
Find Nested Groups & Members in Active Directory with PowerShell

Do you need to find nested groups and members in Active Directory using PowerShell? This article is your hands-on guide.

But first, what is a nested group, and why do we need to explain how to use PowerShell to find its members? We answer this question in the first section of this article.

After that, we describe the nested group structure used to demonstrate how nested groups work. This section also highlights the challenge of using PowerShell to find nested groups and members in Active Directory.

There are also two hands-on sections illustrating how to use Windows PowerShell to find nested groups and members. First, the article describes how to perform this task in an on-prem AD. Second, we explore the equivalent script for Azure Active Directory.

So, whether you need to find nested groups and members in on-prem or Azure AD, you will find this article helpful.

What is a Nested Active Directory Group?

A nested AD group is a group that has other groups as members. For example, if the group GroupA has GroupB and GroupC as members, GroupB and GroupC are nested groups.

They are called "nested" because they create a chain: GroupB and GroupC have their own members, and the top-level group, GroupA, typically has direct user members as well. From an access-review standpoint this matters, because the effective membership of GroupA (and therefore of every permission granted to it) includes every user reachable through that chain, not just the users listed directly on the group.

In PowerShell, Get-ADGroupMember returns the members of an on-prem Active Directory group. Run against the top-level group, GroupA, it returns only the direct members: the user accounts and the group objects GroupB and GroupC. It does not expand those groups, so the users who hold GroupA's permissions through GroupB or GroupC never appear. That is the gap this article closes. (Get-ADGroupMember does have a -Recursive switch, but it flattens the hierarchy: it returns the leaf users and computers and drops the group objects, so you cannot see which nested group granted the membership.)

Before we proceed, note that the equivalent cmdlet for Azure AD group membership is Get-AzureADGroupMember in the AzureAD module; the Azure examples in this article use Get-AzADGroupMember from the Az.Resources module, which is preinstalled in Azure Cloud Shell.

Overview of the On-prem and Azure AD Group Structure for this Article

I have an Organizational Unit named "Writers OU" with three groups: Writers, Senior Writers, and Junior Writers.

The Senior Writers and Junior Writers groups are members of the Writers group.

The Writers group also has two users as direct members: John Doe and Peter Johnson.

The screenshot below shows the members of the "Writers" group.

Further down the chain, the Senior Writers group has two user members, Victor Ashiedu and Anthony Raj, and the Junior Writers group has two user members, Carol Olutu and Peter Bo.

This group and user membership creates a nested arrangement that lets us demonstrate how to use PowerShell to find nested groups and members in Active Directory.

Specifically, at the first level we have the "Writers" group with the following members:

1. Senior Writers (group)
2. Junior Writers (group)
3. John Doe (user)
4. Peter Johnson (user)

On the second level of the nested group, we have the following membership.

Members of the "Senior Writers" group:

1. Victor Ashiedu (user)
2. Anthony Raj (user)

Members of the “Junior Writers” group:

1. Carol Olutu (user)
2. Peter Bo (user)

Find Nested Groups and Members in Active Directory using PowerShell: The Problem

To highlight the problem with reporting nested group memberships, let's run the script below against the top-level group:

    Get-ADGroup -SearchBase "OU=Writers OU,DC=corp,DC=itechguides,DC=com" -Filter {Name -eq "Writers"} |
        ForEach-Object {
            $groupSamAccountName = $_.SamAccountName
            Get-ADGroupMember -Identity $groupSamAccountName
        }

The Filter parameter is mandatory for Get-ADGroup; here it restricts the result to the "Writers" group (Get-ADGroup only ever returns group objects, so filtering on objectClass would be redundant). The group object is piped to ForEach-Object, which calls Get-ADGroupMember on it. Note that the pipe must be followed directly by ForEach-Object: a backtick continuation followed by a blank line leaves an empty pipeline element and PowerShell refuses to parse it.

As expected, the script returns the users who are direct members of the "Writers" group, plus the nested groups "Senior Writers" and "Junior Writers" as group objects.

However, it does not list the members of the nested groups.

In the remaining parts of this article, we modify this script to include the members of the nested groups. We also explain how to perform the same task in Azure AD.

Important note:

My on-prem AD syncs to Azure AD using Azure AD Connect, so the on-prem AD groups described above are replicated in my Azure AD.


Use Powershell to Find Nested Groups and Members in on-prem Active Directory

Find Nested Groups in on-prem Active Directory with PowerShell

Our script in the previous section returned all direct members, users and groups, of the top-level group. In some scenarios, however, admins only want the nested groups of a group.

The Get-ADGroup portion of the script, before the pipe to ForEach-Object, lists groups. Here it is with the second part removed and the Filter relaxed to a wildcard:

    Get-ADGroup -SearchBase "OU=Writers OU,DC=corp,DC=itechguides,DC=com" -Filter *

Get-ADGroup returns the groups in the container specified by the SearchBase parameter. The Filter parameter is required, so the asterisk (*) wildcard returns all of them.

The result displays all groups in the "Writers OU" container, including the "Writers" group itself. This is not our end result: listing the groups that live in the OU is not the same as listing the groups nested in "Writers". The two happen to coincide in this lab, but a group can be nested from any OU, or from another domain in the forest, so a membership report must start from the group, not from the container.

What we want to achieve is to find the nested groups in the "Writers" group.

To achieve this, I explain the steps using the numbering below:

1. Modify the Filter parameter to return the "Writers" group. Then, save the returned group object in the $writersgroupname variable.

    $writersgroupname = Get-ADGroup -SearchBase "OU=Writers OU,DC=corp,DC=itechguides,DC=com" -Filter {Name -eq "Writers"}

2. After that, pass the group object saved in the variable to the Identity parameter of Get-ADGroupMember. To return only the nested groups (and exclude direct users), pipe the result of Get-ADGroupMember to Where-Object and filter on objectClass.

See the command below.

    Get-ADGroupMember -Identity $writersgroupname | Where-Object {$_.objectClass -eq "group"}

The command finds the nested groups in the Active Directory group. To help with comparing the result, I have included the "Writers" group membership in the second screenshot.

As shown in the second screenshot, the "Writers" group has two direct users, but they are not included in the PowerShell result. This is because the Where-Object filter keeps only members whose objectClass is "group".

Find Nested Group Members in on-prem Active Directory

In the last example, we illustrated how to find nested groups. To find the members of the nested groups, I follow these steps:

1. Firstly, run the Get-ADGroup command to return the top-level group ("Writers") and save the result in a variable.

    $writersgroupname = Get-ADGroup -SearchBase "OU=Writers OU,DC=corp,DC=itechguides,DC=com" -Filter {Name -eq "Writers"}

2. The second step is to find the nested groups using the Get-ADGroupMember command and save the result in another variable.

    $writersnestedgroups = Get-ADGroupMember -Identity $writersgroupname | Where-Object {$_.objectClass -eq "group"}

3. Finally, use the ForEach statement to iterate through the nested groups saved in the variable from step 2. In the script block of the ForEach loop, save the name of each group in the $groupname variable and pass it to the Identity parameter of Get-ADGroupMember. The result displays all members of the nested groups.

Below the screenshot showing the PowerShell result, I have included a screenshot showing the members of the nested groups.
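The three steps above expand one level of nesting. The function below is an added example, not the article's own code, that applies the same Get-ADGroupMember-per-group idea recursively to any depth, records the path through which each member is reached, and refuses to expand a group twice (Active Directory allows circular nesting, so a naive loop can run forever). It assumes the RSAT ActiveDirectory module and that the top-level group's SamAccountName is Writers, as in the lab above.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory module
# and a top-level group whose SamAccountName is 'Writers' (the lab group used above).
Import-Module ActiveDirectory

function Get-NestedGroupMembership {
    <#
    .SYNOPSIS
    Lists every member reachable from a group, one row per (path, member),
    expanding nested groups to any depth without looping on circular nesting.
    #>
    [CmdletBinding()]
    param(
        # SamAccountName, distinguished name or GUID of the group to expand
        [Parameter(Mandatory)] [string] $Identity,
        # Nesting path so far; callers leave this empty, the recursion fills it in
        [string] $Path = '',
        # Distinguished names already expanded, shared across the recursion
        [hashtable] $Visited = @{}
    )

    $group = Get-ADGroup -Identity $Identity
    if ($Visited.ContainsKey($group.DistinguishedName)) {
        # Either circular nesting (A -> B -> A) or the same group reached twice;
        # either way it has already been reported, so do not expand it again.
        Write-Warning "Skipping '$($group.Name)' under '$Path': already expanded"
        return
    }
    $Visited[$group.DistinguishedName] = $true
    if (-not $Path) { $Path = $group.Name }

    # Direct members only: this is the call the article shows stopping at one level.
    foreach ($member in (Get-ADGroupMember -Identity $group)) {
        [PSCustomObject]@{
            Depth       = ($Path -split ' > ').Count
            Path        = $Path
            Member      = $member.SamAccountName
            ObjectClass = $member.objectClass
        }
        if ($member.objectClass -eq 'group') {
            # Recurse into the nested group, extending the path so the report
            # shows through which chain each user holds the top-level membership.
            Get-NestedGroupMembership -Identity $member.DistinguishedName `
                                      -Path "$Path > $($member.Name)" `
                                      -Visited $Visited
        }
    }
}

# Usage with the lab group from the article: the two direct users and the two nested
# groups appear at depth 1, the four users of the nested groups at depth 2.
Get-NestedGroupMembership -Identity 'Writers' |
    Sort-Object Depth, Path |
    Format-Table Depth, Path, Member, ObjectClass -AutoSize
```

For comparison, Get-ADGroupMember -Identity Writers -Recursive returns the same users as a flat list without the group objects, so it cannot tell you that Victor Ashiedu is a Writer through Senior Writers. Two operational caveats apply to both approaches: Active Directory Web Services caps Get-ADGroupMember at 5,000 members per call (the MaxGroupOrMemberEntries setting), and the cmdlet can fail on groups that contain foreign security principals from trusted domains, so for very large or multi-domain groups read the group's member attribute (Get-ADGroup -Properties member) and resolve the distinguished names yourself.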

How to Use PowerShell to Find Nested Groups and Members in Azure AD

The difference between using PowerShell to find nested groups and members in on-prem and Azure Active Directory is in the cmdlets used. As shown in the last section, for the on-prem AD we use two cmdlets from the ActiveDirectory module: Get-ADGroup and Get-ADGroupMember.

For Azure Active Directory, the examples below use Get-AzureADGroup from the AzureAD module to look up the group's ObjectId, and Get-AzADGroupMember from the Az.Resources module to enumerate members. Get-AzADGroupMember returns Microsoft Graph directory objects, which carry the member type in an OdataType property; the AzureAD module's own Get-AzureADGroupMember reports it in an ObjectType property instead. Note that Microsoft has deprecated the AzureAD module in favour of Microsoft Graph PowerShell, so new scripts should not depend on it.

To run these commands from your PC, you must first install both modules (Install-Module AzureAD and Install-Module Az) and sign in with Connect-AzureAD and Connect-AzAccount respectively. I am running the commands from Azure Cloud Shell, where both modules are available and the Az context is already signed in.

To use Azure Cloud Shell, open shell.azure.com; you are prompted to sign in with your Azure account. After signing in, run the Connect-AzureAD command.

Once you have completed these prerequisite steps, proceed with the following subsections.

Find Nested Groups in Azure Active Directory with PowerShell

Our first task is to find all nested group memberships for the “Writers” group. I use the numbered steps below to find the nested group members for the Azure AD “Writers” group.

1. Get the ObjectId of the "Writers" group.

    Get-AzureADGroup -Filter "startswith(DisplayName, 'Writers')"

The command returns the ObjectId and DisplayName of the group. The OData startswith() filter matches every group whose display name begins with "Writers", so check that exactly one group is returned; if your tenant has similarly named groups, use the OData eq operator on DisplayName for an exact match instead.

2. Next, use the ObjectId returned by the last command as the GroupObjectId parameter of the Get-AzADGroupMember command.

By default, Get-AzADGroupMember returns both users and groups. Since our interest at this stage is the nested groups, I piped the output to Where-Object and filtered on the OdataType property, which Microsoft Graph sets to "#microsoft.graph.group" for group objects (users carry "#microsoft.graph.user").

    Get-AzADGroupMember -GroupObjectId 3795dc4a-76ce-4b3a-a8ac-72309185f520 | Where-Object {$_.OdataType -eq "#microsoft.graph.group"}

The result displays the nested groups, omitting the direct users that are members of the "Writers" group.

Find Nested Group Members in Azure Active Directory with PowerShell

The script in the last example displayed the nested groups in an Azure AD group. To return the members of the nested groups, follow these steps:

1. Save the results of the last command (containing the nested groups) in a variable.

    $nestedgroups = Get-AzADGroupMember -GroupObjectId 3795dc4a-76ce-4b3a-a8ac-72309185f520 | Where-Object {$_.OdataType -eq "#microsoft.graph.group"}

2. After that, use the ForEach statement to loop through the groups and display the members of each. Here is the updated PowerShell script.

    $nestedgroups = Get-AzADGroupMember -GroupObjectId 3795dc4a-76ce-4b3a-a8ac-72309185f520 | Where-Object {$_.OdataType -eq "#microsoft.graph.group"}
    ForEach ($nestedgroup in $nestedgroups) {
        $groupObjectId = $nestedgroup.Id
        Get-AzADGroupMember -GroupObjectId $groupObjectId
    }

The script displays the members of the nested Azure AD groups. 
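The loop above expands one level. As an added example (not the article's code), the function below walks an Azure AD group recursively with the same Az.Resources cmdlets, keeping the nesting path and a visited set so circular nesting cannot loop, and looks the group up by exact display name rather than startswith(). It assumes an Az.Resources version that returns Microsoft Graph objects (the OdataType property the page filters on), a signed-in Az context such as Cloud Shell, and a group whose display name is exactly Writers.

```powershell
# Added example, not from the original article. Assumes Az.Resources (Graph-backed,
# members carry an OdataType property), a signed-in Az context such as Cloud Shell,
# and a group whose display name is exactly 'Writers'.
function Get-AzNestedGroupMembership {
    [CmdletBinding()]
    param(
        # Object ID of the group to expand
        [Parameter(Mandatory)] [string] $GroupObjectId,
        # Nesting path so far; empty on the first call, filled in by the recursion
        [string] $Path = '',
        # Group IDs already expanded, shared across the recursion to stop loops
        [hashtable] $Visited = @{}
    )

    if ($Visited.ContainsKey($GroupObjectId)) {
        Write-Warning "Skipping group $GroupObjectId under '$Path': already expanded"
        return
    }
    $Visited[$GroupObjectId] = $true
    if (-not $Path) { $Path = (Get-AzADGroup -ObjectId $GroupObjectId).DisplayName }

    # Direct members only, as on the page; nested groups are expanded below.
    foreach ($member in (Get-AzADGroupMember -GroupObjectId $GroupObjectId)) {
        [PSCustomObject]@{
            Depth  = ($Path -split ' > ').Count
            Path   = $Path
            Member = $member.DisplayName
            # '#microsoft.graph.user' -> 'user', '#microsoft.graph.group' -> 'group';
            # service principals that were added as members show up as 'servicePrincipal'
            Type   = $member.OdataType -replace '^#microsoft\.graph\.', ''
            Id     = $member.Id
        }
        if ($member.OdataType -eq '#microsoft.graph.group') {
            Get-AzNestedGroupMembership -GroupObjectId $member.Id `
                                        -Path "$Path > $($member.DisplayName)" `
                                        -Visited $Visited
        }
    }
}

# Usage: exact display-name lookup instead of startswith(), which would also match
# any other group whose name begins with 'Writers'.
$writers = Get-AzADGroup -DisplayName 'Writers'
Get-AzNestedGroupMembership -GroupObjectId $writers.Id |
    Sort-Object Depth, Path |
    Format-Table Depth, Path, Member, Type, Id -AutoSize
```

If more than one group shares the display name, Get-AzADGroup returns all of them; in that case pass the ObjectId from step 1 of the previous section directly to -GroupObjectId instead of relying on $writers.Id.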

Find Nested Groups & Members in Active Directory with PowerShell Conclusion

Nested groups are a natural way to organize permissions in on-prem and Azure Active Directory. However, reporting on them is tricky because Get-ADGroupMember (for on-prem AD) and Get-AzADGroupMember (for Azure AD) return only direct members by default; Get-ADGroupMember's -Recursive switch expands the chain but flattens it to leaf users, losing the information about which nested group granted the access.

Returning the members of nested groups while keeping that information therefore requires some scripting, as illustrated in this article. The trick lies in first saving the nested groups in a variable, then using a ForEach statement to iterate over the groups and return their members. Remember that this expands one level only: groups nested deeper in the chain need the loop applied again (or a recursive function), and circular nesting must be detected so the expansion terminates.

This article illustrated how to perform this task in an on-prem and Azure Active Directory.


Victor Ashiedu


Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and Powershell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.
