. The N is short for Name, and E is short for Expression. You can use those full names if you want, like @{Name='Group';Expression={$groupName}}