I just inherited a process in place that combined 2 PowerShell scripts:
- Get list of AD User properties.
- Get list of User group memberships
I have added the group membership property to the User script, but it dumps all the group memberships in one line. The beauty of the group script they are using is that it dumps each group and user on its own line, so the PM can quickly scan the memberships in one column. I can't get this feature to work in the User report, so I have to manually run both and combine them in the Excel sheet for AD auditing purposes.
I've wracked my brain on this and I am fully aware of the original sin of asking forum members to write scripts, but I feel like this should be so simple. I will continue trying to figure this one out but maybe someone out there has this already written. The main feature is the line by line user group membership column.
SCRIPT 1 - GetADUser list report
# Split path
$Path = Split-Path -Parent "C:\scripts\AD\*.*"
# Create variable for the date stamp in log file
# HH is the 24-hour clock; hh would give morning and afternoon runs the same stamp
$LogDate = Get-Date -f yyyyMMddHHmm
# Define CSV and log file location variables
# They have to be on the same location as the script
$Csvfile = $Path + "\AllADUsers_$logDate.csv"
# Import Active Directory module
Import-Module ActiveDirectory
# Set distinguishedName as searchbase, you can use one OU or multiple OUs
# Or use the root domain like DC=elon,DC=local
$DNs = @(
"DC=musk,DC=com"
)
# Create empty array
$AllADUsers = @()
# Loop through every DN
foreach ($DN in $DNs) {
    $Users = Get-ADUser -SearchBase $DN -Filter * -Properties *
    # Add users to array
    $AllADUsers += $Users
}
# Create list
$AllADUsers | Sort-Object Name | Select-Object `
    @{Label = "Display name"; Expression = { $_.DisplayName } },
    @{Label = "User logon name"; Expression = { $_.SamAccountName } },
    @{Label = "Group Name"; Expression = { $_.MemberOf } },
    @{Label = "E-mail"; Expression = { $_.Mail } },
    @{Label = "Password Last Set"; Expression = { $_.PasswordLastSet } },
    @{Label = "Password never expires"; Expression = { $_.PasswordNeverExpires } },
    @{Label = "Account status"; Expression = { if ($_.Enabled) { 'Enabled' } else { 'Disabled' } } },
    @{Label = "Last logon date"; Expression = { $_.LastLogonDate } } |
# Export report to CSV file
Export-Csv -Encoding UTF8 -Path $Csvfile -NoTypeInformation #-Delimiter ";"
Script 2 - Get-ADGroups
$ExportLocation = "c:\scripts\ad\ADAxport.csv"
# Get a list of all Active Directory groups
$ADGroupNames = Get-ADGroup -filter * | sort Name | select Name, SamAccountName
$ExportData = @()
# Set the current index to 1 (Used for a progress bar)
$currentIndex = 1
# Loop through all groups
foreach($GroupName in $ADGroupNames) {
    # Show a nice progress bar
    Write-Progress -Id 0 -Activity "Building report from Active Directory" -Status "$currentIndex of $($ADGroupNames.Count)" -PercentComplete (($currentIndex / $ADGroupNames.Count) * 100)
    # Get all membership of a given group (nested groups included) and select only the users
    $GroupMembership = Get-ADGroupMember -Identity $GroupName.SamAccountName -Recursive | Where {$_.objectClass -eq "user"} | select distinguishedName
    # Look up each member's user object, selecting only the name
    # (Enabled is requested but not filtered on, so disabled users are included)
    $GroupMembershipUsers = $GroupMembership | ForEach-Object {Get-ADUser -Identity $_.distinguishedName -Properties Enabled} | select Name
    # For each member add a new object to the ExportData array
    foreach($User in $GroupMembershipUsers) {
        $ExportData += [PSCustomObject]@{
            User = $User.Name
            Group = $GroupName.Name
        }
    }
    # Increment the index
    $currentIndex++;
}
# Reset the progress bar
Write-Progress -Id 0 -Activity " " -Status " " -Completed
$ExportData | Export-Csv -Path $ExportLocation -NoTypeInformation
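
One way to get the user properties and a line-by-line group column in a single report, as an added example that is not part of the original post. It reuses the search base and folder from the scripts above; the output file name and the variable names are assumptions made for the example.

```powershell
Import-Module ActiveDirectory

# Assumed values: search base and folder come from the scripts above,
# the output file name is made up for this example.
$SearchBase = "DC=musk,DC=com"
$CsvFile    = "C:\scripts\AD\UserGroupAudit_$(Get-Date -Format yyyyMMddHHmm).csv"

# Ask only for the attributes the report uses instead of -Properties *.
$Props = 'DisplayName', 'Mail', 'MemberOf', 'PasswordLastSet',
         'PasswordNeverExpires', 'LastLogonDate'
$Users = Get-ADUser -SearchBase $SearchBase -Filter * -Properties $Props |
    Sort-Object Name

# Cache group DN -> group name so each group is resolved only once.
$GroupNameByDn = @{}

$Rows = foreach ($User in $Users) {
    # MemberOf lists direct memberships only: nested groups and the primary
    # group (normally Domain Users) are not in it.
    $GroupDns = @($User.MemberOf)
    # Keep users without any listed group in the report as a single row.
    if ($GroupDns.Count -eq 0) { $GroupDns = @('') }

    $Status = if ($User.Enabled) { 'Enabled' } else { 'Disabled' }

    foreach ($Dn in $GroupDns) {
        $GroupName = ''
        if ($Dn) {
            if (-not $GroupNameByDn.ContainsKey($Dn)) {
                $GroupNameByDn[$Dn] = (Get-ADGroup -Identity $Dn).Name
            }
            $GroupName = $GroupNameByDn[$Dn]
        }
        # One output row per user per group, user columns repeated.
        [PSCustomObject]@{
            'Display name'           = $User.DisplayName
            'User logon name'        = $User.SamAccountName
            'Group Name'             = $GroupName
            'E-mail'                 = $User.Mail
            'Password Last Set'      = $User.PasswordLastSet
            'Password never expires' = $User.PasswordNeverExpires
            'Account status'         = $Status
            'Last logon date'        = $User.LastLogonDate
        }
    }
}

$Rows | Export-Csv -Encoding UTF8 -Path $CsvFile -NoTypeInformation
```

Unlike script 2, which expands nested groups with -Recursive, this report shows direct memberships only, so the two outputs can differ for users who get access through nested groups.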