0 votes

Hello,

I have 3 groups in my AD environment and want to show all the users that belong to each group. For example -

  • Group 1
  • Group 2
  • Group 3

The existing report in the Adaxes console called "Members of Selected Groups" will return all the users that belong to these 3 groups, but it doesn't separate them out by group. For example, if I were to run that report on the portal it would just return a single list of users -

  • User A
  • User B
  • User C
  • User D
  • etc.

What I want it to do is return a list of all the users who belong to those 3 groups but broken out by each group. For example -

Group 1

  • User A
  • User B

Group 2

  • User C

Group 3

  • User B
  • User D

etc.

Is there a way to create a report like this?

Thank you in advance!

by (2.1k points)
0

Hello,

Yes, it is possible. Do we understand correctly that each list should contain all members of a group, no matter if they are members of the other selected groups? Any additional details regarding the desired report will be much appreciated.

0

Hello,

Yes that's correct.

Each list of users for each group should be independent from the other groups. So even if 'USER A' is in 3 groups scoped out in the report, we want 'USER A' to show up 3 times (once in each group).

Hopefully this helps! Let me know if I can provide any additional clarifying info.

Thanks!

0

Hello,

Thank you for the confirmation. Please specify whether the report should only include direct members of the selected groups or all of them (including members of the nested groups). Also, should the report only include users that are members of the groups or also objects of other types (e.g. computers)?

0

Hello,

The report should include all members of the group (including indirect users).

The only member objects we care about in this case are Users.

1 Answer

+1 vote
by (189k points)
selected by
Best answer

Hello,

Thank you for the provided details. To create the report:

  1. Launch Adaxes Administration Console.
  2. In the Console Tree, right-click your service node.
  3. In the context menu, navigate to New and click Report.
  4. Enter a report name.
  5. Select Script and click Next.
  6. On the Scope page, click New.
  7. Select Specific Objects and click Next twice.
  8. Click Configure.
  9. In the Display only objects that match the following LDAP filter field, enter the following filter: (objectCategory=group)
  10. Make sure that the Allow multiple selection option is enabled and click OK.
  11. Click Finish.
  12. Click Next twice.
  13. In the Report-specific columns section, click Add.
  14. Enter a column name (e.g. Group).
  15. Select Active Directory object and click Next.
  16. Select Template.
  17. In the field below, enter a default value (e.g. empty). The value will never be present in the report and is only required to create the custom column.
  18. Click Finish.
  19. Select Group By and then select the custom column from the drop-down list.
  20. Click Next.
  21. Paste the below script into the corresponding field. In the script, the $groupColumnID variable specifies the identifier of the custom column that will contain groups. To get the identifier:
    • On the Columns step, right-click the custom column.
    • In the context menu, navigate to Copy and click Column ID.
    • The column identifier will be copied to clipboard.
$groupTypes = "(&(objectCategory=group)(|(!(groupType:1.2.840.113556.1.4.803:=2147483648))(groupType:1.2.840.113556.1.4.803:=2147483648)))"
$memberTypes = "(sAMAccountType=805306368)"
$membersPropertyName = "adm-DirectMembersGuid"

# Custom column identifiers
$groupColumnID = "{f5714376-4936-49c6-a663-bb56ba8a4243}"

# IDs of primary groups to exclude from the report
$primaryGroupIDs = @{ 513="Domain Users"; 515="Domain Computers"; 516="Domain Controllers"; 521="RODCs" }

# Search filter
$filter = "(|" + $groupTypes + ")"
$Context.DirectorySearcher.AppendFilter($filter)
$filterMembers = "(|" + $memberTypes + ")"

# Add properties necessary to generate the report
$propertiesForMembers = $Context.DirectorySearcher.GetPropertiesToLoad()
$propertiesForGroups = @("objectClass", "objectGuid", "distinguishedName", "primaryGroupToken")
$Context.DirectorySearcher.SetPropertiesToLoad($propertiesForGroups)

# Create a hash table to map member GUIDs to search results
$guidComparer = $Context.CreatePropertyValueComparer("objectGuid")
$memberGuidToSearchResult = New-Object System.Collections.Hashtable @($guidComparer)

# Generate report
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current

        # Exclude well-known primary groups
        $primaryGroupID = $searchResult.GetPropertyByName("primaryGroupToken").Values[0]
        if ($primaryGroupIDs.Contains($primaryGroupID))
        {
            continue
        }

        $groupDN = $searchResult.GetPropertyByName("distinguishedName").Values[0]

        # Get GUIDs of the group members
        $group = $Context.BindToObjectBySearchResult($searchResult)
        try
        {
            $memberGuids = $group.GetEx($membersPropertyName)
        }
        catch  [System.Runtime.InteropServices.COMException]
        {
            if ($_.Exception.ErrorCode -eq 0x8000500D) # E_ADS_PROPERTY_NOT_FOUND
            {
                # The group doesn't have any members
                $columnValues = @{ $groupColumnID = $groupDN; }
                if ($NULL -eq $styleNoMembers)
                {
                    $styleNoMembers = $Context.Items.CreateItemStyle("#3d3d3d", $NULL,
                        "ADM_LISTITEMFONTSTYLE_REGULAR")
                }
                $Context.Items.Add(-1, "<No members>", "Information", $columnValues, $styleNoMembers)
                continue
            }
            else
            {
                throw $_.Exception
            }
        }

        # Add group members to the report

        $guidsToSearch = $NULL
        # Add already found objects
        foreach ($memberGuid in $memberGuids)
        {
            if (-not $memberGuidToSearchResult.Contains($memberGuid))
            {
                if ($NULL -eq $guidsToSearch)
                {
                    $guidsToSearch = New-Object System.Collections.ArrayList
                }
                $guidsToSearch.Add($memberGuid)
            }
            else
            {
                $memberSearchResult = $memberGuidToSearchResult[@(,$memberGuid)][0]
                $clonedSearchResult = $memberSearchResult.Clone($False)
                $columnValues = @{ $groupColumnID = $groupDN; }
                $Context.Items.Add($clonedSearchResult, $columnValues, $NULL)
            }
        }

        if ($NULL -eq $guidsToSearch)
        {
            continue
        }

        # Search for members
        $memberSearcher = $Context.CreateGuidBasedSearcher($guidsToSearch)
        $memberSearcher.SetPropertiesToLoad($propertiesForMembers)
        $memberSearcher.AppendFilter($filterMembers)
        try
        {
            $memberSearchIterator = $memberSearcher.ExecuteSearch()
            while ($Context.MoveNext($memberSearchIterator))
            {
                $memberSearchResult = $memberSearchIterator.Current

                # Remember the search result
                $memberGuid = $memberSearchResult.GetPropertyByName("objectGuid").Values[0]
                $memberGuidToSearchResult[$memberGuid] = $memberSearchResult.Clone($False)

                # Add the object to the report
                $columnValues = @{ $groupColumnID = $groupDN; }
                $Context.Items.Add($memberSearchResult, $columnValues, $NULL)
            }
        }
        finally
        {
            if ($memberSearchIterator) { $memberSearchIterator.Dispose() }
        }
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}
  22. Click Next and finish creating the report.
0

Thank you! This worked perfectly!
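
A way to cross-check the report's per-group lists outside Adaxes, as an added example that is not part of the original answer or Adaxes' own code. It reuses the user filter from the script above (sAMAccountType=805306368) and resolves nested membership with the LDAP_MATCHING_RULE_IN_CHAIN rule. Assumptions: the ActiveDirectory PowerShell module is installed, the group names are placeholder sAMAccountNames, and the helper name and output file name are hypothetical.

```powershell
# Added example: per-group user listing (direct and nested members) via the ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder group sAMAccountNames taken from the question; replace with real ones.
$groupNames = @('Group 1', 'Group 2', 'Group 3')

# Hypothetical helper: escape characters that are special in an LDAP filter value (RFC 4515).
function ConvertTo-LdapFilterValue([string]$Value)
{
    $Value = $Value.Replace('\', '\5c')   # backslash first, so later escapes are not re-escaped
    $Value = $Value.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    return $Value.Replace([string][char]0, '\00')
}

$report = foreach ($name in $groupNames)
{
    $group = Get-ADGroup -Identity $name
    $dn = ConvertTo-LdapFilterValue $group.DistinguishedName

    # Users only, members at any nesting depth (matching rule OID 1.2.840.113556.1.4.1941)
    $filter = "(&(sAMAccountType=805306368)(memberOf:1.2.840.113556.1.4.1941:=$dn))"
    $users = @(Get-ADUser -LDAPFilter $filter)

    if ($users.Count -eq 0)
    {
        # Keep empty groups visible, as the Adaxes script does
        [pscustomobject]@{ Group = $group.Name; User = '<No members>'; DN = $null }
        continue
    }
    foreach ($user in $users)
    {
        # One row per (group, user) pair: a user in three groups appears three times
        [pscustomobject]@{ Group = $group.Name; User = $user.SamAccountName; DN = $user.DistinguishedName }
    }
}

$report | Sort-Object Group, User | Format-Table User, DN -GroupBy Group
$report | Export-Csv -Path .\group-members.csv -NoTypeInformation
```

The memberOf attribute does not reflect primary group membership, so users who belong to a group only through primaryGroupID will not appear in this listing.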
