
I'm trying to list everyone in a security group in an Active Directory without using CmdLets in PowerShell. The weird thing with my script is that it works if I list the entire directory, but if I try and specify with an LDAP query what I want to be listed it does not work. I know my LDAP query is correct because I have used it in another similar vbs and it works. The commented lines are where I have tried to put in the query.

$strFilter = "(&(objectCategory=person)(objectClass=user))"
#$strFilter = "(&(objectCategory=person)(objectClass=user)(memberOf=CN=Common Name,OU=User Groups,...,DC=ad,DC=domain,DC=com))" #... is just left out part of query

#$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Common Name,OU=User Groups,...,DC=ad,DC=domain,DC=com") #... is just left out part of query

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"

$colProplist = "name"
foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}

$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults)
    {$objItem = $objResult.Properties; $objItem.name}
JPBlanc
yoyomommy
  • Why can't you use cmdlets? That's like saying "I want to program something in C# without using methods". – JNK Nov 08 '11 at 18:37
  • The ones people are suggesting I would have to install, and I want this to run on any computer with just the script. – yoyomommy Nov 08 '11 at 18:52
  • CmdLets are available with the Active Directory module in PowerShell 2.0. – JPBlanc Nov 08 '11 at 19:35
  • Sometimes security access controls and permissions restrict the ability to install/use non-default AD cmdlets; in that case this question is still quite relevant. – John Eisbrener Apr 07 '17 at 16:41

3 Answers


Here is something working in Active Directory 2003 SP2 and 2008 R2. I use ADSI and Microsoft's LDAP_MATCHING_RULE_IN_CHAIN. It searches recursively (but in one query) for all the users of a group (be careful: it returns users from both security and distribution groups).

Clear-Host
$dn = New-Object System.DirectoryServices.DirectoryEntry ("LDAP://WM2008R2ENT:389/dc=dom,dc=fr","jpb@dom.fr","PWD")

# To find all the users member of groups "MonGrpPlusSec"  : 
# Set the base to the groups container DN; for example root DN (dc=societe,dc=fr)  
# Set the scope to subtree 
# Use the following filter : 
# (member:1.2.840.113556.1.4.1941:=CN=MonGrpPlusSec,OU=ForUser1,DC=dom,DC=fr) 

$dsLookFor = new-object System.DirectoryServices.DirectorySearcher($dn)
$dsLookFor.Filter = "(&(memberof:1.2.840.113556.1.4.1941:=CN=MonGrpPlusSec,OU=ForUser1,DC=dom,DC=fr)(objectCategory=user))"; 
$dsLookFor.SearchScope = "subtree"; 
$n = $dsLookFor.PropertiesToLoad.Add("cn"); 
$n = $dsLookFor.PropertiesToLoad.Add("distinguishedName");
$n = $dsLookFor.PropertiesToLoad.Add("sAMAccountName");

$lstUsr = $dsLookFor.findall()
foreach ($usrTmp in $lstUsr) 
{
  Write-Host $usrTmp.Properties["samaccountname"]
}
JPBlanc
  • To have a complete list of users, computers and groups, use this line changed: $dsLookFor.Filter = "(&(memberof:1.2.840.113556.1.4.1941:=CN=sg01,OU=sg,DC=int,DC=io,DC=local)(objectCategory=*))"; – CB. Nov 08 '11 at 20:29
  • These both worked perfectly, but this one had more functionality like what I was looking for, so I chose this one. Thanks a ton for your help! – yoyomommy Nov 09 '11 at 18:01

This will get all members of the domain Administrators group, including nested members (requires .NET 3.5).

$Recurse = $true

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$group=[System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ct,'Administrators')
$group.GetMembers($Recurse)
Shay Levy
  • These both worked perfectly, but the 2nd one had more functionality like what I was looking for, so I chose that one. Thanks a ton for your help! Sorry I could not give both of you credit... – yoyomommy Nov 09 '11 at 18:02

So long as you know the group name, you can run the following (ugly) quasi-one-liner:

## List Members in a Group
$groupname = 'GroupNameHere'
(New-Object System.DirectoryServices.DirectoryEntry((New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=Group)(name=$($groupname)))")).FindOne().GetDirectoryEntry().Path)).member | % { (New-Object System.DirectoryServices.DirectoryEntry("LDAP://"+$_)) } | Sort-Object sAMAccountName | SELECT @{name="User Name";expression={$_.Name}},@{name="User sAMAccountName";expression={$_.sAMAccountName}}

Also since you rarely do one without the other, I'm also going to include the way to list all groups for a user using the same basic approach:

## List Groups for a Username
$username = 'UsernameHere'
(New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=User)(samAccountName=$($username)))")).FindOne().GetDirectoryEntry().memberOf | % { (New-Object System.DirectoryServices.DirectoryEntry("LDAP://"+$_)) } | Sort-Object sAMAccountName | SELECT @{name="Group Name";expression={$_.Name}},@{name="Group sAMAccountName";expression={$_.sAMAccountName}}

Both of these query your current domain and do not require any domain qualification, nor do they require any modules or additional libraries to be installed. I also find myself working in a pretty vanilla environment from time to time with minimal permissions where I need to search through AD, and I find these two commands help me with that quite a bit.

John Eisbrener
  • How do I get the group description field using ADSI if a group name is provided? – Enigma Aug 08 '20 at 17:24
  • @John Eisbrener - Thank you for this. I use accounts which can't install cmdlets and so this is exactly what I needed. – Yarner Aug 28 '20 at 11:23
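The recursive LDAP_MATCHING_RULE_IN_CHAIN query from JPBlanc's answer and the name-based lookups from John Eisbrener's answer, combined into one added example that is not code from the question or any answer. It assumes a domain-joined machine where the default search root (the current domain) is acceptable; the function names and the 'Domain Admins' / 'UsernameHere' arguments are my own, and the escaping function is added so that a group or user name taken from input cannot alter the LDAP filter.

```powershell
# Added example, not code from the question or answers. Assumes a domain-joined
# machine with read access to the directory and no AD module; searches default
# to the current domain, as in the answers above. Values placed in a filter are
# escaped per RFC 4515 so that ( ) * \ or NUL cannot change the query's meaning.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # Backslash first, so the escapes added afterwards are not escaped again.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace "`0", '\00'
}

# Resolve a sAMAccountName to its DN; $Category is 'group' or 'person'.
function Get-AdsiObjectDn {
    param([string]$SamAccountName, [string]$Category)
    $name = ConvertTo-LdapFilterValue $SamAccountName
    $filter = "(&(objectCategory=$Category)(sAMAccountName=$name))"
    $s = New-Object System.DirectoryServices.DirectorySearcher($filter, [string[]]@('distinguishedName'))
    $r = $s.FindOne()
    if (-not $r) { throw "No $Category with sAMAccountName '$SamAccountName'" }
    [string]$r.Properties['distinguishedname'][0]
}

# Users that are direct or nested members of a group, in one query via
# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941), with the disabled flag.
function Get-AdsiGroupMemberRecursive {
    param([string]$GroupName)
    $dn = ConvertTo-LdapFilterValue (Get-AdsiObjectDn $GroupName 'group')
    $filter = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$dn))"
    $s = New-Object System.DirectoryServices.DirectorySearcher($filter, [string[]]@('sAMAccountName', 'userAccountControl'))
    $s.PageSize = 1000   # paged results; without it the server caps the result set
    foreach ($r in $s.FindAll()) {
        [pscustomobject]@{
            SamAccountName = [string]$r.Properties['samaccountname'][0]
            Disabled       = ([int]$r.Properties['useraccountcontrol'][0] -band 2) -ne 0  # ACCOUNTDISABLE
        }
    }
}

# The reverse direction: every group a user belongs to, nested groups included.
function Get-AdsiUserGroupRecursive {
    param([string]$UserName)
    $dn = ConvertTo-LdapFilterValue (Get-AdsiObjectDn $UserName 'person')
    $filter = "(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=$dn))"
    $s = New-Object System.DirectoryServices.DirectorySearcher($filter, [string[]]@('sAMAccountName'))
    $s.PageSize = 1000
    foreach ($r in $s.FindAll()) { [string]$r.Properties['samaccountname'][0] }
}

Get-AdsiGroupMemberRecursive 'Domain Admins' | Sort-Object SamAccountName | Format-Table -AutoSize
Get-AdsiUserGroupRecursive 'UsernameHere' | Sort-Object
```

Neither direction reports a user's primary group (Domain Users by default), because primary group membership is stored in primaryGroupID rather than in member/memberOf.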