PowerShell offers a number of Active Directory (AD for short) cmdlets, shipped in the ActiveDirectory module, to make an AD admin’s life a little easier. For example, if you need to get a list of members of an AD group, nested groups included, you can use something like:
Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive
The problem is that this doesn’t work everywhere. The ActiveDirectory module is not a “normal” one you can install with Install-Module; it is part of the Remote Server Administration Tools (RSAT), so you need to install a Windows feature, either from Control Panel or by using the Add-WindowsCapability cmdlet (on a server, Install-WindowsFeature RSAT-AD-PowerShell).
But you don’t have to use this module. You can use something that’s available on every Windows machine with PowerShell: the [adsisearcher] type accelerator, which is shorthand for the .NET System.DirectoryServices.DirectorySearcher class and talks LDAP to a domain controller directly, so no extra module or feature is needed.
So here are a couple of scripts I came up with (credits where they’re due). The first searches through all groups, finds the ones whose name contains a string and lists their members.
#
# Source: DotJim blog (https://dandraka.com)
# Jim Andrakakis, January 2024
#
# ===== Parameters =====
param(
    [string]$searchString = 'accounting'
)
# ======================
Clear-Host
$ErrorActionPreference = 'Stop'
# === Get all groups ===
$objSearcher = [adsisearcher]'(objectCategory=group)'
$objSearcher.PageSize = 1000  # any value > 0 enables paged results, so every group is returned; 1000 is the DC's default MaxPageSize
# specify properties to include (fewer attributes means less data over the wire)
$colPropList = @('name')
foreach ($i in $colPropList) { $objSearcher.PropertiesToLoad.Add($i) | Out-Null }
$colResults = $objSearcher.FindAll()
foreach ($objResult in $colResults)
{
    # group name; every entry in Properties is a collection, so take its first value
    $groupName = $objResult.Properties['name'][0]
    if (-not $groupName.ToLower().Contains($searchString.ToLower())) {
        continue
    }
    Write-Host "Members of $groupName [$($objResult.Path)]"
    # bind to the group to read its member attribute (direct members only; a nested group is listed by name, not expanded)
    $group = [ADSI]$objResult.Path
    $group.Member | ForEach-Object {
        # $_ is the member's distinguished name; escape \ * ( ) before putting it into an LDAP filter (RFC 4515),
        # otherwise a DN containing an escaped comma or a parenthesis breaks or alters the query
        $dn = $_ -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
        $memberSearcher = [adsisearcher]"(distinguishedName=$dn)"
        $member = $memberSearcher.FindOne()
        # Select-Object -First 1 yields $null instead of an error when the attribute is not set
        $userName = $member.Properties['samaccountname'] | Select-Object -First 1
        $name = $member.Properties['displayname'] | Select-Object -First 1
        Write-Host "`t[$userName]`t$name"
    }
}
The second displays all details (every attribute the caller is allowed to read) of all users whose display name contains a substring.
#
# Source: DotJim blog (https://dandraka.com)
# Jim Andrakakis, January 2024
#
# ===== Parameters =====
param(
    [string]$searchString = 'Papadomanolakis'
)
# ======================
Clear-Host
$ErrorActionPreference = 'Stop'
# === Get all users whose display name contains the search string ===
# objectCategory=person excludes computer accounts, whose objectClass also includes "user".
# The search string is escaped so that \ * ( ) in it are matched literally instead of changing the filter.
$escaped = $searchString -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
$objSearcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(displayName=*$escaped*))"
$objSearcher.PageSize = 1000  # any value > 0 enables paged results, so all matches are returned
# With PropertiesToLoad left empty, every attribute the caller may read comes back.
#$objSearcher.FindOne().Properties.Keys   # uncomment to list just the attribute names
$objSearcher.FindAll() | ForEach-Object { $_.Properties }
And the third one is a brilliant one-liner by Jos Lieben that lists all groups a user belongs to, nested groups included. The odd-looking 1.2.840.113556.1.4.1941 is the OID of the LDAP_MATCHING_RULE_IN_CHAIN matching rule, which tells the domain controller to follow the member chain itself, so nested memberships come back from a single query. One caveat: the user’s primary group (usually Domain Users) is recorded in the user’s primaryGroupID attribute rather than in the group’s member attribute, so it does not appear in the result.
$userName = $env:USERNAME # change if different user needed
([ADSISEARCHER]"(member:1.2.840.113556.1.4.1941:=$(([ADSISEARCHER]"samaccountname=$userName").FindOne().Properties.distinguishedname))").FindAll().Properties.distinguishedname -replace '^CN=([^,]+).+$','$1'
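Two things a practitioner will want on top of the scripts above, shown here as an added example that is not code from the original post or from Jos Lieben: the search strings and distinguished names are dropped straight into LDAP filters, so a value containing `*`, `(`, `)` or `\` changes the query instead of being matched literally (RFC 4515 escaping fixes that), and the first script only lists direct members while the one-liner misses the primary group. The functions below are mine, the group and user names in the usage lines are placeholders, and the code assumes a domain-joined Windows host querying the logged-on user's domain, as the post does.

```powershell
# Added example for this post (not the author's or Jos Lieben's code). Function names
# and the group/user names in the usage lines are illustrative. Needs a domain-joined
# Windows host; queries go to the domain of the logged-on user, as in the post.

function ConvertTo-LdapFilterValue {
    # Escape a value for use inside an LDAP filter (RFC 4515) so that \ * ( ) and NUL
    # in user input or in a distinguished name are matched literally instead of
    # altering the filter. The backslash is replaced first so later escapes are not
    # double-escaped.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-LdapResult {
    # Run one paged LDAP query against the current domain and return the SearchResults.
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('distinguishedname', 'samaccountname', 'displayname')
    )
    $searcher = [adsisearcher]$Filter
    $searcher.PageSize = 1000       # any value > 0 turns on paging, so all results come back
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    $searcher.FindAll()
}

function Get-FirstValue {
    # First value of an attribute on a SearchResult, or $null when it is not set.
    param($Result, [string]$Name)
    @($Result.Properties[$Name])[0]
}

function Get-GroupMemberTransitive {
    # Users that are in the group directly or through nested groups: the adsisearcher
    # equivalent of Get-ADGroupMember -Recursive. Matching rule 1.2.840.113556.1.4.1941
    # (LDAP_MATCHING_RULE_IN_CHAIN) makes the domain controller walk the memberOf chain,
    # so there is no client-side recursion and no per-member lookup.
    param([Parameter(Mandatory)][string]$GroupName)
    $groupFilter = "(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $GroupName)))"
    $group = Get-LdapResult -Filter $groupFilter | Select-Object -First 1
    if (-not $group) { throw "Group '$GroupName' not found" }
    $groupDn = Get-FirstValue $group 'distinguishedname'
    $memberFilter = "(&(objectCategory=person)(objectClass=user)" +
                    "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $groupDn)))"
    Get-LdapResult -Filter $memberFilter | ForEach-Object {
        [pscustomobject]@{
            SamAccountName    = Get-FirstValue $_ 'samaccountname'
            DisplayName       = Get-FirstValue $_ 'displayname'
            DistinguishedName = Get-FirstValue $_ 'distinguishedname'
        }
    }
}

function Get-UserGroupTransitive {
    # Groups the user belongs to, nested groups included (the same matching rule the
    # one-liner uses), plus the primary group. The primary group is recorded only in the
    # user's primaryGroupID (a RID), not in the group's member attribute, so a
    # member:1.2.840.113556.1.4.1941 search on its own never returns it.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $userFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    $user = Get-LdapResult -Filter $userFilter -Properties 'distinguishedname', 'objectsid', 'primarygroupid' |
        Select-Object -First 1
    if (-not $user) { throw "User '$SamAccountName' not found" }
    $userDn = Get-FirstValue $user 'distinguishedname'
    $nested = Get-LdapResult -Filter "(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $userDn))" -Properties 'samaccountname' |
        ForEach-Object { Get-FirstValue $_ 'samaccountname' }
    # Primary group SID = the user's domain SID + '-' + primaryGroupID; AD accepts the
    # string form of a SID in an objectSid filter.
    $userSid = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$user.Properties['objectsid'][0], 0)
    $primarySid = "$($userSid.AccountDomainSid.Value)-$(Get-FirstValue $user 'primarygroupid')"
    $primary = Get-LdapResult -Filter "(objectSid=$primarySid)" -Properties 'samaccountname' |
        ForEach-Object { Get-FirstValue $_ 'samaccountname' }
    @($primary) + @($nested) | Where-Object { $_ } | Sort-Object -Unique
}

# Usage (illustrative names):
# Get-GroupMemberTransitive -GroupName 'Enterprise Admins' | Format-Table -AutoSize
# Get-UserGroupTransitive -SamAccountName $env:USERNAME
```

The escaping matters most where the value is not under your control: a distinguished name read back from the directory can legitimately contain `\,` or parentheses, and a search string typed by an operator can contain `*`. Keeping the filter construction in one place (the two `*Transitive` functions always go through `ConvertTo-LdapFilterValue`) is the habit that prevents an LDAP filter from being rewritten by its own input.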
Hope that helps. Enjoy! 😊
I love how you muster the mental strength to work with PowerShell as a programming language, essentially. I have never put myself into that mode.