Group Nesting PowerShell report using Quest ActiveRoles

 

I was recently asked to provide a report on the number (and depth) of nested groups in AD.

Getting a list of the groups inside a group is pretty simple using get-qadgroupmember <groupname> -type group, however getting the groups inside that group (inside that group) requires some iteration, and can be a bit tricky to display in a format that is appealing to the eye.

This script will create a “tree” view of nested groups, starting from top down.

 

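Add-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# Prints $groupname and, recursively, every group nested inside it as an indented tree.
# $iteration is the current nesting depth (0 for a top-level group).
function get-groupmembers($groupname,$iteration)
{
  $groups=get-qadobject $groupname -type group
  foreach ($group in $groups)
  {
    $members=get-qadgroupmember $group -type group
    if ($members)
    {
      # Print the top-level group name once, before its first level of children
      if ($iteration -eq "0"){write-host -foregroundcolor yellow $group}
      ++$iteration
      foreach ($member in $members)
      {
        # Indent four spaces per nesting level, then draw the branch
        for($i=$iteration; $i -gt 0; $i--){write-host "    " -nonewline}
        write-host "|"
        for($i=$iteration; $i -gt 0; $i--){write-host "    " -nonewline}
        write-host "+--$member"
        get-groupmembers -groupname $member -iteration $iteration
      }
    }
  }
}

# Treat every group in the directory as a possible tree root
$groups = get-qadgroup
foreach($group in $groups){get-groupmembers -groupname $group -iteration 0}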
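
Added example (not part of the original post or of any commenter's script): a traversal that carries the list of ancestor groups down each branch, so it reports the depth of every nested group and flags the exact membership that closes a circular reference instead of recursing on it. The group names and the $SampleNesting table are constructed, Get-ChildGroup and Get-GroupNesting are hypothetical names, PowerShell 3.0 or later is assumed, and against a live directory Get-ChildGroup would wrap the get-qadgroupmember ... -type group call used above.

```powershell
# Constructed sample data: parent group -> groups nested directly inside it.
$SampleNesting = @{
    'Domain Admins' = @('Server Admins')
    'Server Admins' = @('Helpdesk', 'Backup Ops')
    'Helpdesk'      = @('Contractors')
    'Contractors'   = @('Server Admins')   # closes a loop back to an ancestor
    'Backup Ops'    = @()
}

# Hypothetical lookup. For a live directory, replace the body with:
#   get-qadgroupmember $Name -type group
function Get-ChildGroup([string]$Name) {
    if ($SampleNesting.ContainsKey($Name)) { $SampleNesting[$Name] }
}

function Get-GroupNesting {
    param(
        [string]$Name,
        [string[]]$Path = @()   # ancestors of $Name on the current branch
    )
    $branch = $Path + $Name
    foreach ($child in (Get-ChildGroup $Name)) {
        # One row per parent -> child membership on this branch
        $row = [pscustomobject]@{
            Root     = $branch[0]
            Group    = $child
            Depth    = $branch.Count
            Circular = ($branch -contains $child)   # child is already an ancestor
            Path     = ($branch + $child) -join ' > '
        }
        $row
        # Descend only when the child has not been seen on this branch
        if (-not $row.Circular) {
            Get-GroupNesting -Name $child -Path $branch
        }
    }
}

$report = Get-GroupNesting -Name 'Domain Admins'
$report | Format-Table Depth, Group, Circular, Path -AutoSize
'Max depth: ' + ($report | Measure-Object Depth -Maximum).Maximum
$report | Where-Object { $_.Circular } |
    ForEach-Object { "Circular nesting: $($_.Path)" }
```

Because the rows are objects rather than Write-Host output, the report can be piped to Export-Csv.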

Reader Comments

  1. Hi dkegg, just want to say thanks very much for this.
    I’ve been asked for the very same thing and this was a godsend!
    I already use the Quest Active Roles shell, this worked a treat with no editing.
    Cheers

  2. Hi

    The script is awesome, however I can’t find the way to add -SizeLimit 0 in the code and also the Export-CSV, I get an error, where should I put that information?

    Thanks!

  3. Hello,
    I ran into a challenge with this script and leveraged a way to have it alert when the FOR loop got stuck on a circular reference and kept going. It throws an alert stating there’s a problem with a group.

    #This script shows the groups in a directory with nesting. if a circular reference is found it will loop 5 times and then exit.
    #modify the -service parameter to search the appropriate domain

    Add-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

    function get-groupmembers($groupname,$iteration)

    {

    $groups=get-qadobject $groupname -type group -Service 'ENTER AD SERVICE NAME HERE'

    foreach ($group in $groups)

    {

    $members=get-qadgroupmember $group -type group

    if ($members)

    {

    if ($iteration -eq "0") {write-host -foregroundcolor RED $group}
    #Write-Host "STAGE 0 this is the current member being addressed : $member"
    #Write-Host "STAGE 0 this is the current iteration value :$iteration"

    ++$iteration
    #Write-Host "STAGE 1 this is the current member being addressed : $member"
    #Write-Host "STAGE 1 this is the current iteration value :$iteration"

    ###CHECKS for a looping caused by circular reference

    IF ($iteration -lt 5)
    {
    foreach ($member in $members)

    {

    FOR($i=$iteration; $i -gt 0; $i--){write-host " " -nonewline}

    write-host "|"

    FOR($i=$iteration; $i -gt 0; $i--){write-host " " -nonewline}

    write-host "+--$member"

    get-groupmembers -groupname $member -iteration $iteration

    #Write-Host "STAGE 2 this is the current member being addressed : $member"
    #Write-Host "STAGE 2 this is the current iteration value :$iteration"

    }
    }
    Else
    {write-host "WARNING: $member is causing a circular nesting issue for $members." }

    }

    }

    }

    ###SCRIPT START###

    #BUILD LIST OF Security GROUPS FROM AD
    #############################

    $groups = get-qadgroup -SizeLimit 0 -Service 'ENTER AD SERVICE NAME HERE' -GroupType:Security -DontUseDefaultIncludedProperties -IncludedProperties groupname

    #$groups | ft

    ##Pipe group list into the function#####
    Start-Transcript -Path c:\circulargroups_INTL.txt -NoClobber
    Write-Host "This script returns all groups with child groups - and notifies of a circular reference."
    foreach($group in $groups){get-groupmembers -groupname $group -iteration 0} #| Export-Csv c:\circulargroups.csv
    Stop-Transcript
