list members and properties from multiple AD groups

Hi - I need to create a csv that lists the members from multiple AD groups and for each member shows their displayname, username, distinguished name etc

So far I've got a script that lists members for each group:

$Groups = Get-ADGroup -Properties * -Filter * -SearchBase "<path to OU>"
Foreach($G In $Groups)
{
    Write-Host $G.Name
    Write-Host "-------------"
    $G.Members
}

But how do I modify this to display the properties for each user and also output to a csv?

Any help much appreciated

J

 
December 29th, 2014 4:43pm

You could use Get-ADGroupMember to get basic properties of the members and export that to CSV.

$Groups = Get-ADGroup -Filter * -SearchBase "<path to OU>"
 Foreach($Group In $Groups)
 {
    $Path = "C:\Groups\$($Group.Name).csv"
     Get-ADGroupMember $Group | Export-Csv $Path -NoTypeInformation
 }

If you need more properties than that provides, you can use Get-ADUser.

$Groups = Get-ADGroup -Properties Members -Filter * -SearchBase "<path to OU>"
 Foreach($Group In $Groups)
 {
     $Path = "C:\Groups\$($Group.Name).csv"
     foreach ($Member in $Group.Members)
     {
        Get-ADUser $Member | Export-Csv $Path -NoTypeInformation -Append
     }
 }

December 29th, 2014 5:20pm

Thanks - I've tried these changes but having some problems

The first one does create .csv files for each group but for each group that has members in it I get an error in the console - The corresponding .csv does get created - though empty when it should have content

Get-ADGroupMember : An unspecified error has occurred
At E:\Scripts\EnumSPGroups2.ps1:7 char:6
+      Get-ADGroupMember $Group | Export-Csv $Path -NoTypeInformation
+      ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=DLG-SEC-test-...=test,DC=COM:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

--> However I can't make any sense of this error

One of the .csv files does contain info and it is exactly what I need - just can't get the others to work

The second one runs without error but doesn't create any .csv files!

If you can help at all that would be great

December 30th, 2014 2:19pm

Script 1: Seems to work fine here. I am not certain what that error may be. Can you run Get-ADGroupMember on its own without any error? Which version of PowerShell are you running? Are you running the console as an administrator?

Script 2: Also works fine here. Are you pointing the $Path variable to a valid location or using the one I provided? It may be failing if the folder doesn't exist, but you should get an error for that.

December 30th, 2014 5:49pm

Thanks for the reply

The problem appears to be that the script fails when groups contain Foreign Security Principals. It's a problem because the reason I'm trying to get this to work is so we can audit the FSP accounts in these groups.

In a group that has local Security Principals - it works fine - but for any group that has FSPs it just fails

Is there any way around this? I've been doing some reading and it seems this has happened to a few people - I found some code here that apparently works but I'm not sure how to add this to the script - https://social.technet.microsoft.com/Forums/scriptcenter/en-US/07e7595a-9e7d-43ed-a147-c8591adb1fb2/advice-with-getadgroupmember?forum=ITCG

Not sure this does everything I want it to either

Note - if I run the following on one of the groups with FSPs I get a list of SIDs

$G = get-adgroup DLG-SEC-GroupWithFSPs -properties member

$G.member

But I need to get the usernames, Distnames, etc - not just the SIDs

Any help most appreciated - I'll continue to work on it

J




  • Edited by jonjames Friday, January 02, 2015 10:00 AM
January 2nd, 2015 12:38pm

Sorry I don't have any FSPs to test this against. However, it appears a common solution to this may be to use the Quest AD cmdlets instead of the Microsoft ActiveDirectory module. You can find them here:

http://software.dell.com/products/activeroles-server/powershell.aspx

January 2nd, 2015 8:11pm

Unfortunately we may not be able to use the Quest cmdlets so I'm tasked with finding another way

The crazy thing is I can see the usernames in the GUI when I open the group in dsa.msc and click the members tab - they all show up with little red up arrows - though I can't even copy those to notepad

If I can find a way of just listing these users I'll update this thread

Cheers

J

January 15th, 2015 6:16pm

OK - this is what I did in the end:

# Note: Log and $SPCSVData are used below but are not defined in this excerpt.
$SPGroups = Get-ADGroup -Filter * -SearchBase "OU=SHAREPOINT,OU=GROUPS,OU= etc" -Properties Members
if (!($SPGroups))
{
    Log " - No SharePoint Groups could be found"
    exit 1
}

# Start with an empty array so += appends records instead of failing on the second one
$BillingOutput = @()

ForEach ($Group in $SPGroups)
{
    Log "$($Group.Name)"
    Foreach ($dn in $Group.Members)
    {
        if ( $dn.StartsWith("CN=S-1-5") )
        {
            # Foreign security principal: the CN is the SID, so translate it to DOMAIN\user
            $SIDText = ($dn.Split(","))[0].SubString(3)
            $SID = New-Object System.Security.Principal.SecurityIdentifier $SIDText
            $strSPUser = $($SID.Translate([System.Security.Principal.NTAccount]).Value)
        }
        else
        {
            # Member from the local domain: look it up by distinguished name
            $ADUser = Get-ADUser $dn -Properties SamAccountName,EmailAddress
            $strSPUser = "domain\$($ADUser.SamAccountName)"
        }
        Log " - $strSPUser"
        $BillingRecord = New-Object System.Object
        $BillingRecord | Add-Member -type NoteProperty -name "SAMAccountName" -value $strSPUser
        $BillingRecord | Add-Member -type NoteProperty -name "SMTPAddress" -value "SMTPADDRESSHERE"
        $BillingRecord | Add-Member -type NoteProperty -name "SPGroup" -value $Group.Name
        $BillingOutput += $BillingRecord
    } # End loop of DN's in a group
} # End loop of groups

$BillingOutput | ft
Log " - Adding SP Users to CSV File: "
$BillingOutput | Export-Csv -Path $SPCSVData -Force -ErrorAction SilentlyContinue -NoTypeInformation

February 6th, 2015 11:55am
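
For anyone auditing FSP accounts the same way, the following is an added example and not code from any poster in this thread. It writes one CSV row per group member and flags foreign SIDs that no longer resolve instead of carrying over the previous member's name. It assumes the ActiveDirectory module and PowerShell 3.0 or later; Resolve-GroupMember, $SearchBase and $CsvPath are hypothetical names and values.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and that this machine can resolve SIDs from the trusted domain.
Import-Module ActiveDirectory

$SearchBase = 'OU=Example,DC=example,DC=com'   # hypothetical OU, replace with your own
$CsvPath    = 'C:\Groups\GroupMembers.csv'     # hypothetical output path

function Resolve-GroupMember {
    param([string]$GroupName, [string]$MemberDN)

    # Get-ADObject accepts any object class, including foreignSecurityPrincipal
    $obj = Get-ADObject -Identity $MemberDN -Properties objectSid, sAMAccountName, displayName

    $account = $obj.sAMAccountName
    $status  = 'Local'

    if ($obj.ObjectClass -eq 'foreignSecurityPrincipal') {
        # Default to "unresolved" so any lookup failure is visible in the audit output
        $account = $null
        $status  = 'ForeignUnresolved'
        try {
            $account = $obj.objectSid.Translate([System.Security.Principal.NTAccount]).Value
            $status  = 'Foreign'
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # SID does not map to an account (for example deleted); keep the defaults
        }
    }

    [pscustomobject]@{
        Group             = $GroupName
        Account           = $account
        DisplayName       = $obj.displayName
        ObjectClass       = $obj.ObjectClass
        SID               = $obj.objectSid.Value
        Status            = $status
        DistinguishedName = $obj.DistinguishedName
    }
}

$rows = foreach ($group in Get-ADGroup -Filter * -SearchBase $SearchBase -Properties member) {
    foreach ($dn in $group.member) {
        Resolve-GroupMember -GroupName $group.Name -MemberDN $dn
    }
}

$rows | Export-Csv -Path $CsvPath -NoTypeInformation
```

Rows with Status set to ForeignUnresolved still carry the raw SID, so they can be followed up in the trusted domain.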

This topic is archived. No further replies will be accepted.
