Last week a fellow Dutch IT Pro named Kees Baggerman mentioned something about the ability to use PowerShell to report all members of the Domain Admins group in an Active Directory.
So just for the fun of it I started to script… but instead of reporting the members of one specific group, I’ve written a function you can use to get the users from ANY group you specify… I hope you find it useful!
<#
.Synopsis
   Get all (nested) members of an Active Directory Group.
.DESCRIPTION
   Get all (nested) members of an Active Directory Group.
.EXAMPLE
   Get-ADNestedGroupMembers "Domain Admins"
.EXAMPLE
   Get-ADNestedGroupMembers "Domain Admins" | Select-Object DistinguishedName
#>
function Get-ADNestedGroupMembers {
    [cmdletbinding()]
    param (
        [String] $Group
    )

    Import-Module ActiveDirectory

    # Direct members of the group: users, computers and nested groups.
    $Members = Get-ADGroupMember -Identity $Group

    $Members | ForEach-Object {
        if ($_.ObjectClass -eq "group") {
            # A nested group: recurse into it and emit its members instead.
            Get-ADNestedGroupMembers -Group $_.distinguishedName
        }
        else {
            # Anything that is not a group is returned as a member.
            return $_
        }
    }
}
And based on the comment below from Robert Martin, here’s a more elegant version:
<#
.Synopsis
   Get all (nested) members of an Active Directory Group.
.DESCRIPTION
   Get all (nested) members of an Active Directory Group.
.EXAMPLE
   Get-ADNestedGroupMembers "Domain Admins"
.EXAMPLE
   Get-ADNestedGroupMembers "Domain Admins" | Select-Object DistinguishedName
#>
function Get-ADNestedGroupMembers {
    [cmdletbinding()]
    param (
        [String] $Group
    )

    Import-Module ActiveDirectory

    # -Recursive makes the cmdlet walk nested groups itself and return only non-group members.
    $Members = Get-ADGroupMember -Identity $Group -Recursive
    $Members
}
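When auditing a privileged group it helps to know through which nested group an account gets its membership, and the hand-written recursion in the first version never terminates if two groups contain each other. The following is an added example, not the author's code: the function name, the `-Resolver` parameter (an assumption that lets the lookup be swapped for the constructed sample data so the block runs without a domain) and the sample directory are all hypothetical.

```powershell
function Get-ADNestedGroupMemberPath {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string] $Group,
        # Assumption: lookup is injectable for offline runs; the default queries Active Directory.
        [scriptblock] $Resolver = { param($Identity) Get-ADGroupMember -Identity $Identity },
        # Recursion state; callers normally leave these two unset.
        [string[]] $Path = @(),
        [System.Collections.Generic.HashSet[string]] $Visited
    )
    if ($null -eq $Visited) {
        $Visited = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    }
    # Add() returns $false for a group that was already expanded, which stops circular nesting.
    # Pass the top-level group as a distinguished name so it is recognised if nested again.
    if (-not $Visited.Add($Group)) { return }
    $Path += $Group
    foreach ($member in (& $Resolver $Group)) {
        if ($member.objectClass -eq 'group') {
            Get-ADNestedGroupMemberPath -Group $member.distinguishedName -Resolver $Resolver -Path $Path -Visited $Visited
        }
        else {
            # Each group is expanded once, so a member is reported with the first path that reaches it.
            [pscustomobject]@{
                SamAccountName = $member.SamAccountName
                ObjectClass    = $member.objectClass
                Via            = $Path -join ' > '
            }
        }
    }
}

# Constructed sample directory (not real data): GroupA contains GroupB, which contains GroupA again.
$a = 'CN=GroupA,DC=example,DC=test'
$b = 'CN=GroupB,DC=example,DC=test'
$fakeDirectory = @{
    $a = @(
        [pscustomobject]@{ objectClass = 'user';  SamAccountName = 'alice';  distinguishedName = 'CN=alice,DC=example,DC=test' }
        [pscustomobject]@{ objectClass = 'group'; SamAccountName = 'GroupB'; distinguishedName = $b }
    )
    $b = @(
        [pscustomobject]@{ objectClass = 'user';  SamAccountName = 'bob';    distinguishedName = 'CN=bob,DC=example,DC=test' }
        [pscustomobject]@{ objectClass = 'group'; SamAccountName = 'GroupA'; distinguishedName = $a }
    )
}
Get-ADNestedGroupMemberPath -Group $a -Resolver { param($Identity) $fakeDirectory[$Identity] }
```

Against a real domain, omit `-Resolver` and pass the group's distinguished name after `Import-Module ActiveDirectory`.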