Last week a fellow Dutch IT Pro named Kees Baggerman mentioned something about the ability to use PowerShell to report all members of the Domain Admins in an Active Directory.
So just for the fun of it I started to script… but instead of reporting for the members of a specific group I’ve written a function you can use to get the users from ANY group you specify… I hope you find it useful!
```powershell
<#
.Synopsis
   Get all (nested) members of an Active Directory Group.
.DESCRIPTION
   Get all (nested) members of an Active Directory Group.
.EXAMPLE
   Get-ADNestedGroupMembers "Domain Admins"
.EXAMPLE
   Get-ADNestedGroupMembers "Domain Admins" | Select-Object DistinguishedName
#>
function Get-ADNestedGroupMembers {
    [cmdletbinding()]
    param (
        [String] $Group
    )
    Import-Module ActiveDirectory
    $Members = Get-ADGroupMember -Identity $Group
    $members | % {
        if ($_.ObjectClass -eq "group") {
            Get-ADNestedGroupMembers -Group $_.distinguishedName
        } else {
            return $_
        }
    }
}
```
And based on the comment below from Robert Martin, here’s a more elegant version:
```powershell
<#
.Synopsis
   Get all (nested) members of an Active Directory Group.
.DESCRIPTION
   Get all (nested) members of an Active Directory Group.
.EXAMPLE
   Get-ADNestedGroupMembers "Domain Admins"
.EXAMPLE
   Get-ADNestedGroupMembers "Domain Admins" | Select-Object DistinguishedName
#>
function Get-ADNestedGroupMembers {
    [cmdletbinding()]
    param (
        [String] $Group
    )
    Import-Module ActiveDirectory
    $Members = Get-ADGroupMember -Identity $Group -Recursive
    $members
}
```
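When auditing a privileged group, two things matter that neither version shows: the hand-written recursion never terminates if two groups contain each other, and `-Recursive` returns only the final accounts, not which nested group grants the membership. The following is an added example, not code from the original post; `Get-ADPrivilegedMemberPath`, its `-Resolver` parameter and the sample directory are hypothetical names and constructed data used for illustration.

```powershell
# Added example: walk group nesting, report the path to each member, survive cycles.
function Get-ADPrivilegedMemberPath {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $Group,
        # Returns the direct members of one group; swap it out to test without AD.
        [scriptblock] $Resolver = { param($g) Get-ADGroupMember -Identity $g },
        [string[]] $Path = @(),
        [System.Collections.Generic.HashSet[string]] $Visited =
            [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    )
    # HashSet.Add returns $false if the group was already expanded, so circular
    # nesting (A in B, B in A) stops here instead of recursing forever.
    # Trade-off: a group reachable by two routes is expanded only once.
    if (-not $Visited.Add($Group)) { return }
    $here = $Path + $Group
    foreach ($m in (& $Resolver $Group)) {
        if ($m.objectClass -eq 'group') {
            Get-ADPrivilegedMemberPath -Group $m.distinguishedName -Resolver $Resolver `
                -Path $here -Visited $Visited
        } else {
            [pscustomobject]@{
                Member = $m.distinguishedName
                Class  = $m.objectClass
                Via    = $here -join ' > '
            }
        }
    }
}

# Constructed sample directory (no AD needed): GroupA and GroupB contain each other.
$fake = @{
    'Domain Admins' = @(
        [pscustomobject]@{ objectClass = 'user';  distinguishedName = 'CN=alice,DC=example,DC=test' }
        [pscustomobject]@{ objectClass = 'group'; distinguishedName = 'GroupA' })
    'GroupA' = @(
        [pscustomobject]@{ objectClass = 'user';  distinguishedName = 'CN=bob,DC=example,DC=test' }
        [pscustomobject]@{ objectClass = 'group'; distinguishedName = 'GroupB' })
    'GroupB' = @(
        [pscustomobject]@{ objectClass = 'group'; distinguishedName = 'GroupA' })
}
Get-ADPrivilegedMemberPath -Group 'Domain Admins' -Resolver { param($g) $fake[$g] }
```

Against a real domain, omit `-Resolver` so the default `Get-ADGroupMember` lookup is used; the `Via` column then shows which intermediate group to review or clean up.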
There is a much simpler solution —
Get-ADGroupMember "Domain Admins" -Recursive
The Recursive switch does wonders
help get-adgroupmember -parameter recursive:
-Recursive
Specifies that the cmdlet get all members in the hierarchy of a group that do not contain child objects. The following example shows a hierarchy for the group SaraDavisReports.
+SaraDavisReports [group]
 -KarenToh [user]
 -MattHinkLaptop [computer]
 +JohnSmithReports [group]
  -JoshPollock [user]
  -ArmandoPinto [user]
 +JohnSmithComputers [group]
  -JoshComputer [computer]
If you specify SaraDavisReports as the group and specify the Recursive parameter, the following members and sub-members are returned.
KarenToh
MattHinkLaptop
JoshPollock
ArmandoPinto
JoshComputer
Hi Robert,
Good comment! I completely forgot that there was a -Recursive parameter to the Get-ADGroupMember cmdlet.
I’ve updated the post accordingly.
Thanks!
Jeff.
Also, in your original example, there is an error.
Get-ADNestedGroupMembers -GroupName $_.distinguishedName
should be
Get-ADNestedGroupMembers -Group $_.distinguishedName
You’re right, thanks for posting your comment! Changed the post.