Find Circular Nested Groups

PowerShell script to find any instances of Circular Nested Groups in the domain.


  • Can you prevent it?
    2 Posts | Last post October 06, 2017
    • How do you prevent this problem in AD?
      Is there a way (e.g. GPO) to prevent groups becoming circular dependent?
    • There is no way (I am aware of) to prevent circular nested groups. When a group is made a member of another group, no process runs that can check for this.
  • Great script but I cant export it to a csv for some reason?
    2 Posts | Last post January 16, 2017
    • This script does just what I need but when I try to pipe it to a csv I just get a 0kb file?
      circularnestedgroups.ps1 | export-csv -NoTypeInformation E:\circnest.csv
    • The script is not outputting an object, so you cannot pipe it to anything. While functional, it was written narrowly scoped just to output the information to the user's screen, using Write-Host. Nothing in Write-Host is piped through; it is only visible to the user. You could change the Write-Host parts to Write-Output to be able to pipe to Out-File. Export-Csv will still not work in what I said because there is no object and no properties to serve as headings.
  • Can we get the intermediate nested group present in between the group members?
    1 Posts | Last post December 22, 2014
    • This script runs and gives the output as circular group name and count. What I would like to know is in how many ways some group is circular, e.g. group A is circular in 2 ways as follows: A->B->C->A & A->X->Y->Z->A. So my intention is to find all the intermediate groups that are present; in this example my intention is to find the output file with the output of A->B->C & A->X->Y->Z
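    The two threads above ask for the same two things the gallery script does not do: emit objects that Export-Csv can consume, and report every distinct cycle with its intermediate groups rather than a per-group count. The function below is an added example, not the gallery script and not code from any of the posters. It assumes the membership data has already been collected into a hashtable that maps each group name to the names of its member groups (the script keeps a $Script:GroupMembers hashtable, but its layout is not shown on this page, so that shape is an assumption). The sample table is constructed for illustration.

```powershell
# Added example (not the gallery script): enumerate every distinct membership cycle
# in a group graph and emit one object per cycle, so the result can be piped to
# Export-Csv. $GroupMembers is assumed to map group name -> array of member group
# names; the sample data at the bottom is constructed, not real directory data.

function Find-GroupCycle {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [hashtable]$GroupMembers
    )

    # Keys of cycles already reported, so A->B->C->A and B->C->A->B count once.
    $seen = New-Object 'System.Collections.Generic.HashSet[string]'

    # Depth-first walk. $path is the chain of groups from the start group to the
    # current node; reaching the start group again closes one simple cycle.
    function Walk([string]$start, [string[]]$path) {
        $node = $path[-1]
        if (-not $GroupMembers.ContainsKey($node)) { return }   # leaf: no nested groups

        foreach ($child in @($GroupMembers[$node])) {
            if ($child -eq $start) {
                # Canonical form: rotate the cycle so its lexically smallest group comes
                # first. This keeps A->B->C->A and A->C->B->A apart (different cycles)
                # while merging rotations of the same cycle.
                $first   = $path | Sort-Object | Select-Object -First 1
                $i       = [array]::IndexOf($path, $first)
                $rotated = if ($i -eq 0) { $path } else { $path[$i..($path.Count - 1)] + $path[0..($i - 1)] }
                $key     = $rotated -join '|'
                if ($seen.Add($key)) {
                    [pscustomobject]@{
                        Group  = $rotated[0]
                        Length = $rotated.Count
                        Path   = ($rotated + $rotated[0]) -join ' -> '
                    }
                }
            }
            elseif ($path -notcontains $child) {
                # Only extend along groups not already on this path (simple cycles only).
                Walk $start ($path + $child)
            }
        }
    }

    foreach ($g in ($GroupMembers.Keys | Sort-Object)) {
        Walk $g @($g)
    }
}

# Constructed sample: A is on two cycles (A->B->C->A and A->X->Y->Z->A); Q is not.
$sample = @{
    'A' = @('B', 'X')
    'B' = @('C')
    'C' = @('A')
    'X' = @('Y')
    'Y' = @('Z')
    'Z' = @('A')
    'Q' = @('B')
}

Find-GroupCycle -GroupMembers $sample | Format-Table Group, Length, Path -AutoSize
Find-GroupCycle -GroupMembers $sample | Export-Csv -NoTypeInformation -Path .\circular.csv
```

Because each cycle is written to the pipeline as a PSCustomObject with Group, Length and Path properties, Export-Csv has headings to work with, which is exactly what the Write-Host version lacks. Enumerating all simple cycles is exponential in the worst case, so on a very large and densely nested directory restrict the input hashtable to the OU or group set of interest before calling the function.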
  • Limits?
    3 Posts | Last post January 20, 2014
    • Hi there,
      first of all: great idea to share this script.
      But on my AD it always states "Number of circular nested groups found = 0" even though I know for sure there are some circular nested ones.
      Maybe there is some limit letting the script cancel? I have more than 1000 groups...
      Best regards, Jochen
    • If a limit were exceeded I would expect an error, but the script completes if you get the final message about the number of circular nested groups found. You can check that the script is looking at all groups by adding the following at the end, to display the number of groups (and verify the hash table didn't exceed some limit):
      "Number of groups: " + $Script:GroupMembers.Count
      Note that if everyone's "primary" group is "Domain Users", then circular nesting involving that group may not be found.
    • A well-hidden behaviour of AD limits LDAP queries to returning only 1500 values from a multi-value attribute. I think this may be configurable in the LDAP policy, but if you're stuck with this limit as I am then you have to use iterative ranged queries to get all members in large groups - I found an example that used ADO and the "<attribute>;range:xx-yy" syntax.
  • Limit script to specific OU
    2 Posts | Last post September 20, 2012
    • Is there a way to have the script search only within a specific OU rather than the entire AD?
    • To modify the base of the query from the entire domain to a specified OU, change this section of the code:
      # Search entire domain.
      $Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
      $Root = $Domain.GetDirectoryEntry()
      $Searcher = [System.DirectoryServices.DirectorySearcher]$Root
      to this:
      # Search a specified OU.
      $Root = "LDAP://ou=West,dc=MyDomain,dc=com"
      $Searcher = New-Object System.DirectoryServices.DirectorySearcher
      $Searcher.SearchRoot = $Root
      where the value assigned to $Root is the ADsPath of the OU.
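    The "Limits?" thread and this one together describe the two changes a practitioner usually needs: point the search at one OU, and read group membership with ranged retrieval so that groups above the server's MaxValRange policy (1500 values by default) are read completely. The function below is an added example, not the gallery script and not code from the posters; it uses the attribute syntax Active Directory actually accepts, member;range=low-high. The OU path and group name are placeholders.

```powershell
# Added example (not the gallery script): fetch every value of a group's "member"
# attribute using ranged retrieval, searching under one OU. Groups larger than the
# MaxValRange LDAP policy (1500 by default) are returned in chunks; the server names
# the returned attribute "member;range=N-M" and marks the final chunk "member;range=N-*".
# $SearchBase and $GroupName below are placeholders, not values from this page.

function Get-GroupMemberDN {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$SearchBase = 'LDAP://ou=West,dc=MyDomain,dc=com',   # placeholder OU
        [int]$ChunkSize = 1500
    )

    $root     = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = "(&(objectCategory=group)(sAMAccountName=$GroupName))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree

    $members = New-Object 'System.Collections.Generic.List[string]'
    $low = 0
    while ($true) {
        $high = $low + $ChunkSize - 1
        $searcher.PropertiesToLoad.Clear()
        [void]$searcher.PropertiesToLoad.Add("member;range=$low-$high")

        $result = $searcher.FindOne()
        if ($null -eq $result) { throw "Group '$GroupName' not found under $SearchBase" }

        # The server echoes the attribute with the range it actually served.
        $returned = $result.Properties.PropertyNames | Where-Object { $_ -like 'member;range=*' } | Select-Object -First 1
        if (-not $returned) { break }   # empty group, or no values left

        foreach ($dn in $result.Properties[$returned]) { $members.Add([string]$dn) }

        if ($returned -match '-\*$') { break }   # "member;range=N-*" is the last chunk
        $low = $high + 1
    }

    return $members.ToArray()
}

# Usage (placeholder group name): count all members, however large the group is.
$dns = Get-GroupMemberDN -GroupName 'LargeGroup'
"Members returned: " + $dns.Count
```

Two checks worth keeping in mind when adapting the gallery script this way: a group with no members returns no member;range attribute at all, which the loop treats as an empty result rather than an error, and the "Domain Users" caveat from the earlier reply still applies, because primary-group membership is stored in primaryGroupID on the user rather than in the group's member attribute and so is never returned by ranged retrieval.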