Microsoft provides PowerShell commands for all roles and features, including Active Directory. There are more than 900 PowerShell cmdlets for Active Directory alone, which can be used to access and manage information from domain controllers, global catalog servers, domains and Active Directory forests. Whatever your requirement, a PowerShell cmdlet is available for it. For example, if you need to read the users in an Active Directory domain, you can use the Get-ADUser cmdlet. Similarly, if you need to work with Active Directory group membership or list the Active Directory sites that have been created, you can use Get-ADGroupMember and Get-ADReplicationSite, respectively. In this article, we are going to show you how to collect the membership of Active Directory security groups using PowerShell.
Prior to PowerShell, you had no direct way to collect the membership of an Active Directory group. If you needed to know who was part of a security group, or check the members of more than one security group, you had to either check manually with the GUI tool or write a VB script to enumerate the membership. PowerShell has changed this task drastically: a single cmdlet now returns the membership of one or many security groups. The cmdlet to use is Get-ADGroupMember, which requires the name of the group whose members you want to list. For example, the command below lists the members of the Administrators security group in the Active Directory environment.
Get-ADGroupMember -Identity "Administrators"
Similarly, if you need to check the membership of another security group, let's say "Production Admins", the command below does it:
Get-ADGroupMember -Identity "Production Admins"
As the commands above show, it takes no more than a few seconds to check the membership of an individual security group. If you need to check the membership of your admin security groups every day, you can put the commands in a script and run it manually or from a scheduled task. Because these are PowerShell cmdlets, the commands themselves belong in a PowerShell script (a .ps1 file); a batch or CMD file can then launch that script with powershell.exe -File. As an example, the commands below write each group's membership to a CSV file. Let's assume you created a script file named GetMembers.ps1 (launched from GetMembers.CMD if you prefer a batch file) and added the lines below:
Get-ADGroupMember -Identity "Production Admins" | Export-Csv C:\Temp\PrdAdmins.CSV
Get-ADGroupMember -Identity "BDO Admins1" | Export-Csv C:\Temp\BDOAdmins1.CSV
Get-ADGroupMember -Identity "BDO Admins2" | Export-Csv C:\Temp\BDOAdmins2.CSV
Get-ADGroupMember -Identity "BDO Admins3" | Export-Csv C:\Temp\BDOAdmins3.CSV
When these commands execute, each returns the list of members of the specified group and stores the output in the corresponding file. While this is a simple way to collect group members, it does not scale well: every additional group adds another line to the script, and you are left with one CSV file per group that you must open and inspect manually to perform whatever check you have in mind.
Creating Active Directory group membership reports
Let's say you would like to create a report on the membership of selected security groups, store the output in an easy-to-read format, and then review it with Microsoft Excel or a similar tool. A little more work, in the form of a short PowerShell script, produces such a report. Let's assume we have four security groups named "BDOAdmin1", "BDOAdmin2", "BDOAdmin3" and "BDOAdmin4", and a text file named CheckGroups.TXT stored in the C:\Temp folder that lists, one per line, the group names the script should check. Once the group list file and the script below are both stored in C:\Temp, execute the script. It creates a report with two columns: the member's Distinguished Name and the group the member belongs to.
$GroupFile = "C:\Temp\CheckGroups.TXT"
$ReportFile = "C:\Temp\GroupMemReport.CSV"
Remove-Item $ReportFile -ErrorAction SilentlyContinue
# Header row. Both fields are quoted because a distinguished name contains commas,
# which would otherwise split it across several CSV columns.
$STR = '"Distinguished Name","Belong To Group"'
Add-Content $ReportFile $STR
ForEach ($ThisGroup in Get-Content $GroupFile) {
    $AllMembers = Get-ADGroupMember -Identity "$ThisGroup"
    ForEach ($ThisMem in $AllMembers) {
        # One row per member: its DN and the group it was read from
        $STR = '"' + $ThisMem.DistinguishedName + '","' + $ThisGroup + '"'
        Add-Content $ReportFile $STR
    }
}
Once the above script is executed from a computer that has the PowerShell Active Directory module and access to the domain, a CSV report is generated as shown in the screenshot below:
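As an added example (not code from the original article), here is a variant of the report script written for the daily admin-group check discussed earlier. It uses Export-Csv so distinguished names containing commas stay intact, includes nested group members with -Recursive, and compares the result with the previous run so that members added to or removed from a monitored group are listed. It assumes the same file paths as above plus a GroupMemReport.previous.CSV copy of the last run.

```powershell
# Added example, not from the original article. Assumed paths:
$GroupFile    = "C:\Temp\CheckGroups.TXT"
$ReportFile   = "C:\Temp\GroupMemReport.CSV"
$PreviousFile = "C:\Temp\GroupMemReport.previous.CSV"   # assumed: copy of the last run

Import-Module ActiveDirectory

# Keep the previous report so the two runs can be compared afterwards.
if (Test-Path $ReportFile) { Move-Item $ReportFile $PreviousFile -Force }

$Report = foreach ($ThisGroup in Get-Content $GroupFile | Where-Object { $_.Trim() }) {
    $GroupName = $ThisGroup.Trim()
    try {
        # -Recursive also returns members of nested groups; for an admin group,
        # indirect membership grants the same rights as direct membership.
        Get-ADGroupMember -Identity $GroupName -Recursive -ErrorAction Stop |
            ForEach-Object {
                [PSCustomObject]@{
                    DistinguishedName = $_.DistinguishedName
                    SamAccountName    = $_.SamAccountName
                    ObjectClass       = $_.objectClass
                    BelongToGroup     = $GroupName
                }
            }
    } catch {
        Write-Warning "Could not read members of '$GroupName': $($_.Exception.Message)"
    }
}

# Export-Csv quotes every field, so the commas inside a DN do not split columns.
$Report | Export-Csv -Path $ReportFile -NoTypeInformation -Encoding UTF8

# Compare with the previous run: a row present only in the new report was added
# since the last check; a row present only in the old report was removed.
if (Test-Path $PreviousFile) {
    $Previous = @(Import-Csv $PreviousFile)
    $Changes  = Compare-Object -ReferenceObject $Previous -DifferenceObject @($Report) -Property DistinguishedName, BelongToGroup
    foreach ($Change in $Changes) {
        $Kind = if ($Change.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
        Write-Output ("{0,-8} {1} in {2}" -f $Kind, $Change.DistinguishedName, $Change.BelongToGroup)
    }
}
```

Note that Get-ADGroupMember is limited by the server's MaxGroupOrMemberEntries setting (5000 by default), so very large groups need to be read through the group's member attribute instead.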
Wrapping it up
In this article, we provided a few commands that use the Get-ADGroupMember PowerShell cmdlet to get the members of security groups, and a PowerShell script that gathers the members of the specified security groups and stores the output in a CSV file for reporting purposes. If you need to generate the report every week or so, you can schedule the script on a server that has access to the Active Directory domain.