Listing users in ad group recursively with powershell script without CmdLets

3

11

I'm trying to list everyone in a security group in an Active Directory without using CmdLets in PowerShell. The weird thing with my script is that it works if I list the entire directory, but if I try to specify with an LDAP query what I want to be listed, it does not work. I know my LDAP query is correct because I have used it in another similar VBS and it works. The commented lines are where I have tried to put in the query.

$strFilter = "(&(objectCategory=person)(objectClass=user))"
#$strFilter = "(&(objectCategory=person)(objectClass=user)(memberOf=CN=Common Name,OU=User Groups,...,DC=ad,DC=domain,DC=com))" #... is just left out part of query

#$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Common Name,OU=User Groups,...,DC=ad,DC=domain,DC=com") #... is just left out part of query

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"

$colProplist = "name"
foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}

$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults)
    {$objItem = $objResult.Properties; $objItem.name}
Palila answered 8/11, 2011 at 18:28 Comment(4)
Why can't you use cmdlets? That's like saying "I want to program something in C# without using methods".Pictogram
The ones people are suggesting I would have to install, and I want this to run on any computer with just the script.Palila
CmdLets are available with active directory module in PowerShell 2.0.Hysterectomy
Sometimes security access controls and permissions restrict the ability to install/use non-default AD cmdlets, in that case this question is still quite relevant.Highup
9

Here is something working in an Active Directory 2003 SP2 and 2008 R2. I use ADSI and Microsoft LDAP_MATCHING_RULE_IN_CHAIN. It searches recursively (but in one query) for all the users of a group (be careful: it returns users from both security and distribution groups).

Clear-Host
$dn = New-Object System.DirectoryServices.DirectoryEntry ("LDAP://WM2008R2ENT:389/dc=dom,dc=fr","[email protected]","PWD")

# To find all the users that are members of the group "MonGrpPlusSec":
# Set the base to the groups container DN; for example root DN (dc=societe,dc=fr)
# Set the scope to subtree
# Use the following filter:
# (memberof:1.2.840.113556.1.4.1941:=CN=MonGrpPlusSec,OU=ForUser1,DC=dom,DC=fr)

$dsLookFor = new-object System.DirectoryServices.DirectorySearcher($dn)
$dsLookFor.Filter = "(&(memberof:1.2.840.113556.1.4.1941:=CN=MonGrpPlusSec,OU=ForUser1,DC=dom,DC=fr)(objectCategory=user))"; 
$dsLookFor.SearchScope = "subtree"; 
$n = $dsLookFor.PropertiesToLoad.Add("cn"); 
$n = $dsLookFor.PropertiesToLoad.Add("distinguishedName");
$n = $dsLookFor.PropertiesToLoad.Add("sAMAccountName");

$lstUsr = $dsLookFor.findall()
foreach ($usrTmp in $lstUsr) 
{
  Write-Host $usrTmp.Properties["samaccountname"]
}
Hysterectomy answered 8/11, 2011 at 19:30 Comment(4)
To have a complete list of users, computers and groups, use this changed line: $dsLookFor.Filter = "(&(memberof:1.2.840.113556.1.4.1941:=CN=sg01,OU=sg,DC=int,DC=io,DC=local)(objectCategory=*))";Magnetostriction
These both worked perfectly but this one had more functionality like what I was looking for so I chose this one. Thanks a ton for your help!Palila
I don't understand what the variable $n is being used for?Zinck
$n is just here to receive the Add() method output, to prevent it from being written to the console.Hysterectomy
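The single-query approach from the answer above, written as a reusable function (an added example, not part of the original answers): it searches from the domain root rather than from the group object, escapes the group name and DN before they are placed in the filter, and reports whether each account is enabled. The function names and the lookup of the group by `sAMAccountName` are assumptions.

```powershell
# Added example; function names are hypothetical, not from the original posts.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory = $true)][string]$Value)
    # RFC 4515 escaping. The backslash is replaced first so the escapes
    # inserted afterwards are not escaped a second time.
    $v = $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28')
    $v.Replace(')', '\29').Replace([string][char]0, '\00')
}

function Get-NestedGroupUser {
    param([Parameter(Mandatory = $true)][string]$GroupName)

    # Step 1: resolve the group to its DN. With no SearchRoot set, the searcher
    # uses the root of the current domain. Users are not child objects of a
    # group, so a subtree search rooted at the group DN finds no users.
    $find = New-Object System.DirectoryServices.DirectorySearcher
    $find.Filter = "(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $GroupName)))"
    $group = $find.FindOne()
    if ($null -eq $group) { throw "Group '$GroupName' not found" }
    $groupDn = [string]$group.Properties['distinguishedname'][0]

    # Step 2: one query with LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941).
    # The DN is escaped too: it may contain '\', '(' or ')' characters.
    # Caveat: memberOf does not cover the primary group, so users whose
    # primaryGroupID points at the target group are not returned.
    $search = New-Object System.DirectoryServices.DirectorySearcher
    $search.PageSize = 1000
    $search.Filter = "(&(objectCategory=person)(objectClass=user)" +
        "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $groupDn)))"
    foreach ($p in 'sAMAccountName', 'distinguishedName', 'userAccountControl') {
        [void]$search.PropertiesToLoad.Add($p)
    }

    $results = $search.FindAll()
    try {
        foreach ($r in $results) {
            New-Object PSObject -Property @{
                SamAccountName    = [string]$r.Properties['samaccountname'][0]
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
                # Bit 0x2 of userAccountControl is ACCOUNTDISABLE.
                Enabled = -not ([int]$r.Properties['useraccountcontrol'][0] -band 2)
            }
        }
    }
    finally { $results.Dispose() }   # FindAll() holds unmanaged resources
}

# Usage (constructed group name):
# Get-NestedGroupUser -GroupName 'GroupNameHere' | Sort-Object SamAccountName
```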
9

This will get all members of the domain Administrators group, including nested members (requires .NET 3.5).

$Recurse = $true

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$group=[System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ct,'Administrators')
$group.GetMembers($Recurse)
Crackbrained answered 8/11, 2011 at 21:1 Comment(1)
These both worked perfectly but the 2nd one had more functionality like what I was looking for so I chose that one. Thanks a ton for your help! Sorry I could not give both of you credit...Palila
3

So long as you know the group name, you can run the following (ugly) quasi-one-liner:

## List Members in a Group
$groupname = 'GroupNameHere'
(New-Object System.DirectoryServices.DirectoryEntry((New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=Group)(name=$($groupname)))")).FindOne().GetDirectoryEntry().Path)).member | % { (New-Object System.DirectoryServices.DirectoryEntry("LDAP://"+$_)) } | Sort-Object sAMAccountName | SELECT @{name="User Name";expression={$_.Name}},@{name="User sAMAccountName";expression={$_.sAMAccountName}}

Also since you rarely do one without the other, I'm also going to include the way to list all groups for a user using the same basic approach:

## List Groups for a Username
$username = 'UsernameHere'
(New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=User)(samAccountName=$($username)))")).FindOne().GetDirectoryEntry().memberOf | % { (New-Object System.DirectoryServices.DirectoryEntry("LDAP://"+$_)) } | Sort-Object sAMAccountName | SELECT @{name="Group Name";expression={$_.Name}},@{name="Group sAMAccountName";expression={$_.sAMAccountName}}

Both of these query your current domain and do not require any domain qualification, nor do they require any modules or additional libraries be installed. I also find myself working in a pretty vanilla environment from time-to-time with minimal permissions where I need to search through AD, and I find these two commands help me with that quite a bit.

Highup answered 7/4, 2017 at 16:39 Comment(2)
How do I get the group description field using ADSI if a group name is provided?Oread
@John Eisbrener - Thank you for this. I use accounts which can't install cmdlets and so this is exactly what I needed.Rockrose
