Get-ADGroupMembers with User account Enabled status

16,170

Don't make things more complicated than they need to be. Use Select-Object to select name and object class from the group members, and inject group name and enabled status via calculated properties.

Get-ADGroup -Filter * | Where-Object {
  $_.Name -like 'FS01*' -or
  $_.Name -like 'ABC*'
} | ForEach-Object {
  $groupname = $_.Name
  Get-ADGroupMember -Identity $_ |
    Select-Object @{n='GroupName';e={$groupname}}, Name, ObjectClass,
                  @{n='Enabled';e={if ($_.ObjectClass -eq 'user') {
                    Get-ADUser $_ | Select-Object -Expand Enabled
                  } else {
                    'NA/Group'
                  }}}
} | Export-Csv 'C:\path\to\output.csv' -NoType

16,170

Author by

Admin

Updated on June 26, 2022

Comments

Admin almost 2 years

I'm trying to return a CSV of all security groups in my domain and all members including their account status (enabled or disabled) but can't seem to work out how to get join from ADGroupMember to ADUser. Was trying to test for value of $Member.ObjectClass and if "user" then run Get-ADUser but this doesn't seem to work - all ADGroupMember object classes appear as user if I do that. If possible would like to do it in one query. I've taken an example from the web and tried to modify it without success.

I'm looking for results in a table/csv formatted like this:

GroupName    Name        ObjectClass     Enabled
GroupA       John Smith  User            True 
GroupB       Jane Brown  User            False 
GroupB       GroupN      Group           NA/Group

$Table = @()

$Record = [ordered]@{
    "GroupName" = ""
    "Name" = ""
    "ObjectClass" = ""
    "Enabled" = ""
}

$Groups = Get-AdGroup -Filter * |
          Where {$_.Name -like "FS01*" -or $_.Name -like "ABC*"} |
          Select Name -ExpandProperty Name
foreach ($Group in $Groups) {
    $ArrayMembers = Get-ADGroupMember -Identity $Group |
                    Select Name, ObjectClass #, SamAccountName

    foreach ($Member in $ArrayMembers) {
        $Record."Enabled" = Get-ADGroupMember -Identity $Group |
                            Get-ADUser |
                            Select Enabled 
        $Record."GroupName" = $Group
        $Record."Name" = $Member.Name
        $Record."ObjectClass" = $Member.ObjectClass

        $objRecord = New-Object PSObject -Property $Record
        $Table += $objRecord
    }
}
$Table # | Export-Csv $filename -NoTypeInformation

Admin about 7 years

Thanks Ansgar! Your example works brilliantly. Your example seems more complicated to me because I've not seen the "Select-Object @{n='GroupName';e={$groupname}}" (the n= and e=) before but I'm absolutely not a PS expert (obviously). I will do some reading about how it works. There is one brace too many on the end before the last pipe though for anyone watching at home.
Ansgar Wiechers about 7 years

@Scott n is short for Name, e is short for Expression. For further explanation please see the link in my answer.