List users in groups in AD

vCole · January 2009

My boss wants me to list all users in all groups in AD.

How would I do this? I'm assuming a VB script? Which I have never used before

help?

dynamik · January 2009

HP, where's your powershell script?

vCole · January 2009

dynamik wrote: »

HP, where's your powershell script?

eh?

Dell servers.

dynamik · January 2009

Just wait, you'll see

meadIT · January 2009

What's a PowerShell?

(contributes to the devaluation of the royal™)

Vogon Poet · January 2009

Hope this helps.

http://www.petri.co.il/list_all_users_and_groups_in_domain.htm

HeroPsycho · January 2009

Me thinks dynamik was referring to yours truly.

Go get the quest AD cmdlets and powershell:

www.microsoft.com/powershell
http://www.quest.com/activeroles-server/arms.aspx

Ensure you launch the Quest Powershell tool, not a normal Powershell session (under start - programs - Quest).

You're wanting to enumerate every group?!

$groups = get-qadgroup * -sizelimit 0
$groups | foreach-object {get-qadgroupmember}

Try that, but we're gonna have to play around with it to get it in the format you want. Post back with a sample and description of the output you receive.

Surely he's not looking to see every freaking group membership. Are there certain groups he wants to see perhaps?

vCole · January 2009

HeroPsycho wrote: »

Me thinks dynamik was referring to yours truly.

Go get the quest AD cmdlets and powershell:

www.microsoft.com/powershell
http://www.quest.com/activeroles-server/arms.aspx

Ensure you launch the Quest Powershell tool, not a normal Powershell session (under start - programs - Quest).

You're wanting to enumerate every group?!

$groups = get-qadgroup * -sizelimit 0
$groups | foreach-object {get-qadgroupmember}

Try that, but we're gonna have to play around with it to get it in the format you want. Post back with a sample and description of the output you receive.

Surely he's not looking to see every freaking group membership. Are there certain groups he wants to see perhaps?

She wants like a list of the users and what groups they're in.

Like

USER GROUP MEMBERSHIPS
name xxxx,xxxx,xxx

Or how can I output a list per group. Say, administrators and I want to find out who's in it and have it output to a txt file.

Silver Bullet · January 2009

This would do what you want (separate list for each group), but you would need to do it manually for each group

dsquery group -name Administrators | dsget group -members >c:\administrators.txt

That could possibly be scripted... if I get a sec I'll see if I can write one out.

HeroPsycho · January 2009

get-qaduser * -sizelimit 0 | select name,memberof | export-csv report.csv

If you want additional information in the report, use:

get-qaduser * -includeallproperties | get-member

Take a look at all the properties available, and add them into the select list above. For example, if you also wanted to include "city" in the report...

get-qaduser * -sizelimit 0 | select name,memberof,city | export-csv report.csv

Hope this helps!

HeroPsycho · January 2009

FadeToBright wrote: »

Or how can I output a list per group. Say, administrators and I want to find out who's in it and have it output to a txt file.

get-qadgroupmember "domain admins" | export-csv report.csv

You can also use convertto-html for a webpage formatted report, too.

royal · January 2009

Come on HP, dynamik said he wanted some scripts, not some cmdlets! Let's see you bust out some scripting!

HeroPsycho · January 2009

I'm at work. I'll make a simple script tonight if you're that needy for it. LOL...

royal · January 2009

Fade, do you still need something? I can script you out something if you need in PowerShell that'll go out and parse all groups and **** their users into a CSV for each group and without needing the Quest Snapin. Let me know and I'll write it up quick for you.

HeroPsycho · January 2009

http://www.itsatrap.net/

vCole · January 2009

royal wrote: »

Fade, do you still need something? I can script you out something if you need in PowerShell that'll go out and parse all groups and **** their users into a CSV for each group and without needing the Quest Snapin. Let me know and I'll write it up quick for you.

That would be terrific, honestly.

royal · January 2009

FadeToBright wrote: »

That would be terrific, honestly.

