Powershell Active Directory: Show treeview of nested Group members downstream hierarchy

January 3, 2018 01:29PM

This script is second part of my earlier article Powershell Active Directory: Show treeview of User or Group memberof hierarchy, earlier was showing upstream tree view of nested MemberOf groups. After writing the first script I got another requirement to show treeview in reverse order, Group members hierarchy in downstream order from Members tab. To write this script I have made very few changes to my earlier script.

To use it use cmdlet .\Show-ADGroupTreeViewMembers -GroupName Administrators. This only accept GroupName parameter, It shows only groups in tree, It will not show Users as there could be hundred to thousand user account in the branches as it will make little hard if you want to troubleshoot nested group permissions.

This script can be downloaded from GitHub as well as from here.

#
function Show-ADGroupTreeViewMembers {
#requires -version 4
<#
.SYNOPSIS
    Show DownStream tree view hierarchy of members groups recursively of a Active Directory Group.
.DESCRIPTION
    The Show-ADGroupTreeViewMembers list all nested group list of a AD user. It requires only valid parameter AD username, 
.PARAMETER GroupName
    Prompts you valid active directory Group name. You can use first character as an alias, If information is not provided it provides 'Domain Admins' group information.
.INPUTS
    Microsoft.ActiveDirectory.Management.ADGroup
.OUTPUTS
    Microsoft.ActiveDirectory.Management.ADGroup
    Microsoft.ActiveDirectory.Management.ADuser
.NOTES
    Version:        2.0
    Author:         Janvi Udapi
    Creation Date:  10 September 2017
    Purpose/Change: Get the nested downstream group info of member
    Useful URLs: http://vcloud-lab.com
.EXAMPLE
    PS C:\>.\Show-ADGroupTreeViewMembers -GroupName 'Administrators'

    This list all the upstream memberof group of a Group.
#>

[CmdletBinding(SupportsShouldProcess=$True,
    ConfirmImpact='Medium',
    HelpURI='http://vcloud-lab.com')]
Param
(
    [parameter(Position=0, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true, HelpMessage='Type valid AD Group')]
    [alias('Group')]
    [String]$GroupName = 'Domain Admins',
    [parameter(DontShow=$True)]
    [alias('U')]
    $UpperValue = [System.Int32]::MaxValue,
    [parameter(DontShow=$True)]
    [alias('L')]
    $LowerValue = 2
)
    begin {
        if (!(Get-Module Activedirectory)) {
            try {
                Import-Module ActiveDirectory -ErrorAction Stop 
            }
            catch {
                Write-Host -Object "ActiveDirectory Module didn't find, Please install it and try again" -BackgroundColor DarkRed
                Break
            }
        }
        try {
            $Group =  Get-ADGroup $GroupName -Properties members -ErrorAction Stop 
            $Members = $Group | Select-Object -ExpandProperty members 
            $rootname = $Group.Name
        }
        catch {
            Write-Host -Object "`'$GroupName`' groupname doesn't exist in Active Directory, Please try again." -BackgroundColor DarkRed
            $result = 'Break'
            Break
        }
    }
    Process {
        $Minus = $LowerValue - 2
        $Spaces = " " * $Minus
        $Lines = "__"
        "{0}{1}{2}{3}" -f $Spaces, '|', $Lines, $rootname        
        $LowerValue++
        $LowerValue++
        if ($LowerValue -le $UpperValue) {
            foreach ($member in $Members) {
                try {
                    $UpperGroup = Get-ADGroup $member -Properties Members, Memberof -ErrorAction Stop
                }
                catch {
                    Continue
                }
                #$LowerGroup = $UpperGroup |
                $LowerGroup = $UpperGroup | Get-ADGroupMember
                $LoopCheck = $UpperGroup.memberof | ForEach-Object {$_ -contains $lowerGroup.distinguishedName}
                if ($LoopCheck -Contains $True) {
                    $rootname = $UpperGroup.Name
                    Write-Host "Loop found on $($UpperGroup.Name), Skipping..." -BackgroundColor DarkRed
                    Continue
                }
                #"xxx $($LowerGroup.name)"
                #$Member
                #"--- $($UpperGroup.Name) `n"
                Show-ADGroupTreeViewMembers -GroupName $member -LowerValue $LowerValue -UpperValue $UpperValue
            } #foreach ($member in $MemberOf) {
        }
    } #Process
}

  Show-ADGroupTreeViewMembers -GroupName Administrators

Useful Articles
Powershell one liner: Create multiple user accounts
Active Directory Powershell: Create bulk users from CSV file
Active Directory Powershell: Aduser A value for the attribute was not in the acceptable range of values
Powershell Active Directory: ADGroup Managedby - Checkbox Manager can update membership list

Go Back

5 comments

Posted in Active Directory

Comment

Blog Search

Page Views

12599486

Comments

Azrael

Microsoft Powershell: Download a whole folder of files/subfolders from the web directory

January 28, 2025 01:28AM
raghavendra

Active Directory Powershell: Aduser A value for the attribute was not in the acceptable range of values

January 16, 2025 02:13PM
jose antonio

Install and configure certificate authority (CA) on Microsoft Windows server with Group Policy

January 11, 2025 09:53PM
Dan

VMware vCenter server vcsa Setting IP IPv6 configuration failed, IP configuration not allowed

December 22, 2024 10:49PM
ChriS

Part 3: Using HashiCorp Packer to build a Windows Server VM template for VMware vSphere

December 1, 2024 05:27PM

Virtual Geek

Tales from real IT system administrators world and non-production environment