Get-NestedGroupMember

Summary: Gets group membership from groups on remote member servers and in Active Directory.

Description: Returns group membership information for groups on member servers as well as for groups in Active Directory.

Information can be presented to the user in the following ways:

  • Non-Recursive – ParameterSet1 – the default view; lists both user and group objects.
  • Recursive – ParameterSet2 – lists the unique users from all nested groups.
  • TreeView – ParameterSet3 – displays the groups along with their members as a tree.

Syntax

 Get-NestedGroupMember [-ComputerName] <string[]> [-Group] <string> [-logfile <string>] [<CommonParameters>]

 Get-NestedGroupMember [-ComputerName] <string[]> [-Group] <string> [-Recursive] [-logfile <string>] [<CommonParameters>]

 Get-NestedGroupMember [-ComputerName] <string[]> [-Group] <string> [-ShowtreeView] [-logfile <string>] [<CommonParameters>]

Parameters

Name          Type          Alias                               Description                             Required  Pipeline Input  Pipeline Input by PropertyName
------------  ------------  ----------------------------------  --------------------------------------  --------  --------------  ------------------------------
ComputerName  String Array  __Server, PSComputername, Hostname  Remote computer                         True      True            True
Group         String                                            Group on remote computer to be queried  True      False           False
LogFile       String                                            Error log                               False     False           False
Recursive     Switch                                            Recursive group member enumeration      False     False           False
ShowTree      Switch                                            Treeview display                        False     False           False
CommonParams  Switch                                            Verbose                                 False     False           False

Importing the Function

 

PS C:\Users\kiran> Import-Module NestedGroup -Verbose
VERBOSE: Loading module from path 'C:\Users\kiran\Documents\WindowsPowerShell\Modules\nestedgroup\nestedgroup.psm1'.
VERBOSE: Importing function 'Get-NestedGroupMember'.

I have named the module 'NestedGroup'; you may name it whatever you want. If you don't have a folder named WindowsPowerShell in your Documents folder, just create one along with a sub-folder named Modules.

Note: The NestedGroup PSM1 file will need to be placed inside a folder named 'NestedGroup'. The name of the folder and the name of the PSM1 file should be the same.

 

Examples

 

PS C:\> Get-NestedGroupMember -ComputerName KKS-2012R2-MEMBER1 -Group 'Administrators' -Verbose

VERBOSE: KKS-2012R2-MEMBER1 : Begin Processing….
WARNING: KKS-2012R2-MEMBER1 : did not respond to Ping

Oops, I think I had switched off the VM. Let's power it on and re-run the command.

PS C:\> Get-NestedGroupMember -ComputerName KKS-2012R2-MEMBER1 -Group 'Administrators' -Verbose
Location of the ErrorLog –> C:\Users\User001\AppData\Local\Temp\2\Get_NestedGroupMembers_ErrorLog_26Apr14_11.txt

VERBOSE: KKS-2012R2-MEMBER1 : Begin Processing….
VERBOSE: KKS-2012R2-MEMBER1 : Trying PING
VERBOSE: KKS-2012R2-MEMBER1 : Trying WMI Query
VERBOSE: KKS-2012R2-MEMBER1 : Collecting Information……
VERBOSE: KKS-2012R2-MEMBER1 : Computer is part of the VMLAB.COM Domain.Context is Machine
VERBOSE: KKS-2012R2-MEMBER1 : There were no Unresolved Sids in the Group –> Administrators
VERBOSE: KKS-2012R2-MEMBER1 : Enumerating Members of the Administrators Group NonRecursively ……….

Properties    DisplayName LogonName     Type
----------    ----------- ---------     ----
Administrator             Administrator LocalUser
User001       User001     User001       LocalUser
Labuser1 L1   Labuser1 L1 Labuser1      DomainUser
Domain Admins             Domain Admins DomainGroup

Let's analyze the output above. KKS-2012R2-MEMBER1 is a member server in the domain VMLAB.COM, and I am going to list the members of the Administrators group on that server.

Since we didn't use any switch parameters, the default parameter set, Non-Recursive enumeration, is used.

The first line (in green) shows the location of the error log, which is only created if any errors are encountered during the operation.

The verbose messages detail the various checks that are performed:

  • Begin processing: tells us which server is being worked on.
  • Trying PING: pings the server to see if it can be reached on the network.
  • Trying WMI Query: runs a WMI query to check whether the current user can authenticate to the remote machine, which is required in order to run this function.
  • Collecting Information: gets information such as the computer's NetBIOS name, domain membership, etc.
  • Unresolved SIDs: checks whether the group contains any unresolved SIDs (users or groups that were deleted in AD but whose entries are still retained in the local group membership as an unresolved SID instead of a name).

This check is required because the System.DirectoryServices.AccountManagement classes require every object in the group to be accessible; otherwise an exception is thrown.

This issue has been logged on the Microsoft Connect site, but so far there hasn't been a fix.

The workaround employed in this module is therefore to check the group for any unresolved SIDs and filter them out before enumerating.

Note: this will still fail if a group in AD contains any unresolved SIDs, which can result from multi-domain group memberships.
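The unresolved-SID check described above can be done from PowerShell with the WinNT ADSI provider, which hands back every membership entry (including orphaned ones) instead of throwing the way the AccountManagement classes do. The script below is an added example written for this page, not the module's own implementation: the function name Get-LocalGroupMemberState is mine, the host and group names are taken from the examples on this page, and it assumes the caller has administrative access to the target machine.

```powershell
# Added example, not the module's code: list a local group's members through the
# WinNT ADSI provider and flag the entries whose SID no longer resolves to a name.
# Assumes admin rights on the target and that remote SAM/RPC access is permitted.
function Get-LocalGroupMemberState {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$GroupName
    )

    # The WinNT provider returns every membership entry, orphaned or not, rather than
    # failing the whole enumeration when one SID cannot be resolved.
    $group   = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    $members = @($group.psbase.Invoke('Members'))

    foreach ($member in $members) {
        # Members come back as late-bound COM objects; read their properties via reflection.
        $name = $member.GetType().InvokeMember('Name',    'GetProperty', $null, $member, $null)
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $cls  = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)

        # When the account behind an entry has been deleted, the provider cannot translate
        # the SID and hands back the raw SID string (S-1-5-21-...) in place of a name.
        $unresolved = $name -match '^S-1-\d+(-\d+)+$'

        [pscustomobject]@{
            ComputerName = $ComputerName
            Group        = $GroupName
            Name         = $name
            Class        = $cls        # 'User' or 'Group' for resolved entries
            ADsPath      = $path
            Unresolved   = $unresolved
        }
    }
}

# Usage: report orphaned entries and keep only the resolvable members for further processing.
# Host and group names are the ones used in the examples on this page.
$state      = Get-LocalGroupMemberState -ComputerName 'KKS-2012R2-MEMBER1' -GroupName 'Backup Operators'
$orphans    = @($state | Where-Object { $_.Unresolved })
$resolvable = @($state | Where-Object { -not $_.Unresolved })

if ($orphans.Count -gt 0) {
    Write-Warning ('{0} : {1} unresolved SID(s) in {2} --> {3}' -f 'KKS-2012R2-MEMBER1',
                   $orphans.Count, 'Backup Operators', ($orphans.Name -join ', '))
}
$resolvable | Format-Table Name, Class, ADsPath -AutoSize
```

The orphaned entries are worth keeping in the report rather than silently dropping: a deleted account whose SID is still in a privileged local group is exactly the kind of stale entry an administrator should validate and then remove by hand, as the module's own warning says.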

 

If you don't want to see the verbose messages, just omit the -Verbose parameter.

The output shows 5 columns:

  • Computer – computer name
  • LogonName – SamAccountName
  • DisplayName – display name of the user or group
  • Type – local user, or domain user/group
  • Properties – a list of properties of the user or group listed in the corresponding row

Since the output contains both user and group objects, you may want to filter it down to one object type.

For example, let's run the same command as above, but this time store the results in a variable named Results.

 

PS C:\> $Results = Get-NestedGroupMember KKS-2012R2-MEMBER1 'Administrators'
Location of the ErrorLog –> C:\Users\koln001\AppData\Local\Temp\2\Get_NestedGroupMembers_ErrorLog_26Apr14_11.txt

PS C:\>

Note: I haven't specified the ComputerName or the Group parameters because they are positional.

Filter the results variable to show just the user objects:

PS C:\> $results | where {$_.Type -match 'User'}

Properties  DisplayName LogonName     Type
----------  ----------- ---------     ----
                        Administrator LocalUser
            User001     User001       LocalUser
Labuser1 L1 Labuser1 L1 Labuser1      DomainUser

To look at the properties of each user, pipe the results to Select-Object with the -ExpandProperty parameter. You may ignore any errors that you get when you run the command below.

PS C:\> $results | where {$_.Type -match 'User'} | Select -ExpandProperty Properties

GivenName                         :
MiddleName                        :
Surname                           :
EmailAddress                      :
VoiceTelephoneNumber              :
EmployeeId                        :
AdvancedSearchFilter              : System.DirectoryServices.AccountManagement.AdvancedFilters
Enabled                           : True
AccountLockoutTime                :
LastLogon                         : 4/15/2014 4:07:44 AM
PermittedWorkstations             : {}
PermittedLogonTimes               : {255, 255, 255, 255…}

You may want to output the results to a CSV file for documentation purposes.

To output group object properties to a CSV file, change the filter string to 'Group'.
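Putting the filters and the CSV export together, here is an added audit script (not part of the module) that goes one step beyond the page by comparing the effective membership against an approved baseline. It assumes the module is already imported and that its output objects expose the Computer, Type, LogonName, DisplayName and Properties members seen in the examples; the server list comes from this page's examples, while the approved-member list and output folder are constructed values.

```powershell
# Added example, not part of the module: one audit run of a privileged group across
# several computers, written out as CSV for documentation and review.
# Assumes Get-NestedGroupMember is imported and returns objects with the Computer, Type,
# LogonName, DisplayName and Properties members shown in the examples.
$Servers  = 'KKS-DC2', 'KKS-2012R2-Member1'   # server names taken from this page's examples
$Group    = 'Administrators'
$Approved = 'Administrator', 'Labuser1'        # constructed baseline of allowed SamAccountNames
$Stamp    = Get-Date -Format 'yyyyMMdd_HHmm'
$OutDir   = Join-Path $env:TEMP "GroupAudit_$Stamp"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Non-recursive view: the direct members, users and groups alike.
$direct = Get-NestedGroupMember -ComputerName $Servers -Group $Group
$direct | Select-Object Computer, Type, LogonName, DisplayName |
    Export-Csv -Path (Join-Path $OutDir 'direct_members.csv') -NoTypeInformation

# Properties holds a nested object, so expand it; filtering on Type first keeps the user
# and group attribute sets in separate files (read errors on single attributes can be ignored).
$direct | Where-Object { $_.Type -match 'User' }  | Select-Object -ExpandProperty Properties |
    Export-Csv -Path (Join-Path $OutDir 'user_properties.csv')  -NoTypeInformation
$direct | Where-Object { $_.Type -match 'Group' } | Select-Object -ExpandProperty Properties |
    Export-Csv -Path (Join-Path $OutDir 'group_properties.csv') -NoTypeInformation

# 2. Recursive view: the unique users who effectively hold membership once every nested
#    group is expanded. That is the list worth checking against an approved baseline.
$effective = @(Get-NestedGroupMember -ComputerName $Servers -Group $Group -Recursive)
$findings  = @($effective |
    Where-Object { $_.LogonName -notin $Approved } |
    Select-Object Computer, Type, LogonName, DisplayName)
$findings | Export-Csv -Path (Join-Path $OutDir 'unapproved_members.csv') -NoTypeInformation

'{0} effective members, {1} not on the approved list. Files written to {2}' -f $effective.Count, $findings.Count, $OutDir
```

Comparing the recursive (effective) list rather than the direct members is the point of the exercise: a user who reaches Administrators only through a chain of nested groups never appears in the non-recursive view, so a baseline check on direct members alone would miss them.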

 

Example-2:

Recursive Enumeration

PS C:\> Get-NestedGroupMember -ComputerName KKS-2012R2-MEMBER1 -Group 'Administrators' -Recursive

Properties     DisplayName    LogonName     Type
----------     -----------    ---------     ----
Administrator                 Administrator LocalUser
User001        User001        User001       LocalUser
Labuser1 L1    Labuser1 L1    Labuser1      DomainUser
Administrator                 Administrator DomainUser
User001 turner User001 turner User001       DomainUser
Sales User     Sales User     SalesUser     DomainUser
Labuser1 L1    Labuser1 L1    Labuser1      DomainUser
Labuser3 L3    Labuser3 L3    Labuser3      DomainUser
Labuser2 L2    Labuser2 L2    labuser2      DomainUser
Labuser4 L4    Labuser4 L4    Labuser4      DomainUser

Note: The Type column doesn't contain any group objects, because in recursive mode every nested group is expanded and only the resulting user objects are listed.
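Both the recursive listing above and the tree view in Example-3 below come from the same walk over nested groups: expand each group once, record users as they are reached, and report a group that turns up a second time without expanding it again (which is also what stops a membership cycle from recursing forever). The function below is an added example, not the module's code; it uses System.DirectoryServices.AccountManagement with a Machine context, the name Get-NestedMemberWalk is mine, and it assumes Windows PowerShell on a domain-joined host with rights to read the target group and its nested domain groups.

```powershell
# Added example, not the module's code: a minimal nested-group walk that yields both a
# tree (each group expanded only once) and the set of unique users reached.
# Assumes Windows PowerShell on a domain-joined host with read access to the target group.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-NestedMemberWalk {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$GroupName
    )
    # Machine context: the starting group lives in the local SAM of $ComputerName.
    $ctx  = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
                       -ArgumentList 'Machine', $ComputerName
    $root = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ctx, $GroupName)
    if (-not $root) { throw "Group '$GroupName' was not found on $ComputerName" }

    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'   # SIDs of groups already expanded
    $users = @{}                                                        # SID -> principal, de-duplicates users
    $lines = New-Object 'System.Collections.Generic.List[string]'       # tree view as text lines

    function Walk-Group([System.DirectoryServices.AccountManagement.GroupPrincipal]$Group, [int]$Level) {
        $indent = '|      ' * $Level
        # A group met before (nested in two places, or a cycle) is reported but not expanded
        # again; this is what guarantees the walk terminates.
        if (-not $seen.Add($Group.Sid.Value)) {
            $lines.Add("$indent$($Group.Name)  --> already enumerated, skipping")
            return
        }
        $lines.Add("$indent$($Group.Name)  --> level $Level")
        # GetMembers($false) returns direct members only; nested groups are expanded here.
        # This is the call that throws when a member SID cannot be resolved, which is why
        # the module checks for unresolved SIDs before enumerating.
        foreach ($m in $Group.GetMembers($false)) {
            if ($m -is [System.DirectoryServices.AccountManagement.GroupPrincipal]) {
                Walk-Group -Group $m -Level ($Level + 1)
            } else {
                $users[$m.Sid.Value] = $m
                $lines.Add("$indent  $($m.Name)")
            }
        }
    }

    Walk-Group -Group $root -Level 1
    [pscustomobject]@{
        Tree        = $lines
        UniqueUsers = @($users.Values |
            Select-Object SamAccountName, DisplayName, @{ n = 'Context'; e = { $_.ContextType } } |
            Sort-Object SamAccountName)
    }
}

# Usage: the tree is plain output, so it can be written to a text file, and the
# user list is the recursive view de-duplicated by SID.
$walk = Get-NestedMemberWalk -ComputerName 'KKS-2012R2-MEMBER1' -GroupName 'Administrators'
$walk.Tree | Out-File -FilePath (Join-Path $env:TEMP 'Administrators_tree.txt')
$walk.UniqueUsers | Format-Table -AutoSize
```

Keying the visited set on the SID rather than the display name matters: two groups in different domains can share a name, and a rename during the walk would otherwise make the same group look new.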

 

Logging results to a file.

 

Example-3:

TreeView

 

PS C:\> Get-NestedGroupMember -ComputerName KKS-DC2 -Group TempAdminGroup -ShowtreeView

|      TempAdminGroup             –> TOP LEVEL GROUP
|        User001 U1

|      |      Domain Admins        –> Group Nested Under TempAdminGroup  – Level – 2
|      |        Administrator
|      |        User001 U1
|      |        kiran LabAccount
|      |        Sales User

|      |      |      TempAdmin4           –> Group Nested Under Domain Admins  – Level – 3
|      |      |        Labuser1 L1
|      |      |        Labuser3 L3

|      |      |      |      TempAdmin5           –> Group Nested Under TempAdmin4  – Level – 4
|      |      |      |        Labuser1 L1
|      |      |      |        Labuser2 L2

|      |      |      |      |      TempAdmin3           –> Group Nested Under TempAdmin5  – Level – 5
       |      |      |      |      |      Domain Admins        –> Group has already been Enumerated once so skipping it.
|      |      |      |      |        Labuser1 L1
|      |      |      |      |        Labuser4 L4

|      |      |      |      |      |      TempAdmin7           –> Group Nested Under TempAdmin3  – Level – 6

|      |      |      |      |      TempAdmin6           –> Group Nested Under TempAdmin5  – Level – 5
|      |      |      |      |        Labuser3 L3
       |      |      |      |      |      TempAdmin7           –> Group has already been Enumerated once so skipping it.
|        kiran LabAccount

|      |      TempAdmin2           –> Group Nested Under TempAdminGroup  – Level – 2
|      |        Labuser1 L1
|      |        Labuser2 L2
|      |        Labuser3 L3
       |      |      TempAdmin3           –> Group has already been Enumerated once so skipping it.

Additional Information
=========================
Unique Group Names   :     Domain Admins,TempAdmin2,TempAdmin3,TempAdmin4,TempAdmin5,TempAdmin6,TempAdmin7
Unique Domain Users  :     Administrator,kiran LabAccount,User001 U1,Labuser1 L1,Labuser2 L2,Labuser3 L3,Labuser4 L4,Sales User
DomainGroups with No Members : TempAdmin7

PS C:\>

KKS-DC2 is a domain controller in the domain VMLAB.COM, and TempAdminGroup is the AD group being queried.

The output is shown as a tree view, with each unique group enumerated only once. The level numbering starts from 2 but should be read as 1. My attempts to fix this broke several other components of the tree view, so I just left it as is. The neat thing about this is that you can export this display to a text file like so:

 

Example-4:

Multiple Computers – Recursive

 

PS C:\Users\kiran> Get-NestedGroupMember -ComputerName KKS-DC2,KKS-2012R2-Member1 -Group 'Administrators' -Recursive | Select Computer,Type,LogonName,Properties

Computer        Type       LogonName     Properties
--------        ----       ---------     ----------
KKS-DC2         DomainUser kiran         kiran reddy
KKS-DC2         DomainUser User001       User001 U1
KKS-DC2         DomainUser Administrator Administrator
KKS-DC2         DomainUser SalesUser     Sales User
KKS-DC2         DomainUser Labuser3      Labuser3 L3
KKS-DC2         DomainUser labuser2      Labuser2 L2
KKS-DC2         DomainUser Labuser1      Labuser1 L1
KKS-DC2         DomainUser Labuser4      Labuser4 L4
KKS-2012R2-MEMB LocalUser  Administrator Administrator
KKS-2012R2-MEMB LocalUser  User001       User001
KKS-2012R2-MEMB DomainUser Labuser1      Labuser1 L1
KKS-2012R2-MEMB DomainUser Administrator Administrator
KKS-2012R2-MEMB DomainUser User001       User001 U1
KKS-2012R2-MEMB DomainUser kiran         kiran LabAccount
KKS-2012R2-MEMB DomainUser SalesUser     Sales User
KKS-2012R2-MEMB DomainUser Labuser1      Labuser1 L1
KKS-2012R2-MEMB DomainUser Labuser3      Labuser3 L3
KKS-2012R2-MEMB DomainUser labuser2      Labuser2 L2
KKS-2012R2-MEMB DomainUser Labuser4      Labuser4 L4

PS C:\Users\kiran>

This gets the group membership information from the Administrators group in Active Directory as well as from the member server KKS-2012R2-Member1.

 

Example-5:

Multiple Computers – TreeView

 

PS C:\Users\kiran> Get-NestedGroupMember -ComputerName KKS-DC2,KKS-2012R2-Member1 -Group 'Backup Operators' -ShowtreeView

|      Backup Operators           –> TOP LEVEL GROUP – Domain – VMLAB
|        Labuser4 L4

|      |      TempAdmin6           –> Group Nested Under Backup Operators  – Level – 2
|      |        Labuser3 L3

|      |      |      TempAdmin7           –> Group Nested Under TempAdmin6  – Level – 3
|        Labuser1 L1

ADDITIONAL INFORMATION
=========================
Unique Group Names   :     TempAdmin6,TempAdmin7
Unique Domain Users  :     Labuser1 L1,Labuser3 L3,Labuser4 L4
DomainGroups with No Members : TempAdmin7

Backup Operators           –> TOP LEVEL GROUP – KKS-2012R2-MEMB

|      TempAdmin6           –> Group Nested Under Root  – Level – 1
|        Labuser3 L3

|      |      TempAdmin7           –> Group Nested Under TempAdmin6  – Level – 2
 labuser2

|      Domain Admins        –> Group Nested Under Root  – Level – 1
|        Administrator
|        User001 U1
|        kiran Labaccount
|        Sales User

|      |      TempAdmin4           –> Group Nested Under Domain Admins  – Level – 2
|      |        Labuser1 L1
|      |        Labuser3 L3

|      |      |      TempAdminGroup             –> Group Nested Under TempAdmin4  – Level – 3
|      |      |        User001 U1
       |      |      |      Domain Admins        –> Group has already been Enumerated once so skipping it. Group Nested Under TempAdminGroup – level – 3
|      |      |        kiran labaccount

|      |      |      |      TempAdmin2           –> Group Nested Under TempAdminGroup  – Level – 4
|      |      |      |        Labuser1 L1
|      |      |      |        Labuser2 L2
|      |      |      |        Labuser3 L3

|      |      |      |      |      TempAdmin3           –> Group Nested Under TempAdmin2  – Level – 5
       |      |      |      |      |      Domain Admins        –> Group has already been Enumerated once so skipping it. Group Nested Under TempAdmin3 – level – 5
|      |      |      |      |        Labuser1 L1
|      |      |      |      |        Labuser4 L4
       |      |      |      |      |      TempAdmin7           –> Group has already been Enumerated once so skipping it. Group Nested Under TempAdmin3 – level – 5

|      |      |      TempAdmin5           –> Group Nested Under TempAdmin4  – Level – 3
|      |      |        Labuser1 L1
|      |      |        Labuser2 L2
       |      |      |      TempAdmin3           –> Group has already been Enumerated once so skipping it. Group Nested Under TempAdmin5 – level – 3
       |      |      |      TempAdmin6           –> Group has already been Enumerated once so skipping it. Group Nested Under TempAdmin5 – level – 3
 luser

ADDITIONAL INFORMATION
=========================
Unique Group Names   :     Domain Admins,TempAdmin2,TempAdmin3,TempAdmin4,TempAdmin5,TempAdmin6,TempAdmin7,TempAdminGroup
Unique Domain Users  :     Administrator,kiran labaccount,User001 U1,Labuser1 L1,Labuser2 L2,Labuser3 L3,Labuser4 L4,Sales User
Unique LocalUsers on KKS-2012R2-Member1  : luser
DomainGroups with No Members : TempAdmin7

WARNING: KKS-2012R2-MEMBER1 : There were Some Unresolved Sids in the Group –> Backup Operators. You will need to Remove them Manually(After Validation).

This gets the group membership information from the Backup Operators group in Active Directory (KKS-DC2 is a domain controller) as well as from the member server KKS-2012R2-Member1.

The last line shows a warning message about unresolved SIDs. That's because the Backup Operators group on the member server KKS-2012R2-Member1 contains some unresolved SIDs, which look like this:

[image: members of the Backup Operators group showing unresolved SIDs]