1

Description

We all experienced it before. You have an IT Audit and they ask you a list of all the AD users that belong to a group. Or even for your own sake to have a yearly access rights review. With this script you can export all the groups with the users that are member of those groups.

The only thing you need to install is the Quest One ActiveRoles Management Shell for Active Directory. You can find it here.

Once installed you run the ActiveRoles Management Shell and run the script.
The only thing you have to change in the script is the OU location of the groups.
$MyGroups = Get-QADGroup -SearchRoot “xxx.local/Company/Groups/Resources/Filesrv”

It will export a file allginfo.csv.

Source Code

$GroupInfo = '' | Select 'Group Name','Group Description','Member Name','Member Description'
$AllGroups = @()
$MyGroups = Get-QADGroup -SearchRoot "xxx.local/Company/Groups/Resources/Filesrv" -DontUseDefaultIncludedProperties  -IncludedProperties Name,Description,Member | select Name,Description,Member
foreach($Group in $MyGroups){
    $GroupInfo.'Group Name' = $Group.Name
    $GroupInfo.'Group Description' = $Group.Description
    foreach($Member in $Group.Member){
        $User = Get-QADUser $Member -DontUseDefaultIncludedProperties -IncludedProperties Name,Description | select Name,Description
        $GroupInfo.'Member Name' = $User.Name
        $GroupInfo.'Member Description' = $User.Description 
        #it takes a while to go through a lot of goups...this just lets you watch so you don't think it's broke and cancel it.
        $GroupInfo | select 'Group Name','Group Description','Member Name','Member Description'
        $AllGroups += $GroupInfo | Select 'Group Name','Group Description','Member Name','Member Description'
    }
}

$AllGroups | Export-Csv allginfo.csv -NoTypeInformation #Export all that group info to csv file.

Screenshots

Group_Export.png
Group_Export.png1024×503 120 KB
2 Spice ups
2

Thanks, does exactly what I wanted (once I read the instructions). We deploy software to VMware view virtual desktops using thinapp. I needed to do an inventory of all our thinapp groups. Steve.

3

This is great, but I’m using it for an audit right now and found it to have a major flaw. It only deals appropriately with domain users, not domain groups. Groups are just as important as users to list when auditing the membership of something. In the current state, this script essentially prints a blank line where a group would go; it doesn’t even say the name of the group. Is there a way to modify the script so it gets non-user objects, such as groups and computers (also have some groups with computers in them)? Below is the current version of the script I’m working on. I added additional fields since I need them also. >>>>> $GroupInfo = ‘’ | Select ‘Group Name’,‘Group Description’,‘LogonName’,‘Name’,‘Description’,‘Type’,‘AccountIsDisabled’,‘Department’,‘Title’,‘whenCreated’,‘whenChanged’,‘LastLogon’,‘PasswordNeverExpires’,‘AccountExpires’,‘AccountIsExpired’ $AllGroups = @() #The -SearchRoot value determines the groups that are checked. Some examples are shown below. # * All groups: -SearchRoot “ucn.net/Security Groups” # * Specific group: -SearchRoot “ucn.net/Security Groups/Domain Admins” $MyGroups = Get-QADGroup -SearchRoot “inucn.com/INUCN/Accounts/Groups/Domain Admins” -DontUseDefaultIncludedProperties -IncludedProperties Name,Description,Member | select Name,Description,Member foreach($Group in $MyGroups){ $GroupInfo.‘Group Name’ = $Group.Name $GroupInfo.‘Group Description’ = $Group.Description foreach($Member in $Group.Member){ $User = Get-QADUser $Member -DontUseDefaultIncludedProperties -IncludedProperties LogonName,Name,Description,Type,AccountIsDisabled,Department,Title,whenCreated,whenChanged,LastLogon,PasswordNeverExpires,AccountExpires,AccountIsExpired | select LogonName,Name,Description,Type,AccountIsDisabled,Department,Title,whenCreated,whenChanged,LastLogon,PasswordNeverExpires,AccountExpires,AccountIsExpired $GroupInfo.‘LogonName’ = $User.LogonName $GroupInfo.‘Name’ = $User.Name $GroupInfo.‘Description’ = $User.Description $GroupInfo.‘Type’ = $User.Type $GroupInfo.‘AccountIsDisabled’ = $User.AccountIsDisabled $GroupInfo.‘Department’ = $User.Department $GroupInfo.‘Title’ = $User.Title $GroupInfo.‘whenCreated’ = $User.whenCreated $GroupInfo.‘whenChanged’ = $User.whenChanged $GroupInfo.‘LastLogon’ = $User.LastLogon $GroupInfo.‘PasswordNeverExpires’ = $User.PasswordNeverExpires $GroupInfo.‘AccountExpires’ = $User.AccountExpires $GroupInfo.‘AccountIsExpired’ = $User.AccountIsExpired #It takes a while to go through a lot of goups. This just lets you watch so you don’t think it’s broken and cancel it. $GroupInfo | select ‘Group Name’,‘Group Description’,‘LogonName’,‘Name’,‘Description’,‘Type’,‘AccountIsDisabled’,‘Department’,‘Title’,‘whenCreated’,‘whenChanged’,‘LastLogon’,‘PasswordNeverExpires’,‘AccountExpires’,‘AccountIsExpired’ $AllGroups += $GroupInfo | Select ‘Group Name’,‘Group Description’,‘LogonName’,‘Name’,‘Description’,‘Type’,‘AccountIsDisabled’,‘Department’,‘Title’,‘whenCreated’,‘whenChanged’,‘LastLogon’,‘PasswordNeverExpires’,‘AccountExpires’,‘AccountIsExpired’ } } $AllGroups | Export-Csv AD_Group_Membership.csv -Append -NoTypeInformation #Export all the gathered data to a CSV file.

4

ActiveRoles is now owned by Dell, and they’re charging for it. I can’t find a download for the previously free version anywhere. I would say this solution should be retired.

5

Hi Friends, How can I do this same script without QUEST Active directory…? please help

6

Quest One ActiveRoles is not available any longer, and aside from that, I’m not sure how you can call something a “Powershell script” as opposed to a “3rd party utility script for powershell” when you absolutely need the 3rd party utility and the only thing powershell does for it, is provide the place for typing the 3rd party commands.