
Find Members of AD Group - PowerShell Script

This is one of the PowerShell scripts I have been using regularly since the day I wrote it. Most SQL Server logins are AD groups rather than individual users, so whenever a security question comes up we need to trace a user back to the group (or nested group) through which he gets access. This script recursively walks every sub-group of the specified AD group and lists each sub-group together with its members. Hope it's useful.

# Script to Find AD Group Members
# Created by - Vinoth N Manoharan
# Version 1.1
# Date - 05/10/2011
# Script Help :-
# Please Enter $usr variable some valid AD Group you want to Search
$usr = "AD Group Name"

# Groups already expanded, keyed by distinguished name. AD allows circular
# nesting (A -> B -> A); without this guard the recursion would never end.
$visited = @{}

function Findusers($objparam)
{
    foreach($ent in $objparam)
    {
        # $ent is the member's distinguished name; bind to it directly.
        $objuser1 = New-Object System.DirectoryServices.DirectoryEntry("LDAP://"+$ent)
        # .Value unwraps the PropertyValueCollection so the integer compare is exact.
        $usrtype = [int]$objuser1.sAMAccountType.Value
        # sAMAccountType values:
        #   268435456  SAM_GROUP_OBJECT
        #   268435457  SAM_NON_SECURITY_GROUP_OBJECT
        #   536870912  SAM_ALIAS_OBJECT
        #   536870913  SAM_NON_SECURITY_ALIAS_OBJECT
        #   805306368  SAM_NORMAL_USER_ACCOUNT
        #   805306369  SAM_MACHINE_ACCOUNT
        #   805306370  SAM_TRUST_ACCOUNT
        #   1073741824 SAM_APP_BASIC_GROUP
        #   1073741825 SAM_APP_QUERY_GROUP
        #   2147483647 SAM_ACCOUNT_TYPE_MAX
        if($usrtype -eq 268435456 -or $usrtype -eq 268435457)
        {
            # Member is itself a group: print its name, then recurse into its members.
            "`n`t" + $objuser1.name + "`n"
            if ($visited.ContainsKey([string]$ent)) { "`t`t(already expanded above)"; continue }
            $visited[[string]$ent] = $true
            $objmem_inner = $objuser1.member
            Findusers($objmem_inner)
        }
        else
        {
            # Leaf member (user, computer, ...): print cn and display name.
            "`t`t"+$objuser1.cn+" -- "+$objuser1.Displayname
        }
    }
}

$str = $usr + ":-"
Echo $str
Echo "---------------------------------------------"
$objItem = @()
$strFilter = "(&(objectCategory=Group)(name=$usr))"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry   # default naming context of the current domain
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"
$colResults = $objSearcher.FindAll()
foreach ($objResult in $colResults)
{
    $objItem = $objResult.GetDirectoryEntry()
    $objmem = $objItem.member
    Findusers($objmem)
}
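The script above prints an indented text tree, which is fine to read but hard to join against a list of SQL Server logins. The following is an added example, not the author's script, that walks the same nesting with System.DirectoryServices but emits one object per member carrying the chain of groups it came through, escapes the group name before it is placed in the LDAP filter, and refuses to expand a group twice so circular nesting cannot recurse forever. It assumes a domain-joined host where the current user can read the directory; "AD Group Name" is a placeholder and the function names are my own.

```powershell
# Added example; not part of the original post. Assumes a domain-joined host.
# sAMAccountType values for groups, as listed in the original script.
$SAM_GROUP_OBJECT              = 268435456
$SAM_NON_SECURITY_GROUP_OBJECT = 268435457

function Get-NestedGroupMembership {
    param([Parameter(Mandatory)][string]$GroupName)

    # LDAP filter metacharacters in a supplied name must be escaped (RFC 4515),
    # otherwise a name containing ")(" or "*" changes the meaning of the query.
    $escaped = $GroupName -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry   # default naming context
    $searcher.PageSize    = 1000
    $searcher.SearchScope = "Subtree"
    $searcher.Filter      = "(&(objectCategory=group)(name=$escaped))"

    $visited = New-Object 'System.Collections.Generic.HashSet[string]'
    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            $root = $result.GetDirectoryEntry()
            Expand-GroupMember -Entry $root -Path @([string]$root.Properties["name"].Value) -Visited $visited
        }
    } finally {
        $results.Dispose()
    }
}

function Expand-GroupMember {
    param(
        [System.DirectoryServices.DirectoryEntry]$Entry,
        [string[]]$Path,
        [System.Collections.Generic.HashSet[string]]$Visited
    )
    $dn = [string]$Entry.Properties["distinguishedName"].Value
    if (-not $Visited.Add($dn)) {
        # Already expanded: a cycle (A -> B -> A) or the same group reached by two routes.
        [pscustomobject]@{ Member = $dn; Type = "group (already expanded)"; Depth = $Path.Count; Path = ($Path -join " > ") }
        return
    }
    foreach ($memberDn in $Entry.Properties["member"]) {
        $member = New-Object System.DirectoryServices.DirectoryEntry("LDAP://" + $memberDn)
        # Foreign security principals (trusted-domain members) have no sAMAccountType; [int]$null is 0.
        $type = [int]$member.Properties["sAMAccountType"].Value
        if ($type -eq $SAM_GROUP_OBJECT -or $type -eq $SAM_NON_SECURITY_GROUP_OBJECT) {
            $name = [string]$member.Properties["name"].Value
            [pscustomobject]@{ Member = $name; Type = "group"; Depth = $Path.Count; Path = ($Path -join " > ") }
            Expand-GroupMember -Entry $member -Path ($Path + $name) -Visited $Visited
        } else {
            $sam = [string]$member.Properties["sAMAccountName"].Value
            if (-not $sam) { $sam = [string]$member.Properties["name"].Value }   # e.g. a foreign security principal
            [pscustomobject]@{
                Member = $sam
                Type   = "member"     # user, computer or foreign security principal
                Depth  = $Path.Count
                Path   = ($Path -join " > ")
            }
        }
    }
}

# Usage: one row per member with the chain of groups that grants it membership,
# which is the "which group gives this user the SQL login" question from the post.
Get-NestedGroupMembership -GroupName "AD Group Name" | Format-Table -AutoSize
```

Because the output is objects, you can pipe it to Export-Csv or filter it with Where-Object on the Member column to find every path by which a single account reaches the group. One caveat that applies to both scripts: for groups with more than the domain's ranged-retrieval limit (1500 values by default) Active Directory returns the membership in ranged slices (member;range=0-1499) and the plain member attribute comes back empty, so very large groups need range retrieval or the ActiveDirectory module before either walk sees their members.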


Vinoth is currently a Senior SQL Server DBA with 10 years of experience as a SQL Server DBA. He started his career as a DBA on SQL 6.5/7 and has worked with every subsequent SQL Server version. Vinoth has worked in some of the largest SQL Server environments in the world in various domains ranging from Finance, Retail, Manufacturing, Consulting, Web etc. Vinoth has an Engineering Degree in Computer Science and is certified MCITP - Database Administrator (2008/2005), MCDBA and ITIL Foundation V3.


Original post: www.sqltechnet.com