How can I list all members from AD group showing enabled and disabled users?
Solution 1
Did this way:
$groupname = "Domain Admins"
$users = Get-ADGroupMember -Identity $groupname | ? {$_.objectclass -eq "user"}
foreach ($activeusers in $users) { Get-ADUser -Identity $activeusers | ? {$_.enabled -eq $true} | select Name, SamAccountName, UserPrincipalName, Enabled }
If you want disabled just replace last cmdlet:
foreach ($activeusers in $users) { Get-ADUser -Identity $activeusers | ? {$_.enabled -eq $false} | select Name, SamAccountName, UserPrincipalName, Enabled }
Solution 2
Using Marlon's answer above, if you want to output it as a list to text or CSV you can do this:
$groupname = "Domain Admins"
$users = Get-ADGroupMember -Identity $groupname | ? {$_.objectclass -eq "user"}
$result = @()
foreach ($activeusers in $users) { $result += (Get-ADUser -Identity $activeusers | ? {$_.enabled -eq $true} | select Name, SamAccountName, UserPrincipalName, Enabled) }
$result | Export-CSV -NoTypeInformation .\active_domain_admins.csv
You can switch the last line to this if you just want output to a text file:
$result | Out-File .\active_domain_admins.txt
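An added example, not taken from either answer above: a single pass that lists enabled and disabled members together with an Enabled column, labels each account as a direct or nested member, and exports the result to CSV. It assumes the ActiveDirectory module and a single domain; the function name Get-GroupMemberStatus, the Membership and LastLogonDate columns, and the output file name are choices made for this illustration.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT); read-only queries.
Import-Module ActiveDirectory

function Get-GroupMemberStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$GroupName
    )

    # Direct user members, used only to label each row as Direct or Nested.
    $direct = @(Get-ADGroupMember -Identity $GroupName |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.distinguishedName })

    # -Recursive expands nested groups and returns only the leaf members,
    # so the nested groups themselves never appear in this list.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            # Look up each member by DN; no Enabled filter, so both states are kept.
            $u = Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate
            [pscustomobject]@{
                Group             = $GroupName
                Name              = $u.Name
                SamAccountName    = $u.SamAccountName
                UserPrincipalName = $u.UserPrincipalName
                Enabled           = $u.Enabled
                Membership        = if ($direct -contains $u.DistinguishedName) { 'Direct' } else { 'Nested' }
                LastLogonDate     = $u.LastLogonDate
            }
        } |
        Sort-Object Enabled, Name
}

$report = Get-GroupMemberStatus -GroupName 'Domain Admins'
$report | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\domain_admins_members.csv
```

Disabled accounts sort first, which makes stale entries in a privileged group easy to spot during a membership review.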
Author by
Marlon
Enthusiastic about Devops tools, infrastructure and multicloud.
Updated on September 18, 2022
Comments
-
Marlon over 1 year
I'm trying to get a list of all members from an AD group showing active \ inactive users. The purpose is to get all the members of the groups and list the ones with Admin privileges.
I did the following commands:
$GROUPNAME = "Domain Admins"
Get-ADGroupMember -identity $GROUPNAME -Recursive | Select name, SamAccountName, objectclass | Sort-Object Name
Tried to combine with Get-ADUser -Filter {Enabled -eq $false} but I need the first cmdlet to output for me Users, so I can filter with Get-ADuser.
Thanks in advance
-
Ravindra Bawane over 6 years
What about pulling the output from Get-ADGroupMember to a variable $USERS and then running a ForEach loop that pulls them through Get-ADUser to check for Enabled? I'm playing with this now modifying a script that is similar-ish, but haven't worked out the kinks yet.
-
Marlon over 6 years
@music2myear Seems that worked! Did the following:
$GROUPNAME = 'Domain Admins'
Get-ADGroupMember -identity $GROUPNAME -Recursive | Select name, SamAccountName, objectclass | Sort-Object Name
foreach ($USERS in $USERS) { Get-ADUser -Filter {Enabled -eq $false } | Select Name, Enabled, SamAccountName, UserPrincipalName }
-
Ravindra Bawane over 6 years
Sweet, write that up as the answer. I may have pointed you in the right direction, but you solved it.
-
Ravindra Bawane over 6 years
Though, I'd personally leave off the Select and Sort-object off of the first line. Get-ADGroupMember is outputting objects which Get-ADUser should be able to handle just fine, and the Select command on the last line should be sufficient.
-
Marlon over 6 years
Did some tests here but seems that statement:
Get-ADGroupMember -identity $GROUPNAME -Recursive
is not getting all the members from Domain Admins group or whatever group on the cmdlet. With last cmdlet filtering results just show disabled users at general on AD.
-
Ravindra Bawane over 6 years
In the code you've posted it doesn't look as though you're writing the contents of Domain Admins to a variable, and then you're just looping through every user account in the domain with Get-ADUser.
-
Marlon over 6 years
It seems that you doing the command
Get-ADGroupMember -identity $GROUPNAME
without recursive option shows the members. Just does not show a group inserted into the Domain Admins members.
-
Marlon over 6 years
@music2myear I tested these cmdlets and seems to be working now! Unfortunately I can't vote for my own reply; if you could, it would be appreciated.
-
choudhury smrutiranjan parida over 5 years
How to add the export csv portion here?