PowerShell - Extract All User Active Directory Memberof with Primary Group

Sergio Siqueira 41 Reputation points
2022-07-04T18:49:00.807+00:00

Hi Guys
I need to extract all AD users and all their groups from the memberof, including the primary group. The "Memberof" attribute does not get the primary group, so I developed the script below to get the primary group as well.
The script works well in environments with few users; however, in environments with many users the script crashes and does not complete the extraction.
Does anyone know how I should adjust the script so that I can extract the information this way?

Thank you in advance

    Function CriarObjeto($users) {
        # Build one record per user; the 'valor fixoN' keys are fixed separator/constant columns
        $properties = [ordered] @{
            'valor fixo1'      = "USR"
            'valor fixo2'      = ":"
            'ENVIRONMENT NAME' = $textBoxEnvironmentName.text
            'valor fixo3'      = ":"
            'DEVICE'           = $textBoxDeviceDomain.text
            'valor fixo4'      = ":"
            'LOGIN'            = $users.SamAccountName
            'valor fixo5'      = ":"
            'valor fixo6'      = "0"
            'valor fixo7'      = ":"
            'valor fixo8'      = "0"
            'valor fixo9'      = ":"
            'FULL NAME'        = $users.Name
            'valor fixo10'     = ":"
            'LABEL'            = $users.Description
            'valor fixo11'     = ":"
            'valor fixo12'     = "0"
            'valor fixo13'     = ":"
            'LAST LOGON'       = [dateTime]::FromFileTime($users.LastLogonTimestamp).ToString("MM/dd/yyyy")
            'valor fixo14'     = ":"
            # Group DNs reduced to their CN values, joined with commas
            'PRIVILEGE'        = (((($(Get-ADPrincipalGroupMembership $users.SamAccountName).distinguishedName) -replace "\,.*") -replace "CN=","" ) -join ",")
            'valor fixo15'     = ":"
            'ACCOUNT STATUS'   = if (($users.Enabled -eq $true)) {'1'} Else {'2'}
            'valor fixo16'     = ":"
        }
        $object = New-Object -TypeName psobject -Property $properties
        return $object
    }

    # Requires the ActiveDirectory module (RSAT); $CsvReportFile and the $textBox* controls are set elsewhere (not shown)
    Import-Module ActiveDirectory
    $users = Get-ADUser -LDAPFilter "(objectclass=user)" -Properties *
    $results = @()
    foreach ($user in $users) {
        $results += CriarObjeto($user)
    }

    $results | Export-Csv -Path $CsvReportFile -NoTypeInformation -Encoding Utf8


2 answers

  1. Rich Matheisen 45,906 Reputation points
    2022-07-04T21:51:10.177+00:00

    Try replacing lines 38-47 in your script with this:

    # Filter syntax corrected: the "&" belongs inside the outer parentheses
    Get-ADUser -LDAPFilter "(&(objectClass=user)(objectCategory=person))" -Properties * |
        ForEach-Object {
            CriarObjeto($_)
        } | Export-Csv -Path $CsvReportFile -NoTypeInformation -Encoding Utf8
    

    The unqualified "user" objectClass also includes computer objects. There's no need to include those in your data (5392.active-directory-ldap-syntax-filters.aspx).

    The use of streaming and pipelines reduces the need for gobs of memory to store information (e.g., user objects, and the psobjects from the CriarObjeto function) when you need them only once.


  2. Rich Matheisen 45,906 Reputation points
    2022-07-05T02:38:57.273+00:00

    Try this code. It doesn't use a function and it doesn't keep recreating the hash for each user:

    # create the hash and fill in all the constants.
    $properties = [ordered] @{
        'valor fixo1' = "USR"
        'valor fixo2' = ":"
        'ENVIRONMENT NAME' = $textBoxEnvironmentName.text
        'valor fixo3' = ":"
        'DEVICE' = $textBoxDeviceDomain.text
        'valor fixo4' = ":"
        'LOGIN'= ""
        'valor fixo5' = ":"
        'valor fixo6' = "0"
        'valor fixo7' = ":"
        'valor fixo8' = "0"
        'valor fixo9' = ":"
        'FULL NAME'= ""
        'valor fixo10' = ":"
        'LABEL' = ""
        'valor fixo11' = ":"
        'valor fixo12' = "0"
        'valor fixo13' = ":"
        'LAST LOGON' = ""
        'valor fixo14' = ":"
        'PRIVILEGE'= ""
        'PRIMARY GROUP RID' = ""
        'valor fixo15' = ":"
        'ACCOUNT STATUS' = ""
        'valor fixo16' = ":"
    }

    # Filter syntax corrected: the "&" belongs inside the outer parentheses
    Get-ADUser -LDAPFilter "(&(objectClass=user)(objectCategory=person))" -Properties * |
        ForEach-Object {
            $properties.LOGIN = $_.SamAccountName
            $properties."FULL NAME" = $_.Name
            $properties.LABEL = $_.Description
            $properties."LAST LOGON" = [dateTime]::FromFileTime($_.LastLogonTimestamp).ToString("MM/dd/yyyy")
            $properties.PRIVILEGE = (Get-ADPrincipalGroupMembership $_.SamAccountName).Name -join ";"   # This gets just the data from the memberof property, but NOT the primary group id
            $properties."ACCOUNT STATUS" = if (($_.Enabled -eq $true)) {'1'} Else {'2'}
            $properties."PRIMARY GROUP RID" = $_.PrimaryGroupID     # RID is just a number. You need to add the DOMAIN ID to get the complete SID
            [PSCustomObject]$properties   # the cast copies the hash into a new object each iteration
        } | Export-Csv -Path $CsvReportFile -NoTypeInformation -Encoding Utf8
    

    Note that your code doesn't get the user's primary group id. The primary group is just the RID of the group. To retrieve the group you'd have to add the domain ID of the user to form a SID, and then get the group (unless the RID is a "well-known" RID, like 513 for Domain Users).

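An added example, not code from the question or from either answer, that puts both answers' points together: users are streamed through the pipeline instead of being collected in an array, and the primary group is resolved by appending primaryGroupID to the domain SID so it appears next to the memberOf groups. It assumes the ActiveDirectory module is available and that $CsvReportFile is already set, as in the original script; Resolve-PrimaryGroup is a helper name chosen here.

```powershell
# Added example, not from the question or the answers. Streams each user through
# the pipeline (no $results array) and resolves the primary group from
# primaryGroupID, which memberOf never lists. Assumes the ActiveDirectory module
# and that $CsvReportFile is already set, as in the original script.
Import-Module ActiveDirectory

# The primary group's SID is <domain SID>-<primaryGroupID>; fetch the domain SID once.
$domainSid  = (Get-ADDomain).DomainSID.Value
$groupCache = @{}   # RID -> group name, so each distinct primary group is queried once

function Resolve-PrimaryGroup {   # helper name chosen for this example
    param([int]$Rid)
    if (-not $groupCache.ContainsKey($Rid)) {
        try   { $groupCache[$Rid] = (Get-ADGroup -Identity "$domainSid-$Rid").Name }
        catch { $groupCache[$Rid] = "UNRESOLVED-RID-$Rid" }   # e.g. group no longer exists
    }
    return $groupCache[$Rid]
}

# objectCategory=person excludes computer objects; request only the attributes used
Get-ADUser -LDAPFilter '(&(objectClass=user)(objectCategory=person))' `
    -Properties Description, LastLogonTimestamp, MemberOf, PrimaryGroupID |
    ForEach-Object {
        $user = $_
        # memberOf holds DNs; take the CN value up to the first unescaped comma
        # and unescape "\," so group names that contain commas survive the split.
        $groups = @($user.MemberOf | ForEach-Object {
            ($_ -replace '^CN=((?:[^,\\]|\\.)*),.*$', '$1') -replace '\\,', ','
        })
        $primary = Resolve-PrimaryGroup -Rid $user.PrimaryGroupID
        $groups += $primary
        $lastLogon = if ($user.LastLogonTimestamp) {
            [DateTime]::FromFileTime($user.LastLogonTimestamp).ToString('MM/dd/yyyy')
        } else { 'never' }   # attribute is absent for accounts that have never logged on
        [PSCustomObject]@{
            LOGIN            = $user.SamAccountName
            'FULL NAME'      = $user.Name
            LABEL            = $user.Description
            'LAST LOGON'     = $lastLogon
            'PRIMARY GROUP'  = $primary
            GROUPS           = ($groups | Sort-Object -Unique) -join ';'
            'ACCOUNT STATUS' = if ($user.Enabled) { '1' } else { '2' }
        }
    } | Export-Csv -Path $CsvReportFile -NoTypeInformation -Encoding UTF8
```

Because only the listed attributes are requested and each primary group RID is resolved once, memory use stays flat regardless of how many users the domain holds.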