question

GlennMaxwell-2309 avatar image
0 Votes"
GlennMaxwell-2309 asked RichMatheisen-8856 commented

Get-ADGroupMember -Identity syntax

Hi All

I have an AD group, it has many subgroups and users, for example
Group1 is my AD group. it has many groups and users added to it, i want to export users and groups residing in it to csv file.
Lets say Group1 has below groups and users and i want the output as in the below format.

Group2
user1
user2
group4

will the below syntax work for me.

 Get-ADGroupMember -Identity "group1" -Recursive | Get-ADUser -Properties Name,Description,UserprincipalName,SamAccountName,office,Department | Select Name,Description,UserprincipalName,SamAccountName,office,Department | Export-CSV -Path C:\temp\output.csv -NoTypeInformation


windows-server-powershellwindows-active-directorywindows-server-2019windows-server-2016
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

RichMatheisen-8856 avatar image
0 Votes"
RichMatheisen-8856 answered

It looks okay to me. Why not run it and see?

I'm not a big fan of "one-liners", though. I'd have probably written it like this:

 $props = "Name,Description,UserprincipalName,SamAccountName,office,Department" -split ','
    
 Get-ADGroupMember -Identity "group1" -Recursive | 
     Get-ADUser -Properties $props | 
         Select-Object $props | 
             Export-CSV -Path C:\temp\output.csv -NoTypeInformation
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

GlennMaxwell-2309 avatar image
0 Votes"
GlennMaxwell-2309 answered RichMatheisen-8856 commented

Rich, your syntax works perfectly but my requirement is not to fetch all users from subgroups.
Lets say Group1 has two subgroups and users

Group2
user2
group3
user3

The output i am getting is the list of all users of group2 and group3. i dont to fetch users from group2 and group3. i want to just now how many subgroups and users are in group1.

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

If that wasn't your intention why did you use the "-Recursive" switch in your code???

If you're only interested in the direct membership of Group1 then just remove the "-Recursive" switch.

Are you at all interested in discovering if (using your examples) if Group2 or Group3 have additional groups in their membership? Or if those tertiary groups have, themselves, groups as their members (and so on, and on, and on . . . )? If not, then removal of the -Recursive switch is all that's needed.

0 Votes 0 ·
GlennMaxwell-2309 avatar image
0 Votes"
GlennMaxwell-2309 answered RichMatheisen-8856 commented

if i remove recursive switch i am getting below error

Get-ADUser : Cannot find an object with identity: 'CN=Group1,OU=MYOU,DC=mydomain,DC=com' under: 'DC=mydomain,DC=com'.
At line:4 char:2
+ Get-ADUser -Properties $props |
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (CN=Group1...-now,DC=com:ADUser) [Get-ADUser], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADUser

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

That makes sense. Think about the code you wrote (which I just reorganized). The "syntax" was okay, but the semantics aren't. :-)

"Group1" isn't a "User" object, it's a "Group" object.

Using the "-Recursive" switch does alter the data that's returned, but that's mentioned in the description of the cmdlet (note that it doesn't mention the group names being returned):

If the Recursive parameter is specified, the cmdlet gets all members in the hierarchy of the group that do not contain child objects. For example, if the group SaraDavisReports contains the user KarenToh and the group JohnSmithReports, and JohnSmithReports contains the user JoshPollock, then the cmdlet returns KarenToh and JoshPollock.


0 Votes 0 ·
RichMatheisen-8856 avatar image
0 Votes"
RichMatheisen-8856 answered

See if this works better for you (I haven't tested it, though):

 $props = "Name,Description,UserprincipalName,SamAccountName,office,Department,ObjectCategory" -split ','
        
 (Get-ADGroup -Identity "group1").Members | 
     Get-ADObject -Properties $props | 
         Select-Object $props | 
             Export-CSV -Path C:\temp\output.csv -NoTypeInformation
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

GlennMaxwell-2309 avatar image
0 Votes"
GlennMaxwell-2309 answered RichMatheisen-8856 commented

this doesnot give any output

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Looks like the pipelining needs to supply a matching parameter name ("Identity" in this case).

 $props = "Name,Description,UserprincipalName,SamAccountName,office,Department,ObjectCategory" -split ','
        
 (Get-ADGroup -Identity "group1").Members | 
     Select-Object @{n=Identity;v={$_}} |
         Get-ADObject -Properties $props | 
             Select-Object $props | 
                 Export-CSV -Path C:\temp\output.csv -NoTypeInformation

If that doesn't work out, try this:

 $props = "Name,Description,UserprincipalName,SamAccountName,office,Department,ObjectCategory" -split ','
        
 (Get-ADGroup -Identity "group1").Members | 
     ForEach-Object{
         Get-ADObject -Identity $_ -Properties $props | 
             Select-Object $props
     } | Export-CSV -Path C:\temp\output.csv -NoTypeInformation
0 Votes 0 ·