I was recently asked to provide a report on the number (and depth) of nested groups in AD.
Getting a list of the groups inside a group is pretty simple using Get-QADGroupMember <groupname> -Type group; however, getting the groups inside those groups (and the groups inside those) requires some iteration, and the result can be tricky to display in a format that is easy on the eye.
This script creates a "tree" view of nested groups, working from the top down.
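Add-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# Recursively print the groups nested inside $groupname; $iteration is the current depth.
# Note: there is no guard against circular nesting, so a group loop keeps recursing.
function get-groupmembers($groupname,$iteration)
{
    $groups=get-qadobject $groupname -type group
    foreach ($group in $groups)
    {
        # Only direct members that are themselves groups
        $members=get-qadgroupmember $group -type group
        if ($members)
        {
            # Print the top-level group name once, at depth 0
            if ($iteration -eq "0"){write-host -foregroundcolor yellow $group}
            ++$iteration
            foreach ($member in $members)
            {
                # Indent one space per nesting level, then draw the branch
                for($i=$iteration; $i -gt 0; $i--){write-host " " -nonewline}
                write-host "|"
                for($i=$iteration; $i -gt 0; $i--){write-host " " -nonewline}
                write-host "+--$member"
                get-groupmembers -groupname $member -iteration $iteration
            }
        }
    }
}

# Walk every group in the domain, starting at depth 0
$groups = get-qadgroup
foreach($group in $groups){get-groupmembers -groupname $group -iteration 0}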
thanks!
Hi dkegg, just want to say thanks very much for this.
I’ve been asked for the very same thing and this was a godsend!
I already use the Quest Active Roles shell, this worked a treat with no editing.
Cheers
Hi
The script is awesome; however, I can't find the way to add -SizeLimit 0 in the code and also the Export-CSV. I get an error. Where should I put that information?
Thanks!
Is there a way to push the results out to a text file or CSV?
Hello,
I ran into a challenge with this script and leveraged a way to have it alert when the FOR loop got stuck on a circular reference and kept going. It throws an alert stating there's a problem with a group.
#This script shows the groups in a directory with nesting. If a circular reference is found it will loop 5 times and then exit.
#Modify the -Service parameter to search the appropriate domain
Add-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
function get-groupmembers($groupname,$iteration)
{
    $groups=get-qadobject $groupname -type group -Service 'ENTER AD SERVICE NAME HERE'
    foreach ($group in $groups)
    {
        $members=get-qadgroupmember $group -type group
        if ($members)
        {
            if ($iteration -eq "0") {write-host -foregroundcolor RED $group}
            #Write-Host "STAGE 0 this is the current member being addressed : $member"
            #Write-Host "STAGE 0 this is the current iteration value :$iteration"
            ++$iteration
            #Write-Host "STAGE 1 this is the current member being addressed : $member"
            #Write-Host "STAGE 1 this is the current iteration value :$iteration"
            ###CHECKS for a looping caused by circular reference
            IF ($iteration -lt 5)
            {
                foreach ($member in $members)
                {
                    FOR($i=$iteration; $i -gt 0; $i--){write-host " " -nonewline}
                    write-host "|"
                    FOR($i=$iteration; $i -gt 0; $i--){write-host " " -nonewline}
                    write-host "+--$member"
                    get-groupmembers -groupname $member -iteration $iteration
                    #Write-Host "STAGE 2 this is the current member being addressed : $member"
                    #Write-Host "STAGE 2 this is the current iteration value :$iteration"
                }
            }
            Else
            {
                # $member is read from the calling scope here (the group passed in by the recursive call)
                write-host "WARNING: $member is causing a circular nesting issue for $members."
            }
        }
    }
}
###SCRIPT START###
#BUILD LIST OF Security GROUPS FROM AD
#############################
$groups = get-qadgroup -SizeLimit 0 -Service 'ENTER AD SERVICE NAME HERE' -GroupType:Security -DontUseDefaultIncludedProperties -IncludedProperties groupname
#$groups | ft
##Pipe group list into the function#####
Start-Transcript -Path c:\circulargroups_INTL.txt -NoClobber
Write-Host "This script returns all groups with child groups - and notifies of a circular reference."
foreach($group in $groups){get-groupmembers -groupname $group -iteration 0} #| Export-Csv c:\circulargroups.csv
Stop-Transcript
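
The depth limit in the comment above stops at five levels whether or not the chain is actually circular. As an added example (not code from the post or its commenters), the sketch below tracks the ancestor chain of each branch so only a genuinely repeated group is flagged, and it emits objects that can be sent to Export-Csv. The function name Get-NestedGroupReport, the group names and the $nesting table are constructed for illustration and stand in for Get-QADGroupMember -Type group lookups; PowerShell 3.0 or later is assumed.

```powershell
# Constructed sample data: parent group -> directly nested groups (not real AD output).
$nesting = @{
    'Domain Admins' = @('Server Ops')
    'Server Ops'    = @('Helpdesk', 'Backup Ops')
    'Helpdesk'      = @('Server Ops')   # circular: Server Ops > Helpdesk > Server Ops
    'Backup Ops'    = @()
}

# Hypothetical helper. Walks the nesting depth-first and emits one object per
# parent/member edge. $Path holds the ancestors of the current branch, so a
# member already present in $Path is an exact cycle, whatever its depth.
function Get-NestedGroupReport {
    param(
        [string]$Group,
        [hashtable]$Map,
        [string[]]$Path = @()
    )
    $Path = $Path + $Group
    foreach ($member in $Map[$Group]) {
        # -contains is case-insensitive, which matches how AD compares names
        $circular = $Path -contains $member
        [pscustomobject]@{
            Depth    = $Path.Count
            Parent   = $Group
            Member   = $member
            Chain    = ($Path + $member) -join ' > '
            Circular = $circular
        }
        # Stop descending at the repeated group instead of recursing forever.
        if (-not $circular) {
            Get-NestedGroupReport -Group $member -Map $Map -Path $Path
        }
    }
}

$report = Get-NestedGroupReport -Group 'Domain Admins' -Map $nesting
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\nested-groups.csv -NoTypeInformation
```

Because the function returns objects rather than calling Write-Host, the same output can be filtered (for example on Circular or Depth) before it is exported.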