I’m making an effort to teach myself PowerShell when the opportunity arises. Next week I will be reorganizing several VMware View desktop pools and the Active Directory Security Groups that are tied to them. Since I’ll be moving large groups of users around, I taught myself a few PowerShell one liners that should help.
Table of Contents
- Get Members of a Group
- Add Members of Group-A to Group-B
- Get all Groups that begin with “Group-”
- Get Members of all Groups that begin with “Group-”
- Get Members of a Group recursively
- Add Members of Group-A recursively to Group-C
- Remove Members of Group-A who are in Group-B
- Get Members of Group-A whose accounts are Disabled
- Get Members of all Groups that begin with “Group-” that have Disabled accounts
- Remove Disabled Accounts from Group-A
Get Members of a Group
List all users that belong to an Active Directory group. Helpful if you want to export a list of group members.
- Get-ADGroupMember -Identity "Group-A" | Format-Table Name
Result
PS C:\> Get-ADGroupMember -Identity "Group-A" | Format-Table Name

Name
----
User1
User2
User3
User4
User5
User6

PS C:\>
Add Members of Group-A to Group-B
Copy all users that are members of one Active Directory group to another Active Directory group. Helpful if you want to copy all users of a Department group to a Shared Folder or Application group (to avoid too many levels of group-to-group nesting).
- Get-ADGroupMember -Identity "Group-A" | Format-Table Name
- Get-ADGroupMember -Identity "Group-B" | Format-Table Name
- Get-ADGroupMember "Group-A" | Get-ADUser | ForEach-Object {Add-ADGroupMember -Identity "Group-B" -Members $_}
- Get-ADGroupMember -Identity "Group-A" | Format-Table Name
- Get-ADGroupMember -Identity "Group-B" | Format-Table Name
Result
PS C:\> Get-ADGroupMember -Identity "Group-A" | Format-Table Name

Name
----
User1
User2
User3
User4
User5
User6

PS C:\> Get-ADGroupMember -Identity "Group-B" | Format-Table Name

Name
----
User4
User5
User6
User7
User8
User9

PS C:\> Get-ADGroupMember "Group-A" | Get-ADUser | ForEach-Object {Add-ADGroupMember -Identity "Group-B" -Members $_}
PS C:\> Get-ADGroupMember -Identity "Group-A" | Format-Table Name

Name
----
User1
User2
User3
User4
User5
User6

PS C:\> Get-ADGroupMember -Identity "Group-B" | Format-Table Name

Name
----
User1
User2
User3
User4
User5
User6
User7
User8
User9

PS C:\>
Get all Groups that begin with “Group-”
List all Active Directory groups that begin with a prefix or similar naming convention. You could easily do the same for a suffix (name=*-Security) or even similarities in the middle of a name (name=*Department*). Helpful if similarly named groups are distributed among many organizational units.
- Get-ADGroup -LDAPFilter "(name=Group-*)" | Format-Table
Result
PS C:\> Get-ADGroup -LDAPFilter "(name=Group-*)" | Format-Table

DistinguishedName GroupCategory GroupScope Name    ObjectClass ObjectGUID SamAccountName SID
----------------- ------------- ---------- ----    ----------- ---------- -------------- ---
CN=Gro...         Security      Global     Group-A group       96a77c...  Group-A        S-1-5-...
CN=Gro...         Security      Global     Group-B group       a7ceb5...  Group-B        S-1-5-...
CN=Gro...         Security      Global     Group-C group       06dc9d...  Group-C        S-1-5-...

PS C:\>
Get Members of all Groups that begin with “Group-”
List all Active Directory users that are members of all groups that begin with a similar prefix or naming convention. Helpful way to create an aggregate list of users from similarly named groups.
- Get-ADGroupMember -Identity "Group-A" | Format-Table Name
- Get-ADGroupMember -Identity "Group-B" | Format-Table Name
- Get-ADGroup -LDAPFilter "(name=Group-*)" | Get-ADGroupMember | Format-Table Name
Result
PS C:\> Get-ADGroupMember -Identity "Group-A" | Format-Table Name

Name
----
User1
User2
User3
User4
User5
User6

PS C:\> Get-ADGroupMember -Identity "Group-B" | Format-Table Name

Name
----
User4
User5
User6
User7
User8
User9

PS C:\> Get-ADGroup -LDAPFilter "(name=Group-*)" | Get-ADGroupMember | Format-Table Name

Name
----
User1
User2
User3
User4
User5
User6
User4
User5
User6
User7
User8
User9

PS C:\>
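The aggregate listing above prints User4, User5 and User6 twice because they sit in both groups. The following function is an added example, not code from the original post: it collapses the duplicates and records which groups each user came from, which is usually what an access review wants. It assumes the ActiveDirectory module is loaded; the function name is my own.

```powershell
# Added example (not from the original post): aggregate the members of every group
# whose name matches a prefix, one row per user, with the groups each user came from.
# Assumes the ActiveDirectory module (Get-ADGroup, Get-ADGroupMember) is available.
function Get-PrefixGroupMembership {
    param(
        [Parameter(Mandatory)][string]$Prefix,   # e.g. 'Group-'
        [switch]$Recursive                       # expand nested groups, like -Recursive does
    )
    # Hashtable keyed on SamAccountName so each user appears only once.
    $seen = @{}
    Get-ADGroup -LDAPFilter "(name=$Prefix*)" | ForEach-Object {
        $group = $_.Name   # captured before the inner pipeline reassigns $_
        Get-ADGroupMember -Identity $_.DistinguishedName -Recursive:$Recursive |
            Where-Object { $_.objectClass -eq 'user' } |   # skip nested groups and computers
            ForEach-Object {
                if (-not $seen.ContainsKey($_.SamAccountName)) {
                    $seen[$_.SamAccountName] = [System.Collections.Generic.List[string]]::new()
                }
                $seen[$_.SamAccountName].Add($group)
            }
    }
    # Emit one object per user; Groups is a single ';'-joined column so it exports to CSV cleanly.
    foreach ($sam in ($seen.Keys | Sort-Object)) {
        [pscustomobject]@{
            SamAccountName = $sam
            GroupCount     = $seen[$sam].Count
            Groups         = ($seen[$sam] -join ';')
        }
    }
}

# Usage:
# Get-PrefixGroupMembership -Prefix 'Group-' | Format-Table -AutoSize
# Get-PrefixGroupMembership -Prefix 'Group-' -Recursive | Export-Csv .\group-membership.csv -NoTypeInformation
```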
Get Members of a Group recursively
List all users that are members of a group or are nested members of any other child group. Helpful in finding all inheritable membership of a group by retrieving users who are members of child, grandchild, and so forth sub-groups.
- Get-ADGroupMember -Identity "Group-A" | Format-Table Name
- Get-ADGroupMember -Identity "Group-B" | Format-Table Name
- Get-ADGroupMember -Identity "Group-C" | Format-Table Name
- Get-ADGroupMember -Identity "Group-A" -Recursive | Format-Table Name
Result
PS C:\> Get-ADGroupMember -Identity "Group-A" | Format-Table Name

Name
----
User1
User2
User3
Group-B

PS C:\> Get-ADGroupMember -Identity "Group-B" | Format-Table Name

Name
----
User4
User5
User6
Group-C

PS C:\> Get-ADGroupMember -Identity "Group-C" | Format-Table Name

Name
----
User7
User8
User9

PS C:\> Get-ADGroupMember -Identity "Group-A" -Recursive | Format-Table Name

Name
----
User1
User2
User3
User4
User5
User6
User7
User8
User9

PS C:\>
Add Members of Group-A recursively to Group-C
Recursively copy all users and nested/child users of one group to another group. Helpful in flattening out and simplifying group memberships.
- Get-ADGroupMember -Identity "Group-A" | Format-Table Name
- Get-ADGroupMember -Identity "Group-B" | Format-Table Name
- Get-ADGroupMember -Identity "Group-C" | Format-Table Name
- Get-ADGroupMember -Identity "Group-A" -Recursive | Get-ADUser | ForEach-Object {Add-ADGroupMember -Identity "Group-C" -Members $_}
- Get-ADGroupMember -Identity "Group-C" | Format-Table Name
Result
PS C:\> Get-ADGroupMember -Identity "Group-A" | Format-Table Name

Name
----
User1
User2
User3
Group-B

PS C:\> Get-ADGroupMember -Identity "Group-B" | Format-Table Name

Name
----
User4
User5
User6

PS C:\> Get-ADGroupMember -Identity "Group-C" | Format-Table Name

Name
----
User7
User8
User9

PS C:\> Get-ADGroupMember -Identity "Group-A" -Recursive | Get-ADUser | ForEach-Object {Add-ADGroupMember -Identity "Group-C" -Members $_}
PS C:\> Get-ADGroupMember -Identity "Group-C" | Format-Table Name

Name
----
User1
User2
User3
User4
User5
User6
User7
User8
User9

PS C:\>
Remove Members of Group-A who are in Group-B
Remove users of one group who also belong to another group. Helpful if you want to ensure users uniquely belong to only one type of security group.
- Get-ADGroupMember -Identity "Group-A" | Format-Table Name
- Get-ADGroupMember -Identity "Group-B" | Format-Table Name
- Get-ADGroupMember -Identity "Group-B" | Get-ADUser | ForEach-Object {Remove-ADGroupMember -Identity "Group-A" -Members $_ -Confirm:$False}
- Get-ADGroupMember -Identity "Group-A" | Format-Table Name
- Get-ADGroupMember -Identity "Group-B" | Format-Table Name
Result
PS C:\> Get-ADGroupMember -Identity "Group-A" | Format-Table Name

Name
----
User1
User2
User3
User4
User5
User6

PS C:\> Get-ADGroupMember -Identity "Group-B" | Format-Table Name

Name
----
User4
User5
User6
User7
User8
User9

PS C:\> Get-ADGroupMember -Identity "Group-B" | Get-ADUser | ForEach-Object {Remove-ADGroupMember -Identity "Group-A" -Members $_ -Confirm:$False}
PS C:\> Get-ADGroupMember -Identity "Group-A" | Format-Table Name

Name
----
User1
User2
User3

PS C:\> Get-ADGroupMember -Identity "Group-B" | Format-Table Name

Name
----
User4
User5
User6
User7
User8
User9

PS C:\>
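The one-liner above attempts a removal for every member of Group-B, including User7 to User9 who were never in Group-A. As an added example (not from the original post), the function below intersects the two member lists first and only issues removals for the overlap, and it supports -WhatIf so the change can be previewed before -Confirm:$False is used. It assumes the ActiveDirectory module; the function name is my own.

```powershell
# Added example (not from the original post): remove from one group only those members
# who are also in a second group, computing the intersection before touching anything.
# Assumes the ActiveDirectory module is available.
function Remove-OverlappingMembers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$FromGroup,    # group to remove from, e.g. 'Group-A'
        [Parameter(Mandatory)][string]$OverlapWith   # group whose members are removed, e.g. 'Group-B'
    )
    $a = @(Get-ADGroupMember -Identity $FromGroup)
    $b = @(Get-ADGroupMember -Identity $OverlapWith)
    if ($a.Count -eq 0 -or $b.Count -eq 0) { return }   # Compare-Object rejects an empty side

    # -IncludeEqual -ExcludeDifferent keeps only principals present in both groups.
    $both = Compare-Object -ReferenceObject $a -DifferenceObject $b `
        -Property SamAccountName -IncludeEqual -ExcludeDifferent -PassThru

    foreach ($member in $both) {
        # ShouldProcess honours -WhatIf / -Confirm on this function.
        if ($PSCmdlet.ShouldProcess($member.SamAccountName, "Remove from $FromGroup")) {
            Remove-ADGroupMember -Identity $FromGroup -Members $member -Confirm:$false
        }
        # Emit what was (or would be) removed so the run can be logged.
        $member | Select-Object SamAccountName, objectClass
    }
}

# Preview first, then apply:
# Remove-OverlappingMembers -FromGroup 'Group-A' -OverlapWith 'Group-B' -WhatIf
# Remove-OverlappingMembers -FromGroup 'Group-A' -OverlapWith 'Group-B' | Export-Csv .\removed.csv -NoTypeInformation
```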
Get Members of Group-A whose accounts are Disabled
List all user accounts from a group that are disabled. Helpful at finding accounts that you might want to remove.
- Get-ADGroupMember -Identity "Group-A" | Get-ADUser | Format-Table Enabled,SamAccountName
- Get-ADGroupMember -Identity "Group-A" | Get-ADUser | Where-Object {$_.Enabled -eq $False} | Format-Table Enabled,SamAccountName
Result
PS C:\> Get-ADGroupMember -Identity "Group-A" | Get-ADUser | Format-Table Enabled,SamAccountName

Enabled SamAccountName
------- --------------
   True User1
  False User2
   True User3
  False User4
   True User5
  False User6

PS C:\> Get-ADGroupMember -Identity "Group-A" | Get-ADUser | Where-Object {$_.Enabled -eq $False} | Format-Table Enabled,SamAccountName

Enabled SamAccountName
------- --------------
  False User2
  False User4
  False User6

PS C:\>
Get Members of all Groups that begin with “Group-” that have Disabled accounts
List all disabled user accounts from all groups with a specific prefix. Helpful at finding accounts that you might want to remove.
- Get-ADGroupMember -Identity "Group-A" | Get-ADUser | Format-Table Enabled,SamAccountName
- Get-ADGroupMember -Identity "Group-B" | Get-ADUser | Format-Table Enabled,SamAccountName
- Get-ADGroup -LDAPFilter "(name=Group-*)" | Get-ADGroupMember | Get-ADUser | Where-Object {$_.Enabled -eq $False} | Format-Table Enabled,SamAccountName
Result
PS C:\> Get-ADGroupMember -Identity "Group-A" | Get-ADUser | Format-Table Enabled,SamAccountName

Enabled SamAccountName
------- --------------
   True User1
  False User2
   True User3
  False User4
   True User5
  False User6

PS C:\> Get-ADGroupMember -Identity "Group-B" | Get-ADUser | Format-Table Enabled,SamAccountName

Enabled SamAccountName
------- --------------
  False User4
   True User5
  False User6
   True User7
  False User8
   True User9

PS C:\> Get-ADGroup -LDAPFilter "(name=Group-*)" | Get-ADGroupMember | Get-ADUser | Where-Object {$_.Enabled -eq $False} | Format-Table Enabled,SamAccountName

Enabled SamAccountName
------- --------------
  False User2
  False User4
  False User6
  False User4
  False User6
  False User8

PS C:\>
Remove Disabled Accounts from Group-A
Remove all user accounts from a group that are disabled. Helpful at cleaning up group memberships.
- Get-ADGroupMember -Identity "Group-A" | Get-ADUser | Format-Table Enabled,SamAccountName
- Get-ADGroupMember -Identity "Group-A" | Get-ADUser | Where-Object {$_.Enabled -eq $False} | ForEach-Object {Remove-ADGroupMember -Identity "Group-A" -Members $_ -Confirm:$False}
- Get-ADGroupMember -Identity "Group-A" | Get-ADUser | Format-Table Enabled,SamAccountName
Result
PS C:\> Get-ADGroupMember -Identity "Group-A" | Get-ADUser | Format-Table Enabled,SamAccountName

Enabled SamAccountName
------- --------------
   True User1
  False User2
   True User3
  False User4
   True User5
  False User6

PS C:\> Get-ADGroupMember -Identity "Group-A" | Get-ADUser | Where-Object {$_.Enabled -eq $False} | ForEach-Object {Remove-ADGroupMember -Identity "Group-A" -Members $_ -Confirm:$False}
PS C:\> Get-ADGroupMember -Identity "Group-A" | Get-ADUser | Format-Table Enabled,SamAccountName

Enabled SamAccountName
------- --------------
   True User1
   True User3
   True User5

PS C:\>
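Two things bite when the disabled-account clean-up above is run across every Group-* group rather than one: a nested group member (as in the recursive section) is not a user and makes Get-ADUser error, and -Confirm:$False removes the audit pause with no record of what went. The function below is an added example, not code from the original post; it filters to user objects, runs as a dry run under -WhatIf, and emits one record per removal for logging. It assumes the ActiveDirectory module; the function name is my own.

```powershell
# Added example (not from the original post): remove disabled user accounts from every
# group matching a name prefix, with -WhatIf support and a per-removal record.
# Assumes the ActiveDirectory module is available.
function Remove-DisabledGroupMembers {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Prefix,   # e.g. 'Group-'
        [string]$LogPath                         # optional CSV of what was (or would be) removed
    )
    $removed = foreach ($group in Get-ADGroup -LDAPFilter "(name=$Prefix*)") {
        Get-ADGroupMember -Identity $group.DistinguishedName |
            Where-Object { $_.objectClass -eq 'user' } |   # nested groups/computers would break Get-ADUser
            Get-ADUser -Properties Enabled, LastLogonDate |
            Where-Object { -not $_.Enabled } |
            ForEach-Object {
                # ShouldProcess honours -WhatIf and -Confirm on this function; the inner
                # -Confirm:$false only stops Remove-ADGroupMember prompting a second time.
                if ($PSCmdlet.ShouldProcess("$($_.SamAccountName) in $($group.Name)", 'Remove from group')) {
                    Remove-ADGroupMember -Identity $group.DistinguishedName -Members $_ -Confirm:$false
                }
                [pscustomobject]@{
                    Group          = $group.Name
                    SamAccountName = $_.SamAccountName
                    LastLogonDate  = $_.LastLogonDate   # useful context when reviewing the log later
                    When           = Get-Date
                }
            }
    }
    if ($LogPath) { $removed | Export-Csv -Path $LogPath -NoTypeInformation }
    $removed
}

# Preview without changing anything:
# Remove-DisabledGroupMembers -Prefix 'Group-' -WhatIf
# Apply, writing a record of each removal:
# Remove-DisabledGroupMembers -Prefix 'Group-' -LogPath .\removed-disabled.csv -Confirm:$false
```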
Hello Jason,
Excellent post and very helpful.
I was wondering how I would be able to export all the users that belong to all groups that begin with GRP, in to a csv file. I would like them to be in separate columns or in separate csv files if possible.
Can you help with this?
Get-ADGroup -LDAPFilter "(name=grp-*)" | Get-ADGroupMember | Format-Table Name
Maz
@Mazhar –
I’d suggest something along the lines of :
$groups = Get-ADGroup -LDAPFilter "(name=grp-*)" $groups | ForEach-Object {$csvname = "membersof_" + $_.name + ".csv"; Get-ADGroupMember $_.distinguishedname | Export-Csv $csvname}
In my above post, by the way, there is supposed to be a line break before the second "$groups". The edit box decided to merge those two lines… :/
So:
$groups = Get-ADGroup -LDAPFilter "(name=grp-*)"
$groups | ForEach-Object {$csvname = "membersof_" + $_.name + ".csv"; Get-ADGroupMember $_.distinguishedname | Export-Csv $csvname}
Hi Jason
Hope you can help. I would like a script that removes users from another Trusted domain. So I need to query our Current Domain for all groups and then remove users that belong to our other domain. This is so I can tidy up the groups. Users were added during the migration but not tidied up afterwards. So remove all users from all groups that belong to a specific domain.
Thanks
Zaheer. I have just a single domain, so I have yet to research or attempt a cross-domain script.