Powershell - Export CSV of Group Memberships for your AD



  • The below script will export a CSV list of Group Memberships

    # This script will export all users of the specified domain, and their group memberships, to a CSV file. The usefulness of this tool is expressed when
    # setting up new hire employees or reviewing domain membership permissions.
    
    # It's not advisable to store the user credentials required to run this script as they can be decrypted. This script is not designed to save these credentials but could be modified to do so.
    
    # Use of this script implies that you understand what it does, and will do, with regards to your Active Directory installation members and group memberships.
    # As designed there are no changes made to your installation; the script simply generates a report of members and their group memberships.
    # Any changes to this script are the responsibility of the person/organization which made said changes.
    
    # We cannot be held responsible for your misuse or misunderstanding of this script as it was designed.
    
    # Loads the Active Directory cmdlets (RSAT / AD PowerShell module)
    Import-Module ActiveDirectory
    # Prompts for credentials; enter an account that can read the directory, in the form "domain-name\account-name".
    # A standard domain user can read these attributes by default; Domain Admin rights are not needed for a read-only report.
    $credentials = Get-Credential
    Get-ADUser -Credential $credentials -Filter * -Properties DisplayName,EmailAddress,memberOf,DistinguishedName,Enabled | ForEach-Object {
        New-Object PSObject -Property @{
            UserName          = $_.DisplayName
            EmailAddress      = $_.EmailAddress
            DistinguishedName = $_.DistinguishedName
            Enabled           = $_.Enabled
            # memberOf holds the DNs of the user's direct groups; resolve each to its name (with the same credentials) and join
            # them with ";" as the delimiter, so the list can be copied and pasted onto a new hire's account.
            Groups            = ($_.memberOf | Get-ADGroup -Credential $credentials | Select-Object -ExpandProperty Name) -join ";"
        }
    # OU is taken from the second RDN of the DN, i.e. the user's immediate parent container (an OU, or "Users" for the default container).
    # The export path is a variable; change it to the desired location on the domain controller or end-user computer.
    } | Select-Object UserName,EmailAddress,@{l='OU';e={$_.DistinguishedName.split(',')[1].split('=')[1]}},Groups,Enabled | Export-Csv $ENV:UserProfile\Documents\User-Permissions.csv -NoTypeInformation


  • I've updated this script so it now sorts by User Name. Per request from SW.

    # This script will export all users of the specified domain, and their group memberships, to a CSV file. The usefulness of this tool is expressed when
    # setting up new hire employees or reviewing domain membership permissions.
    
    # It's not advisable to store the user credentials required to run this script as they can be decrypted. This script is not designed to save these credentials but could be modified to do so.
    
    # Use of this script implies that you understand what it does, and will do, with regards to your Active Directory installation members and group memberships.
    # As designed there are no changes made to your installation; the script simply generates a report of members and their group memberships.
    # Any changes to this script are the responsibility of the person/organization which made said changes.
    
    # We cannot be held responsible for your misuse or misunderstanding of this script as it was designed.
    
    # Loads the Active Directory cmdlets (RSAT / AD PowerShell module)
    Import-Module ActiveDirectory
    # Prompts for credentials; enter an account that can read the directory, in the form "domain-name\account-name".
    # A standard domain user can read these attributes by default; Domain Admin rights are not needed for a read-only report.
    $credentials = Get-Credential
    Get-ADUser -Credential $credentials -Filter * -Properties DisplayName,EmailAddress,memberOf,DistinguishedName,Enabled | ForEach-Object {
        New-Object PSObject -Property @{
            UserName          = $_.DisplayName
            EmailAddress      = $_.EmailAddress
            DistinguishedName = $_.DistinguishedName
            Enabled           = $_.Enabled
            # memberOf holds the DNs of the user's direct groups; resolve each to its name (with the same credentials) and join
            # them with ";" as the delimiter, so the list can be copied and pasted onto a new hire's account.
            Groups            = ($_.memberOf | Get-ADGroup -Credential $credentials | Select-Object -ExpandProperty Name) -join ";"
        }
    # OU is taken from the second RDN of the DN, i.e. the user's immediate parent container (an OU, or "Users" for the default container).
    # The export path is a variable; change it to the desired location on the domain controller or end-user computer.
    # Rows are sorted by UserName before export.
    } | Select-Object UserName,EmailAddress,@{l='OU';e={$_.DistinguishedName.split(',')[1].split('=')[1]}},Groups,Enabled | Sort-Object UserName | Export-Csv $ENV:UserProfile\Documents\User-Permissions.csv -NoTypeInformation
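  • A caveat that applies to both versions of the script above: `memberOf` lists only the groups a user is a direct member of. Groups reached through nesting (user in Group A, Group A in Group B) and the user's primary group (normally Domain Users) do not appear in it, so a permissions review built on that column undercounts what an account can actually reach. The script below is an added example, not the poster's script: it keeps the same report shape but adds an EffectiveGroups column computed server-side with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), which makes the domain controller walk the member chain, and folds in the primary group and anything containing it. The function names and the output file name are assumptions for illustration; the cmdlets and the OID are real.

```powershell
# Added example (not the original poster's script): same report, with an extra column
# holding the user's effective membership (nested groups and the primary group included)
# next to the direct memberOf list. Function names and the output file name are assumptions.
Import-Module ActiveDirectory

# Escape a DN for use inside an LDAP filter (RFC 4515); the backslash must be replaced first.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace '\x00', '\00'
}

# All groups the user belongs to, directly or through nesting, as a ";"-joined name list.
# The matching rule makes the DC follow the member chain; memberOf/member never record the
# primary group, so it (and any group containing it) is pulled in through the same filter.
function Get-EffectiveGroupNames {
    param(
        [Parameter(Mandatory)]$User,                    # ADUser fetched with -Properties PrimaryGroup
        [pscredential]$Credential
    )
    $common = @{}
    if ($Credential) { $common.Credential = $Credential }
    $dn = ConvertTo-LdapFilterValue $User.DistinguishedName
    $clauses = "(member:1.2.840.113556.1.4.1941:=$dn)"
    if ($User.PrimaryGroup) {
        $pg = ConvertTo-LdapFilterValue $User.PrimaryGroup
        $clauses += "(distinguishedName=$pg)(member:1.2.840.113556.1.4.1941:=$pg)"
    }
    # @() keeps a single result from collapsing to a bare string
    $names = @(Get-ADGroup -LDAPFilter "(|$clauses)" @common | Select-Object -ExpandProperty Name)
    ($names | Sort-Object -Unique) -join ';'
}

# Read-only report: any account that can read the directory is enough, no admin rights needed.
$credentials = Get-Credential -Message 'Account that can read the directory, as domain-name\account-name'
Get-ADUser -Credential $credentials -Filter * -Properties DisplayName,EmailAddress,memberOf,PrimaryGroup,Enabled |
    ForEach-Object {
        [pscustomobject]@{
            UserName        = $_.DisplayName
            EmailAddress    = $_.EmailAddress
            Enabled         = $_.Enabled
            DirectGroups    = ($_.memberOf | Get-ADGroup -Credential $credentials | Select-Object -ExpandProperty Name) -join ';'
            EffectiveGroups = Get-EffectiveGroupNames -User $_ -Credential $credentials
        }
    } |
    Sort-Object UserName |
    Export-Csv "$env:USERPROFILE\Documents\User-EffectiveGroups.csv" -NoTypeInformation
```

    Comparing the two columns row by row is the useful part of the output: a group that shows up in EffectiveGroups but not in DirectGroups is membership the user holds through nesting, which is where stale privilege tends to accumulate unnoticed. The query runs once per user, so on a large domain expect it to take noticeably longer than the direct memberOf version.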


  • Great script. Can this be manipulated to export folder permissions on a directory level but only expand users and not groups in AD?

    I need a script which will show only who has what permission on a folder, i.e. S:\DEPT\FOLDER1 ... FOLDER2 ... FOLDER3. I need the permissions each person has on each folder.

    These are the scripts I have; I need them merged together. If you could help me I would be very grateful.

    This expands all groups like your script:

    Import-Module ActiveDirectory

    # Every group in the domain (the -like pattern is a plain wildcard; narrow it, e.g. "FS-*", to limit the report)
    $Groups = Get-ADGroup -Filter * | Where-Object { $_.Name -like "*" }

    $Table = @()

    $Record = [ordered]@{
        "Group Name" = ""
        "Name"       = ""
        "Username"   = ""
    }

    Foreach ($Group in $Groups)
    {
        # Direct members only (add -Recursive to flatten nested groups). Get-ADGroupMember errors out on
        # groups larger than the server's MaxGroupOrMemberEntries limit (5000 by default).
        $Arrayofmembers = Get-ADGroupMember -Identity $Group | Select-Object Name, SamAccountName

        foreach ($Member in $Arrayofmembers)
        {
            $Record."Group Name" = $Group.Name
            $Record."Name"       = $Member.Name
            $Record."Username"   = $Member.SamAccountName
            $Table += New-Object PSObject -Property $Record
        }
    }

    $Table | Export-Csv "C:\temp\SecurityGroups.csv" -NoTypeInformation

    AND this shows folder-level permissions, but without excluding groups, which is what I need: no groups, only users.

    # Identities to leave out of the report (well-known principals and admin groups)
    $exclude = @(
        'CREATOR OWNER'
        'NT AUTHORITY\SYSTEM'
        'BUILTIN\Administrators'
        'HTBPLC\Domain Admins'
    )

    $RootPath = "S:\Groups\DEPARTMENTS"

    # The root folder itself plus every subfolder beneath it (-LiteralPath so folder names with [ ] are not treated as wildcards)
    $folders = [array](Get-Item -LiteralPath $RootPath)
    $folders += Get-ChildItem -LiteralPath $RootPath -Recurse -Directory

    # For each folder: explicit (non-inherited) ACEs only, skipping the excluded identities, tagged with the folder path
    $acls = foreach ($Folder in $folders) {
        Get-Acl -LiteralPath $Folder.FullName |
            Select-Object -ExpandProperty Access |
            Where-Object {
                -not $_.IsInherited -and
                $exclude -notcontains $_.IdentityReference
            } |
            Select-Object -Property *, @{
                'Name'       = 'Folder'
                'Expression' = { $Folder.FullName }
            }
    }

    $acls | Export-Csv -NoTypeInformation -Path C:\NTFS\DEPARTMENTS1.csv



  • With your script, have you tried using Get-ADUser rather than Get-ADGroupMember?



  • I would need to incorporate the top script into the bottom script. Get-ADGroupMember is part of the script which only expands the groups, which works fine; I need that added into the 2nd script, which only outputs groups and other users rather than all users.
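  • The merge asked for in the post above, as an added example that is not code from anyone in this thread: each explicit ACE on a folder is expanded down to individual users, following nested groups and stopping on circular nesting, and the report records which ACE (the "Via" column) gave each user their rights. The expansion logic is separated from the lookup so it runs offline against constructed sample data; the live resolver at the bottom uses Get-ADGroup / Get-ADGroupMember and assumes every member lives in the same domain (it prefixes the domain's NetBIOS name). The function names, the 'HTBPLC' principals and the sample ACEs are assumptions for illustration.

```powershell
# Added example (not code from the thread): expand folder ACEs to individual users.
# Function names, the demo data and the 'HTBPLC' domain are assumptions for illustration.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue   # only needed for the live AD resolver

# Expand one identity ('DOMAIN\name') to the users behind it. $Resolver is a scriptblock that
# returns an object with IsGroup and Members (more 'DOMAIN\name' strings); $Seen is shared
# across the recursion so circular nesting (A contains B, B contains A) terminates.
function Expand-IdentityToUsers {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][scriptblock]$Resolver,
        [System.Collections.Generic.HashSet[string]]$Seen
    )
    if (-not $Seen) { $Seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase) }
    if (-not $Seen.Add($Identity)) { return }           # already expanded: cycle or duplicate path
    $info = & $Resolver $Identity
    if (-not $info.IsGroup) { return $Identity }        # leaf: a user (or an unresolvable principal)
    foreach ($member in $info.Members) {
        Expand-IdentityToUsers -Identity $member -Resolver $Resolver -Seen $Seen
    }
}

# One row per (folder, user). Explicit ACEs only; identities in $Exclude are dropped before expansion.
function Expand-FolderAces {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Aces,
        [Parameter(Mandatory)][scriptblock]$Resolver,
        [string[]]$Exclude = @()
    )
    foreach ($ace in $Aces) {
        $id = "$($ace.IdentityReference)"               # NTAccount or plain string -> 'DOMAIN\name'
        if ($ace.IsInherited -or $Exclude -contains $id) { continue }
        foreach ($user in Expand-IdentityToUsers -Identity $id -Resolver $Resolver) {
            [pscustomobject]@{
                Folder = $Folder
                User   = $user
                Via    = $id                            # the ACE's own identity: a group, or the user itself
                Rights = "$($ace.FileSystemRights)"
                Type   = "$($ace.AccessControlType)"
            }
        }
    }
}

# Live resolver: ask AD whether the identity is a group and, if so, list its direct members.
# Assumes all members are in the domain named by $AdNetbios (set before use, see below).
$AdResolver = {
    param([string]$Identity)
    $sam = ($Identity -split '\\')[-1]
    try { $group = Get-ADGroup -Identity $sam } catch { $group = $null }   # not-found is a terminating error
    if (-not $group) { return [pscustomobject]@{ IsGroup = $false; Members = @() } }
    $members = @(Get-ADGroupMember -Identity $group | ForEach-Object { "$AdNetbios\$($_.SamAccountName)" })
    [pscustomobject]@{ IsGroup = $true; Members = $members }
}

# --- Offline demo with constructed data (no AD or file server needed) ---
$DemoGroups = @{                                        # group -> direct members; the two groups nest each other (a cycle)
    'HTBPLC\Finance-RW'    = @('HTBPLC\alice', 'HTBPLC\Finance-Leads')
    'HTBPLC\Finance-Leads' = @('HTBPLC\bob', 'HTBPLC\Finance-RW')
}
$DemoResolver = {
    param([string]$Identity)
    if ($DemoGroups.ContainsKey($Identity)) {
        return [pscustomobject]@{ IsGroup = $true; Members = $DemoGroups[$Identity] }
    }
    [pscustomobject]@{ IsGroup = $false; Members = @() }
}
$DemoAces = @(                                          # constructed ACEs shaped like the entries in (Get-Acl ...).Access
    [pscustomobject]@{ IdentityReference = 'HTBPLC\Finance-RW';      FileSystemRights = 'Modify';         AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'HTBPLC\carol';           FileSystemRights = 'ReadAndExecute'; AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Administrators'; FileSystemRights = 'FullControl';    AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'HTBPLC\Domain Users';    FileSystemRights = 'Read';           AccessControlType = 'Allow'; IsInherited = $true  }
)
$exclude = @('CREATOR OWNER', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'HTBPLC\Domain Admins')

Expand-FolderAces -Folder 'S:\DEPT\FOLDER1' -Aces $DemoAces -Resolver $DemoResolver -Exclude $exclude | Format-Table -AutoSize
# Expected rows: alice and bob via HTBPLC\Finance-RW (Modify), carol directly (ReadAndExecute).
# BUILTIN\Administrators is excluded and the inherited Domain Users entry is skipped.

# --- Live run against the file server and AD (uncomment) ---
# $AdNetbios = (Get-ADDomain).NetBIOSName
# $RootPath  = 'S:\Groups\DEPARTMENTS'
# $folders   = @(Get-Item -LiteralPath $RootPath) + @(Get-ChildItem -LiteralPath $RootPath -Recurse -Directory)
# $folders | ForEach-Object {
#     Expand-FolderAces -Folder $_.FullName -Aces (Get-Acl -LiteralPath $_.FullName).Access -Resolver $AdResolver -Exclude $exclude
# } | Export-Csv -NoTypeInformation -Path C:\NTFS\DEPARTMENTS-users.csv
```

    Two things to keep in mind when reading the live output. The Via column is what makes the report auditable: a user who appears with Modify "via HTBPLC\Finance-RW" is fixed by changing group membership, not by editing the folder ACL. And Get-ADGroupMember stops with an error on groups larger than the server's MaxGroupOrMemberEntries limit (5000 by default) and does not resolve members from trusted domains, so a row that is missing is not proof that the access does not exist; check the error stream.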