After a lot of testing, and after successfully streamlining most of the user and group membership reporting in my Active Directory environment with Powershell Active Directory: List complete hierarchy of upstream nested groups recursively of User, I was still facing some issues. The earlier script was not smart enough to detect a loop: if the same group appears both in a group's Members and in its MemberOf, the script keeps running indefinitely. One more thing to notice is that it shows nothing for 'Domain Users': a user's primary group is recorded in the primaryGroupID attribute rather than in memberOf, so a walk over memberOf never sees it.
Another problem was that the earlier script did not show the results correctly when an upstream group had multiple groups in its MemberOf tab, although it worked fine with a single group. I also wanted a true tree-style view of the captured data, so I have rewritten the script from scratch. To use this script, check my earlier articles on how to run a script:
Different ways to bypass Powershell execution policy :.ps1 cannot be loaded because running scripts is disabled
POWERSHELL: INSTALLING AND CONFIGURING ACTIVE DIRECTORY
As I am going to use this script frequently, I have added it to my PowerShell profile, so each time PowerShell is launched the function is loaded into memory automatically. If the profile file does not exist yet it can be created with if (!(Test-Path $PROFILE)) {New-Item -ItemType File -Path $PROFILE -Force} (the -Force switch also creates the WindowsPowerShell folder when it is missing). I saved the script below as Get-ADGroupTreeViewMemberOf.ps1 and appended its contents to the profile with cat C:\temp\Get-ADGroupTreeViewMemberOf.ps1 | Add-Content $PROFILE. Run that Add-Content only once, otherwise the profile ends up with a second copy of the function. I can verify the result by opening C:\Users\UserName\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1. Keep in mind that everything in this file runs with your privileges in every session you start, and that the profile is itself a script, so the execution policy must allow scripts to run (see the article linked above).
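An alternative way to wire the script into the profile, added here as an example and not part of the original article: instead of pasting the function body into the profile, dot-source the .ps1 file from a single line. The file path is an assumption; the block also refuses to add the line twice, reloads the profile, and lists who can write to the two files, since both run with your rights at every logon.

```powershell
# Added example (not from the original article): register the script in $PROFILE by
# dot-sourcing the file, so later edits to the .ps1 take effect in the next session.
# The script path is an assumption for this example.
$ScriptPath = 'C:\temp\Get-ADGroupTreeViewMemberOf.ps1'
$LoadLine   = ". '$ScriptPath'"

# Create the profile (and its folder) only when it does not exist yet.
if (-not (Test-Path -Path $PROFILE)) {
    New-Item -ItemType File -Path $PROFILE -Force | Out-Null
}

# Append the dot-source line only once: re-running this block must not duplicate it.
$Existing = Get-Content -Path $PROFILE -ErrorAction SilentlyContinue
if ($Existing -notcontains $LoadLine) {
    Add-Content -Path $PROFILE -Value $LoadLine
}

# Both files execute with your privileges in every interactive session, so anyone who can
# write to them can run code as you. List the identities holding write-capable rights.
foreach ($File in @($PROFILE, $ScriptPath)) {
    if (Test-Path -Path $File) {
        (Get-Acl -Path $File).Access |
            Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
            Select-Object @{ n = 'File'; e = { $File } }, IdentityReference, FileSystemRights
    }
}

# Reload the profile in the current session and confirm the function is now available.
. $PROFILE
Get-Command -Name Get-ADGroupTreeViewMemberOf -ErrorAction Stop | Select-Object Name, CommandType
```

The dot-source line only works if the execution policy allows the .ps1 to run and the file defines the function at its top level; if the ACL listing shows write access for anyone other than yourself, SYSTEM or Administrators, fix that before relying on the profile.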
Installing, importing and using any module in powershell
After launching PowerShell, simply run the function. To show the tree for a group use Get-ADGroupTreeViewMemberOf -GroupName 'Domain Admins', and for a user use Get-ADGroupTreeViewMemberOf -UserName 'Administrator'. Results are as below; a loop is shown in red and is skipped.
```powershell
#requires -version 4
function Get-ADGroupTreeViewMemberOf {
<#
.SYNOPSIS
    Show an upstream tree view of the groups an Active Directory user or group is a member of, recursively.
.DESCRIPTION
    Get-ADGroupTreeViewMemberOf lists every nested (upstream) group of an AD user or group as an
    indented tree. Circular group nesting is detected and skipped instead of recursing forever.
.PARAMETER UserName
    A valid Active Directory user name. Defaults to 'Administrator'. Alias: User.
.PARAMETER GroupName
    A valid Active Directory group name. Defaults to 'Domain Admins'. Alias: Group.
.INPUTS
    Microsoft.ActiveDirectory.Management.ADUser
.OUTPUTS
    System.String (one indented line per group)
.NOTES
    Version:        1.0
    Author:         Janvi Udapi
    Creation Date:  10 September 2017
    Purpose/Change: Get the exact nested group info of a user
    Useful URLs:    http://vcloud-lab.com
.EXAMPLE
    PS C:\> Get-ADGroupTreeViewMemberOf -UserName Administrator
    Lists all upstream memberOf groups of a user.
.EXAMPLE
    PS C:\> Get-ADGroupTreeViewMemberOf -GroupName 'Domain Admins'
    Lists all upstream memberOf groups of a group.
#>
[CmdletBinding(HelpURI='http://vcloud-lab.com', DefaultParameterSetName='User')]
Param (
    [parameter(ParameterSetName='User', Position=0, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true, HelpMessage='Type valid AD username')]
    [alias('User')]
    [String]$UserName = 'Administrator',

    [parameter(ParameterSetName='Group', Position=0, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true, HelpMessage='Type valid AD Group')]
    [alias('Group')]
    [String]$GroupName = 'Domain Admins',

    # Maximum indentation level (depth limit); hidden, passed along by the recursive calls
    [parameter(ParameterSetName='Group', DontShow=$true)]
    [parameter(ParameterSetName='User', DontShow=$true)]
    [alias('U')]
    [int]$UpperValue = [System.Int32]::MaxValue,

    # Current indentation level; hidden, passed along by the recursive calls
    [parameter(ParameterSetName='Group', DontShow=$true)]
    [parameter(ParameterSetName='User', DontShow=$true)]
    [alias('L')]
    [int]$LowerValue = 2,

    # Distinguished names already on the path from the root object to this node; hidden.
    # Used for loop detection of any cycle length (A -> B -> C -> A), not only A <-> B.
    [parameter(ParameterSetName='Group', DontShow=$true)]
    [parameter(ParameterSetName='User', DontShow=$true)]
    [string[]]$Visited = @()
)
begin {
    if (!(Get-Module ActiveDirectory)) {
        try {
            Import-Module ActiveDirectory -ErrorAction Stop
        }
        catch {
            # throw, not break: a bare break inside a function unwinds into the caller's foreach loop
            throw "ActiveDirectory module not found, please install RSAT and try again."
        }
    }
    $MemberOf = @()
    $rootname = $null
    $rootDN   = $null
    switch ($PsCmdlet.ParameterSetName) {
        'Group' {
            try {
                $Group    = Get-ADGroup $GroupName -Properties MemberOf -ErrorAction Stop
                $MemberOf = @($Group.MemberOf | Where-Object { $_ })
                $rootname = $Group.Name
                $rootDN   = $Group.DistinguishedName
            }
            catch {
                Write-Host -Object "'$GroupName' group doesn't exist in Active Directory, please try again." -BackgroundColor DarkRed
            }
        }
        'User' {
            try {
                $User     = Get-ADUser $UserName -Properties MemberOf -ErrorAction Stop
                $MemberOf = @($User.MemberOf | Where-Object { $_ })
                $rootname = $User.Name
                $rootDN   = $User.DistinguishedName
            }
            catch {
                # Report the parameter, not $User.Name: $User is null when the lookup failed
                Write-Host -Object "'$UserName' user doesn't exist in Active Directory, please try again." -BackgroundColor DarkRed
            }
        }
    }
}
process {
    if (-not $rootname) { return }   # lookup failed, the message is already on screen

    # Print this node, indented two spaces per level
    $Spaces = ' ' * ($LowerValue - 2)
    '{0}|__{1}' -f $Spaces, $rootname

    $LowerValue += 2
    if ($LowerValue -gt $UpperValue) { return }

    # Path from the root object down to this node. A memberOf entry that is already on the
    # path is a cycle. No Get-ADGroupMember call is needed for this, which also avoids the
    # default 5,000-member result limit on large groups such as Domain Users.
    $Path = $Visited + $rootDN
    foreach ($member in $MemberOf) {
        if ($Path -contains $member) {
            $LoopName = (Get-ADGroup $member).Name
            Write-Host "Loop found on $LoopName, Skipping..." -BackgroundColor DarkRed
            continue
        }
        Get-ADGroupTreeViewMemberOf -GroupName $member -LowerValue $LowerValue -UpperValue $UpperValue -Visited $Path
    }
} #process
} #Get-ADGroupTreeViewMemberOf
#Get-ADGroupTreeViewMemberOf -GroupName a1
#Get-ADGroupTreeViewMemberOf -UserName user2
#Get-ADGroupTreeViewMemberOf -UserName user1
```
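The 'Domain Users' gap noted at the top is a property of the directory, not of the script: the primary group is stored as a RID in the user's primaryGroupID attribute and is never listed in memberOf. The helper below is an added example, not part of the original script, and its function name is my own; it rebuilds the primary group's SID from the user's own SID and returns the primary group alongside the memberOf groups, so the tree above can be started from every direct group, including the one memberOf hides.

```powershell
# Added example (not part of the original script): list a user's direct groups including
# the primary group, which memberOf omits. Function name is an assumption for this example.
function Get-ADUserDirectGroupWithPrimary {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory, Position = 0)]
        [string]$UserName
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # SID is a default property of Get-ADUser; MemberOf and PrimaryGroupID must be requested
    $User = Get-ADUser -Identity $UserName -Properties MemberOf, PrimaryGroupID -ErrorAction Stop

    # The primary group's SID is the user's domain SID plus the RID held in primaryGroupID
    # (513 = Domain Users). Deriving the domain SID from the user's own SID keeps this correct
    # for users in other domains of the forest, unlike (Get-ADDomain).DomainSID.
    $DomainSid       = $User.SID.AccountDomainSid.Value
    $PrimaryGroupSid = '{0}-{1}' -f $DomainSid, $User.PrimaryGroupID
    $PrimaryGroup    = Get-ADGroup -Identity $PrimaryGroupSid -ErrorAction Stop

    [PSCustomObject]@{
        Name              = $PrimaryGroup.Name
        DistinguishedName = $PrimaryGroup.DistinguishedName
        Source            = 'primaryGroupID'
    }

    foreach ($Dn in $User.MemberOf) {
        [PSCustomObject]@{
            Name              = (Get-ADGroup -Identity $Dn).Name
            DistinguishedName = $Dn
            Source            = 'memberOf'
        }
    }
}

# Usage: full upstream tree for a user, primary group included, one tree per direct group.
Get-ADUserDirectGroupWithPrimary -UserName Administrator |
    ForEach-Object { Get-ADGroupTreeViewMemberOf -GroupName $_.DistinguishedName }
```

For a freshly created user the first line returned is 'Domain Users' with Source primaryGroupID; if an administrator has changed the primary group (as is common for accounts that must not be in Domain Users), the Source column makes that visible without opening the account in ADUC.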
Find this script on github.
Powershell Active Directory: Show treeview of nested Group members downstream hierarchy