Recursively Listing Security Group Members with PowerShell, Version 2
October 4, 2009
In this post, I described the use of PowerShell to generate a report of all members of a particular group, including nested groups. The script used ADSI calls to the WinNT:// provider to recursively retrieve both local and domain group members. However, it was brought to my attention that the WinNT:// provider cannot access group objects located in non-default OUs, only those in the default Users container. To reach group objects located in OUs, the ADSI queries have to be targeted at the LDAP:// provider. Correcting this posed a bit of a challenge, because LDAP:// cannot access local group members, so both the WinNT:// and LDAP:// providers had to be used selectively.
An updated version of this script can be downloaded here. This version uses the same command line syntax: powershell.exe c:\scripts\listusers.ps1 "Domain_or_Server_Name\Group_Name" 5. The first parameter is a domain name or server name, followed by a backslash and the group name; if the group name contains spaces, this parameter must be wrapped in quotes. The second parameter is the recursion depth: how many levels of nested groups the script will traverse and report on. The script writes the group membership details to the command window and to a text file (located in the same directory as the script) named after the group.
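To illustrate the provider selection described above, here is an added example script of my own; it is not the downloadable listusers.ps1 and does not reproduce its internals. It takes the same two parameters ("Domain_or_Server_Name\Group_Name" and a depth), resolves domain groups through LDAP:// so that groups in any OU are found, walks local groups through WinNT://, and hands any domain group nested inside a local group back to LDAP:// for further recursion. The way it decides whether the first parameter names a domain or a server (try an LDAP search first, fall back to WinNT:// on failure), the output file name, the try/catch (PowerShell 2.0 or later) and the helper names are all assumptions of this example, not details of the original script. Because the group name is interpolated into an LDAP filter, the example escapes the RFC 4515 special characters so that a name such as "Admins (UK)" cannot change the shape of the query, and it keeps a set of visited distinguished names so that circular nesting does not recurse forever.

```powershell
# Added example script (not the original listusers.ps1). Usage mirrors the post's syntax:
#   powershell.exe .\listmembers.ps1 "DOMAIN\Group Name" 5
#   powershell.exe .\listmembers.ps1 "SERVER\Administrators" 5
param(
    [Parameter(Mandatory = $true)][string]$Target,  # "Domain_or_Server_Name\Group_Name"
    [int]$Depth = 5                                 # how many levels of nested groups to traverse
)

$container, $groupName = $Target -split '\\', 2
if (-not $groupName) { throw "Expected 'Domain_or_Server_Name\Group_Name', got '$Target'" }

# Report goes to the console and to <GroupName>.txt beside the script (assumed convention).
$outFile = Join-Path (Split-Path -Parent $MyInvocation.MyCommand.Path) "$groupName.txt"
if (Test-Path $outFile) { Remove-Item $outFile }
function Write-Line([string]$Text) { Write-Host $Text; Add-Content -Path $outFile -Value $Text }

# Escape the characters that carry meaning in an LDAP filter (RFC 4515).
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# Resolve a domain group by sAMAccountName via LDAP://, which searches every OU in the domain.
function Get-LdapGroup([string]$Domain, [string]$Name) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Domain")
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $Name)))"
    $hit = $searcher.FindOne()
    if ($hit) { $hit.GetDirectoryEntry() } else { $null }
}

# Walk an LDAP:// group. $Seen holds distinguished names already expanded, so A -> B -> A stops.
function Write-LdapMembers($Group, [int]$Level, [hashtable]$Seen) {
    $dn = [string]$Group.distinguishedName.Value
    if ($Level -gt $Depth -or $Seen.ContainsKey($dn)) { return }
    $Seen[$dn] = $true
    foreach ($memberDn in @($Group.member)) {
        $m = [ADSI]"LDAP://$memberDn"
        $name = if ($m.sAMAccountName) { [string]$m.sAMAccountName } else { [string]$m.cn }  # foreign SIDs have no sAMAccountName
        Write-Line (("  " * $Level) + "$name [$($m.SchemaClassName)]")
        if ($m.SchemaClassName -eq 'group') { Write-LdapMembers $m ($Level + 1) $Seen }
    }
}

# Walk a WinNT:// (local) group. WinNT:// cannot find groups outside the default Users
# container, so a nested domain group is re-resolved through LDAP:// before recursing.
function Write-WinNTMembers($Group, [int]$Level, [hashtable]$Seen) {
    if ($Level -gt $Depth) { return }
    foreach ($m in @($Group.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)  # e.g. WinNT://DOM/Name
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)  # User or Group
        $parts = ($path -replace '^WinNT://', '') -split '/'
        Write-Line (("  " * $Level) + "$($parts[-1]) [$class]")
        if ($class -ne 'Group') { continue }
        if ($parts.Count -ge 2 -and $parts[0] -ne $container) {
            $dg = Get-LdapGroup $parts[0] $parts[-1]
            if ($dg) { Write-LdapMembers $dg ($Level + 1) $Seen } else { Write-Line (("  " * $Level) + "  (domain group not found via LDAP)") }
        } else {
            Write-WinNTMembers ([ADSI]"$path,group") ($Level + 1) $Seen
        }
    }
}

# Provider selection (assumption of this example): treat the first parameter as a domain and try
# LDAP first; if that search fails or finds nothing, treat it as a server and use WinNT://.
$seen = @{}
$domainGroup = $null
try { $domainGroup = Get-LdapGroup $container $groupName } catch { $domainGroup = $null }
if ($domainGroup) {
    Write-Line "Members of $container\$groupName (LDAP://), depth $Depth"
    Write-LdapMembers $domainGroup 0 $seen
} else {
    Write-Line "Members of $container\$groupName (WinNT://), depth $Depth"
    Write-WinNTMembers ([ADSI]"WinNT://$container/$groupName,group") 0 $seen
}
```

Two caveats worth knowing before relying on output like this for an access review: reading the member attribute of a very large domain group through a DirectoryEntry can return only the first range of values unless ranged retrieval is used, and a domain group that is nested inside a local group but cannot be resolved through LDAP:// is reported as not found rather than silently dropped, so the gap is visible in the report.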
The inner workings of this script became more complicated in this version, largely because I wanted the script to automatically select which provider to use in the ADSI calls. The functional overview of the script is as follows: