My boss wants me to list all users in all groups in AD.
How would I do this? I'm assuming a VB script? Which I have never used before
help?
HP, where's your powershell script?
Just wait, you'll see.
What's a PowerShell?
(contributes to the devaluation of the royal™)
Me thinks dynamik was referring to yours truly.
Go get the quest AD cmdlets and powershell:
www.microsoft.com/powershell
http://www.quest.com/activeroles-server/arms.aspx
Ensure you launch the Quest Powershell tool, not a normal Powershell session (under start - programs - Quest).
You're wanting to enumerate every group?!
$groups = get-qadgroup * -sizelimit 0
$groups | foreach-object {get-qadgroupmember $_}
Try that, but we're gonna have to play around with it to get it in the format you want. Post back with a sample and description of the output you receive.
Surely he's not looking to see every freaking group membership. Are there certain groups he wants to see perhaps?
This would do what you want (separate list for each group), but you would need to do it manually for each group.
That could possibly be scripted... if I get a sec I'll see if I can write one out.
Code:
dsquery group -name Administrators | dsget group -members >c:\administrators.txt
get-qaduser * -sizelimit 0 | select name,memberof | export-csv report.csv
If you want additional information in the report, use:
get-qaduser * -includeallproperties | get-member
Take a look at all the properties available, and add them into the select list above. For example, if you also wanted to include "city" in the report...
get-qaduser * -sizelimit 0 | select name,memberof,city | export-csv report.csv
Hope this helps!
Come on HP, dynamik said he wanted some scripts, not some cmdlets! Let's see you bust out some scripting!
I'm at work. I'll make a simple script tonight if you're that needy for it. LOL...
Fade, do you still need something? I can script you out something if you need in PowerShell that'll go out and parse all groups and dump their users into a CSV for each group and without needing the Quest Snapin. Let me know and I'll write it up quick for you.
Well, here's what's done so far if you want to check it out. All it'll do is dump the data to the Powershell window in a very unorganized manner, but the below will get every group in AD and dump the membership out.
Still need to finish the outputting. Do you want it in an excel? It'd be much easier for me to create a new folder on C:\, create a new Excel for every group, and dump the membership in there.
Let me know. I love taking requests for scripts as it actually motivates me to script and learn.
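# Suppress error output (for example, for groups that cannot be read)
$erroractionpreference = "SilentlyContinue"
function Get-GroupMembers {
    # Search the current domain for every group object
    $filter = "(objectCategory=Group)"
    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.Filter = $filter
    # Turn on paging; without it FindAll() stops at the server's result limit (1000 by default)
    $objSearcher.PageSize = 1000
    $colResults = $objSearcher.FindAll()
    $ldapGroup = @()
    $group = @()
    foreach ($group in $colResults) {
        # Each search result exposes its attributes through .properties;
        # adspath is the LDAP path used to bind to the group below
        $group = $group.properties
        $ldapGroup += $group.adspath
    }
    foreach ($aGroup in $ldapGroup) {
        # Bind to the group and write out each member's distinguished name
        $b = [ADSI]"$aGroup"
        foreach ($member in $b.member) { $member }
    }
}
Get-GroupMembers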
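One way to finish the output step as a single CSV without the Quest snap-in, as an added example that is not code from anyone in the thread. It queries users by `memberOf` instead of reading each group's `member` attribute, so large groups are not cut off by the attribute range limit. The function names and the output path are hypothetical, and PowerShell 2.0 or later is assumed.

```powershell
# Added example. Assumptions: PowerShell 2.0+, run from a domain-joined machine by a
# user who can read the directory; C:\Reports\group-members.csv is a placeholder path.

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape characters that are special inside an LDAP search filter (RFC 4515).
    # Backslash goes first so the escapes added afterwards are not escaped again.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-GroupUserReport {
    $groupSearch = New-Object System.DirectoryServices.DirectorySearcher
    $groupSearch.Filter = '(objectCategory=group)'
    $groupSearch.PageSize = 1000          # page through results instead of stopping at 1000
    [void]$groupSearch.PropertiesToLoad.Add('name')
    [void]$groupSearch.PropertiesToLoad.Add('distinguishedName')

    foreach ($g in $groupSearch.FindAll()) {
        $groupName = [string]$g.Properties['name'][0]
        $groupDn   = [string]$g.Properties['distinguishedname'][0]

        # Direct user members only. Nested groups are not expanded, and a user's
        # primary group (usually Domain Users) is not stored in memberOf.
        $userSearch = New-Object System.DirectoryServices.DirectorySearcher
        $userSearch.Filter = "(&(objectCategory=person)(objectClass=user)" +
                             "(memberOf=$(ConvertTo-LdapFilterValue $groupDn)))"
        $userSearch.PageSize = 1000
        [void]$userSearch.PropertiesToLoad.Add('sAMAccountName')

        foreach ($u in $userSearch.FindAll()) {
            # One output row per (group, user) pair
            New-Object PSObject -Property @{
                Group = $groupName
                User  = [string]$u.Properties['samaccountname'][0]
            }
        }
    }
}

Get-GroupUserReport |
    Sort-Object Group, User |
    Select-Object Group, User |
    Export-Csv 'C:\Reports\group-members.csv' -NoTypeInformation
```

Groups with no direct user members produce no rows, so an empty group simply does not appear in the CSV.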
If you use Royal's script, and you're not familiar with PowerShell, couple of things you need to know to make the magic happen...
A. Copy the text he has into a notepad file, and save it as scriptfilename.ps1
B. Start PowerShell.
C. Use the following command to allow scripts that have not been digitally signed:
set-executionpolicy unrestricted
D. Type the full pathname of the script, or if you're already in the same directory where the script file is stored, ensure you put a backslash before the filename, or use tab to autocomplete.
E. When you're finished, use the following command to only allow digitally signed scripts to run as a security precaution if you're typically not running scripts:
set-executionpolicy Restricted
The above is why I proposed installing the Quest AD CMDLets and running this:
get-qaduser * -sizelimit 0 | select name,memberof | export-csv report.csv
In this case, a one liner is easier for you if you're trying to get a solution.
Royal and I differ on how to do this, and there's nothing wrong with either way. Royal's method doesn't require you to install anything other than PowerShell, and it helps him to learn/practice different scripting techniques. I prefer to leverage CMDLets someone else already made. I just want to get the results I'm looking for the quickest, most efficient way. You will get better results using my method of leveraging prebuilt CMDLets in the short run, but you'll learn how to script better using Royal's way in the long run.
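An alternative to steps C and E above, as an added example that is not part of the original posts: setting the execution policy for the current session only, so the machine-wide setting is never loosened and nothing has to be restored afterwards. It assumes PowerShell 2.0 or later, where the `-Scope` parameter exists, and the script path is a placeholder.

```powershell
# Added example. Assumptions: PowerShell 2.0 or later (-Scope does not exist in 1.0);
# C:\Scripts\scriptfilename.ps1 is a placeholder for wherever the script was saved.
$scriptPath = 'C:\Scripts\scriptfilename.ps1'

# Show the policy at every scope. A MachinePolicy or UserPolicy entry set by
# Group Policy takes precedence over anything set below.
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy -AutoSize

$machineBefore = Get-ExecutionPolicy -Scope LocalMachine

# RemoteSigned lets a locally created, unsigned .ps1 run but still requires a
# signature on files marked as downloaded. Process scope ends with this session.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
& $scriptPath

# Confirm the persistent machine-wide setting was not touched.
$machineAfter = Get-ExecutionPolicy -Scope LocalMachine
if ($machineAfter -ne $machineBefore) {
    Write-Warning "LocalMachine policy changed from $machineBefore to $machineAfter"
}
```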
Royal how about a script migrating Exchange 03 mailbox to Exchange 07
Lots of examples of that here:
You Had Me At EHLO... : Exchange 2007 migration overview
This is really useful for me too!
Are you guys just using the MSDN .net class library to search for proper uses?
I found Royal's class here:
DirectorySearcher Class (System.DirectoryServices)
Note: They don't have powershell syntax examples yet, I hope they will soon.
I still don't understand the construction of the variable $group in the foreach loop though. $group.properties for example. How did we get there?
Maybe I need to read on and stop jumping the gun, but that's just me
So, is there a way I can make a good looking report out of this, or do I need to dump it into an excel file and go from there?
Just trying to make myself look good guys
FadeToBright,
With PowerShell you can make webpage reports with custom formatting using ConvertTo-HTML, CSV files (using export-csv) that you can open and manipulate with Excel if you have Excel skills, and you can also create Excel spreadsheets via the COM object capability from PowerShell, as Royal has done in his script.
To use my one liner or Royal's script, you do NOT have to run it from the domain controller. Use either from your workstation with PowerShell, and if using my one liner, have the Quest AD CMDlets installed as well. Of course, you could use my one liner on the server to generate the CSV file report without Excel, too. Then copy it from there to a workstation with Excel, and pretty it up there.
It's all about what you want to do, what skills you're comfortable with, etc.