Getting a Bird’s Eye View of Your Group Memberships with PowerShell
Site migrations suck! And right now, I am stuck in the middle of one. This week, I was tasked with migrating applications and settings for 1,000 computers. Because our applications and settings are controlled through Group Policy (and scoped with security groups), we have a lot of groups that need to be matched and migrated.
Wanting to get a bird’s eye view of my group layout, I put together this script. It is still very much a work in progress but I hope it will help you in your own Active Directory/Group Policy cleanups or migrations.
Grabbing Our Data
This script starts by prompting you for a computer name. It will then use the Quest AD Cmdlets and find the OU that this machine is a member of. Next, it will grab every computer that is in that same OU.
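    # Reset $Groups so the script can be re-run in the same session
    Clear-Variable Groups -ErrorAction SilentlyContinue

    $SearchComputers = Read-Host "What is the computer name?"

    # Find the OU (ParentContainer) of the matching computer, then every computer in that OU
    $Computers = Get-QADComputer *$SearchComputers* | Select-Object ParentContainer
    $Computers = Get-QADComputer -SearchRoot $Computers.ParentContainer | Sort-Object Name

    # Keep the OU path itself for the filters and counts used later
    $SearchComputers = Get-QADComputer *$SearchComputers* | Select-Object ParentContainer
    $SearchComputers = $SearchComputers.ParentContainer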
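To make searching easier, we will then use two foreach loops. The first loop lists each computer name along with the groups that computer is a direct member of. The second loop collects those groups into one list, which is then de-duplicated, stripped of Domain Computers, and sorted by name.

    # Loop 1: print each computer followed by its direct group memberships
    foreach ($Computer in $Computers) {
        $Groups = Get-QADMemberOf $Computer
        Write-Host $Computer -BackgroundColor Yellow -ForegroundColor Black
        $Groups | Sort-Object -Unique Name
        Write-Host ""
    }

    # Loop 2: collect every group used in the OU.
    # Start from an empty array so += always appends, even if loop 1 left a single object behind.
    $Groups = @()
    foreach ($Computer in $Computers) {
        $Groups += Get-QADMemberOf $Computer
    }

    $Groups = $Groups | Select-Object -Unique
    $Groups = $Groups | where Name -NE "Domain Computers"
    $Groups = $Groups | Sort-Object Name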
Your output at this point will look something like this:
Time to Fly Higher
The screenshot above is certainly useful as it keeps you from having to look at the Member Of tab of many computers. It still doesn’t give us the big picture though. To achieve that view, we will use one more loop.
    # Reset $GroupCount so the script can be re-run in the same session
    Clear-Variable GroupCount -ErrorAction SilentlyContinue

    # For each group, count the members that live in our working OU
    foreach ($Group in $Groups) {
        $Count = (Get-QADGroupMember $Group | where ParentContainer -like "*$SearchComputers*" | Sort-Object Name).Count
        $GroupCount += @("$Group" + ": " + "$Count")
    }

    # Total number of computers in the OU, for comparison against each group count
    $OUCount = (Get-QADComputer -SearchRoot $SearchComputers).Count

    Write-Host "There are " -NoNewline
    Write-Host "$OUCount" -ForegroundColor Red -NoNewline
    Write-Host " computers in $SearchComputers" -NoNewline
    Write-Host ""
    $GroupCount
In the lines above, you will notice two things. First, we use += with our $GroupCount variable. += after a variable appends data instead of replacing data. This allows the $GroupCount variable to store a lot of information for us during the foreach loop. Second, we start this script section with Clear-Variable. This is needed so that you can run this script multiple times within the same PowerShell session.
Our final output will list our current working OU and the count for all of our groups that were listed above:
This output is incredibly useful! We can quickly see unique groups, OU wide groups, and misconfigurations. This OU contains 30 computers yet our BHS RM 68 group only contains 29 members. Looking into that group, we can see that someone forgot to put N30 (which was a newer computer) into the BHS RM 68 group.
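The comparison described above (30 computers in the OU, 29 in BHS RM 68, N30 missing) can also be automated. The following is an added example, not part of the original script: it uses constructed sample data in place of the Quest cmdlet output so it runs offline, and the function name `Find-MissingGroupMember`, its `-Threshold` parameter, and the groups other than BHS RM 68 are hypothetical.

```powershell
# Constructed sample data standing in for Get-QADComputer / Get-QADGroupMember output.
$OUComputers = 1..30 | ForEach-Object { 'N{0:D2}' -f $_ }   # N01 .. N30

$GroupMembers = @{
    'BHS RM 68'      = $OUComputers | Where-Object { $_ -ne 'N30' }  # one machine forgotten
    'BHS Staff Apps' = $OUComputers                                  # hypothetical OU-wide group
    'BHS Lab Pilot'  = @('N03', 'N07')                               # hypothetical small group
}

# Hypothetical helper: report groups that cover almost the whole OU but not all of it,
# and name the computers that are missing from each one.
function Find-MissingGroupMember {
    param(
        [string[]]$Computers,
        [hashtable]$GroupMembers,
        [double]$Threshold = 0.9    # assumed cut-off for "nearly OU-wide"
    )

    if ($Computers.Count -eq 0) { return }   # empty OU: nothing to compare against

    foreach ($Name in ($GroupMembers.Keys | Sort-Object)) {
        # Only count members that actually live in this OU
        $InOU     = @($GroupMembers[$Name] | Where-Object { $Computers -contains $_ })
        $Coverage = $InOU.Count / $Computers.Count

        # Small, intentionally scoped groups fall below the threshold and are skipped;
        # fully populated groups have nothing missing.
        if ($Coverage -ge $Threshold -and $Coverage -lt 1) {
            [pscustomobject]@{
                Group    = $Name
                Members  = $InOU.Count
                Expected = $Computers.Count
                Missing  = @($Computers | Where-Object { $InOU -notcontains $_ })
            }
        }
    }
}

Find-MissingGroupMember -Computers $OUComputers -GroupMembers $GroupMembers |
    Format-Table -AutoSize
```

Because these groups scope Group Policy, a computer listed under Missing is one that will not receive the applications and settings the rest of its OU gets.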
If you use this script (or make improvements to it), let me know in the comments below! Hopefully, this will help make your day a bit easier.
Thanks Joseph Moody !!!
Now it works
Not a problem at all! Let me know if this script helps you!
Are you running an ad-blocker? If so, you might want to exclude this site. For some odd reason, Chrome + adblocker will show you comments but not the main post.
Hi,
It seems very interesting
How can we access the post?
Whatever, thanks for sharing