
In DSQUERY when finding AD objects, I want to find a DL (distribution list) or AD security group, and find all its users (even in sub groups) and then filter out the sub groups. I have this so far

dsquery group -samid YourGroupName | dsget group -members -expand

from here https://michlstechblog.info/blog/windows-get-all-groups-a-user-is-memberof-by-dsquerydsget-recursive/

but it includes the sub groups. Is there a way I can filter it so that only the users remain? This dsquery does something like that, but I don't know how to tie it in with the above query.

 | dsquery * -filter "(&(objectcategory=person)(objectclass=user))"

Thanks

EDIT:

Let's say I have a group YourGroupName, which has subgroups YourGroupNameA, YourGroupNameB. Then those subgroups have some users User1 (YourGroupNameA group), User2 (YourGroupNameB group), User3 (YourGroupNameB group).

The first query above gets me

YourGroupNameA
YourGroupNameB
User1
User2
User2

However I want to get it like this

User1
User2
User2
omega
  • _Observation: Is there a particular reason that you've taken all of the information from another site, then asked a question to us instead of the author of that information? At the bottom of the page you linked, there's a Leave a Reply form, surely that would have been your first port of call!_ – Compo May 25 '20 at 14:41
  • I did anyways, but don't think they will reply considering there is no other posts.. – omega May 25 '20 at 14:46
  • _Surely your question should have appeared on the page as a comment! hence my observation_. Can you please edit your question to include an example of the output you're currently getting, and an example of how you'd like it once it's filtered according to your requirements? Thank you. – Compo May 25 '20 at 15:04
  • ok I added an example – omega May 25 '20 at 15:08
  • omega, that's not a very useful edit, how are we supposed to filter those made up strings, you've given us absolutely no definitive information on which to filter them outside of `DSQuery`. If the question remains like it is, you're asking how to use a specific command/utility, not how to use a [[tag:batch-file]], for instance. Questions about software are really best suited to Super User, not StackOverflow. – Compo May 25 '20 at 15:13
  • Isn't there a way to do it using objectclass or object category? Posting the details of the users and groups is a bit confidential in my case. I was hoping there would be some code that can filter on the object type (i.e. user vs group). There is a way using dsquery shown above, I just don't know how to tie it in with the first part. – omega May 25 '20 at 15:16
  • Maybe if I can get the intersection of the 2 dsquery? – omega May 25 '20 at 15:17
  • I understand that, you cannot be expected to post sensitive information like that omega, but I'm sure that you could make minor modifications to what you've got, whilst maintaining privacy, but not completely destroying the character set, format, syntax, patterns etc. At the moment all you're effectively doing is hoping that people with a similar environment to yours and the same tools available, can use the same commands to get a similar output. Changing the output would increase your chances of getting assistance from others too. – Compo May 25 '20 at 15:24
  • Is using PowerShell an option? In PowerShell, there are better options than dsquery. And if PowerShell is an option, can you install [RSAT](https://www.microsoft.com/en-ca/download/details.aspx?id=45520) on the computer you're running this on (so you can just use [`Get-ADGroupMember`](https://learn.microsoft.com/en-us/powershell/module/addsadministration/get-adgroupmember))? Or does it have to work without installing anything? Either way, can you describe what your input will be (just the group name, or will you have the distinguished name to start)? And what is your desired output? – Gabriel Luci May 25 '20 at 15:58
  • I have powershell and I believe I can install Rsat. – omega May 25 '20 at 16:01
  • My input is the group name which could be a security group or distribution list. Output should be just the users (expand recursively and then filter out subgroups). – omega May 25 '20 at 16:02

1 Answer

If you install RSAT, you can use the AD PowerShell cmdlets. To get the names of each member, recursively, you can use Get-ADGroupMember with its -Recursive parameter:

Get-ADGroupMember YourGroupName -Recursive | Select Name

That will not include the names of the nested groups.

To search by the group name rather than sAMAccountName, you can use Get-ADGroup and pipe it into Get-ADGroupMember:

Get-ADGroup -Filter "Name -eq 'YourGroupName'" |
    Get-ADGroupMember -Recursive |
    Select -Expand Name

If you prefer to use LDAP filters (which is what it gets converted to in the background anyway), you can use the -LDAPFilter parameter:

Get-ADGroup -LDAPFilter "(name=YourGroupName)" |
    Get-ADGroupMember -Recursive |
    Select -Expand Name

If you need to search by the display name (what gets shown in Outlook, for example), then you can replace name with displayName. They're often the same value, but they can be different.

To present it as a JSON string, use ConvertTo-Json:

Get-ADGroup -Filter "Name -eq 'YourGroupName'" |
    Get-ADGroupMember -Recursive |
    Select -Expand Name |
    ConvertTo-Json
Gabriel Luci
  • @omega Yes. DLs are still just groups in AD. – Gabriel Luci May 25 '20 at 16:54
  • For DLs, it works on SamAccountName, how can I get it to filter on name? – omega May 25 '20 at 17:15
  • Thanks. Is there a way to format it as an array of JSON object? – omega May 25 '20 at 17:33
  • Just pipe it into [`ConvertTo-Json`](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/convertto-json). But you will likely want to add the `-Expand` to `Select` so it presents the data as an array of strings rather than an array of objects. (I updated my answer to use `-Expand`) – Gabriel Luci May 25 '20 at 17:51
  • What's the difference between array of strings vs array of objects? – omega May 25 '20 at 17:55
  • Try to pipe it into `ConvertTo-Json` with and without the `-Expand` and you'll see. – Gabriel Luci May 25 '20 at 17:57
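A PowerShell example added here (it is not code from the question, the answer, or the linked blog) that takes the asker's input, a group name that may be a DL or a security group, resolves it by name, sAMAccountName or displayName, and then uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) so the domain controller expands nested membership and returns only user objects; this ties the question's `objectCategory=person`/`objectClass=user` filter to the recursive expansion in a single query. The function names are assumptions; it requires the RSAT ActiveDirectory module, as in the answer.

```powershell
# Added example, not part of the original question or answer.
# Assumes the RSAT ActiveDirectory module is installed and the caller may read membership.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape RFC 4515 metacharacters so a supplied name or DN cannot alter the filter's shape.
    # Backslash is escaped first so the escapes added afterwards are not re-escaped.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-EffectiveGroupUsers {
    [CmdletBinding()]
    param(
        # Name, sAMAccountName or displayName of the group. Security groups and
        # distribution lists are both group objects in AD, so one lookup covers both.
        [Parameter(Mandatory)][string]$GroupName
    )

    $escaped = ConvertTo-LdapFilterValue $GroupName
    $groups = @(Get-ADGroup -LDAPFilter "(|(name=$escaped)(sAMAccountName=$escaped)(displayName=$escaped))")

    # Fail loudly instead of silently auditing the wrong (or no) group.
    if ($groups.Count -eq 0) { throw "No group matches '$GroupName'." }
    if ($groups.Count -gt 1) {
        throw "Ambiguous name '$GroupName': $($groups.DistinguishedName -join '; ')"
    }

    # memberOf with the IN_CHAIN matching rule is evaluated transitively on the DC,
    # so nested groups are expanded server-side and never appear in the result.
    # Restricting to objectClass=user also drops computer accounts, which
    # Get-ADGroupMember -Recursive would otherwise return as leaf members.
    $dn = ConvertTo-LdapFilterValue $groups[0].DistinguishedName
    $filter = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$dn))"

    Get-ADUser -LDAPFilter $filter -Properties displayName |
        Sort-Object -Property DistinguishedName -Unique
}

# Usage: a JSON array of the effective user members, matching the asker's desired output.
# Get-EffectiveGroupUsers 'YourGroupName' |
#     Select-Object -ExpandProperty SamAccountName |
#     ConvertTo-Json
```

Because the expansion happens in one LDAP query, this also avoids the ADWS result-size limit that `Get-ADGroupMember -Recursive` can hit on very large groups.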