I'm new to AD and Powershell so please forgive me if I use the wrong terminology.

I have a series of 50+ Active Directory groups called "ABC-something". Every active user needs to belong to exactly one group. Users are also members of other groups that are used for different purposes and that should not affect this exercise.

Since we're in the middle of a big move, my population is a moving target. I'm dealing with around 1000 users, so going through an export of all the memberships for all users is less than desirable.

I'm hoping to be able to write a script that will return the userid (or samAccountName) of every user that is a member of more than one group ABC* that I could run on demand. (I assume writing a script to find active AD users NOT in a group is a different question altogether.)

Putting on my database hat, I see the logic as follows:

1) Iterate through all groups called ABC*. For each, capture all group members. I should end up with a table or object in memory looking like

Group1 PersonA
Group1 PersonB
Group2 PersonB

2) Find a way to group, or count, or iterate through this list.

This is where I get stuck because the Powershell examples I've seen so far don't manipulate the data much before exporting or displaying data.

Can you suggest a sample script to get me started, or at least point to online resources about manipulating data in Powershell?

chabzjo

3 Answers

6

Using Get-ADUser -Filter * -Properties memberOf gets a list of all users, and the groups they are a member of.

You could pipe that into a foreach or Where-Object and apply any required criteria. If you wanted to know whether a user was in both foo and bar, you could run a command like this.

# memberOf holds distinguished names, so the match is on the full DN
Get-ADUser -Filter * -Properties memberOf |
    Where-Object {
        $_.memberOf.Contains('CN=foo,OU=allsites,DC=example,DC=org') -and
        $_.memberOf.Contains('CN=bar,OU=allsites,DC=example,DC=org')
    }

Or let's say you just wanted to know how many people were in at least 7 groups?

Get-ADUser -Filter * -Properties memberOf |
    Where-Object { $_.memberOf.Count -ge 7 }
Zoredache
4

Unless you're just dead-set on going at it from the groups angle, I'd run through every user and look at their group membership, instead:

$Users = get-aduser -filter '*' -ResultSetSize 10

foreach ( $User in $Users ) {
    $uGroups = Get-ADPrincipalGroupMembership $User
    if ( $uGroups.Count -ne 1 ) {
        "{0} is a member of the following {1} groups:" -f $User.SamAccountName, $uGroups.Count
        foreach ( $group in $uGroups ) {
            "`t{0}" -f $group.Name
        }
    }
}

The -ResultSetSize 10 on the first line is just for testing; remove that part completely to run it against the entire domain. This will iterate through the users and list the people with more than one group, and what those groups are.

Get-ADGroup and Get-ADGroupMember should work similarly to the above commands for users.

You could also use something like the following as a start for looking at it from the groups side of the equation:

Get-ADGroup 'ABC-something' | Get-ADGroupMember
Hunter Eidson
1

Powershell can do most of the heavy lifting for you here. I'm using the Quest AD cmdlets for this example, but the standard ones should also work.

# Build one (Group, Member) row for every member of every ABC group.
# The wildcard matches the ABC* groups named in the question.
$FullList = @(
    ForEach ($group in (Get-QADGroup -Identity 'ABC*')) {
        Get-QADGroupMember $group |
            Select @{name="Group";expression={$group.Name}}, @{name="Member";expression={$_.SAMAccountName}}
    }
)

# Group the rows by user; Count is the number of ABC groups each user holds
$FullList | Group-Object -Property Member | Where {$_.Count -gt 1}

This will give you an output of all the user SAM Account Names and the number of groups they're in, if greater than one.

Dave_J
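The group-side procedure the question lays out (steps 1 and 2), and the approach of the last answer, written with the standard ActiveDirectory module as an added example that is not part of the question or any answer. It assumes the RSAT ActiveDirectory module is installed, that the groups are literally named `ABC-*`, and it goes one step further than the question by also reporting enabled users who hold no ABC group at all, since "exactly one group" fails in both directions.

```powershell
# Added example (not from the question or any answer). Assumes the RSAT
# ActiveDirectory module and groups named ABC-* in the current domain.
Import-Module ActiveDirectory

function Get-AbcMembershipReport {
    [CmdletBinding()]
    param(
        [string]$GroupPattern = 'ABC-*',   # assumption: the naming prefix from the question
        [string]$SearchBase                # optional OU that bounds the user population
    )

    # Step 1: one (AbcGroup, Member) row per membership, as in the question's table.
    $rows = foreach ($group in Get-ADGroup -Filter "Name -like '$GroupPattern'") {
        # Get-ADGroupMember also returns nested groups and computers; keep only user
        # objects. -Recursive is deliberately off so the row records which ABC group
        # actually granted the membership rather than a flattened result.
        Get-ADGroupMember -Identity $group |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                [pscustomobject]@{ AbcGroup = $group.Name; Member = $_.SamAccountName }
            }
    }

    # Step 2: collapse the rows per user; Count is how many ABC groups that user holds.
    $byUser = $rows | Group-Object -Property Member

    # The population that must hold exactly one group: enabled accounts only.
    $userParams = @{ Filter = 'Enabled -eq $true' }
    if ($SearchBase) { $userParams.SearchBase = $SearchBase }
    $enabled = Get-ADUser @userParams | Select-Object -ExpandProperty SamAccountName

    [pscustomobject]@{
        # What the question asks for: users in more than one ABC group, with the groups named.
        MultipleGroups = $byUser | Where-Object Count -gt 1 | ForEach-Object {
            [pscustomobject]@{ User = $_.Name; Count = $_.Count; Groups = ($_.Group.AbcGroup -join ', ') }
        }
        # The other half of "exactly one": enabled users in no ABC group.
        NoGroup    = $enabled | Where-Object { $_ -notin $byUser.Name }
        # Stale entitlements: ABC members whose account is disabled or outside the search base.
        NotEnabled = $byUser.Name | Where-Object { $_ -notin $enabled }
    }
}

$report = Get-AbcMembershipReport
$report.MultipleGroups | Format-Table -AutoSize
"Enabled users with no ABC group: $($report.NoGroup.Count)"
"ABC members that are not enabled users: $($report.NotEnabled.Count)"
```

Run it on demand; pass `-SearchBase 'OU=...'` to limit the enabled-user population to the OU being migrated, otherwise every enabled account in the domain is expected to hold an ABC group.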