Well, here's what's done so far if you want to check it out. All it'll do is **** the data to the Powershell window in a very unorganized member but the below will get every group in AD and **** the membership out.

Still need to finish the outputting. Do you want it in an excel? It'd be much easier for me to create a new folder on C:\, create a new Excel for every group, and **** the membership in there.

Let me know. I love taking requests for scripts as it actually motivates me to script and learn.

$erroractionpreference = "SilentlyContinue"
function Get-GroupMembers {
$filter = "(objectCategory=Group)"
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.Filter = $filter
$colResults = $objSearcher.FindAll()
$ldapGroup = @()
$group = @()

foreach ($group in $colResults) {
$group = $group.properties
$ldapGroup += $group.adspath
}

foreach ($aGroup in $ldapGroup) {
$a = $aGroup
$b = [ADSI]"$aGroup"
foreach ($member in $b.member) { $member }
}

}
get-GroupMembers

HeroPsycho · January 2009

If you use Royal's script, and you're not familiar with PowerShell, couple of things you need to know to make the magic happen...

A. Copy the text he has into a notepad file, and save it as scriptfilename.ps1
B. Start PowerShell.
C. Use the following command to allow scripts that have not been digitally signed:

set-executionpolicy unrestricted

D. Type the full pathname of the script, or if you're already in the same directory where the script file is stored, ensure you put a backslash before the filename, or use tab to autocomplete.
E. When you're finished, use the following command to only allow digitally signed scripts to run as a security precaution if you're typically not running scripts:

set-executionpolicy Restricted

The above is why I proposed installing the Quest AD CMDLets and running this:

get-qaduser * -sizelimit 0 | select name,memberof | export-csv report.csv

In this case, a one liner is easier for you if you're trying to get a solution.

Royal and I differ on how to do this, and there's nothing wrong with either way. Royal's method doesn't require you to install anything other than PowerShell, and it helps him to learn/practice different scripting techniques. I prefer to leverage CMDLets someone else already made. I just want to get the results I'm looking for the quickest, most efficient way. You will get better results using my method of leveraging prebuilt CMDLets in the short run, but you'll learn how to script better using Royal's way in the long run.

jbaello · January 2009

Royal how about a script migrating Exchange 03 mailbox to Exchange 07

royal · January 2009

Lots of examples of that here:
You Had Me At EHLO... : Exchange 2007 migration overview

vCole · January 2009

royal wrote: »

Well, here's what's done so far if you want to check it out. All it'll do is **** the data to the Powershell window in a very unorganized member but the below will get every group in AD and **** the membership out.

Still need to finish the outputting. Do you want it in an excel? It'd be much easier for me to create a new folder on C:\, create a new Excel for every group, and **** the membership in there.

Let me know. I love taking requests for scripts as it actually motivates me to script and learn.

I don't even know if that server has excel on it.

Thanks Royal/HP/Dynamik for all the help!

Pash · January 2009

This is really useful for me too!

Are you guys just using the MSDN .net class library to search for proper uses?

I found royals class here:-

DirectorySearcher Class (System.DirectoryServices)

Note: They don't have powershell syntax examples yet, I hope they will soon.

I still don't understand the construction of the variable $group in the foreach loop though. $group.properties for example. How did we get there?

Maybe I need to read on and stop jumping the gun, but that's just me

vCole · January 2009

So, is there a way I can make a good looking report out of this, or do I need to **** it into an excel file and go from there?

Just trying to make myself look good guys

HeroPsycho · January 2009

FadeToBright,

You can make with PowerShell webpage reports with custom formatting using ConvertTo-HTML, CSV files you can open and manipulate with Excel if you have Excel skills using export-csv, and you can also create Excel spreadsheets via COM object capability from PowerShell that Royal has done in his script.

To use my one liner or Royal's script, you do NOT have to run it from the domain controller. Use either from your workstation with PowerShell, and if using my one liner, have the Quest AD CMDlets installed as well. Of course, you could use my one liner on the server to generate the CSV file report without Excel, too. Then copy it from there to a workstation with Excel, and pretty it up there.

