Monday, 13 August 2012

Find Members of AD Group - PowerShell Script

This is one of the PowerShell scripts I have been using regularly since the day I wrote it. Most of our SQL Server logins are AD groups rather than individual accounts, so for any security issue we need to trace a user back to the group, often a nested one, that grants the access. This script recursively walks every sub-group of the specified AD group and lists each sub-group together with its members. I hope it's useful.

# Script to Find AD Group Members
# Created by - Vinoth N Manoharan
# Version 1.1
# Date - 05/10/2011
# Script Help :-
#---------------
# Set $usr to the name (cn) or sAMAccountName of the AD group you want to search.
$usr = "AD Group Name"

# Escape the characters that are special in an LDAP filter (RFC 4515), so a
# group name containing ( ) * or \ cannot change the meaning of the query.
function Escape-LdapFilter([string]$value)
{
    $value -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29' -replace "`0",'\00'
}

# Distinguished names already expanded. Nested groups can be circular
# (A is a member of B and B a member of A); without this the recursion
# never ends, and a group reachable by two paths would be listed twice.
$visited = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)

# sAMAccountType values (from ntsam.h):
#   268435456  SAM_GROUP_OBJECT               (global / universal security group)
#   268435457  SAM_NON_SECURITY_GROUP_OBJECT  (global / universal distribution group)
#   536870912  SAM_ALIAS_OBJECT               (domain local security group)
#   536870913  SAM_NON_SECURITY_ALIAS_OBJECT  (domain local distribution group)
#   805306368  SAM_NORMAL_USER_ACCOUNT
#   805306369  SAM_MACHINE_ACCOUNT
#   805306370  SAM_TRUST_ACCOUNT
#   1073741824 SAM_APP_BASIC_GROUP
#   1073741825 SAM_APP_QUERY_GROUP
#   2147483647 SAM_ACCOUNT_TYPE_MAX
# All four group types must be recursed into: domain local groups (536870912)
# are commonly used as SQL Server logins and would otherwise be printed as if
# they were users.
$groupTypes = @(268435456, 268435457, 536870912, 536870913)

function Findusers($objparam, $depth)
{
    $indent = "`t" * ($depth + 1)
    foreach ($ent in $objparam)
    {
        $dn = [string]$ent
        if (-not $visited.Add($dn)) { continue }   # already listed (cycle or duplicate path)

        # A "/" inside a DN must be escaped as "\/" in an ADsPath or the bind fails.
        $objuser1 = New-Object System.DirectoryServices.DirectoryEntry("LDAP://" + ($dn -replace '/', '\/'))
        $usrtype  = $objuser1.Properties["sAMAccountType"].Value

        if ($groupTypes -contains $usrtype)
        {
            "`n" + $indent + $objuser1.Properties["name"].Value
            Findusers ($objuser1.Properties["member"]) ($depth + 1)
        }
        else
        {
            # Users, computers and foreignSecurityPrincipals (members from a
            # trusted domain, which carry no sAMAccountType) end up here.
            $indent + "`t" + $objuser1.Properties["cn"].Value + " -- " + $objuser1.Properties["displayName"].Value
        }
    }
}

Clear-Host
$usr + ":-"
"---------------------------------------------"
$safeName    = Escape-LdapFilter $usr
$strFilter   = "(&(objectCategory=group)(|(name=$safeName)(sAMAccountName=$safeName)))"
$objDomain   = New-Object System.DirectoryServices.DirectoryEntry   # default naming context of the current domain
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot  = $objDomain
$objSearcher.PageSize    = 1000
$objSearcher.Filter      = $strFilter
$objSearcher.SearchScope = "Subtree"
$colResults = $objSearcher.FindAll()
if ($colResults.Count -eq 0)
{
    Write-Warning "No group named '$usr' found under $($objDomain.Properties['distinguishedName'].Value)"
}
foreach ($objResult in $colResults)
{
    $objItem = $objResult.GetDirectoryEntry()
    [void]$visited.Add($objItem.Properties["distinguishedName"].Value)
    # Caveats: 'member' does not list users whose primaryGroupID points at this
    # group, and for groups with more than 1500 members the attribute comes back
    # in ranges (member;range=0-1499) that this script does not page through.
    Findusers ($objItem.Properties["member"]) 0
}
$colResults.Dispose()
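The script above answers "who is in this group". For the SQL Server investigation described at the top, the question is usually the reverse: "which group logins on this instance give this user access". The following is an added example, not part of the original post, that answers it from the user's side. It reads the constructed tokenGroups attribute (the domain controller returns the user's security-group SIDs with nesting already expanded, domain local groups included) and matches those SIDs against the Windows-group logins in sys.server_principals, by SID rather than by name, so a renamed or re-created group cannot produce a false match. The instance name and user name are placeholders; replace them with your own.

```powershell
# Added example (not from the original post): which SQL Server group logins
# grant a given AD user access, using the nested-expanded tokenGroups attribute.
$sqlInstance    = "SQLSERVER01\INST1"   # assumption: your SQL Server instance
$samAccountName = "jdoe"                # assumption: the user to investigate

# Escape LDAP filter metacharacters (RFC 4515) so the user name cannot alter the query.
function Escape-LdapFilter([string]$value)
{
    $value -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29' -replace "`0",'\00'
}

# 1. Locate the user in the current domain.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + (Escape-LdapFilter $samAccountName) + "))"
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
$result = $searcher.FindOne()
if ($result -eq $null) { throw "User '$samAccountName' not found in the current domain" }
$user = $result.GetDirectoryEntry()

# 2. tokenGroups is a constructed attribute: it is not returned by a normal
#    search and has to be requested explicitly on the bound object. It holds
#    the SID of every security group the user is a member of, with nested and
#    domain local groups already resolved by the DC. Distribution groups are
#    not included, which is fine here because they cannot be SQL logins.
$user.RefreshCache(@("tokenGroups"))
$groupsBySid = @{}   # SID string -> DOMAIN\Name (or the raw SID if it cannot be resolved)
foreach ($sidBytes in $user.Properties["tokenGroups"])
{
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }   # deleted group or untrusted domain: keep the SID
    $groupsBySid[$sid.Value] = $name
}

# 3. Pull the Windows-group logins (type 'G') from the instance and match by SID.
#    SQL Server stores the Windows SID of the group, so this survives renames.
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$sqlInstance;Integrated Security=SSPI")
$conn.Open()
try
{
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT name, sid, is_disabled FROM sys.server_principals WHERE type = 'G'"
    $reader = $cmd.ExecuteReader()
    "Group logins on $sqlInstance that grant access to $samAccountName :-"
    "---------------------------------------------"
    while ($reader.Read())
    {
        if ($reader.IsDBNull(1)) { continue }
        $loginName = $reader.GetString(0)
        $loginSid  = (New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$reader.GetValue(1)), 0)).Value
        if ($groupsBySid.ContainsKey($loginSid))
        {
            $state = if ($reader.GetBoolean(2)) { "DISABLED" } else { "enabled" }
            "`t$loginName  (via $($groupsBySid[$loginSid]), $state)"
        }
    }
    $reader.Close()
}
finally { $conn.Close() }
```

Run it as an account that can read the user object in AD and has VIEW ANY DEFINITION (or sysadmin) on the instance. tokenGroups is evaluated by the domain controller the bind lands on, so for a user in another domain of the forest point the DirectorySearcher's SearchRoot at that domain; group SIDs that the Translate call cannot resolve are shown as raw SIDs rather than dropped, since an orphaned SID on a login is itself worth noticing.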

Copyright © 2012 Vinoth N Manoharan. The information provided in this post is provided "as is" with no implied warranties or guarantees.
