    Powershell - Export CSV of Group Memberships for your AD

    • DustinB3403

      The below script will export a CSV list of Group Memberships

      # This script will export all users of the specified domain, and their group memberships to a CSV file. The usefulness of this tool is expressed when
      # setting up new hire employees or reviewing domain membership permissions.
      
      # It's not advisable to store the user credentials required to run this script as they can be decrypted. This script is not designed to save these credentials but could be modified to do so.
      
      # Use of this script implies that you understand what it does, and will do, with regard to your Active Directory installation's members and group memberships.
      # As designed there are no changes made to your installation, the script simply generates a report of members, and their group memberships. 
      # Any changes to this script are the responsibility of the person/organization which made said changes. 
      
      # We cannot be held responsible for your misuse or misunderstanding of this script as it was designed.
      #
      #
      #
      
      #
      # Imports Active Directory information 
      Import-Module Activedirectory
      $credentials = Get-Credential
      # Prompts for user credentials default user is “   ”, enter an administrator account in the form of “domain-name\administrator-account”
      Get-ADUser -Credential $credentials -Filter * -Properties DisplayName,EmailAddress,memberof,DistinguishedName,Enabled | %  {
        New-Object PSObject -Property @{
      	UserName = $_.DisplayName
      	EmailAddress = $_.EmailAddress
      	DistinguishedName = $_.DistinguishedName
      	Enabled = $_.Enabled
      # Delimits the group list using ";" as the delimiter for easy copy and paste. Incredibly useful for Copy & Paste of group memberships to new hire employees.
      # The group lookup uses the same credentials as the user query.
      	Groups = ($_.memberof | Get-ADGroup -Credential $credentials | Select -ExpandProperty Name) -join ";"
      	}
      # The export path is variable; change it to the desired location on the domain controller or end user computer.
      } | Select UserName,EmailAddress,@{l='OU';e={$_.DistinguishedName.split(',')[1].split('=')[1]}},Groups,Enabled | Export-Csv $ENV:UserProfile\Documents\User-Permissions.csv -NoTypeInformation
      
      • DustinB3403

        I've updated this script so it now sorts by User Name. Per request from SW.

        # This script will export all users of the specified domain, and their group memberships to a CSV file. The usefulness of this tool is expressed when
        # setting up new hire employees or reviewing domain membership permissions.
        
        # It's not advisable to store the user credentials required to run this script as they can be decrypted. This script is not designed to save these credentials but could be modified to do so.
        
        # Use of this script implies that you understand what it does, and will do, with regard to your Active Directory installation's members and group memberships.
        # As designed there are no changes made to your installation, the script simply generates a report of members, and their group memberships. 
        # Any changes to this script are the responsibility of the person/organization which made said changes. 
        
        # We cannot be held responsible for your misuse or misunderstanding of this script as it was designed.
        #
        #
        #
        
        #
        # Imports Active Directory information 
        Import-Module Activedirectory
        $credentials = Get-Credential
        # Prompts for user credentials default user is “   ”, enter an administrator account in the form of “domain-name\administrator-account”
        Get-ADUser -Credential $credentials  -Filter * -Properties DisplayName,EmailAddress,memberof,DistinguishedName,Enabled |  %  {
          New-Object PSObject -Property  @{
        	UserName = $_.DisplayName 
        	EmailAddress = $_.EmailAddress
        	DistinguishedName = $_.DistinguishedName
        	Enabled = $_.Enabled
        # Delimits the group list using ";" as the delimiter for easy copy and paste. Incredibly useful for Copy & Paste of group memberships to new hire employees.
        # The group lookup uses the same credentials as the user query.
        	Groups = ($_.memberof | Get-ADGroup -Credential $credentials | Select -ExpandProperty Name) -join ";"
        	}
        # The export path is variable; change it to the desired location on the domain controller or end user computer.
        } | Select UserName,EmailAddress,@{l='OU';e={$_.DistinguishedName.split(',')[1].split('=')[1]}},Groups,Enabled | Sort-Object Username | Export-Csv $ENV:UserProfile\Documents\User-Permissions.csv -NoTypeInformation
        
        • pally

          Great script. Can this be manipulated to export folder permissions on a directory level but only expand on users and not groups in AD?

          I need a script which will only give who has what permission on a folder, i.e. S:\DEPT\FOLDER1 ... FOLDER2...FOLDER3. I need the permissions each person has on each folder.

          These are the scripts I have. I need them to merge together; if you could help me I would be very grateful.

          This expands all groups like your script.

          Import-Module ActiveDirectory

          $Groups = (Get-AdGroup -filter * | Where {$_.name -like "**"} | select name -expandproperty name)

          $Table = @()

          $Record = [ordered]@{
              "Group Name" = ""
              "Name" = ""
              "Username" = ""
          }

          Foreach ($Group in $Groups)
          {
              $Arrayofmembers = Get-ADGroupMember -identity $Group | select name,samaccountname

              foreach ($Member in $Arrayofmembers)
              {
                  $Record."Group Name" = $Group
                  $Record."Name" = $Member.name
                  $Record."UserName" = $Member.samaccountname
                  $objRecord = New-Object PSObject -property $Record
                  $Table += $objrecord
              }
          }

          $Table | export-csv "C:\temp\SecurityGroups.csv" -NoTypeInformation

          AND this shows folder level permissions but not excluding groups, which is what I need. No groups, only users.

          $exclude = @(
              'CREATOR OWNER'
              'NT AUTHORITY\SYSTEM'
              'BUILTIN\Administrators'
              'HTBPLC\Domain Admins'
          )

          $RootPath = "S:\Groups\DEPARTMENTS"

          $folders = [array](Get-Item -Path $RootPath)
          $folders += Get-ChildItem -Path $RootPath -Recurse -Directory

          # Collect the explicit (non-inherited) ACEs of every folder, skipping the excluded identities
          $acls = foreach ($Folder in $Folders){
              get-acl $Folder.fullname |
              Select-Object -ExpandProperty Access |
              Where-Object {
                  -not $_.IsInherited -and
                  $exclude -notcontains $_.IdentityReference
              } |
              Select-Object -Property *,@{
                  'Name' = 'Folder'
                  'Expression' = {
                      $Folder.FullName
                  }}
          }

          $acls | Export-Csv -NoTypeInformation -Path C:\NTFS\DEPARTMENTS1.csv

          • DustinB3403

            With your script, have you tried using Get-ADUser rather than Get-ADGroupMember?

            • pally

              I would need to incorporate the top script into the bottom script. Get-ADGroupMember is part of the script which only expands the groups, which works fine; I need that to be added into the 2nd script, which only outputs groups and other users, rather than all users.

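Added example, not code from the thread or from either poster: one way to produce the users-only, per-folder report asked about above, by resolving each explicit ACE to an AD object and expanding groups recursively to their user members. The helper name `Resolve-AceToUsers`, the `Via` column and the output path are assumptions made for illustration; the root path and exclude list are taken from the post.

```powershell
# Added example (read-only): per-folder report of which users hold which rights.
# Assumes the RSAT ActiveDirectory module and an account that can read the ACLs.
Import-Module ActiveDirectory

$RootPath = 'S:\Groups\DEPARTMENTS'          # root path from the post above
$OutFile  = 'C:\NTFS\DEPARTMENTS-users.csv'  # hypothetical output path
$exclude  = @('CREATOR OWNER', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'HTBPLC\Domain Admins')

$memberCache = @{}   # group SID -> user members, so each group is expanded only once

function Resolve-AceToUsers {   # hypothetical helper name
    param([System.Security.Principal.IdentityReference]$Identity)
    try { $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return }            # identity cannot be mapped to a SID; skip it
    $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties sAMAccountName
    if (-not $obj) { return }   # orphaned SID, local or well-known principal
    if ($obj.ObjectClass -eq 'user') {
        [pscustomobject]@{ User = $obj.sAMAccountName; Via = 'Direct' }
    } elseif ($obj.ObjectClass -eq 'group') {
        if (-not $memberCache.ContainsKey($sid)) {
            # -Recursive flattens nested groups; keep users, drop computers
            $memberCache[$sid] = @(Get-ADGroupMember -Identity $sid -Recursive |
                Where-Object { $_.objectClass -eq 'user' })
        }
        foreach ($m in $memberCache[$sid]) {
            [pscustomobject]@{ User = $m.SamAccountName; Via = $obj.Name }
        }
    }
}

$folders = @(Get-Item -Path $RootPath) + @(Get-ChildItem -Path $RootPath -Recurse -Directory)

$report = foreach ($folder in $folders) {
    foreach ($ace in (Get-Acl -LiteralPath $folder.FullName).Access) {
        # Same filter as the post: explicit ACEs only, minus the excluded identities
        if ($ace.IsInherited -or $exclude -contains $ace.IdentityReference.Value) { continue }
        foreach ($u in (Resolve-AceToUsers -Identity $ace.IdentityReference)) {
            [pscustomobject]@{
                Folder = $folder.FullName
                User   = $u.User
                Via    = $u.Via      # 'Direct' or the group that grants the right
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType
            }
        }
    }
}
$report | Sort-Object Folder, User | Export-Csv -Path $OutFile -NoTypeInformation
```

The `Type` column matters when reviewing the CSV: a Deny entry for a user overrides an Allow the same user receives through another group, so the rows for one folder and user have to be read together.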