Find nested Active Directory groups using PowerShell


Get AD Nested Group Membership with PowerShell

Active Directory supports nesting groups inside one another. For example, consider two groups: GroupHR and GroupFinance. GroupFinance can be a member of GroupHR. If I assign GroupHR write permissions on FolderPayroll, the members of GroupFinance also have write access to FolderPayroll, even though GroupFinance itself was never added to the folder's ACL.

Administrators use nested groups to assign access dynamically. Auditing such nesting with the native consoles is tricky, though: the Active Directory Users and Computers console shows only one level of membership at a time, so a user who receives access three groups deep never appears in the folder's group. That gap is where PowerShell scripts come into the picture.

The Get-ADGroupMember cmdlet returns the members of a group. To see the direct members of a group, use the following command: 
C:\> Get-ADGroupMember GroupName | select Name, objectclass
This returns the direct members of the queried group, including any nested groups (they appear with an objectclass of group). The cmdlet also supports recursive lookups: with -Recursive it expands every nested group and returns the leaf objects (users, computers and other non-group members) found at any depth, but it does not show the nested groups themselves or the chain through which a member was reached. The command for a recursive search is as follows:
C:\> Get-ADGroupMember GroupName -Recursive | select Name, objectclass
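The following is an added example, not code from the original article. It walks the nested-group tree below a group and records the path through which each member is reached, which is exactly what the flattened -Recursive output hides when you need to explain why a user has access. The group name GroupHR is a placeholder, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the original article): enumerate a group's members at
# every nesting depth and keep the membership chain for each one.
# Assumes the ActiveDirectory RSAT module; 'GroupHR' is a placeholder group name.
Import-Module ActiveDirectory

function Get-NestedGroupPaths {
    param(
        [Parameter(Mandatory)] [string]   $GroupName,   # name, SAM, DN, SID or GUID
        [string[]]                        $Path = @()   # ancestor chain (SAM names)
    )
    $group       = Get-ADGroup -Identity $GroupName
    $currentPath = $Path + $group.SamAccountName

    # Circular nesting (A contains B, B contains A) is legal in AD and would
    # otherwise recurse forever; report it and stop descending.
    if ($Path -contains $group.SamAccountName) {
        [PSCustomObject]@{
            Member      = $group.SamAccountName
            ObjectClass = 'group (circular nesting)'
            Depth       = $Path.Count
            Path        = $currentPath -join ' -> '
        }
        return
    }

    foreach ($member in Get-ADGroupMember -Identity $group.DistinguishedName) {
        [PSCustomObject]@{
            Member      = $member.SamAccountName
            ObjectClass = $member.objectClass
            Depth       = $Path.Count
            Path        = $currentPath -join ' -> '
        }
        if ($member.objectClass -eq 'group') {
            # Descend with the chain so far; a group reachable through two
            # different parents is listed once per path, which is what an audit wants.
            Get-NestedGroupPaths -GroupName $member.DistinguishedName -Path $currentPath
        }
    }
}

# Usage: every member of GroupHR, direct or nested, with the chain that grants it.
Get-NestedGroupPaths -GroupName 'GroupHR' |
    Sort-Object Depth, Path |
    Format-Table Depth, Path, Member, ObjectClass -AutoSize
```

Two caveats apply to anything built on Get-ADGroupMember: by default Active Directory Web Services refuses to return more than 5000 members for a single group (MaxGroupOrMemberEntries), and members from trusted domains that exist only as foreign security principals can make the cmdlet fail for that group. For very large or cross-domain groups, query the member or memberOf attribute with an LDAP filter instead.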
If you would rather have a CSV file listing the member groups of every group in your domain, use the following PowerShell script:
  Import-Module ActiveDirectory
  $Report = @()
  $GroupCollection = Get-ADGroup -Filter * | Select-Object Name, SamAccountName, DistinguishedName
  foreach ($Group in $GroupCollection) {
      # Direct members that are themselves groups; users and computers are skipped
      $MemberGroup  = Get-ADGroupMember -Identity $Group.DistinguishedName | Where-Object { $_.objectClass -eq 'group' }
      $MemberGroups = ($MemberGroup.Name) -join "`r`n"
      if ($MemberGroups -ne "") {
          $Out = [PSCustomObject]@{
              'Group Name'    = $Group.Name
              'Member Groups' = $MemberGroups
          }
          $Report += $Out
      }
  }
  # Sort and write the CSV. Format-Table is for console display only and must not be piped into Export-Csv.
  $Report | Sort-Object 'Group Name' | Export-Csv -Path 'C:\Group-MemberGroups-Report.csv' -NoTypeInformation
This writes a CSV file with the queried data. Note that the report records one level of nesting per row (the groups that are direct members of each group); to follow a chain further, look up the member group's own row or use a recursive query. The native Active Directory Users and Computers console does not expand nested membership, but, as demonstrated above, this limitation is overcome by a short PowerShell script. 
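As an added example that is not part of the original article, the following lets the domain controller do the recursion instead of the client. The LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) applied to memberOf returns every object whose membership chain leads to a group, at any depth, in one query; applied to member it answers the reverse question, which groups an object transitively belongs to. This is also the query attackers use when enumerating a domain, so what it returns is what they see. The ActiveDirectory module is assumed to be installed; 'Domain Admins' is used as the example target and the helper names are my own.

```powershell
# Added example (not from the original article): server-side recursive group
# queries with LDAP_MATCHING_RULE_IN_CHAIN. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$InChain = '1.2.840.113556.1.4.1941'   # LDAP_MATCHING_RULE_IN_CHAIN

function ConvertTo-LdapFilterValue {
    # Escape a value for use inside an LDAP filter (RFC 4515). Distinguished
    # names can legitimately contain parentheses and backslashes.
    param([Parameter(Mandatory)] [string] $Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-EffectiveGroupMembers {
    # Every user who is a member of $GroupName directly or through any chain of
    # nested groups. No client-side walk, so the 5000-member cap does not apply.
    param([Parameter(Mandatory)] [string] $GroupName)
    $groupDn = ConvertTo-LdapFilterValue (Get-ADGroup -Identity $GroupName).DistinguishedName
    Get-ADUser -LDAPFilter "(memberOf:${InChain}:=$groupDn)" |
        Select-Object SamAccountName, DistinguishedName
}

function Get-NestedGroupsIn {
    # Every group nested inside $GroupName at any depth (groups only, no users).
    param([Parameter(Mandatory)] [string] $GroupName)
    $groupDn = ConvertTo-LdapFilterValue (Get-ADGroup -Identity $GroupName).DistinguishedName
    Get-ADGroup -LDAPFilter "(memberOf:${InChain}:=$groupDn)" |
        Select-Object SamAccountName, GroupScope, DistinguishedName
}

function Get-EffectiveGroupMembership {
    # The reverse lookup: every group the object with this DN belongs to,
    # directly or through nesting.
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    $dn = ConvertTo-LdapFilterValue $DistinguishedName
    Get-ADGroup -LDAPFilter "(member:${InChain}:=$dn)" |
        Select-Object SamAccountName, GroupScope, DistinguishedName
}

# Usage: who really holds Domain Admins rights, and through which nested groups.
Get-NestedGroupsIn        -GroupName 'Domain Admins' | Format-Table -AutoSize
Get-EffectiveGroupMembers -GroupName 'Domain Admins' | Format-Table -AutoSize
```

One gap to keep in mind when reading the output: membership held through the account's primary group (the primaryGroupID attribute, Domain Users by default) is not stored in memberOf and will not be matched by either filter, so a group that has been made someone's primary group still needs a separate check on primaryGroupID.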


