Last week we had a client who wanted to audit their file shares. They had set up their NTFS permissions properly by putting USERS into GROUPS and then assigning those GROUPS to RESOURCES (i.e. the shares). That meant all we had to do was export a list of all of the users in each of the groups that was applied to a share.
We decided to enhance our awesome script to include:
Yes, we have changed the output in the interest of privacy, so please ignore the fact that some dates are in the year 3000.
Here is the problem: many of those groups contained other groups, so we needed our script to also expand and list the nested groups… and this is what it does:
Here is the script, but you need to change the OU information in the $OU = "OU=Drive Maps, OU=Security Groups, DC=areen, DC=ca" line to match your OU.
Remember that the OU path is in reverse order. So in this case the path is AREEN.CA > SECURITY GROUPS > DRIVE MAPS. If your path were AREEN.CA > SECURITY GROUPS > DRIVE MAPS > NEW YORK > TSQUARE, the OU entry would be $OU = "OU=TSQUARE, OU=NEW YORK, OU=Drive Maps, OU=Security Groups, DC=areen, DC=ca"
# Which OU
$OU = "OU=Drive Maps, OU=Security Groups, DC=areen, DC=ca"

# Import the AD module
Import-Module ActiveDirectory

# Retrieve all groups in the OU.
# Description is not returned by default, so it must be requested explicitly
# or the GroupDescription column in the CSV will be blank.
$groups = Get-ADGroup -Filter * -SearchBase $OU -Properties Description

# Initialize an array to store results
$results = @()

foreach ($group in $groups) {
    # Get group members
    $members = Get-ADGroupMember -Identity $group.DistinguishedName

    foreach ($member in $members) {
        if ($member.objectClass -eq "user") {
            # Get user details
            $user = Get-ADUser -Identity $member -Properties GivenName, Surname, Enabled, WhenCreated, LastLogonDate

            # Format the dates to only include the date part
            $createdDate = $user.WhenCreated.ToString("yyyy-MM-dd")
            $lastLogonDate = if ($user.LastLogonDate) { $user.LastLogonDate.ToString("yyyy-MM-dd") } else { "N/A" }

            # Add user details to results array
            $results += [PSCustomObject]@{
                GroupName        = $group.Name
                GroupDescription = $group.Description
                FirstName        = $user.GivenName
                LastName         = $user.Surname
                MemberOf         = "User"
                AccountDisabled  = -not $user.Enabled
                CreatedDate      = $createdDate
                LastLogonDate    = $lastLogonDate
            }
        }
        elseif ($member.objectClass -eq "group") {
            # Get nested group members (one level deep; groups nested inside
            # this nested group are not expanded further)
            $nestedMembers = Get-ADGroupMember -Identity $member.DistinguishedName

            foreach ($nestedMember in $nestedMembers) {
                if ($nestedMember.objectClass -eq "user") {
                    # Get user details from nested group
                    $nestedUser = Get-ADUser -Identity $nestedMember -Properties GivenName, Surname, Enabled, WhenCreated, LastLogonDate

                    # Format the dates to only include the date part
                    $nestedCreatedDate = $nestedUser.WhenCreated.ToString("yyyy-MM-dd")
                    $nestedLastLogonDate = if ($nestedUser.LastLogonDate) { $nestedUser.LastLogonDate.ToString("yyyy-MM-dd") } else { "N/A" }

                    # Add nested user details to results array
                    $results += [PSCustomObject]@{
                        GroupName        = $group.Name
                        GroupDescription = $group.Description
                        FirstName        = $nestedUser.GivenName
                        LastName         = $nestedUser.Surname
                        MemberOf         = "Nested in " + $member.Name
                        AccountDisabled  = -not $nestedUser.Enabled
                        CreatedDate      = $nestedCreatedDate
                        LastLogonDate    = $nestedLastLogonDate
                    }
                }
            }
        }
    }
}

# Export to CSV
$results | Export-Csv -Path "C:\temp\folder-access.csv" -NoTypeInformation -Encoding UTF8
Write-Host "The results have been exported to C:\temp\folder-access.csv"
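The script above only expands one level of nesting, and a share audit usually needs every user who can reach the share no matter how deep the group chain goes. The following is an added example, not the original script: it walks nested groups to any depth, records the chain of groups each user is reached through (which Get-ADGroupMember -Recursive would flatten away), and guards against circular nesting. It assumes the same ActiveDirectory module and $OU as the post; the function name Get-NestedGroupUsers and the output path are our own choices.

```powershell
# Added example: recursive expansion of share groups with loop protection.
# Assumes RSAT / the ActiveDirectory module; change $OU as described in the post.
Import-Module ActiveDirectory
$OU = "OU=Drive Maps, OU=Security Groups, DC=areen, DC=ca"

function Get-NestedGroupUsers {
    param(
        [Parameter(Mandatory)] $Group,   # ADGroup object to expand
        [string] $Path,                  # chain of group names walked so far
        [System.Collections.Generic.HashSet[string]] $Visited = [System.Collections.Generic.HashSet[string]]::new()
    )
    if (-not $Path) { $Path = $Group.Name }
    # Add returns $false if the DN was already seen: stops cycles (A contains B, B contains A)
    # and avoids listing the same nested group twice under one top-level group.
    if (-not $Visited.Add($Group.DistinguishedName)) { return }

    foreach ($member in Get-ADGroupMember -Identity $Group.DistinguishedName) {
        if ($member.objectClass -eq 'user') {
            $u = Get-ADUser -Identity $member.DistinguishedName -Properties GivenName, Surname, Enabled, WhenCreated, LastLogonDate
            [PSCustomObject]@{
                Path            = $Path                          # e.g. "Share-Finance > Finance-Team > Interns"
                Depth           = ($Path -split ' > ').Count - 1 # 0 = direct member of the share group
                SamAccountName  = $u.SamAccountName
                FirstName       = $u.GivenName
                LastName        = $u.Surname
                AccountDisabled = -not $u.Enabled
                CreatedDate     = $u.WhenCreated.ToString('yyyy-MM-dd')
                LastLogonDate   = if ($u.LastLogonDate) { $u.LastLogonDate.ToString('yyyy-MM-dd') } else { 'N/A' }
            }
        }
        elseif ($member.objectClass -eq 'group') {
            $child = Get-ADGroup -Identity $member.DistinguishedName
            # Same $Visited object is passed down, so the whole subtree shares one cycle guard
            Get-NestedGroupUsers -Group $child -Path "$Path > $($child.Name)" -Visited $Visited
        }
    }
}

# A fresh $Visited set is created per top-level group, so a team group nested
# under several share groups is reported under each share it grants access to.
$results = foreach ($g in Get-ADGroup -Filter * -SearchBase $OU -Properties Description) {
    Get-NestedGroupUsers -Group $g |
        Select-Object @{ n = 'GroupName'; e = { $g.Name } }, @{ n = 'GroupDescription'; e = { $g.Description } }, *
}
$results | Export-Csv -Path 'C:\temp\folder-access-nested.csv' -NoTypeInformation -Encoding UTF8
```

Filtering the CSV on AccountDisabled or on old LastLogonDate values with a large Depth is a quick way to spot stale accounts that still hold share access through a forgotten nested group. Note that Get-ADGroupMember is subject to the AD Web Services member-count limit on very large groups, so a group that fails to enumerate should be checked by hand rather than assumed empty.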