Sunday, June 2, 2013

Export AD group members - nested / recursive group members

Hi Readers,

As my love for PowerShell grows, so does my repository of scripts.

This script, which I have written, was requested by various community members and by front-facing teams in our organization.

To use this script you only have to input the CN of a group (any other form of the name will not work), and it will recurse through every nested group and extract the members of all of them. (The machine from which you run it must be domain-joined and must have "ADSI Edit", which is part of the administration tools.)

Just paste the script into any folder and run getmembers.bat.

It will ask you to enter the group CN.
After you enter the name it will loop through the group and write the information to text files in the same folder.

uniquemembers.txt is the list of members that are part of the group (users, but also any other non-group object found in the member attribute, such as computers or contacts), and uniquegroups.txt is the list of groups that are nested in it (including the main group). Only the CN of each object is written, so two objects with the same CN in different OUs collapse into one line, and accounts that belong to a group only through their primary group (primaryGroupID, as with Domain Users) are not listed, because they never appear in the member attribute.



PowerShell
##################################################################################
#       Author: Vikas Sukhija
#       Date: 06/31/2013
#       Description: Extract group members recursively
###################################################################################

$Group = Read-Host "Enter the group CN name"

######################check if object is group or not #############################
# Returns $true when an object with this CN exists and is a group, $false otherwise.
# Note: the CN is placed in the LDAP filter as-is; a CN containing ( ) * or \ breaks the filter.
function checkgroup ($Group1)
{
$Search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$Search.filter = "(&(objectCategory=group)(objectClass=group)(cn=$Group1))"
$found = $Search.Findall()   # not $input: that name is a PowerShell automatic variable

if ($found.Count -gt 0)
{
##Write-Host "$Group1 is a valid"
return $true
}
else
{
##Write-Host "$Group1 is a invalid"
return $false
}
}
##################################Recurse thru groups ##############################

function getallmembersrecursively ($Group)
{
$Search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$Search.filter = "(&(objectCategory=group)(objectClass=group)(cn=$Group))"
$found = $Search.Findall()

if ($found.Count -gt 0)
{
Foreach($hit in $found){   # do not reuse $Group as the loop variable: it shadows the parameter
$groupname = $hit.GetDirectoryEntry()
$GPName = $groupname.DistinguishedName
$GPMember = $groupname.member
# take the CN out of the DN, e.g. "CN=Sales,OU=Groups,DC=example,DC=com" -> "Sales"
# (a CN with an escaped comma, such as "Smith\, John", is cut short by this split)
$GPName1 = [string]$GPName
$gsplit1 = $GPName1.split(",")
$fpiece1 = $gsplit1[0]
$cnsplit1 = $fpiece1.split("=")
$GPName2 = $cnsplit1[1]

Write-Host "$GPName2 is a Group"
Add-Content .\groups.txt $GPName2

####get all groups from file to compare so as there is no circular nesting
# (read once per call: a group reached again through a different branch is walked again,
# but a group that is already in the file when this call starts is not)

$getallgroups = Get-Content .\groups.txt

Foreach($gmember in $GPMember){
# member values are DNs; take the CN the same way
$gsplit = $gmember.split(",")
$fpiece = $gsplit[0]
$cnsplit = $fpiece.split("=")
$Name = $cnsplit[1]

$isgroup = checkgroup $Name

if ($isgroup)
{
    if ($getallgroups -contains $Name)
        {
            Write-Host "$Name equals $GPName2"
            #####not needed for troubleshooting######Add-Content .\conflict.txt "$Name equals $getallgroups -----"

        }
    else
        {
            #####not needed for troubleshooting######Add-Content .\donotconflict.txt "$Name recurse"
            getallmembersrecursively $Name
        }
}

else
{
Write-Host $Name
Add-Content .\members.txt $Name
##############Write-Host "$Name not equals $GPName2"

}
}
}
}
}
#######################################################################
getallmembersrecursively $Group
sleep 5
#########################unique members################################

$uniquemembers = Get-Content .\members.txt
$uniquemembers = $uniquemembers | select -uniq
Add-Content .\uniquemembers.txt $uniquemembers

$uniquegroups = Get-Content .\groups.txt
$uniquegroups = $uniquegroups | select -uniq
Add-Content .\uniquegroups.txt $uniquegroups


#######################################################################
Updated to handle looping (circular nesting) of nested groups: a group whose CN is already in groups.txt is not recursed into again.
 
Note: don't forget to delete the output files (groups.txt, members.txt, uniquemembers.txt and uniquegroups.txt) if the script has been run previously, because every run appends to them.
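The same recursive walk, written so that it keys on the distinguishedName instead of the CN, escapes LDAP filter metacharacters, and records the object class of every member. This is an added example and not the script from the post; it assumes a domain-joined machine with .NET's System.DirectoryServices available, and the function names (ConvertTo-LdapFilterValue, Get-GroupEntryByCn, Get-NestedGroupMembers) are my own.

```powershell
# Added example (not the original script): recursive group walk keyed on DN.
# Assumes a domain-joined machine; $groupCn is whatever the operator types in.

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping, so a group named "Admins (Legacy)" or "*" cannot change the
    # meaning of the filter. Backslash must be replaced first.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-GroupEntryByCn {
    # Resolve a CN to exactly one group DirectoryEntry; fail loudly on 0 or more than 1 hit.
    param([string]$Cn)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"")
    $searcher.Filter = "(&(objectCategory=group)(cn=$(ConvertTo-LdapFilterValue $Cn)))"
    $hits = $searcher.FindAll()
    if ($hits.Count -ne 1) {
        throw "Expected exactly one group with CN '$Cn', found $($hits.Count)"
    }
    $hits[0].GetDirectoryEntry()
}

function Get-NestedGroupMembers {
    # Depth-first walk of the member attribute. $Visited holds the DNs of groups already
    # expanded, so a cycle (A contains B, B contains A) and a group reachable through two
    # branches are each expanded exactly once. Records are appended to $Results.
    param(
        [System.DirectoryServices.DirectoryEntry]$GroupEntry,
        [System.Collections.Generic.HashSet[string]]$Visited,
        [System.Collections.Generic.List[object]]$Results
    )
    $groupDn = [string]$GroupEntry.distinguishedName
    if (-not $Visited.Add($groupDn)) { return }

    # Caveat: a DC returns at most MaxValRange (1500 by default) values of a multi-valued
    # attribute per read; larger groups need range retrieval, which this walk does not do.
    # Membership through primaryGroupID is not in the member attribute and is not seen here.
    foreach ($memberDn in @($GroupEntry.member)) {
        if (-not $memberDn) { continue }
        # Bind by DN; a forward slash inside a DN has to be escaped in an ADsPath.
        $member = [ADSI]("LDAP://" + ([string]$memberDn -replace '/', '\/'))
        $record = [pscustomobject]@{
            Name              = [string]$member.sAMAccountName
            Class             = $member.SchemaClassName   # user, computer, group, contact, foreignSecurityPrincipal
            DistinguishedName = [string]$member.distinguishedName
            MemberOf          = [string]$GroupEntry.cn
        }
        $Results.Add($record)
        if ($member.SchemaClassName -eq 'group') {
            Get-NestedGroupMembers -GroupEntry $member -Visited $Visited -Results $Results
        }
    }
}

$groupCn = Read-Host "Enter the group CN"
$visited = New-Object 'System.Collections.Generic.HashSet[string]' -ArgumentList ([StringComparer]::OrdinalIgnoreCase)
$results = New-Object 'System.Collections.Generic.List[object]'
Get-NestedGroupMembers -GroupEntry (Get-GroupEntryByCn $groupCn) -Visited $visited -Results $results

# Non-group members de-duplicated by DN rather than by CN; every group expanded, one per line.
$results | Where-Object { $_.Class -ne 'group' } |
    Sort-Object DistinguishedName -Unique |
    Export-Csv .\uniquemembers.csv -NoTypeInformation
$visited | Set-Content .\uniquegroups.txt
```

Because the visited set is keyed on the full DN, two groups that share a CN in different OUs are told apart, and the Class column lets you drop computers and contacts from a "users" report instead of mixing them in. The output files are overwritten on every run, so there is nothing to delete beforehand.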

————————————————————————————————————————————————————
There is one more method for doing this task without this lengthy script, if you use the Quest ActiveRoles Management Shell for Active Directory (a free shell, thanks to Quest).


Just use the command line below if you have the Quest shell installed.

Get-QADGroupMember "group name" -Indirect   (you can redirect the output to a text file with >)
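A way to get the transitive membership without either the script or the Quest snap-in is to let the domain controller do the expansion with a single LDAP query using the LDAP_MATCHING_RULE_IN_CHAIN extended match (OID 1.2.840.113556.1.4.1941). This is an added example, not from the post; the function name Get-TransitiveGroupMembers and the sample DN are mine, and it assumes a domain-joined machine. Note that it takes the group's full distinguishedName, not its CN.

```powershell
# Added example (not from the post): transitive membership in one server-side LDAP query.
function Get-TransitiveGroupMembers {
    param([string]$GroupDn)
    # Escape filter metacharacters in the DN (a CN such as "Admins (Legacy)" contains two).
    $escaped = $GroupDn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"")
    # Matches every object whose memberOf chain leads to $GroupDn, however deeply nested.
    $searcher.Filter = "(memberOf:1.2.840.113556.1.4.1941:=$escaped)"
    $searcher.PageSize = 1000   # paged search, so the result is not cut off at the DC's size limit
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'objectClass', 'distinguishedName'))
    foreach ($hit in $searcher.FindAll()) {
        $sam     = @($hit.Properties['samaccountname'])
        $classes = @($hit.Properties['objectclass'])   # the structural class is the last value
        $dn      = @($hit.Properties['distinguishedname'])
        [pscustomobject]@{
            Name              = [string]$sam[0]
            Class             = [string]$classes[$classes.Count - 1]
            DistinguishedName = [string]$dn[0]
        }
    }
}

# Usage (sample DN is made up): nested groups are returned too, with Class "group",
# so filter them out for a list of end members only.
Get-TransitiveGroupMembers -GroupDn 'CN=Sales,OU=Groups,DC=example,DC=com' |
    Where-Object { $_.Class -ne 'group' } |
    Export-Csv .\uniquemembers.csv -NoTypeInformation
```

Like the member-attribute walk, this does not see accounts that belong only through their primary group (primaryGroupID). If the RSAT ActiveDirectory module is available, Get-ADGroupMember -Recursive performs the same expansion through Active Directory Web Services, which by default refuses to return more than 5000 members for a single group.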


follow me :- http://msexchange.me
Regards
Sukhija Vikas
