We are cleaning up AD and it’s a bear to do manually. What I have:

  • ProjectXYZ (Role Group)

    • Members:
      • DepartmentJ (Role Group)
      • User 1
      • User 2

What I want:

  • ProjectXYZ (Role Group)

    • Members:
      • User 1
      • User 2
      • User 3
      • User 4
      • User 5

Basically, the idea is to extract the users from the nested AD Group, store it, add them back into ProjectXYZ role group. When completed, delete the nested Role Group, close the project and go drink something strong.

8 Spice ups

I assume that you are willing to specify the parent group rather than have this thing wading through your entire AD structure making mass changes throughout. Correct?

1 Spice up

have you looked into Role Based Access Control (RBAC), rather than per user per project?

Also, do your nesting levels go more than 2 deep? (Groups within groups within groups…)

Yes. We have Departments within Departments, so sub depts get nested. Project Groups are not nested - each project becomes its own Role Group.

We are. We have the following:

Role Groups:
  • DEP_ (Department)
  • PRJ_ (Project)

Resource Groups:
  • FS_ FileShare
  • *and several others

Role Group:

  • DEP_HR
    • DEP_HR_Recruiter (Members: Bob Smith, Sally Jones)
      • FS_Server1_HR
      • FS_Server2_HR_Resumes
      • FS_Server2_Accounting_Payroll
  • PRJ_HR (Member: Bob Smith)
  • FS_Server2_HR_JobsFair

This should get you started. Specify the name of the group that you want to clean up on line 1. It will roll through the members of that group looking for any that are also groups. Then it moves the “sub-group” members up one level and deletes the sub-group.

# Name of the group to flatten; -WhatIf on the three changing cmdlets means nothing is modified until it is removed.
$TargetGroup = 'Users.RealPresence'
ForEach ($Member in Get-ADGroupMember -Identity $TargetGroup) {
    if ($Member.objectClass -eq 'group') {
        Write-Host $Member.Name
        ForEach ($SubMember in Get-ADGroupMember -Identity $Member.Name) {
            # Move the sub-group's member up one level into the target group
            # (the original posted line added it back into the sub-group itself)
            Add-ADGroupMember -Identity $TargetGroup -Members $SubMember.SamAccountName -WhatIf
            Write-Host $SubMember.Name
        }
        # Detach the sub-group from the target, then delete it
        Remove-ADGroupMember -Identity $TargetGroup -Members $Member -WhatIf
        Remove-ADGroup -Identity $Member -WhatIf
    }
}

3 Spice ups

If you have nested you would have to run my suggested routine multiple times. I don’t have time to add the extra levels of recursion right now, but this would work if you are willing to run it on a target group repeatedly until it stops moving anything.

1 Spice up
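The routine above handles one level per run. The version below is an added example, not code from this thread, that walks the whole nesting tree in one pass so it does not have to be re-run until nothing moves. It assumes the ActiveDirectory RSAT module; the function names, the `-DeleteNestedGroups` switch and the group name in the usage line are my own choices and the group name is a placeholder. Deletion is off by default and a nested group is only deleted when it is not a member of anything outside the tree being flattened, so a department group that also grants access somewhere else is kept rather than silently removed.

```powershell
Import-Module ActiveDirectory

function Get-NestedGroupMembership {
    # Walks a group's membership tree and returns the non-group (leaf) members found at
    # any depth plus every group object encountered on the way. The visited set stops
    # circular nesting (A contains B, B contains A) from recursing forever.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [System.Collections.Generic.HashSet[string]] $Visited = [System.Collections.Generic.HashSet[string]]::new()
    )
    $self = Get-ADGroup -Identity $Identity
    if (-not $Visited.Add($self.DistinguishedName)) {
        return [pscustomobject]@{ Leaves = @(); Groups = @() }   # already seen: cycle or diamond
    }
    $leaves = @(); $groups = @()
    foreach ($m in Get-ADGroupMember -Identity $self.DistinguishedName) {
        if ($m.objectClass -eq 'group') {
            $groups += $m
            $sub = Get-NestedGroupMembership -Identity $m.DistinguishedName -Visited $Visited
            $leaves += $sub.Leaves
            $groups += $sub.Groups
        } else {
            $leaves += $m
        }
    }
    [pscustomobject]@{ Leaves = $leaves; Groups = $groups }
}

function Flatten-ADGroup {
    # Hypothetical helper (not from the thread): makes every leaf member of the tree a
    # direct member of $TargetGroup and removes the directly nested groups from it.
    # SupportsShouldProcess means -WhatIf / -Confirm flow through to the AD cmdlets.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $TargetGroup,
        [switch] $DeleteNestedGroups
    )
    $targetDn  = (Get-ADGroup -Identity $TargetGroup).DistinguishedName
    $tree      = Get-NestedGroupMembership -Identity $targetDn
    $direct    = @(Get-ADGroupMember -Identity $targetDn)
    $directDns = $direct | Select-Object -ExpandProperty DistinguishedName

    # Add each leaf once (deduplicated by DN), skipping those already direct members
    $toAdd = $tree.Leaves | Sort-Object DistinguishedName -Unique |
             Where-Object { $directDns -notcontains $_.DistinguishedName }
    if ($toAdd) { Add-ADGroupMember -Identity $targetDn -Members $toAdd }

    # Detach only the groups nested directly under the target; deeper groups are
    # detached from their own parents if those parents are deleted below
    $directGroups = $direct | Where-Object { $_.objectClass -eq 'group' }
    if ($directGroups) { Remove-ADGroupMember -Identity $targetDn -Members $directGroups -Confirm:$false }

    $deleted = 0
    if ($DeleteNestedGroups) {
        # DNs that belong to this tree: membership in these does not count as "used elsewhere"
        $treeDns = @($targetDn) + ($tree.Groups | Select-Object -ExpandProperty DistinguishedName)
        foreach ($g in $tree.Groups | Sort-Object DistinguishedName -Unique) {
            $elsewhere = (Get-ADGroup -Identity $g.DistinguishedName -Properties memberOf).memberOf |
                         Where-Object { $treeDns -notcontains $_ }
            if ($elsewhere) {
                Write-Warning "$($g.Name) is still a member of $(@($elsewhere).Count) group(s) outside this tree; not deleting"
                continue
            }
            Remove-ADGroup -Identity $g.DistinguishedName -Confirm:$false
            $deleted++
        }
    }
    [pscustomobject]@{
        Target        = $TargetGroup
        LeavesAdded   = @($toAdd).Count
        GroupsRemoved = @($directGroups).Count
        GroupsDeleted = $deleted
    }
}

# Preview first (nothing changes), then run again without -WhatIf once the output looks right.
Flatten-ADGroup -TargetGroup 'PRJ_ExampleProject' -WhatIf
```

The `memberOf` check only sees group membership, not other places a group may be referenced (file ACLs, GPO filtering, application role mappings), so treat the deletion switch as a convenience for groups you created purely for nesting, and keep the `-WhatIf` preview output as a record of what moved.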

This worked. I don’t have the time to make the changes, myself, but for the groups I had, this worked well. Thanks!

Glad to be of service.