It's all about what you want to do, what skills you're comfortable with, etc.

vCole · January 2009

HeroPsycho wrote: »

FadeToBright,

You can make with PowerShell webpage reports with custom formatting using ConvertTo-HTML, CSV files you can open and manipulate with Excel if you have Excel skills using export-csv, and you can also create Excel spreadsheets via COM object capability from PowerShell that Royal has done in his script.

To use my one liner or Royal's script, you do NOT have to run it from the domain controller. Use either from your workstation with PowerShell, and if using my one liner, have the Quest AD CMDlets installed as well. Of course, you could use my one liner on the server to generate the CSV file report without Excel, too. Then copy it from there to a workstation with Excel, and pretty it up there.

It's all about what you want to do, what skills you're comfortable with, etc.

I've never done either, so I'm really unsure of what's easier.

HeroPsycho · January 2009

You have destructions for both our methods. You gotta go play now!

I was referring more about what you're comfortable with in skills as to how to make the report look professional, etc. If you're good with Excel, pretty up a CSV report created with PowerShell. Or you could make an HTML report, and pretty it up with your fav web editor.

PowerShell is a tool to get something done. What's important is that you get it done, not so much which tool(s) you use to do it. There's nothing wrong necessarily with making a report with PowerShell and then pretty it up after the fact with another app.

royal · January 2009

Pash wrote: »

This is really useful for me too!

Are you guys just using the MSDN .net class library to search for proper uses?

I found royals class here:-

DirectorySearcher Class (System.DirectoryServices)

Note: They don't have powershell syntax examples yet, I hope they will soon.

I still don't understand the construction of the variable $group in the foreach loop though. $group.properties for example. How did we get there?

Maybe I need to read on and stop jumping the gun, but that's just me

Pash, when you get a list of the groups, it's essentially an object. You can store something in a variable and do a $variable.GetType() and see all the properties. I typically do $variable.GetType().FullName. When you run a variable, you'll even see the type before it runs. You can go to MSDN and search for that Type and it'll show you Members, Properties, Etc...

A quick way to find that though in PowerShell, is by taking the Object and piping it to Get-Member. That'll show you variables, properties, etc...

So $a | Get-Member.

You can also do $a | Get-Member -static.

For example, one TYPE Shortcut out there is [math]. Do [Math] | GM -static. You'll see Round.

So to call a static method you'd do:
[math]::round($variable,2). If $variable was 2.6342244 it'll round it to 2.63.

I suggest you get the Powershell for the absolute beginner if you want to get started.

Pash · January 2009

royal wrote: »

Pash, when you get a list of the groups, it's essentially an object. You can store something in a variable and do a $variable.GetType() and see all the properties. I typically do $variable.GetType().FullName. When you run a variable, you'll even see the type before it runs. You can go to MSDN and search for that Type and it'll show you Members, Properties, Etc...

A quick way to find that though in PowerShell, is by taking the Object and piping it to Get-Member. That'll show you variables, properties, etc...

So $a | Get-Member.

You can also do $a | Get-Member -static.

For example, one TYPE Shortcut out there is [math]. Do [Math] | GM -static. You'll see Round.

So to call a static method you'd do:
[math]::round($variable,2). If $variable was 2.6342244 it'll round it to 2.63.

I suggest you get the Powershell for the absolute beginner if you want to get started.

Many thanks royal. I will look at getting the powershell for absolute beginners to add to my other materials.

Cheers,

Gentleman1013 · July 2016

Royal, thank you for that excellent PS script! One further request to your script. My manager has requested a list of all security and distribution groups and the users that members of each of those groups. I am will to sort and clean the output in Excel from and exported .csv, but your script only reports back the AD group the user accounts are in. Can you provide a script that serves my requirements? Any help is appreciated as I am still pretty new to PS.

List users in groups in AD

Comments