In this post, I will explain how to generate a report for Active Directory users and each group a user is a member of. So if UserA is a member of five groups, the report shows all these groups and exports the result as CSV.
Prerequisites
You need Windows PowerShell 5.1 or PowerShell 7. Also, ensure the Active Directory PowerShell module is installed on the computer to run the code.
The Code
The code below goes through all Active Directory users, and for each user, it uses the Get-ADPrincipalGroupMembership cmdlet to query the list of groups the user is a member of.
The results are stored in a PSCustomObject, which is dynamically extended to fit all the groups related to the user.
<#
.SYNOPSIS
    Report on-prem AD users and the groups they are members of
.DESCRIPTION
    This script shows a report of each AD user and the groups this user is a member of
.LINK
    Specify a URI to a help page, this will show when Get-Help -Online is used.
.EXAMPLE
    Create a report and save it to C:\MyADUserReport.csv
    .\GRoupReporter.ps1 -FileToSave C:\MyADUserReport.csv
.EXAMPLE
    Just show the result on the screen or return it to another script.
    .\GRoupReporter.ps1
#>
Param(
    [Parameter(Mandatory=$False)]
    [ValidateNotNull()]
    [string]$FileToSave
)
Import-Module ActiveDirectory
[System.Collections.ArrayList]$fullReport=@()
# Change -SearchBase to the OU you want to report on.
$AllUsers=Get-ADUser -Filter 'Enabled -eq $true' -Properties Name,givenName,userPrincipalName -SearchBase 'OU=Information Technology Dept,OU=Financial and Support Services Sector,OU=Abu Dhabi,OU=Employees,OU=Abu Dhabi Chamber,DC=adcci,DC=gov,DC=ae'
# Highest group count seen so far, and the index in $fullReport of the user who has it.
$CSVheaderNumber=0
$CSVIndex=0
foreach ($singleuser in $AllUsers)
{
    $Report=[PSCustomObject]@{
        Name = $singleuser.Name
        givenName=$singleuser.GivenName
        userPrincipalName=$singleuser.userPrincipalName
    }
    Write-Host "Processing User: $($singleuser.SamAccountName)" -ForegroundColor Green
    # @() forces an array even when the user is a member of a single group.
    $AllGroups=@(Get-ADPrincipalGroupMembership $singleuser.SamAccountName)
    if ($AllGroups.Count -gt $CSVheaderNumber){ $CSVheaderNumber=$AllGroups.Count; $CSVIndex=$fullReport.Count }
    for ($i = 0; $i -lt $AllGroups.Count; $i++)
    {
        # Add one GroupN property per group; the group object already carries its Name.
        $Report | Add-Member -NotePropertyName "Group$i" -NotePropertyValue $AllGroups[$i].Name
    }
    $fullReport.Add($Report) | Out-Null
}
if ($PSBoundParameters.ContainsKey('FileToSave')){
    # Export-Csv takes its headers from the first object, so write the user with the most groups first.
    $fullReport[$CSVIndex] | Export-Csv -Path $PSBoundParameters['FileToSave'] -NoTypeInformation
    # Append every other user exactly once, skipping the row already written.
    $Remaining = for ($i = 0; $i -lt $fullReport.Count; $i++) { if ($i -ne $CSVIndex) { $fullReport[$i] } }
    if ($Remaining) { $Remaining | Export-Csv -Path $PSBoundParameters['FileToSave'] -NoTypeInformation -Append -Force }
}
Else{Return $fullReport}
The result looks like this:
Name : My User Name
givenName : MyUserName
userPrincipalName : Myusername@domain.com
Group0 : Domain Users
Group1 : General Employees
Group2 : Another Group Name
You can also use the -FileToSave parameter to save the result as a CSV file.
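Export-Csv takes its column headers from the first object it receives, which is why the script writes the user with the most groups first. An alternative, shown here as an added example that is not part of the original script, is to pad every row to the same number of GroupN columns before exporting. The function name ConvertTo-WideMembershipRow and the sample users are hypothetical, constructed so the block runs without a domain.

```powershell
# Added example; ConvertTo-WideMembershipRow and the sample data are hypothetical.
function ConvertTo-WideMembershipRow {
    param(
        [Parameter(Mandatory)]
        [object[]]$Membership   # objects with Name, userPrincipalName, Groups (string[])
    )
    # The user with the most groups decides how many GroupN columns every row gets.
    $maxGroups = ($Membership | ForEach-Object { @($_.Groups).Count } |
                  Measure-Object -Maximum).Maximum

    foreach ($user in $Membership) {
        $row = [ordered]@{
            Name              = $user.Name
            userPrincipalName = $user.userPrincipalName
        }
        # Sorting keeps the column order stable between report runs.
        $groups = @($user.Groups | Sort-Object)
        for ($i = 0; $i -lt $maxGroups; $i++) {
            # Pad short rows with empty strings so all rows share one schema.
            $row["Group$i"] = if ($i -lt $groups.Count) { $groups[$i] } else { '' }
        }
        [PSCustomObject]$row
    }
}

# Constructed sample data standing in for Get-ADUser / Get-ADPrincipalGroupMembership output.
$sample = @(
    [PSCustomObject]@{
        Name = 'User A'; userPrincipalName = 'usera@example.com'
        Groups = @('Domain Users')
    }
    [PSCustomObject]@{
        Name = 'User B'; userPrincipalName = 'userb@example.com'
        Groups = @('Domain Users', 'General Employees', 'Another Group Name')
    }
)

# Every row now has Group0..Group2, so the order of rows no longer matters for the CSV header.
$rows = ConvertTo-WideMembershipRow -Membership $sample
$rows | ConvertTo-Csv -NoTypeInformation
```

Because all rows share the same properties, the result can be piped to Export-Csv in any order without -Append -Force.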
Nice script but note that the uidNumber is not going to be populated in the majority of AD Domains. You’ll need to edit the `Get-ADUser -Filter` if that’s the case for you and optionally PSCustomObject. Also, you’ll need to remove `-Server aud-dc-n2` from the `Get-ADPrincipalGroupMembership` cmdlet.
Hi,
Thanks for your comment, and I totally agree with you. I did some rewriting of the script to fit all other organizations 🙂
Things should be fine now.
Let me know if you find any other issue, I will be happy to help 🙂