
I have a list of AD groups. I want to check if each of these groups is a member of (MemberOf) a parent group(s). If so, I want to list the parent group(s). As an example: Child group 1 has no parent group, so it does not have to list anything. Child group 2 has 2 parent groups (so it is a member of 2 groups), and I want to list those 2 groups. And so on...

I started with some simple code:

```powershell
get-adgroup -filter "CN -eq 'Child2'" -properties memberof | select memberof
```

The result I get is almost what I want:

```
memberof
{CN=Parent1,OU=ABC, CN=Parent2,OU=ABC}
```

So this works, although I prefer not to see the 'CN=' part and 'OU=' part, just the group name(s).

As a next step I tried the code below:

```powershell
Import-Csv -Path H:\Test\Input_ADGroup.csv | 
ForEach-Object {
    $Group = Get-ADGroup -filter "CN -eq '$($_.CN)'" -properties memberof 
    [PSCustomObject]@{
        SourceCN = $_.CN
        MemberOf = $Group.memberof
    }
} | Export-Csv -Path H:\Test\Output_ADGroup.csv -NoTypeInformation
```

When using the code above, it does not work correctly. It shows a list with the input groups (child groups), but the output groups (parent groups) are shown as: "Microsoft.ActiveDirectory.Management.ADPropertyValueCollection". Somehow it does not work when the output contains 2 or more (parent) groups.

Another option I tried was using the Get-ADPrincipalGroupMembership function, but this always gives me an error: Get-ADPrincipalGroupMembership : The operation being requested was not performed because the user has not been authenticated

Does anyone have some ideas on how to help me get the parent groups of each AD group I have in a file?

Thanks in advance.

Maikel
  • First, try doing `Select-Object -ExpandProperty MemberOf`; next, try using `Get-ADGroup` on each value in MemberOf, and retrieving the `sAMAccountName`. – Jeff Zeitlin Aug 05 '19 at 13:15
  • I am not quite sure how to put this into my code :-S... I am not so experienced with PowerShell yet. – Maikel Aug 05 '19 at 13:24
  • `$Group.memberof` -> `$Group |Select-Object -Expand memberof` – Mathias R. Jessen Aug 05 '19 at 13:49
  • `$Group.MemberOf` is a collection. You will need to turn that into a delimited string. `$Group.MemberOf -join ";"` is an example of doing that delimiting with a semi-colon. – AdminOfThings Aug 05 '19 at 14:17
  • `MemberOf = $Group.MemberOf -join ";"` almost works: The outcome gives me 2 columns - A: **ChildgroupA,"CN=Parentgroup1,OU=ABC** etc - B: **CN=Parentgroup2,OU=ABC** etc. Is there a way to remove the CN= and OU part? And is there a way to get ChildA and Parent1 to separate? – Maikel Aug 06 '19 at 05:53

1 Answer

The code below does the trick, although it requires some manual actions in Excel.

```powershell
Import-Csv -Path H:\Powershell\Input_ADGroup.csv | 
ForEach-Object {
    $Group = Get-ADGroup -filter "CN -eq '$($_.CN)'" -properties memberof 
    [PSCustomObject]@{
        SourceCN = $_.CN
        MemberOf = $Group.MemberOf -join ";"
    }
} | Export-Csv -Path H:\Powershell\Output_ADGroup.csv -NoTypeInformation
H:\Powershell\Output_ADGroup.csv 
```

In Column A it outputs the source AD group (Child) and the Parent group. If there are multiple Parent groups, it outputs to columns C, D, E etc. Also, the output (Parent groups) is shown as "CN=Parent1,OU=ABC..." So I used the Find & Replace option in Excel to remove the CN/OU part. Also, because a lot of output can be horizontal (multiple columns), it requires some copy-paste. But I did get the output I needed… So thanks.

Maikel
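An added example, not part of the original posts: it follows the comments' suggestion to expand `MemberOf`, but writes one row per child/parent pair and reduces each distinguished name to its group name, so no Excel clean-up is needed. `Get-DnLeafName` and `Get-ParentGroupRow` are hypothetical helper names, the sample DNs are constructed, and the file paths are the ones from the question.

```powershell
# Hypothetical helper (not part of the ActiveDirectory module):
# returns the value of the first RDN of a distinguished name.
function Get-DnLeafName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # A comma escaped as "\," belongs to the name, so it must not end the match.
    if ($DistinguishedName -match '^[^=]+=((?:\\.|[^,\\])+)') {
        # Drop the escaping backslash; hex escapes such as \2C are left untouched.
        return ($Matches[1] -replace '\\([^0-9A-Fa-f])', '$1')
    }
    return $DistinguishedName
}

# Hypothetical helper: emits one object per parent group.
# A child without parents emits nothing, as the question asks.
function Get-ParentGroupRow {
    param([string]$ChildName, $MemberOf)
    foreach ($dn in $MemberOf) {
        if ($dn) {
            [PSCustomObject]@{
                SourceCN    = $ChildName
                ParentGroup = Get-DnLeafName -DistinguishedName ([string]$dn)
            }
        }
    }
}

# Offline check with constructed DNs (no domain controller needed).
Get-ParentGroupRow -ChildName 'Child2' -MemberOf @(
    'CN=Parent1,OU=ABC,DC=example,DC=com',
    'CN=Parent\, EMEA,OU=ABC,DC=example,DC=com'
)

# Against AD, using the input file layout from the question (a CN column).
Import-Csv -Path H:\Test\Input_ADGroup.csv | ForEach-Object {
    $group = Get-ADGroup -Filter "CN -eq '$($_.CN)'" -Properties MemberOf
    if (-not $group) {
        Write-Warning "Group not found: $($_.CN)"   # typo or stale entry in the CSV
        return
    }
    Get-ParentGroupRow -ChildName $_.CN -MemberOf $group.MemberOf
} | Export-Csv -Path H:\Test\Output_ADGroup.csv -NoTypeInformation
```

`MemberOf` lists direct parents only, so a review of inherited access has to repeat the lookup on each parent group.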