Last week a fellow Dutch IT Pro named Kees Baggerman mentioned something about the ability to use PowerShell to report all members of the Domain Admins group in an Active Directory.
So just for the fun of it I started to script… but instead of reporting on the members of one specific group, I’ve written a function you can use to get the users from ANY group you specify… I hope you find it useful!
<#
.Synopsis
Get all (nested) members of an Active Directory Group.
.DESCRIPTION
Get all (nested) members of an Active Directory Group.
.EXAMPLE
Get-ADNestedGroupMembers "Domain Admins"
.EXAMPLE
Get-ADNestedGroupMembers "Domain Admins" | Select-Object DistinguishedName
#>
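function Get-ADNestedGroupMembers {
    [CmdletBinding()]
    param ( [String] $Group )
    Import-Module ActiveDirectory
    # Direct members of the group: users, computers and nested groups.
    $Members = Get-ADGroupMember -Identity $Group
    $Members | ForEach-Object {
        if ($_.ObjectClass -eq "group") {
            # Nested group: recurse. Groups nested in a circle would make this loop forever.
            Get-ADNestedGroupMembers -Group $_.DistinguishedName
        } else {
            # Leaf member: emit it to the pipeline.
            $_
        }
    }
}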
And based on the comment below from Robert Martin, here’s a more elegant version:
<#
.Synopsis
Get all (nested) members of an Active Directory Group.
.DESCRIPTION
Get all (nested) members of an Active Directory Group.
.EXAMPLE
Get-ADNestedGroupMembers "Domain Admins"
.EXAMPLE
Get-ADNestedGroupMembers "Domain Admins" | Select-Object DistinguishedName
#>
function Get-ADNestedGroupMembers {
    [CmdletBinding()]
    param ( [String] $Group )
    Import-Module ActiveDirectory
    # -Recursive lets the cmdlet walk nested groups itself and return only the leaf members.
    $Members = Get-ADGroupMember -Identity $Group -Recursive
    $Members
}
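When auditing a privileged group such as Domain Admins it also helps to know through which nested group each account gets its membership, which neither version above reports. The following is an added example, not code from the original post or from the comment it mentions: the function name, its parameters and the sample directory are hypothetical, and only Get-ADGroupMember is a real ActiveDirectory cmdlet.

```powershell
# Added example: reports each nested member with the chain of groups that
# grants the membership, and stops on circular nesting.
function Get-ADNestedMemberPath {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $Group,
        # Returns a group's direct members; pass a stub to run without AD.
        [scriptblock] $Resolver = { param($g) Get-ADGroupMember -Identity $g },
        [string[]] $Path = @(),
        [System.Collections.Generic.HashSet[string]] $Visited
    )
    if ($null -eq $Visited) {
        $Visited = [System.Collections.Generic.HashSet[string]]::new(
            [System.StringComparer]::OrdinalIgnoreCase)
    }
    # Add() returns $false for a group already expanded (circular nesting or
    # a second route to it), so each group is walked once and recursion ends.
    if (-not $Visited.Add($Group)) { return }
    $here = $Path + $Group
    foreach ($m in (& $Resolver $Group)) {
        if ($m.objectClass -eq 'group') {
            Get-ADNestedMemberPath -Group $m.distinguishedName -Resolver $Resolver `
                -Path $here -Visited $Visited
        } else {
            [pscustomobject]@{ Member = $m.SamAccountName; Via = $here -join ' > ' }
        }
    }
}

# Constructed sample directory (not real data); GroupA and GroupB nest each other.
function New-Entry($Class, $Name) {
    [pscustomobject]@{ objectClass = $Class; SamAccountName = $Name; distinguishedName = $Name }
}
$sample = @{
    'Domain Admins' = (New-Entry 'user' 'alice'), (New-Entry 'group' 'GroupA')
    'GroupA'        = (New-Entry 'user' 'svc-backup'), (New-Entry 'group' 'GroupB')
    'GroupB'        = (New-Entry 'group' 'GroupA'), (New-Entry 'user' 'bob')
}
$stub = { param($g) $sample[$g] }
Get-ADNestedMemberPath -Group 'Domain Admins' -Resolver $stub
```

Against a real domain, leave out -Resolver so the default Get-ADGroupMember lookup is used. An account that is a direct member of several groups in the tree is listed once per group, which is usually what a membership review wants to see.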
Today I’ve been asked to find all disabled user accounts in an OU named “Branch Offices”.
Next, we wanted to move those accounts to an OU named “Disabled Users”.
It seems this is fairly simple by using the Search-ADAccount and Move-ADObject cmdlets:
Search-ADAccount -AccountDisabled -UsersOnly -SearchBase "OU=Branch Offices, DC=Company,DC=LAN" | Move-ADObject -TargetPath "OU=Disabled Users, DC=Company,DC=LAN"
But… what if the user objects are in an OU protected against accidental deletion? You’ll get an error.
So you could either use the GUI to remove this setting, move the users and then re-apply the setting… or you can script it:
# To remove the protection
Get-ADOrganizationalUnit -Filter "Name -eq 'Branch Offices'" -Properties ProtectedFromAccidentalDeletion | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $False

# To move the users
Search-ADAccount -AccountDisabled -UsersOnly -SearchBase "OU=Branch Offices, DC=Company,DC=LAN" | Move-ADObject -TargetPath "OU=Disabled Users, DC=Company,DC=LAN"

# To re-apply the protection
Get-ADOrganizationalUnit -Filter "Name -eq 'Branch Offices'" -Properties ProtectedFromAccidentalDeletion | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True
