Active Directory - list full subgroup dependency of a given group and omit subgroups without any user

Question

I have to list full subgroup dependency of specific group - filter -> only subgroups which contain at least 1 user.

I have tried this approach:

dsquery group -samid <specific_group> | dsget group -members -expand  | dsquery * -filter "(&(objectclass=group))"

Do you have access to the PowerShell ActiveDirectory Module? — Santiago Squarzon, Dec 06 '22 at 15:38
What about groups that may have a member other than a user? i.e. a gMSA account or that's not a possibility? — Santiago Squarzon, Dec 06 '22 at 16:21

score 0 · Answer 1 · answered Dec 06 '22 at 15:25

This is an adapted version of my answer here to omit groups without any user object.

Unfortunately, using Get-ADGroupMember together with switch -Recursive will not return members that are groups.
As the docs state:

If the Recursive parameter is specified, the cmdlet gets all members in the hierarchy of the group that do not contain child objects.

To get an array of nested group objects within a certain parent group, you will need a recursive function like below:

function Get-NestedADGroup {
    Param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 0)]
        [ValidateNotNullOrEmpty()]
        [Alias ('Identity')]
        [string]$Group,
        # the other parameters are optional
        [string]$Server      = $null,
        [string]$SearchBase  = $null,
        [ValidateSet('Base', 'OneLevel', 'Subtree')]
        [string]$SearchScope = 'Subtree'
    )

    $params = @{
        Identity    = $Group
        SearchScope = $SearchScope
        Properties  = 'Members'
        ErrorAction = 'SilentlyContinue'
    }  
    if (![string]::IsNullOrWhiteSpace($Server))     { $params['Server'] = $Server }
    if (![string]::IsNullOrWhiteSpace($SearchBase)) { $params['SearchBase'] = $SearchBase }

    $adGroup = Get-ADGroup @params
    if ($adGroup) {
        if (-not $script:groupsHash.ContainsKey($Group)) {
            # output this group object only if it has at least one user object
            if (@($adGroup.Members | Where-Object {$_.objectClass -eq 'user'}).Count -gt 0) {
                $adGroup
            }
            # avoid circular group references
            $script:groupsHash[$Group] = $true
            # and recurse to get the nested groups
            foreach ($group in ($adGroup.Members | Where-Object {$_.objectClass -eq 'group'})) {
                Get-NestedADGroup -Group $group.DistinguishedName -Server $Server -SearchBase $SearchBase
            }
        }
    }
    else {
        Write-Warning "Group '$($Group)' could not be found.."
    }
}

# create a Hashtable to avoid circular nested groups
$groupsHash = @{}

# call the function
$result = Get-NestedADGroup -Group 'SpecificGroup'

# output just the names if you like
$result.Name

# save to CSV
$result | Export-Csv -Path 'X:\Somewhere\SubgroupsWithAtLeastOneUser.csv' -NoTypeInformation

Could you please describe me how and where could i include it? — Doublementi, Dec 06 '22 at 15:48
@Doublementi Include into what? This is simple the whole code, you only have to change `'SpecificGroup'` into the name or preferrably the DistinguishedName of the parent group to work on in line `$result = Get-NestedADGroup -Group 'SpecificGroup'` — Theo, Dec 06 '22 at 18:59
I've got error: 'WARNING: Group '' could not be found..', Do the DC: DC should be specified, or it doesn't matter? — Doublementi, Dec 07 '22 at 13:41
@Doublementi No, just use the correct name of the group. If in doubt, open ADUC, search for the group, klick properties and copy the DistinghuishedName of the group. Then use that when calling the function — Theo, Dec 07 '22 at 14:45

Santiago Squarzon · Answer 2 · 2022-12-06T17:09:42.027

0

Here is an easy alternative leveraging Active Directory filtering capabilities. See inline comments to understand the logic.

Do note, this answer requires the ActiveDirectory Module available.

# Get the DN of the parent group (this is the initial group)
$parent = (Get-ADGroup parentGroup).distinguishedName
$param = @{
    LDAPFilter = "(memberof:1.2.840.113556.1.4.1941:=$parent)"
    Properties = "member"
}
# Find, recursively, all child groups Members Of this parent group
# and filter
Get-ADGroup @param | Where-Object {
    # For each member of this child group,
    # check if this member is an object of the Class `user`,
    # if it is, we already can break the pipeline and return
    # this child group, since we already know it has
    # at least 1 user member
    $_.member | Get-ADObject | Where-Object ObjectClass -EQ user |
        Select-Object -First 1
}

edited Dec 06 '22 at 17:09

answered Dec 06 '22 at 16:48

Santiago Squarzon

41,465
5
14
37

I need to list full subgroup dependency - if subgroup which not have users, has groups, then go inside each group and check if users are there, if yes, save the name, next, if in saved group are still subgroups beyond the users, go inside all of them, and check it each time, deeper and deeper, till reach the core of this group dependency. – Doublementi Dec 07 '22 at 14:39
@Doublementi not the premise of your question – Santiago Squarzon Dec 07 '22 at 14:53

Active Directory - list full subgroup dependency of a given group and omit subgroups without any user

2 Answers2