
Was wondering if you could help me with a script.

This script would search a specific OU (let's say the Disabled Users OU) and display all the AD groups all users are part of, with the output going to a CSV file showing usernames and AD group names.

I have got a command that will display all AD groups of a user but I have to keep changing the username:

Get-ADPrincipalGroupMembership username_withoutdomain | select name

I have a script that requires the username entered and will display the AD group membership.

do { 
  write-host -NoNewline "Type username: "
  $user = read-host

  if ($user -eq "") { break }

  (get-aduser $user -Properties memberof).memberof |
    get-adgroup                                    |
    select -exp name
} while ($true) 

I also know it is possible to do this via command prompt:

net user username

Thanks for all assistance.

S.Mahmood

2 Answers

2

You can query all users under an OU by using the -SearchBase parameter; from there you can enumerate each user and then enumerate each group the user is a member of (memberOf) to generate your report:

$base = 'OU=disabledUsers,DC=domain,DC=com'
Get-ADUser -Filter * -SearchBase $base -Properties memberOf |
    ForEach-Object {
        # One row per (user, group) pair
        foreach($group in $_.memberOf) {
            [pscustomobject]@{
                User           = $_.Name
                SamAccountName = $_.SamAccountName
                # Strip the leading 'CN=' and everything from the first unescaped comma on,
                # leaving only the group's common name
                MemberOf       = $group -replace '^CN=|(?<!\\),.+'
            }
        }
    } | Export-Csv path\to\report.csv -NoTypeInformation
Santiago Squarzon
  • Sorry to ask, but if I wanted to add SamAccountName (the usernames) as well to the output file, how would this be done? – S.Mahmood Feb 03 '23 at 11:46
  • 1
    @S.Mahmood Just add `SamAccountName = $_.SamAccountName` to the custom object. See update – Santiago Squarzon Feb 03 '23 at 12:15
  • If it is not too much to ask I have another question I posted but I am unable to tag you in this should be straight forward for you https://stackoverflow.com/questions/75325028/specifying-a-list-of-usernames-to-be-deleted-from-ad-via-powershell?noredirect=1#comment132927600_75325028 – S.Mahmood Feb 03 '23 at 13:07
1

As Santiago already stated, you can query your OU with -SearchBase. And because the user and the group membership cannot be queried with one command, you have to create a table, as Santiago points out, with [pscustomobject]@{...}. When I was running a daily report on users and their group membership, I was running this script:

function Get-ADUserGroups{
    #$Domain = 'Domain_name'
    # Pull every user in the domain with the fields the report needs
    $users = Get-ADUser -Filter * -Properties SamAccountName, DisplayName, Description -ResultPageSize 500 |
        Select-Object SamAccountName, DisplayName, Description
    $users |
        ForEach-Object {
            # One row template per user; the group fields are filled in per group below
            $p = [ordered]@{
                UserName          = $_.SamAccountName
                FullName          = $_.DisplayName
                User_Description  = $_.Description
                GroupName         = $null
                Group_Description = $null
            }
            # Get-ADPrincipalGroupMembership also returns the primary group (e.g. Domain Users)
            Get-ADPrincipalGroupMembership $_.SamAccountName |
                ForEach-Object {
                    $p.GroupName = $_.Name
                    Get-ADGroup $_ -Properties Description |
                        ForEach-Object {
                            # Fill in the group description before emitting the row
                            $p.Group_Description = $_.Description
                            New-Object PSObject -Property $p
                        }
                }
        }
}

Get-ADUserGroups | Export-Csv -Path "Your_Path\Groups.csv" -Delimiter "|" -Encoding UTF8 -NoTypeInformation
StefTheo
  • Thanks, yours seems a slicker report, but it seems like it searches the whole of AD (I guess that's 'Domain_name'), whereas I wanted it to search a specific OU I can define in the code. – S.Mahmood Feb 02 '23 at 19:52
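As an added example that is not part of the question or either answer: one OU-scoped function that combines the -SearchBase scoping from Santiago's answer with the group-description column from StefTheo's. It also resolves each user's primary group (memberOf never lists it, so Domain Users would otherwise be missing), caches group lookups so shared groups are resolved once, and guarantees every user in the OU appears in the CSV even when memberOf is empty. The function name Get-OUGroupReport, the OU path and the output file name are placeholders; the ActiveDirectory module is assumed to be installed and the caller to have read access to the OU.

```powershell
# Added example, not code from the question or either answer.
function Get-OUGroupReport {
    [CmdletBinding()]
    param(
        # Distinguished name of the OU to report on (placeholder in the usage line below)
        [Parameter(Mandatory)]
        [string]$SearchBase,

        # Optional domain controller or domain to query; omitted = current domain
        [string]$Server
    )

    $userParams = @{
        Filter     = '*'
        SearchBase = $SearchBase
        Properties = 'memberOf', 'primaryGroupID', 'Description'
    }
    $groupParams = @{ Properties = 'Description' }
    if ($Server) {
        $userParams['Server']  = $Server
        $groupParams['Server'] = $Server
    }

    # Many users share the same groups; resolve each DN or SID once and reuse it
    $groupCache = @{}
    function Resolve-Group([string]$Identity) {
        if (-not $groupCache.ContainsKey($Identity)) {
            $groupCache[$Identity] = Get-ADGroup -Identity $Identity @groupParams
        }
        $groupCache[$Identity]
    }

    foreach ($user in Get-ADUser @userParams) {
        # memberOf omits the primary group (normally Domain Users). Its SID is
        # <domain SID>-<primaryGroupID>, so it can be looked up directly.
        $primarySid = '{0}-{1}' -f $user.SID.AccountDomainSid.Value, $user.primaryGroupID
        $primary    = Resolve-Group $primarySid

        # Primary group is always present, so a user with an empty memberOf still gets a row
        $groups = @($user.memberOf | ForEach-Object { Resolve-Group $_ }) + @($primary)

        foreach ($group in $groups) {
            [pscustomobject]@{
                SamAccountName   = $user.SamAccountName
                Name             = $user.Name
                Enabled          = $user.Enabled
                UserDescription  = $user.Description
                GroupName        = $group.Name
                GroupCategory    = $group.GroupCategory   # Security or Distribution
                GroupScope       = $group.GroupScope      # DomainLocal, Global, Universal
                GroupDescription = $group.Description
                IsPrimaryGroup   = ($group.DistinguishedName -eq $primary.DistinguishedName)
            }
        }
    }
}

# Usage (placeholder OU and output path):
Get-OUGroupReport -SearchBase 'OU=Disabled Users,DC=domain,DC=com' |
    Export-Csv -Path .\DisabledUserGroups.csv -NoTypeInformation -Encoding UTF8
```

The Enabled and GroupCategory columns make the report useful beyond answering the question: filtering the CSV for disabled accounts that still sit in security groups highlights stale privilege that should be removed, and the IsPrimaryGroup column shows which rows came from the primary group rather than from memberOf, so a missing Domain Users row no longer signals a bug in the report.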