Powershell – fetch AD groups and members in it

active-directorypowershell

I found a script to fetch AD groups and its members in it. I was working fine but all a sudden it stopped working and gives an error.

List All Groups and Their Members with PowerShell on Win2008r2

$Groups = Get-ADGroup -Properties * -Filter * -SearchBase "OU=Groups,DC=corp,DC=ourcompany,DC=Com" 
Foreach($G In $Groups)
{
    Write-Host $G.Name
    Write-Host "-------------"
    $G.Members
}

Error

Get-ADGroup : The supplied distinguishedName must belong to one of the following partition(s): 'DC=AIA,DC=BIZ , CN=Configuration,DC=AIA,DC=BIZ , CN=Schema,CN=Configuration,DC=AIA,DC=BIZ , DC=ForestDnsZon
es,DC=AIA,DC=BIZ , DC=DomainDnsZones,DC=AIA,DC=BIZ'.
At C:\Users\zai_shanda\Desktop\adgroup.ps1:1 char:22
+ $Groups = Get-ADGroup <<<<  -Properties * -Filter * -SearchBase "AIA.BIZ/AIA/New Zealand/ZAI/Groups/General" 
    + CategoryInfo          : InvalidArgument: (:) [Get-ADGroup], ArgumentException
    + FullyQualifiedErrorId : The supplied distinguishedName must belong to one of the following partition(s): 'DC=AIA,DC=BIZ , CN=Configuration,DC=AIA,DC=BIZ , CN=Schema,CN=Configuration,DC=AIA,DC=BIZ  
   , DC=ForestDnsZones,DC=AIA,DC=BIZ , DC=DomainDnsZones,DC=AIA,DC=BIZ'.,Microsoft.ActiveDirectory.Management.Commands.GetADGroup

can you please help what is wrong?

Best Answer

Seeing the error you are not using a distuingished name for the searchbase command, you need to replace "AIA.BIZ/AIA/New Zealand/ZAI/Groups/General" With a distinguishedname path. So something like "DC=AIA,DC=BIZ,OU=AIA,OU=New Zealand,OU=ZAI,OU=Groups,OU=General"

Please do note that my DistinguishedName might be wrong and you should check yourself by finding the OU you are basing your searchbase of and copy it directly to make sure you dont get any errors.

Related Solutions

Way to view the members of an Active Directory group if you aren’t a domain admin and can’t log into to a domain controller

Absolutely. From a computer that's a member of the domain, open a command-prompt and run a:

NET GROUP "group name" /DOMAIN

Unless your administrators have changed the stock permissions on the group object you will be able to view the membership that way.

You can use AD Users and Computers even if you're not an administrator, but this, at least, can be done w/o installing anything.

How to find out what AD groups I’m a member of

Try running gpresult /R for RSoP summary or gpresult /V for verbose output from the command line as an administrator on the computer. It should output something like this:

C:\Windows\system32>gpresult /V

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 2/10/2010 at 10:27:41 AM


RSOP data for OQMSupport01\- on OQMSUPPORT01 : Logging Mode
------------------------------------------------------------

OS Configuration:            Standalone Workstation
OS Version:                  6.1.7600
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\-
Connected over a slow link?: No


COMPUTER SETTINGS
------------------

    Last time Group Policy was applied: 2/10/2010 at 10:16:09 AM
    Group Policy was applied from:      N/A
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        OQMSUPPORT01
    Domain Type:                        <Local Computer>

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        System Mandatory Level
        Everyone
        Debugger Users
        IIS_WPG
        SQLServer2005MSSQLUser$OQMSUPPORT01$ACT7
        SQLServerMSSQLServerADHelperUser$OQMSUPPORT01
        BUILTIN\Users
        NT AUTHORITY\SERVICE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        BDESVC
        BITS
        CertPropSvc
        EapHost
        hkmsvc
        IKEEXT
        iphlpsvc
        LanmanServer
        MMCSS
        MSiSCSI
        RasAuto
        RasMan
        RemoteAccess
        Schedule
        SCPolicySvc
        SENS
        SessionEnv
        SharedAccess
        ShellHWDetection
        wercplsupport
        Winmgmt
        wuauserv
        LOCAL
        BUILTIN\Administrators

USER SETTINGS
--------------

    Last time Group Policy was applied: 2/10/2010 at 10:00:51 AM
    Group Policy was applied from:      N/A
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        OQMSupport01
    Domain Type:                        <Local Computer>

    The user is a part of the following security groups
    ---------------------------------------------------
        None
        Everyone
        Debugger Users
        HomeUsers
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        NTLM Authentication
        High Mandatory Level

    The user has the following security privileges
    ----------------------------------------------

        Bypass traverse checking
        Manage auditing and security log
        Back up files and directories
        Restore files and directories
        Change the system time
        Shut down the system
        Force shutdown from a remote system
        Take ownership of files or other objects
        Debug programs
        Modify firmware environment values
        Profile system performance
        Profile single process
        Increase scheduling priority
        Load and unload device drivers
        Create a pagefile
        Adjust memory quotas for a process
        Remove computer from docking station
        Perform volume maintenance tasks
        Impersonate a client after authentication
        Create global objects
        Change the time zone
        Create symbolic links
        Increase a process working set

Or if you are logged in to a Windows Server OS with the ActiveDirectory PowerShell Module (or Client OS with the Remote Server Administration Tools) try the Get-ADPrincipalGroupMembership cmdlet:

C:\Users\username\Documents> Get-ADPrincipalGroupMembership username | Select name

name
----
Domain Users
All
Announcements
employees_US
remotes
ceo-report
all-engineering
not-sales
Global-NotSales

Best Answer

Related Solutions

Way to view the members of an Active Directory group if you aren’t a domain admin and can’t log into to a domain controller

How to find out what AD groups I’m a member of

Related Topic