Powershell script to return all Groups for a list of users from an import file

Question

This script is a little backwards in respect that it will need to return all groups that a user is a member of. I got the script to work but it is only returning the groups for the 1st user in the import file and duplicating the same groups for each additional user.

An example of what the input would be:

"NetworkID","DisplayName"
"jasonid",Jason
anotherid
"mikeid","Mens, Mike"

I'm relatively new to powershell (Version 2 with AD Module) so any help would be appreciated. Here is the script that I created:

$out = @()

Import-Csv "$env:userprofile\Desktop\ADUsers.txt" | SELECT NetworkID | ForEach { 
$NetworkIDs = $_

ForEach ($NetworkID in $NetworkIDs) 
    {

    ForEach ($group in $groups) 
        {
            $obj = New-Object -TypeName PSObject

            $obj | Add-Member -MemberType NoteProperty -Name UserName -Value $NetworkIDs.NetworkID
            $obj | Add-Member -MemberType NoteProperty -Name GroupName -Value $group.name

            $out += $obj
        }
    }
}

$out | Format-table -AutoSize
$out | Export-Csv -path $env:userprofile\Desktop\ADUsers.csv –NoTypeInformation 

An example of the output would be:

"UserName","GroupName"
"jasonid","Domain Group 1"
"jasonid","Domain Group 2"
"jasonid","Domain Group 3"
"anotherid","Domain Group 1"
"anotherid","Domain Group 2"
"anotherid","Domain Group 3"
"mikeid","Domain Group 1"
"mikeid","Domain Group 2"
"mikeid","Domain Group 3"

I'm 100% confident that "jasonid" is a member of all 3 groups, "anotherid" isn't a member of "Domain Group 1", and "mikeid" isn't a member of "Domain Group 3".

Answer 1

That looks fairly over complicated with so many nested ForEach loops. Let's try and simplify it...

This will load the ActiveDirectory module so we can look up the users in AD. Then it makes the empty array just like you did. Then when it loads up the CSV it selects and expands the NetworkID property and passes that down the pipe. The reason I did this is so that while in the pipe we can just address the string directly instead of an object with the NetworkID property (no $_.NetworkID needed, just $_).

Then I pull the user's info from AD, and run a ForEach on the user's MemberOf property, adding an entry for each group just like you did. I formed the New-Object a little differently so the properties are all there to start instead of making an object, then adding a property to it, then adding another property to it. It reads very similarly, but is simpler.

Import-Module ActiveDirectory -ea sc
$out = @()

Import-Csv "$env:userprofile\Desktop\ADUsers.txt" | SELECT -Expand NetworkID | ForEach { 
    $User = Get-ADUser $_ -Prop MemberOf
    ForEach ($group in $User.MemberOf) {
        $obj = New-Object -TypeName PSObject -Property @{
            UserName = $User.samAccountName
            GroupName = $group  -replace "(CN=)(.+?)(,OU=.*)", "`$2"
        }
        $out += $obj
    }
}

$out | Format-table -AutoSize
$out | Export-Csv -path $env:userprofile\Desktop\ADUsers.csv –NoTypeInformation 

So, like most any AD Group related thing I respond to we have the caveat here... This does not deal with nested groups. If you want to dive into nested groups then things start getting more complicated, and we are best off creating a function to do that. As an example of nested groups you can look at the GetNestedUsers function in the last block of script in my answer to this question.