How do I specify AD group membership for AD users using an input list?

I am a fairly new PowerShell user. I am looking for some help with a PowerShell script to get the list of security groups a user is a member of.

To describe what I need:

  • I have an input list (txt file) with many users (samaccountnames). Each name is on a new line.
  • I need a script to search for these names in AD: the whole forest, not just one domain.
  • The output should be the samaccountname followed by the list of groups this account is a member of, all on one line, so I can sort it in Excel.

This is the script I have:

```powershell
$users = Get-Content C:\users.txt
ForEach ($User in $users) {
    $getmembership = Get-ADUser $User.Users -Properties MemberOf | Select -ExpandProperty memberof
    $getmembership | Out-File -Append c:\membership.txt
}
```

but this gives me an error:

```
Get-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try the command again.
At line:4 char:28
+ $getmembership = Get-ADUser <<<< $User.Users -Properties MemberOf | Select -ExpandProperty memberof
    + CategoryInfo          : InvalidData: (:) [Get-ADUser], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADUser
```

In any case, this script will not search the whole forest.

Example input list:

```
username1
username2
username3
username4
...
```

Example results list:

```
username1;group1;group2;group3
username2;group1;group2;group3;group4
...
```

or something similar.

Any help would be greatly appreciated.

+8
powershell active-directory membership
5 answers

First. The $User variable does not have a .Users property. In your code, $User simply represents one line (the "current" line in the foreach loop) from the text file.

```powershell
$getmembership = Get-ADUser $User -Properties MemberOf | Select -ExpandProperty memberof
```

Secondly, I don't think you can query the whole forest with a single command. You will have to break it into smaller pieces:

  • Query the forest for the list of domains
  • Call Get-ADUser for each domain (you may need to specify alternate credentials using the -Credential parameter)

Thirdly, to get the list of groups the user is a member of:

```powershell
$User = Get-ADUser -Identity trevor -Properties *
# memberof holds group distinguished names; look each one up to get its name
$GroupMembership = ($User.memberof | % { (Get-ADGroup $_).Name }) -join ';'
# Result: Orchestrator Users Group;ConfigMgr Administrators;Service Manager Admins;Domain Admins;Schema Admins
```

Fourth. To get the final desired line format, simply concatenate $User.Name, a semicolon and $GroupMembership:

```powershell
$User.SamAccountName + ';' + $GroupMembership
```
+11
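Putting the four steps above together into one script that does what the question asks across a whole forest. This is an added example, not code from the question or from this answer. It assumes the RSAT ActiveDirectory module, a machine joined to the forest, an account that can read users and groups in every domain, and the two placeholder file paths; the helper names ConvertTo-LdapFilterValue and Resolve-GroupName are my own. Two caveats the page's one-liners skip are handled here: memberOf never lists the user's primary group (usually Domain Users), and it can reference groups in other domains of the forest, which must be resolved against their own domain.

```powershell
# Added example (not from the question or this answer): for every samAccountName in
# an input file, find the account in whichever forest domain holds it, resolve its
# primary group plus every group in memberOf, and write one "sam;group1;group2" line.
# Assumes the RSAT ActiveDirectory module, a forest-joined machine, read access to
# users and groups in every domain, and the placeholder paths below.
Import-Module ActiveDirectory

$InputFile  = 'C:\users.txt'        # one samAccountName per line (assumed path)
$OutputFile = 'C:\membership.txt'   # sam;group;group... (assumed path)

# Every domain in the forest this machine belongs to (DNS names).
$domains = (Get-ADForest).Domains

# RFC 4515 escaping, so an odd or hostile line in the input file cannot rewrite
# the LDAP filter (a bare "*" would otherwise match every account in the domain).
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# memberOf can contain groups from other domains in the forest, so each DN is
# resolved against the domain named in its DC= components, not the user's domain.
function Resolve-GroupName {
    param([string]$DistinguishedName)
    $groupDomain = ([regex]::Matches($DistinguishedName, '(?<=DC=)[^,]+') | ForEach-Object { $_.Value }) -join '.'
    try {
        (Get-ADGroup -Identity $DistinguishedName -Server $groupDomain).Name
    } catch {
        # Unreachable domain or no read right: fall back to the CN from the DN
        # (the regex keeps escaped commas such as "CN=Smith\, John" intact).
        $DistinguishedName -replace '^CN=((?:[^,\\]|\\.)*),.*$', '$1'
    }
}

$names = Get-Content -Path $InputFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$lines = foreach ($sam in $names) {
    $user = $null
    $userDomain = $null
    foreach ($domain in $domains) {
        # -LDAPFilter returns nothing (no error) when the account is not in this
        # domain, whereas -Identity would throw. Stop at the first domain that has it.
        $user = Get-ADUser -LDAPFilter "(sAMAccountName=$(ConvertTo-LdapFilterValue $sam))" `
                           -Server $domain -Properties memberOf, primaryGroupID
        if ($user) { $userDomain = $domain; break }
    }
    if (-not $user) {
        "$sam;NOT FOUND IN FOREST"
        continue
    }

    # The primary group is stored only as a RID (513 = Domain Users) and is absent
    # from memberOf; rebuild its SID from the user's domain SID and look it up.
    $primarySid = '{0}-{1}' -f $user.SID.AccountDomainSid.Value, $user.primaryGroupID
    $groups = @((Get-ADGroup -Identity $primarySid -Server $userDomain).Name)

    # Direct memberships only: memberOf does not expand nested groups.
    $groups += @($user.memberOf | ForEach-Object { Resolve-GroupName $_ })

    '{0};{1}' -f $user.SamAccountName, ($groups -join ';')
}

$lines | Set-Content -Path $OutputFile -Encoding UTF8
```

If the running account is not trusted in every domain, add -Credential to the Get-ADUser and Get-ADGroup calls for those domains, as the answer suggests. The output is written once at the end rather than appended per user, so re-running the script does not leave stale lines from an earlier run in the file.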
```powershell
Get-ADPrincipalGroupMembership username | select name
```

Got this from another answer, but the script works magic. :)

+6

Or add "sort name" to sort the list alphabetically:

```powershell
Get-ADPrincipalGroupMembership username | select name | sort name
```
+1

The code below will return each user's group membership using the samAccountName. You can change it to read the input file, or change the query to get accounts with non-expiring passwords, etc.

```powershell
$location = "c:\temp\Peace2.txt"
# every samAccountName in the current domain
$users = (get-aduser -filter *).samaccountname
$le = $users.length
for ($i = 0; $i -lt $le; $i++) {
    # group names the account is a member of (includes the primary group)
    $output = (get-aduser $users[$i] | Get-ADPrincipalGroupMembership).name
    $users[$i] + " " + $output          # echo to the console
    $z = $users[$i] + " " + $output
    add-content $location $z            # append the same line to the file
}
```

Output Example:

 Administrator Domain Users Administrators Schema Admins Enterprise Admins Domain Admins Group Policy Creator Owners
 Guest Domain Guests Guests
 krbtgt Domain Users Denied RODC Password Replication Group
 Redacted Domain Users CompanyUsers Production
 Redacted Domain Users CompanyUsers Production
 Redacted Domain Users CompanyUsers Production
0

All in one line:

```powershell
# memberof holds group distinguished names, so GroupMembership is a list of DNs
get-aduser -filter * -Properties memberof | select name, @{ l="GroupMembership"; e={ $_.memberof -join ";" } } | export-csv membership.csv
```
-2