PowerShell: GUI Active Directory Group Membership Reporting Tool for Auditors and Security Teams

Security and auditing efforts often increase the workload of your network administrators. The frequent requests to look up information can interrupt the admin’s own workflow. The auditor’s and security team member’s requests are legitimately required. However, those groups are often unable to retrieve the data themselves due to a lack of access to, or knowledge of, the administrative management toolsets.

One of the requests I get most often is to provide a report showing the membership of various active directory groups. Generally, any account in an AD domain has enough permission to view the membership of groups, although administrators can adjust who can see the roster. Teaching your auditors and security department to use the Active Directory Users and Computers console is not out of the question, but it lacks good reporting facilities.

When I get tickets requesting the data I lean on PowerShell to create the reports. One afternoon I thought that if I could make a script simple enough to operate, I could turn it over to the people making the requests. They could get the information they needed without waiting on my availability. Below is the script I came up with. It uses PowerShell’s Grid View to show a list of all the groups for the person to select from and then exports a report with the most commonly requested information.

Import-Module ActiveDirectory
$groups = Get-ADGroup -Filter * -Searchbase "OU=Groups,OU=NCRA,DC=ccx,DC=carecentrix,DC=com"|
    Select-Object @{n="Group"; e={$_.Name}}, DistinguishedName |Sort-Object "Group"|
    Out-GridView -Title "Select a Group, then click OK"  -PassThru
$accounts = Foreach ($group in $groups) {Get-ADGroupMember -Identity $group.DistinguishedName -Recursive}
$report = Foreach ($account in $accounts) {Get-ADUser -Identity $account -Properties *|
    Select-Object DisplayName, SamAccountName, EmailAddress, EmployeeID, TelephoneNumber, Created, Department, City}
$report|Export-Csv -LiteralPath $env:userprofile\documents\groupmemebers.csv -notypeinformation
Invoke-Item $env:userprofile\documents\groupmemebers.csv

Copy the code and paste it into Notepad, save the file as Get-GroupMembers.ps1. Right click on the file you saved and choose the option Run with PowerShell.

The Grid View will display all of the groups in the Active Directory forest. Use the search mechanism, or scroll through the groups and select the one you want to create a report for. Use CTRL + Click to select more than one group for your report. Then click the Ok button in the bottom right corner.

A report showing the Name, Logon Account, Email Address, Employee ID, Telephone Number, Created, Department, and City for each of the members of the group or groups you selected will be saved in your documents folder and opened on your screen.

To run this script you will need to have the Remote Server Administration Tools for Active Directory installed on the system you are running it from. The RSAT tools install the required Active Directory PowerShell module. You could also run the script from a domain controller.

1 Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s