Get nested group membership - function

This function will recursively enumerate members of a given group along with nesting level and parent group information. If there is a circular membership, it will be displayed in the Comment column. It accepts input from the pipeline and works well with Get-ADGroup.

4.4 Star
44,751 times
Active Directory
  • Change Get-ADGroupMember to:
    1 Posts | Last post March 02, 2020
    • Change Get-ADGroupMember to:  Get-ADGroup $GroupName |Select-Object -ExpandProperty Member | Get-ADObject -Properties * | where {$_.ObjectClass -eq "group" -or $_.ObjectClass -eq "user"}... Ran into size limits using Get-AdGroupMember in your script... this is a good alternative... Thanks, Bill
  • Absolutely amazing
    1 Posts | Last post February 28, 2020
    • I'm trying to add the property title to the columns and I'm not sure what I'm missing.
      At Line 93 I added $table.title = $nestedadmember.title
      and pretty much anywhere else that I saw other properties I added title.
      Any ideas?
  • How do I properly run the script
    1 Posts | Last post January 16, 2020
    • Hello Piotr, 
      I am new to PowerShell so forgive me here.
      I am copying the entire script and putting it into my PowerShell ISE window and simply executing the script but it will not run. 
      Can you help me to understand what I'm doing wrong?
      Should I be omitting certain parts of the script? 
      As far as the "function" should I be entering a function into the body of the script? 
      I'm confused. 
      Sorry about all of this. 
  • the output is not showing multiple nesting groups
    1 Posts | Last post January 08, 2020
    • Tons and tons of thanks. I just ran the script and was able to find the nested groups and members, which are just 1 level inside the parent AD group.
      However, I was just trying to tweak this script to output multiple nested groups in the sheet too. Any input?
  • Modification\Suggestion
    2 Posts | Last post July 19, 2019
    • Recently had the need to query a different domain, so I added $Server to the parameters, and all of the subsequent ActiveDirectory cmdlet references. In the parameters for the function, I set the default value up to be the domain the user is currently logged into:
      [string]$Server = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().name
      Dig the function - use it all the time!
    • Can you go into more detail about how you did this? We have multiple domains and I'm trying to get this to work. What do you mean by "and all of the subsequent ActiveDirectory cmdlet references"? Can you give some examples of how this would work with multiple domains? I'd appreciate it.
  • How can I find users who are in multiple subgroups?
    1 Posts | Last post April 26, 2019
    • I'm using this script and it's excellent, except I have users who are members of multiple subgroups in a group I need to pull the membership tree for, e.g.:
      Group A
       - User A
       - Group B
        - User B
       - Group C
        - User B
      I need to see that user B is in both Group B and Group C, and currently it seems that it only adds a user to the output the first time they're found. Please advise.
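An added sketch, not part of the thread and not Piotr's gallery script, that combines three suggestions from the comments above: reading the group's Member attribute instead of calling Get-ADGroupMember, a -Server parameter defaulting to the current domain, and one output row per parent group so that a user in two subgroups is listed twice. The function name and the Path parameter are hypothetical, and the sketch assumes every member DN resolves on the chosen server.

```powershell
#Requires -Modules ActiveDirectory
function Get-NestedGroupMemberSketch {   # hypothetical name, not the gallery function
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('DistinguishedName')]
        [string]$Identity,
        # Default to the logged-on user's domain, as suggested in the thread
        [string]$Server = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name,
        [int]$Nesting = 0,
        [string[]]$Path = @()            # DNs of the groups already on this branch
    )
    process {
        # Read the Member attribute directly rather than using Get-ADGroupMember
        $group = Get-ADGroup -Identity $Identity -Properties Member -Server $Server
        $chain = $Path + $group.DistinguishedName
        foreach ($dn in $group.Member) {
            $obj = Get-ADObject -Identity $dn -Properties SamAccountName -Server $Server
            if ($obj.ObjectClass -notin 'user', 'group') { continue }
            # A group that is its own ancestor on this branch is a circular membership
            $circular = $obj.ObjectClass -eq 'group' -and $chain -contains $obj.DistinguishedName
            [pscustomobject]@{
                Type           = $obj.ObjectClass
                Name           = $obj.Name
                SamAccountName = $obj.SamAccountName
                ParentGroup    = $group.Name
                Nesting        = $Nesting
                Comment        = if ($circular) { 'Circular membership' } else { '' }
            }
            # Only ancestors are tracked, so a user or group reachable through two
            # parents is reported once per parent instead of only the first time.
            if ($obj.ObjectClass -eq 'group' -and -not $circular) {
                Get-NestedGroupMemberSketch -Identity $obj.DistinguishedName `
                    -Server $Server -Nesting ($Nesting + 1) -Path $chain
            }
        }
    }
}
# Usage (group and server names are placeholders):
# Get-ADGroup 'Group A' -Server 'dc.example.test' |
#     Get-NestedGroupMemberSketch -Server 'dc.example.test' | Format-Table
```

Filtering the output with `Where-Object Type -eq 'group'` gives only group names and nesting levels.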
  • Modify script not to list members
    1 Posts | Last post April 19, 2019
    • Hello, excellent script. Is there a way to list just group names and nested levels? We don't need to list the group members in each group. Thanks.
  • the assignment expression is not valid.
    1 Posts | Last post August 29, 2018
    • Why? (no modifications, ran script as is)
      At line:29 char:18
      + [int] $nesting = -1,
      +                  ~~
      The assignment expression is not valid. The input to an assignment operator must be an object that is able to accept assignments, such as a variable or a property.
          + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
          + FullyQualifiedErrorId : InvalidLeftHandSide
  • I am unable to use "-server" switch with get-ADnestedgroupmembers
    2 Posts | Last post February 13, 2018
    • Hi,
      This is a great tool.
      But I have multiple domains in my environment. I cannot use this with the -server switch.
      PS H:\> Get-ADNestedGroupMembers "View-Only Organization Management" -server ''
      Get-ADNestedGroupMembers : A parameter cannot be found that matches parameter name 'server'.
      At line:1 char:62
      + Get-ADNestedGroupMembers "View-Only Organization Management" -server 'Test1.yest.COM ...
      +                                                              ~~~~~~~
          + CategoryInfo          : InvalidArgument: (:) [Get-ADNestedGroupMembers], ParameterBindingException
          + FullyQualifiedErrorId : NamedParameterNotFound,Get-ADNestedGroupMembers
    • Yat
      Same problem for me: how to use it in a multi-domain environment?
  • Getting additional properties
    2 Posts | Last post November 10, 2017
    • Hi Piotr, great script!
      Just one question, how do I add extra properties to the results?
      I need to get the Office and Department properties.
    • I found out.
      Line 96: Had to add Office and Department.
      Plus had to add the variables (from line 100:)
      $nestedADMember = get-aduser $nestedmember -properties enabled,department,office,surname
      $table = new-object psobject -property $props
      $table.enabled = $nestedadmember.enabled
      $table.office = $nestedadmember.office
      $table.department = $nestedadmember.department
      And in the select statements later:
      $table | select type,name,SamAccountName,parentgroup,enabled,nesting,Office,Department,comment