List users in groups in AD

vColevCole Member Posts: 1,573 ■■■■■■■□□□
My boss wants me to list all users in all groups in AD.

How would I do this? I'm assuming a VB script? Which I have never used before

help?

Comments

  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    HP, where's your powershell script?
  • vColevCole Member Posts: 1,573 ■■■■■■■□□□
    dynamik wrote: »
    HP, where's your powershell script?


    eh?

    Dell servers.
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    Just wait, you'll see ;)
  • meadITmeadIT Member Posts: 581 ■■■■□□□□□□
    What's a PowerShell?





    (contributes to the devaluation of the royal™)
    CERTS: VCDX #110 / VCAP-DCA #500 (v5 & 4) / VCAP-DCD #10(v5 & 4) / VCP 5 & 4 / EMCISA / MCSE 2003 / MCTS: Vista / CCNA / CCENT / Security+ / Network+ / Project+ / CIW Database Design Specialist, Professional, Associate
  • Vogon PoetVogon Poet Member Posts: 291
    No matter how paranoid you are, you're not paranoid enough.
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    Me thinks dynamik was referring to yours truly.

    Go get the quest AD cmdlets and powershell:

    www.microsoft.com/powershell
    http://www.quest.com/activeroles-server/arms.aspx

    Ensure you launch the Quest Powershell tool, not a normal Powershell session (under start - programs - Quest).

    You're wanting to enumerate every group?!

    $groups = get-qadgroup * -sizelimit 0
    $groups | foreach-object {get-qadgroupmember $_.DN}

    Try that, but we're gonna have to play around with it to get it in the format you want. Post back with a sample and description of the output you receive.

    Surely he's not looking to see every freaking group membership. Are there certain groups he wants to see perhaps?
    Good luck to all!
  • vColevCole Member Posts: 1,573 ■■■■■■■□□□
    HeroPsycho wrote: »
    Me thinks dynamik was referring to yours truly.

    Go get the quest AD cmdlets and powershell:

    www.microsoft.com/powershell
    http://www.quest.com/activeroles-server/arms.aspx

    Ensure you launch the Quest Powershell tool, not a normal Powershell session (under start - programs - Quest).

    You're wanting to enumerate every group?!

    $groups = get-qadgroup * -sizelimit 0
    $groups | foreach-object {get-qadgroupmember $_.DN}

    Try that, but we're gonna have to play around with it to get it in the format you want. Post back with a sample and description of the output you receive.

    Surely he's not looking to see every freaking group membership. Are there certain groups he wants to see perhaps?

    She wants like a list of the users and what groups they're in.

    Like

    USER GROUP MEMBERSHIPS
    name xxxx,xxxx,xxx



    Or how can I output a list per group. Say, administrators and I want to find out who's in it and have it output to a txt file.
  • Silver BulletSilver Bullet Member Posts: 676 ■■■□□□□□□□
    This would do what you want (separate list for each group), but you would need to do it manually for each group
    dsquery group -name Administrators | dsget group -members >c:\administrators.txt
    
    That could possibly be scripted... if I get a sec I'll see if I can write one out.
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    get-qaduser * -sizelimit 0 | select name,memberof | export-csv report.csv

    If you want additional information in the report, use:

    get-qaduser * -includeallproperties | get-member

    Take a look at all the properties available, and add them into the select list above. For example, if you also wanted to include "city" in the report...

    get-qaduser * -sizelimit 0 | select name,memberof,city | export-csv report.csv

    Hope this helps!
    Good luck to all!
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    Or how can I output a list per group. Say, administrators and I want to find out who's in it and have it output to a txt file.

    get-qadgroupmember "domain admins" | export-csv report.csv

    You can also use convertto-html for a webpage formatted report, too.
    Good luck to all!
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    Come on HP, dynamik said he wanted some scripts, not some cmdlets! Let's see you bust out some scripting!
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    I'm at work. I'll make a simple script tonight if you're that needy for it. LOL...
    Good luck to all!
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    Fade, do you still need something? I can script you out something if you need in PowerShell that'll go out and parse all groups and **** their users into a CSV for each group and without needing the Quest Snapin. Let me know and I'll write it up quick for you.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
  • vColevCole Member Posts: 1,573 ■■■■■■■□□□
    royal wrote: »
    Fade, do you still need something? I can script you out something if you need in PowerShell that'll go out and parse all groups and **** their users into a CSV for each group and without needing the Quest Snapin. Let me know and I'll write it up quick for you.


    That would be terrific, honestly.
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    That would be terrific, honestly.

    Well, here's what's done so far if you want to check it out. All it'll do is **** the data to the Powershell window in a very unorganized manner but the below will get every group in AD and **** the membership out.

    Still need to finish the outputting. Do you want it in an excel? It'd be much easier for me to create a new folder on C:\, create a new Excel for every group, and **** the membership in there.

    Let me know. I love taking requests for scripts as it actually motivates me to script and learn. :)
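    # Errors (for example, groups the caller cannot read) are suppressed.
    $erroractionpreference = "SilentlyContinue"

    function Get-GroupMembers {
        # Find every group object in the current domain.
        $filter = "(objectCategory=Group)"
        $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
        $objSearcher.Filter = $filter
        # Page the results; without PageSize, FindAll() stops at the server's result limit.
        $objSearcher.PageSize = 1000
        $colResults = $objSearcher.FindAll()
        $ldapGroup = @()

        # Collect the ADsPath (LDAP://...) of each group.
        foreach ($group in $colResults) {
            $group = $group.properties
            $ldapGroup += $group.adspath
        }

        # Bind to each group and write the DN of every member to the pipeline.
        foreach ($aGroup in $ldapGroup) {
            $b = [ADSI]"$aGroup"
            foreach ($member in $b.member) { $member }
        }
    }

    Get-GroupMembers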
    “For success, attitude is equally as important as ability.” - Harry F. Banks
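An added example, not royal's script or anything else posted in the thread: the same DirectorySearcher approach carried through to a single CSV with one row per group/member pair, including the group type, and with range retrieval so that very large groups are not silently cut short. The function names `Get-AllMembers` and `Get-GroupMemberRows` and the output file `group-members.csv` are assumptions made for this example.

```powershell
# Added example, not code from the thread. Function names and the CSV path are illustrative.
function Get-AllMembers([string]$AdsPath) {
    # AD returns a large 'member' attribute in chunks (1500 values per request
    # by default on Server 2003 and later), so request ranges until the last chunk.
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$AdsPath)
    $s.SearchScope = "Base"
    $s.Filter = "(objectClass=*)"
    $low = 0; $members = @()
    while ($true) {
        $s.PropertiesToLoad.Clear()
        [void]$s.PropertiesToLoad.Add("member;range=$low-*")
        $r = $s.FindOne()
        $attr = $r.Properties.PropertyNames | Where-Object { $_ -like "member;range=*" }
        if (-not $attr) { break }              # no members at all
        $chunk = @($r.Properties[$attr])
        $members += $chunk
        if ($attr.EndsWith("-*")) { break }    # '*' as upper bound marks the final chunk
        $low += $chunk.Count
    }
    $members
}

function Get-GroupMemberRows {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(objectCategory=group)"
    $searcher.PageSize = 1000   # without paging, FindAll() stops at the server's result limit
    [void]$searcher.PropertiesToLoad.Add("samaccountname")
    [void]$searcher.PropertiesToLoad.Add("grouptype")
    foreach ($g in $searcher.FindAll()) {
        $name = [string]$g.Properties["samaccountname"][0]
        # groupType is a signed 32-bit flag field; the sign bit marks a security group.
        $kind = "Distribution"
        if ([int]$g.Properties["grouptype"][0] -lt 0) { $kind = "Security" }
        # adspath is always present in search results, even when not requested.
        foreach ($m in Get-AllMembers ([string]$g.Properties["adspath"][0])) {
            New-Object PSObject -Property @{ Group = $name; Type = $kind; MemberDN = $m }
        }
    }
}

# A user's primary group (usually Domain Users) is stored in primaryGroupID,
# not in 'member', so those memberships do not appear in this report.
Get-GroupMemberRows | Select-Object Group, Type, MemberDN |
    Export-Csv -NoTypeInformation .\group-members.csv
```

Groups with no members produce no rows. On PowerShell 2.0 and later, `Set-ExecutionPolicy RemoteSigned -Scope Process` lets the script run in the current session without changing the machine-wide policy.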
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    If you use Royal's script, and you're not familiar with PowerShell, couple of things you need to know to make the magic happen...

    A. Copy the text he has into a notepad file, and save it as scriptfilename.ps1
    B. Start PowerShell.
    C. Use the following command to allow scripts that have not been digitally signed:

    set-executionpolicy unrestricted

    D. Type the full pathname of the script, or if you're already in the same directory where the script file is stored, ensure you put a backslash before the filename, or use tab to autocomplete.
    E. When you're finished, use the following command to only allow digitally signed scripts to run as a security precaution if you're typically not running scripts:

    set-executionpolicy Restricted

    The above is why I proposed installing the Quest AD CMDLets and running this:

    get-qaduser * -sizelimit 0 | select name,memberof | export-csv report.csv

    In this case, a one liner is easier for you if you're trying to get a solution.

    Royal and I differ on how to do this, and there's nothing wrong with either way. Royal's method doesn't require you to install anything other than PowerShell, and it helps him to learn/practice different scripting techniques. I prefer to leverage CMDLets someone else already made. I just want to get the results I'm looking for the quickest, most efficient way. You will get better results using my method of leveraging prebuilt CMDLets in the short run, but you'll learn how to script better using Royal's way in the long run.
    Good luck to all!
  • jbaellojbaello Member Posts: 1,191 ■■■□□□□□□□
    Royal how about a script migrating Exchange 03 mailbox to Exchange 07 ;)
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • vColevCole Member Posts: 1,573 ■■■■■■■□□□
    royal wrote: »
    Well, here's what's done so far if you want to check it out. All it'll do is **** the data to the Powershell window in a very unorganized manner but the below will get every group in AD and **** the membership out.

    Still need to finish the outputting. Do you want it in an excel? It'd be much easier for me to create a new folder on C:\, create a new Excel for every group, and **** the membership in there.

    Let me know. I love taking requests for scripts as it actually motivates me to script and learn. :)


    I don't even know if that server has excel on it.

    Thanks Royal/HP/Dynamik for all the help!
  • PashPash Member Posts: 1,600 ■■■■■□□□□□
    This is really useful for me too!

    Are you guys just using the MSDN .net class library to search for proper uses?

    I found royals class here:-

    DirectorySearcher Class (System.DirectoryServices)

    Note: They don't have powershell syntax examples yet, I hope they will soon.

    I still don't understand the construction of the variable $group in the foreach loop though. $group.properties for example. How did we get there?

    Maybe I need to read on and stop jumping the gun, but that's just me ;)
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • vColevCole Member Posts: 1,573 ■■■■■■■□□□
    So, is there a way I can make a good looking report out of this, or do I need to **** it into an excel file and go from there?


    Just trying to make myself look good guys
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    FadeToBright,

    You can make with PowerShell webpage reports with custom formatting using ConvertTo-HTML, CSV files you can open and manipulate with Excel if you have Excel skills using export-csv, and you can also create Excel spreadsheets via COM object capability from PowerShell that Royal has done in his script.

    To use my one liner or Royal's script, you do NOT have to run it from the domain controller. Use either from your workstation with PowerShell, and if using my one liner, have the Quest AD CMDlets installed as well. Of course, you could use my one liner on the server to generate the CSV file report without Excel, too. Then copy it from there to a workstation with Excel, and pretty it up there.

    It's all about what you want to do, what skills you're comfortable with, etc.
    Good luck to all!
  • vColevCole Member Posts: 1,573 ■■■■■■■□□□
    HeroPsycho wrote: »
    FadeToBright,

    You can make with PowerShell webpage reports with custom formatting using ConvertTo-HTML, CSV files you can open and manipulate with Excel if you have Excel skills using export-csv, and you can also create Excel spreadsheets via COM object capability from PowerShell that Royal has done in his script.

    To use my one liner or Royal's script, you do NOT have to run it from the domain controller. Use either from your workstation with PowerShell, and if using my one liner, have the Quest AD CMDlets installed as well. Of course, you could use my one liner on the server to generate the CSV file report without Excel, too. Then copy it from there to a workstation with Excel, and pretty it up there.

    It's all about what you want to do, what skills you're comfortable with, etc.

    I've never done either, so I'm really unsure of what's easier.
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    You have destructions for both our methods. You gotta go play now!

    I was referring more about what you're comfortable with in skills as to how to make the report look professional, etc. If you're good with Excel, pretty up a CSV report created with PowerShell. Or you could make an HTML report, and pretty it up with your fav web editor.

    PowerShell is a tool to get something done. What's important is that you get it done, not so much which tool(s) you use to do it. There's nothing wrong necessarily with making a report with PowerShell and then pretty it up after the fact with another app.
    Good luck to all!
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    Pash wrote: »
    This is really useful for me too!

    Are you guys just using the MSDN .net class library to search for proper uses?

    I found royals class here:-

    DirectorySearcher Class (System.DirectoryServices)

    Note: They don't have powershell syntax examples yet, I hope they will soon.

    I still don't understand the construction of the variable $group in the foreach loop though. $group.properties for example. How did we get there?

    Maybe I need to read on and stop jumping the gun, but that's just me ;)

    Pash, when you get a list of the groups, it's essentially an object. You can store something in a variable and do a $variable.GetType() and see all the properties. I typically do $variable.GetType().FullName. When you run a variable, you'll even see the type before it runs. You can go to MSDN and search for that Type and it'll show you Members, Properties, Etc...

    A quick way to find that though in PowerShell, is by taking the Object and piping it to Get-Member. That'll show you variables, properties, etc...

    So $a | Get-Member.

    You can also do $a | Get-Member -static.

    For example, one TYPE Shortcut out there is [math]. Do [Math] | GM -static. You'll see Round.

    So to call a static method you'd do:
    [math]::round($variable,2). If $variable was 2.6342244 it'll round it to 2.63.

    I suggest you get the Powershell for the absolute beginner if you want to get started.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • PashPash Member Posts: 1,600 ■■■■■□□□□□
    royal wrote: »
    Pash, when you get a list of the groups, it's essentially an object. You can store something in a variable and do a $variable.GetType() and see all the properties. I typically do $variable.GetType().FullName. When you run a variable, you'll even see the type before it runs. You can go to MSDN and search for that Type and it'll show you Members, Properties, Etc...

    A quick way to find that though in PowerShell, is by taking the Object and piping it to Get-Member. That'll show you variables, properties, etc...

    So $a | Get-Member.

    You can also do $a | Get-Member -static.

    For example, one TYPE Shortcut out there is [math]. Do [Math] | GM -static. You'll see Round.

    So to call a static method you'd do:
    [math]::round($variable,2). If $variable was 2.6342244 it'll round it to 2.63.

    I suggest you get the Powershell for the absolute beginner if you want to get started.

    Many thanks royal. I will look at getting the powershell for absolute beginners to add to my other materials.

    Cheers,
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • Gentleman1013Gentleman1013 Registered Users Posts: 1 ■□□□□□□□□□
    Royal, thank you for that excellent PS script! One further request to your script. My manager has requested a list of all security and distribution groups and the users that are members of each of those groups. I am willing to sort and clean the output in Excel from an exported .csv, but your script only reports back the AD group the user accounts are in. Can you provide a script that serves my requirements? Any help is appreciated as I am still pretty new to PS.