
Powershell: Get all Groupnames and Memberships

In this post I will show you how to get all group names and memberships of a specific OU in Active Directory. To list every group together with its members in PowerShell, you can combine Get-QADGroup and Get-QADGroupMember from the Quest AD cmdlets.

#List groupnames with memberships from a specific OU
#https://jthys.wordpress.com

#Define OU:
$SecurityGroups = "Joris.Local/Groups/Security"

Get-QADGroup -SearchRoot $SecurityGroups -SizeLimit 0 | Foreach-Object{
       $group = $_
       Get-QADGroupmember $group -sizelimit 0 | `
       select @{n="GroupName";e={$group}},samaccountname,firstname,lastname
} | export-Csv  C:\Powershell\ADGroups\SecurityGroups.csv

First, Get-QADGroup retrieves all groups in the specified OU. The results are piped to ForEach-Object, which calls Get-QADGroupMember for each group to retrieve the users of that AD group. I shape the output with the Select-Object cmdlet, using a calculated property defined by the hashtable @{n="GroupName";e={$group}}. The hashtable has two pairs: the first has the key "Name" (abbreviated n) and specifies the name of the resulting property (GroupName); the second has the key "Expression" (abbreviated e) and specifies the value of the property, which in this case is just the group we got from Get-QADGroup. Finally, I export the result to a CSV file.
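The same report as an added example (not code from the original post), extended so that a group with no members still produces a row and the group's own mail address is carried on every row. Get-GroupMembershipRow and the sample objects are hypothetical and constructed for illustration; the cmdlets, parameters and property names in the closing comment are the ones used on this page.

```powershell
# Added example; requires PowerShell 3.0 or later for [pscustomobject].
# Get-GroupMembershipRow is a hypothetical helper, not a Quest cmdlet.
function Get-GroupMembershipRow {
    param(
        [Parameter(Mandatory = $true)] $Group,  # needs Name and PrimarySMTPAddress
        [object[]] $Members = @()               # needs samaccountname, firstname, lastname, email
    )
    $count = @($Members).Count
    if ($count -eq 0) {
        # Placeholder row: an empty group stays visible in the report
        # instead of silently dropping out of the pipeline.
        $Members = @([pscustomobject]@{
            samaccountname = $null; firstname = $null; lastname = $null; email = $null
        })
    }
    foreach ($m in $Members) {
        [pscustomobject]@{
            GroupName      = $Group.Name
            GroupEmail     = $Group.PrimarySMTPAddress
            MemberCount    = $count
            SamAccountName = $m.samaccountname
            FirstName      = $m.firstname
            LastName       = $m.lastname
            MemberEmail    = $m.email
        }
    }
}

# Constructed sample data so the function can be tried without a directory.
$sample = @(
    @{ Group   = [pscustomobject]@{ Name = 'SG-Finance'; PrimarySMTPAddress = 'sg-finance@example.test' }
       Members = @(
           [pscustomobject]@{ samaccountname = 'jdoe'; firstname = 'Jane'; lastname = 'Doe'; email = 'jdoe@example.test' },
           [pscustomobject]@{ samaccountname = 'rroe'; firstname = 'Rick'; lastname = 'Roe'; email = 'rroe@example.test' }
       ) },
    @{ Group   = [pscustomobject]@{ Name = 'SG-Legacy'; PrimarySMTPAddress = $null }
       Members = @() }   # empty group: still yields one row with MemberCount 0
)

$rows = foreach ($s in $sample) {
    Get-GroupMembershipRow -Group $s.Group -Members $s.Members
}
$rows | Format-Table -AutoSize

# Against a live directory with the Quest AD cmdlets loaded (same OU as the post):
# Get-QADGroup -SearchRoot "Joris.Local/Groups/Security" -SizeLimit 0 | ForEach-Object {
#     Get-GroupMembershipRow -Group $_ -Members @(Get-QADGroupMember $_ -SizeLimit 0)
# } | Export-Csv C:\Powershell\ADGroups\SecurityGroups.csv -NoTypeInformation
```

Rows with MemberCount 0 are the empty groups; in an access review they are the first candidates to check for staleness.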

Categories: Powershell
  1. October 29, 2012 at 3:56 pm

    I think this is something close to what I want to do. However, is there a way to include ALL security groups? Meaning, I want to get a list of all security groups and their individual members, but ultimately processed the same. Thanks!

  2. Trey
    February 11, 2013 at 8:20 pm

    Works great!
    Is there a way I can list the email address of the groups, along with group name? The list below just gives me “Group Name, member, member email”.

    #List groupnames with memberships from a specific OU

    #Define OU:
    $Group = "Company.com/Distribution_List"

    Get-QADGroup -searchroot $group -SizeLimit 0 -LdapFilter '(mail=*)' | Foreach-Object{
    $group = $_
    Get-QADGroupmember $group -sizelimit 0 | `
    select @{n="GroupName";e={$group}},displayname,email
    } | export-Csv C:\DistGroups01.csv

    • Joris
      February 11, 2013 at 8:40 pm

      Maybe with the ProxyAddress?
      select @{n="GroupName";e={$group}},displayname,ProxyAddress

      I didn’t try this yet.

  3. Trey
    February 12, 2013 at 2:01 pm

    Hi Joris, thank you so much for replying.

    Using Email, instead of ProxyAddress works for me.
    What I’m looking for is to add the email address of the group, as well as the members in the group.
    For example, currently by running the script I get:
    GroupName | Member | Member Email

    What I’m looking to achieve is:
    GroupName | GroupName Email | Member | Member Email

    • Joris
      February 12, 2013 at 2:44 pm

      I understand now what you mean.

      Try this, it works for me: GroupName | GroupName Email | Member | Member Email

      #List groupnames with memberships from a specific OU
      #Define OU:
      $Group = "Joris.Local/Groups/Security"

      Get-QADGroup -searchroot $group -SizeLimit 0 -LdapFilter '(mail=*)' | Foreach-Object{
      $group = $_
      $PrimarySMTP = $_.PrimarySMTPAddress
      Get-QADGroupmember $group -sizelimit 0 | `
      select @{n="GroupName";e={$group}},@{n="PrimarySMTPAddress";e={$PrimarySMTP}},displayname,email
      }

      • Trey
        March 11, 2013 at 4:55 pm

        Joris,
        Think you might have time to help me hash out another syntax problem?
        I’m trying to list all shared mailboxes. Along with that, I have to list users who have access to those shared mailboxes and enumerate any groups (universal or security) that also might have access to those shared mailboxes.
        I cannot, so far, find the right syntax that will enumerate these nested groups that have full mailbox rights.

        Get-QADUser -searchroot 'dc=company,dc=com' -sizelimit 0 | Get-QADPermission -ErrorAction SilentlyContinue | where { ($_.AccessRights -like "*FullAccess*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") -and -not ($_.AccountName -like "SELF") } >C:\EnumerateSharedMailbox.csv

        Please help me??

  4. Trey
    February 12, 2013 at 3:03 pm

    Exactly like that. It worked, brilliant! Truly brilliant! Thank you Joris!!!

  5. Craig
    December 13, 2013 at 12:16 am

    Would anyone know how I can list all groups even if they are empty? The script works great however if there is an empty group it does not list it.
