Friday, December 11, 2009

get-nestedgroups

Here is a script I worked on that searches AD for the group you are looking for and returns its Name, Members, Type and Domain, followed by the same row for every other AD group nested inside it (a group within a group), recursively. Members that are user accounts are only listed when the account is enabled. If the search pattern is ambiguous it returns every group with a matching name, and a nested group shared by several of those matches is printed once per parent, so you may see duplicates.

$>./get-nestedgroups.ps1 "My Universal Group"

Group_Name                        Members                           Group_Type      Domain
----------                        -------                           ----------      ------
MyAdminGroup                      {jarrettirons, MyAdminGroup-Gl... Universal       mydomain
MyAdminGroup-Global               {user1,user2,user3,user4,user,... Global          subdomain


--Jarrett

# Function get-NestedMembers 
# List the members of a group including all nested members of subgroups 

# GLOBAL VARIABLES
# Collected group DNs; reserved for tracking which groups have already been
# reported (declared here so every function shares the same list).
$adgroups = @()

# userAccountControl values that get-NestedMembers treats as "disabled":
#   2     = ACCOUNTDISABLE
#   514   = 0x202  (NORMAL_ACCOUNT | ACCOUNTDISABLE)
#   546   = 0x222  (NORMAL_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE)
#   66050 = 0x10202 (NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE)
# NOTE(review): this is a fixed list, so a disabled account carrying any other
# flag combination (e.g. 66082 = 0x10222) is not matched and is shown as an
# active member; testing bit 0x2 directly would cover all of them.
[array]$disabled_status = @("514", "546", "2", "66050")

# LDAP search roots, one per domain to search.  Order matters only for output
# order.  Adjust these to the forest the script runs against.
[array]$roots = @(
  "LDAP://dc=mydomain,dc=com",
  "LDAP://dc=subdomain,dc=mydomain,dc=com"
)


# PRIVATE FUNCTIONS

###################################################
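function get-NestedMembers ([array]$domaingroup) {  
###################################################
  # Emits one row (Group_Name, Members, Group_Type, Domain) for each group in
  # $domaingroup, then recurses into every member that is itself a group.
  #
  # $domaingroup : one or more DirectoryEntry objects, e.g. from get-adGroup.
  #
  # The script-level $adgroups list records the DN of every group already
  # reported.  A group in that list is skipped, so (a) a nested group shared by
  # several matched parents is printed once, and (b) circular nesting
  # (A contains B, B contains A) cannot recurse forever.
  #
  # A user member is omitted when bit 0x2 (ACCOUNTDISABLE) of its
  # userAccountControl is set, whatever other flags accompany it.  This is the
  # same test the LDAP filter in get-adUser applies; the earlier fixed list of
  # values (514, 546, 2, 66050) missed other flag combinations and showed those
  # disabled accounts as active members.
  foreach ($dgroup in $domaingroup) {
    if ($dgroup.objectclass -notcontains 'group') { continue }

    $groupdn = [string]$dgroup.distinguishedname
    if ($script:adgroups -contains $groupdn) { continue }
    # Assign through $script: so the update lands on the shared list instead of
    # creating a function-local copy.
    $script:adgroups += $groupdn

    $dgroup | select @{Name="Group_Name"; Expression={$_.cn}},
      @{Name="Members"; Expression={
        foreach ($member in $_.member) {
          # NOTE(review): the member DN is pasted verbatim into an ADsPath; an
          # RDN containing "/" needs it escaped as "\/" for the bind to succeed.
          $admember = new-object DirectoryServices.DirectoryEntry("LDAP://$member")
          if ($admember.objectclass -contains "person") {
            # Missing/unreadable attribute casts to 0 and is treated as enabled.
            $uac = [int]$admember.Properties["useraccountcontrol"].Value
            if (($uac -band 2) -eq 0) { [string]$admember.cn }
          }
          else { [string]$admember.cn }
        }
      }},
      @{Name="Group_Type"; Expression={
        # groupType scope bits: 0x2 Global, 0x4 Domain Local, 0x8 Universal.
        # 0x80000000 marks a security group, hence the negative values seen in
        # AD (-2147483646 Global, -2147483644 DomainLocal, -2147483640 Universal).
        switch ([int]$_.Properties["grouptype"].Value -band 0xE) {
          2 { "Global" }
          4 { "DomainLocal" }
          8 { "Universal" }
        }
      }},
      @{Name="Domain"; Expression={
        # First DC= component of the DN, i.e. the leftmost domain label.
        $null = ([string]$_.distinguishedname) -match "DC=([^,]+)"; $matches[1]
      }}

    # Recurse into nested groups; the visited check at the top of the loop
    # stops repeats and cycles.
    $dgroup.member | % {
      $adobject = new-object directoryservices.directoryentry("LDAP://$_")
      if ($adobject.objectclass -ne $null) {
        if ($adobject.objectclass -contains 'group') {
          get-nestedMembers $adobject
        }
      }
    }
  }
}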
################################
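function get-adGroup ($group) {
################################
  # Finds every group whose name matches the wildcard pattern $group under each
  # search root in the script-level $roots, returned as DirectoryEntry objects
  # (the input shape get-NestedMembers expects).  Returns nothing on no match.
  #
  # $group : a -like pattern ("My Universal Group", "MyAdmin*").  It is matched
  #          client-side after a fixed (objectCategory=group) query, so LDAP
  #          metacharacters in the argument cannot change the query itself.
  #
  # Previously this function shadowed $roots with a second, different pair of
  # domains (dc=msprod,dc=msp), so groups were looked up somewhere other than
  # the domains the rest of the script is configured for; it now uses the
  # shared list.
  $dirSearcher = New-Object System.DirectoryServices.DirectorySearcher
  $dirSearcher.PageSize = 1000
  $dirSearcher.Filter = "(objectCategory=group)"

  [array]$items = @()
  foreach ($root in $roots) {
    $dirSearcher.SearchRoot = $root
    # An unreachable root is reported rather than silently skipped: a silent
    # skip turns a partial membership listing into one that looks complete.
    trap [System.Exception] { Write-Warning "get-adGroup: search under $root failed: $_"; continue }
    $items += $dirSearcher.FindAll() | ?{ $_.properties.name -like $group }
  }

  [array]$results = @()
  foreach ($item in $items) {
    $results += new-object DirectoryServices.DirectoryEntry($item.path)
  }
  return $results
}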
##############################
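function get-adUser ($user) {
##############################
  # Returns the property collection of every enabled user whose name matches
  # the wildcard pattern $user, searched under each root in the script-level
  # $roots and sorted by cn.  Not called from MAIN; kept as a helper.
  #
  # The LDAP filter drops disabled accounts server-side with the bitwise
  # matching rule 1.2.840.113556.1.4.803 on userAccountControl bit 0x2.  The
  # name match runs client-side with -like, so $user never reaches the filter.
  #
  # Fixes: results were overwritten per root (only the last root's matches
  # survived), and Sort-Object was given "properties.cn" as a literal property
  # name, which does not sort; it needs a script block for a nested path.
  $dirSearcher = New-Object System.DirectoryServices.DirectorySearcher
  $dirSearcher.PageSize = 1000
  $dirSearcher.Filter = "(&(objectCategory=Person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

  [array]$found = @()
  foreach ($root in $roots) {
    $dirSearcher.SearchRoot = $root
    # Report an unreachable root instead of silently skipping it.
    trap [System.Exception] { Write-Warning "get-adUser: search under $root failed: $_"; continue }
    $found += $dirSearcher.FindAll() | ?{ $_.properties.name -like "$user" }
  }

  $found | sort-object { [string]$_.properties.cn } | % { $_.Properties }
}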
#=========================================================

# MAIN
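# Usage: get-nestedgroups.ps1 <group name or -like pattern>
# Without an argument the old code searched for "" and printed nothing, with
# no hint as to why; fail loudly instead.
if ($args.Count -eq 0) {
  Write-Error "usage: get-nestedgroups.ps1 <group name or wildcard pattern>"
  exit 1
}
$name = get-adGroup $args
if ($name -eq $null) {
  Write-Warning "no group matched '$args' under the configured search roots"
}
get-NestedMembers $name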
