SQLTechnet

Vinoth is currently a Senior SQL Server DBA with 10 years of experience as a SQL Server DBA. He started his career as a DBA on SQL Server 6.5/7 and has worked with every subsequent SQL Server version. Vinoth has worked in some of the largest SQL Server environments in the world, in domains ranging from finance, retail, manufacturing and consulting to the web. Vinoth has an engineering degree in Computer Science and is certified as MCITP - Database Administrator (2008/2005), MCDBA and ITIL Foundation V3.

Find Members of AD Group - PowerShell Script

This is one of the PowerShell scripts I have been using quite regularly since the day I developed it. Most SQL Server logins are AD groups, and for any security issue we need to trace a user back to the group he is associated with. This script recursively loops through all sub-groups of the specified AD group and lists each sub-group together with its members. Hope it's useful.


# Script to Find AD Group Members
# Created by - Vinoth N Manoharan
# Version 1.1
# Date - 05/10/2011
# Script Help :-
#---------------
# Set $usr to the name of the AD group you want to search
$usr = "AD Group Name"

# sAMAccountType values, for reference:
#   268435456  SAM_GROUP_OBJECT               (global/universal group)
#   268435457  SAM_NON_SECURITY_GROUP_OBJECT  (distribution group)
#   536870912  SAM_ALIAS_OBJECT               (domain local group)
#   536870913  SAM_NON_SECURITY_ALIAS_OBJECT
#   805306368  SAM_NORMAL_USER_ACCOUNT
#   805306369  SAM_MACHINE_ACCOUNT
#   805306370  SAM_TRUST_ACCOUNT
#   1073741824 SAM_APP_BASIC_GROUP
#   1073741825 SAM_APP_QUERY_GROUP
#   2147483647 SAM_ACCOUNT_TYPE_MAX

# Distinguished names already visited; stops endless recursion when groups nest in a cycle
$visited = @{}

function Findusers($objparam)
{
    foreach ($ent in $objparam)
    {
        if ($visited.ContainsKey($ent)) { continue }
        $visited[$ent] = $true
        # A "/" inside a DN must be escaped as "\/" in an LDAP:// path
        $objuser1 = New-Object System.DirectoryServices.DirectoryEntry("LDAP://" + $ent.ToString().Replace('/', '\/'))
        $usrtype = $objuser1.sAMAccountType
        # Global/universal groups and domain local groups: print the group name and recurse into it
        if ($usrtype -eq 268435456 -or $usrtype -eq 268435457 -or $usrtype -eq 536870912 -or $usrtype -eq 536870913)
        {
            "`n`t" + $objuser1.name + "`n"
            $objmem_inner = $objuser1.member
            Findusers($objmem_inner)
        }
        else
        {
            # Anything else (user, computer, contact) is a leaf member
            "`t`t" + $objuser1.cn + " -- " + $objuser1.Displayname
        }
    }
}

Clear-Host
$str = $usr + ":-"
$str
Write-Output "---------------------------------------------"

# Locate the starting group anywhere in the current domain
$strFilter = "(&(objectCategory=Group)(name=$usr))"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"
$colResults = $objSearcher.FindAll()
foreach ($objResult in $colResults)
{
    $objItem = $objResult.GetDirectoryEntry()
    $objmem = $objItem.member
    Findusers($objmem)
}
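The audit the introduction describes, that is, tracing which AD users can reach an instance through its Windows-group logins, as an added example that is not part of the original post. It reads the group logins from sys.server_principals (type 'G'), walks each group recursively with a visited set so circular nesting cannot loop forever, and emits one row per user. The instance name is a placeholder; it assumes integrated authentication and read access to group membership in the domain.

```powershell
$instance = "SQLSERVER01"   # placeholder instance name, replace with your own

# 1. Windows-group logins on the instance, e.g. "CONTOSO\SQL Admins"
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$instance;Integrated Security=SSPI")
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = "SELECT name FROM sys.server_principals WHERE type = 'G' AND is_disabled = 0"
$reader = $cmd.ExecuteReader()
$groupLogins = @()
while ($reader.Read()) { $groupLogins += $reader.GetString(0) }
$conn.Close()

# sAMAccountType values that denote a group (global/universal and domain local)
$groupTypes = 268435456, 268435457, 536870912, 536870913

function Get-NestedUsers([string]$groupDn, [string]$viaLogin, [hashtable]$seen)
{
    # $seen holds DNs already expanded, so a group nested inside itself is expanded once
    if ($seen.ContainsKey($groupDn)) { return }
    $seen[$groupDn] = $true
    $group = New-Object System.DirectoryServices.DirectoryEntry("LDAP://" + $groupDn.Replace('/', '\/'))
    foreach ($dn in $group.Properties["member"])
    {
        $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://" + $dn.Replace('/', '\/'))
        $type = [int]$entry.Properties["sAMAccountType"].Value
        if ($groupTypes -contains $type) {
            Get-NestedUsers $dn $viaLogin $seen
        } elseif ($type -eq 805306368) {   # SAM_NORMAL_USER_ACCOUNT
            [pscustomobject]@{
                SqlLogin = $viaLogin
                Group    = $group.Properties["name"].Value
                User     = $entry.Properties["sAMAccountName"].Value
                # bit 2 of userAccountControl is ACCOUNTDISABLE
                Enabled  = -not ([int]$entry.Properties["userAccountControl"].Value -band 2)
            }
        }
    }
}

# 2. Resolve each login to its group object by sAMAccountName and expand it
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.PageSize = 1000
foreach ($login in $groupLogins)
{
    $sam = $login.Split('\')[-1]
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$sam))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { Write-Warning "No AD group found for login $login"; continue }
    Get-NestedUsers $result.Properties["distinguishedname"][0] $login @{}
}
```

Pipe the output to Export-Csv to keep a dated record; a login whose group no longer resolves in AD is itself a finding worth reviewing.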
