5

I'm trying to get a list of all members of an AD group, showing active / inactive users. The purpose is to get all the members of the groups and list the ones with Admin privileges.

I did the following commands:

```powershell
$GROUPNAME = "Domain Admins"
Get-ADGroupMember -identity $GROUPNAME -Recursive | Select name, SamAccountName, objectclass | Sort-Object Name
```

I tried to combine it with `Get-ADUser -Filter {Enabled -eq $false}`, but I need the first cmdlet to output users for me, so I can filter with Get-ADUser.

Thanks in advance

Marlon
  • 1
    What about pulling the output from Get-ADGroupMember to a variable $USERS and then running a ForEach loop that pulls them through Get-ADUser to check for Enabled? I'm playing with this now modifying a script that is similar-ish, but haven't worked out the kinks yet. – music2myear Nov 10 '17 at 00:31
  • 1
    @music2myear Seems that worked! Did the following: `$GROUPNAME = 'Domain Admins'` `Get-ADGroupMember -identity $GROUPNAME -Recursive | Select name, SamAccountName, objectclass | Sort-Object Name` `foreach ($USERS in $USERS) { Get-ADUser -Filter {Enabled -eq $false } | Select Name, Enabled, SamAccountName, UserPrincipalName }` – Marlon Nov 13 '17 at 01:04
  • Sweet, write that up as the answer. I may have pointed you in the right direction, but you solved it. – music2myear Nov 13 '17 at 16:41
  • 1
    Though, I'd personally leave the Select and Sort-Object off of the first line. Get-ADGroupMember is outputting objects which Get-ADUser should be able to handle just fine, and the Select command on the last line should be sufficient. – music2myear Nov 13 '17 at 16:43
  • I did some tests here, but it seems that the statement `Get-ADGroupMember -identity $GROUPNAME -Recursive` is not getting all the members of the Domain Admins group, or whatever group is in the cmdlet. With the last cmdlet filtering, the results just show disabled users in general in AD. – Marlon Nov 13 '17 at 20:42
  • In the code you've posted it doesn't look as though you're writing the contents of Domain Admins to a variable, and then you're just looping through every user account in the domain with Get-ADUser. – music2myear Nov 13 '17 at 21:49
  • It seems that doing the command `Get-ADGroupMember -identity $GROUPNAME` without the recursive option shows the members. It just does not show a group inserted into the Domain Admins members. – Marlon Nov 16 '17 at 18:05
  • @music2myear I tested these cmdlets and they seem to be working now! Unfortunately I can't vote for my own reply; if you could, it would be appreciated. – Marlon Nov 27 '17 at 21:04

3 Answers

4

I did it this way:

```powershell
$groupname = "Domain Admins"
# Direct members of the group, user objects only
$users = Get-ADGroupMember -Identity $groupname | ? {$_.objectclass -eq "user"}
# Look up each member and keep the enabled accounts
foreach ($activeusers in $users) { Get-ADUser -Identity $activeusers | ? {$_.enabled -eq $true} | select Name, SamAccountName, UserPrincipalName, Enabled }
```

If you want disabled users, just replace the last cmdlet:

```powershell
foreach ($activeusers in $users) { Get-ADUser -Identity $activeusers | ? {$_.enabled -eq $false} | select Name, SamAccountName, UserPrincipalName, Enabled }
```
Marlon
1

Using Marlon's answer above, if you want to output it as a list to text or CSV, you can do this:

```powershell
$groupname = "Domain Admins"
$users = Get-ADGroupMember -Identity $groupname | ? {$_.objectclass -eq "user"}
# Collect the enabled accounts so they can be exported in one go
$result = @()
foreach ($activeusers in $users) { $result += (Get-ADUser -Identity $activeusers | ? {$_.enabled -eq $true} | select Name, SamAccountName, UserPrincipalName, Enabled) }
$result | Export-CSV -NoTypeInformation .\active_domain_admins.csv
```

You can switch the last line to this, if you just want output to a text file:

```powershell
$result | Out-File .\active_domain_admins.txt
```
Vicer
1

Are you looking for something like this?

```powershell
$GrpName = '[Group Name]'
$ExportPath = 'C:\Temp\' + $GrpName + '-GroupMembers.csv'
# Expand nested groups, look up each member, and keep the enabled accounts
$Grp = Get-ADGroup $GrpName | Get-ADGroupMember -Recursive | Get-ADUser -Properties Name,Mail,Enabled  | Select-Object Name,Mail,Enabled | Where-Object {$_.Enabled -eq $True}
# Number of enabled members found
$Grp.Count
$Grp | Export-Csv -NoType $ExportPath
```
Toto
Chris
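
An added example, not code from any of the answers above: one pass over the group that reports enabled and disabled users together, marks whether each membership is direct or comes through a nested group, and lists non-user members instead of passing them to Get-ADUser. It assumes the ActiveDirectory (RSAT) module and read access to the domain; the function name `Get-GroupMemberStatus` and the output file name are hypothetical.

```powershell
# Added example (not from the answers above). Assumes the ActiveDirectory
# (RSAT) module and read access to the domain.
Import-Module ActiveDirectory

function Get-GroupMemberStatus {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$GroupName
    )

    # Direct members only: used to tell direct from nested membership.
    $directDns = @(Get-ADGroupMember -Identity $GroupName |
        Select-Object -ExpandProperty distinguishedName)

    # -Recursive expands nested groups and returns leaf objects, not groups.
    foreach ($member in Get-ADGroupMember -Identity $GroupName -Recursive) {
        $enabled = $null
        $lastLogon = $null
        if ($member.objectClass -eq 'user') {
            # Only user objects go to Get-ADUser; other classes are reported as-is.
            $user = Get-ADUser -Identity $member.distinguishedName -Properties LastLogonDate
            $enabled = $user.Enabled
            $lastLogon = $user.LastLogonDate
        }
        $membership = 'Nested'
        if ($directDns -contains $member.distinguishedName) { $membership = 'Direct' }

        [pscustomobject]@{
            Name           = $member.name
            SamAccountName = $member.SamAccountName
            ObjectClass    = $member.objectClass
            Enabled        = $enabled
            Membership     = $membership
            LastLogonDate  = $lastLogon
        }
    }
}

$report = Get-GroupMemberStatus -GroupName 'Domain Admins' | Sort-Object Enabled, Name
$report | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\domain_admins_status.csv   # hypothetical file name
```

`LastLogonDate` is derived from `lastLogonTimestamp`, which replicates between domain controllers with a delay, so treat it as approximate when deciding whether a privileged account is stale.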