0 votes

Hello,

I have 3 groups in my AD environment and want to show all the users that belong to each group. For example -

Group 1 Group 2 Group 3

The existing report in the Adaxes console called "Members of Selected Groups" will return all the users that belong to these 3 groups but it doesnt separate them out by group. For example if I were to run that report on the portal it would just return a single list of users -

User A User B User C User D etc.

What I want it to do is return a list of all the users who belong to those 3 groups but broken out by each group. For example -

Group 1

  • User A
  • User B

Group 2 -User C

Group 3 -User B -Usser D

etc.

Is there a way to create a report like this?

Thank you in advance!

by (480 points)
0

Hello,

Yes, it is possible. Do we understand correctly, that each list should contain all members of a group no matter if they are members of the other selected groups? Any additional details regarding the desired report will be much appreciated.

0

Hello,

Yes that's correct.

Each list of users for each group should be independent from the other groups. So even if 'USER A' is in 3 groups scoped out in the report we want 'USER A' to show up 3 times (Once in each group)

Hopefully this helps! Let me know if I can provide any additional clarifying info.

Thanks!

0

Hello,

Thank you for the confirmation. Please, specify whether the report should only include direct members of the selected groups or all of them (including members of the nested groups). Also, should the report only include users that are members of the groups or also objects of other types (e.g. computers)?

0

Hello,

The report should include all members of the group (including indirect users)

The only member objects we care about in this case are Users.

1 Answer

+1 vote
by (287k points)
selected by
Best answer

Hello,

Thank you for the provided details. To create the report:

  1. Launch Adaxes Administration Console.
  2. In the Console Tree, right-click your service node.
  3. In the context menu, navigate to New and click Report. image.png
  4. Enter a report name.
  5. Select Script and click Next. image.png
  6. On the Scope page, click New.
  7. Select Specific Objects and click Next twice. image.png
  8. Click Configure. image.png
  9. In the Display only objects that match the following LDAP filter field, enter the following filter: (objectCategory=group)
  10. Make sure that the Allow multiple selection option is enabled and click OK. image.png
  11. Click Finish.
  12. Click Next twice.
  13. In the Report-specific columns section, click Add. image.png
  14. Enter a column name (e.g. Group).
  15. Select Active Directory object and click Next. image.png
  16. Select Template.
  17. In the field below, enter a default value (e.g. empty). The value will never be present in the report and is only required to create the custom column. image.png
  18. Click Finish.
  19. Select Group By and then select the custom column from the drop-down list. image.png
  20. Click Next.
  21. Paste the below script into the corresponding field. In the script, the $groupColumnID variable specifies the identifier of the custom column that will contain groups. To get the identifier:
    • On the Columns step, right-click the custom column.
    • In the context menu, navigate to Copy and click Column ID.
    • The column identifier will be copied to clipboard.
$groupTypes = "(&(objectCategory=group)(|(!(groupType:1.2.840.113556.1.4.803:=2147483648))(groupType:1.2.840.113556.1.4.803:=2147483648)))"
$memberTypes = "(sAMAccountType=805306368)"
$membersPropertyName = "adm-DirectMembersGuid"

# Custom column identifiers
$groupColumnID = "{f5714376-4936-49c6-a663-bb56ba8a4243}"

# IDs of primary groups to exclude from the report
$primaryGroupIDs = @{ 513="Domain Users"; 515="Domain Computers"; 516="Domain Controllers"; 521="RODCs" }

# Search filter
$filter = "(|" + $groupTypes + ")"
$Context.DirectorySearcher.AppendFilter($filter)
$filterMembers = "(|" + $memberTypes + ")"

# Add properties necessary to generate the report
$propertiesForMembers = $Context.DirectorySearcher.GetPropertiesToLoad()
$propertiesForGroups = @("objectClass", "objectGuid", "distinguishedName", "primaryGroupToken")
$Context.DirectorySearcher.SetPropertiesToLoad($propertiesForGroups)

# Create a hash table to map member GUIDs to search results
$guidComparer = $Context.CreatePropertyValueComparer("objectGuid")
$memberGuidToSearchResult = New-Object System.Collections.Hashtable @($guidComparer)

# Generate report
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current

        # Exclude well-known primary groups
        $primaryGroupID = $searchResult.GetPropertyByName("primaryGroupToken").Values[0]
        if ($primaryGroupIDs.Contains($primaryGroupID))
        {
            continue
        }

        $groupDN = $searchResult.GetPropertyByName("distinguishedName").Values[0]

        # Get GUIDs of the group members
        $group = $Context.BindToObjectBySearchResult($searchResult)
        try
        {
            $memberGuids = $group.GetEx($membersPropertyName)
        }
        catch  [System.Runtime.InteropServices.COMException]
        {
            if ($_.Exception.ErrorCode -eq 0x8000500D) # E_ADS_PROPERTY_NOT_FOUND
            {
                # The group doesn't have any members
                $columnValues = @{ $groupColumnID = $groupDN; }
                if ($NULL -eq $styleNoMembers)
                {
                    $styleNoMembers = $Context.Items.CreateItemStyle("#3d3d3d", $NULL,
                        "ADM_LISTITEMFONTSTYLE_REGULAR")
                }
                $Context.Items.Add(-1, "<No members>", "Information", $columnValues, $styleNoMembers)
                continue
            }
            else
            {
                throw $_.Exception
            }
        }

        # Add group members to the report

        $guidsToSearch = $NULL
        # Add already found objects
        foreach ($memberGuid in $memberGuids)
        {
            if (-not $memberGuidToSearchResult.Contains($memberGuid))
            {
                if ($NULL -eq $guidsToSearch)
                {
                    $guidsToSearch = New-Object System.Collections.ArrayList
                }
                $guidsToSearch.Add($memberGuid)
            }
            else
            {
                $memberSearchResult = $memberGuidToSearchResult[@(,$memberGuid)][0]
                $clonedSearchResult = $memberSearchResult.Clone($False)
                $columnValues = @{ $groupColumnID = $groupDN; }
                $Context.Items.Add($clonedSearchResult, $columnValues, $NULL)
            }
        }

        if ($NULL -eq $guidsToSearch)
        {
            continue
        }

        # Search for members
        $memberSearcher = $Context.CreateGuidBasedSearcher($guidsToSearch)
        $memberSearcher.SetPropertiesToLoad($propertiesForMembers)
        $memberSearcher.AppendFilter($filterMembers)
        try
        {
            $memberSearchIterator = $memberSearcher.ExecuteSearch()
            while ($Context.MoveNext($memberSearchIterator))
            {
                $memberSearchResult = $memberSearchIterator.Current

                # Remember the search result
                $memberGuid = $memberSearchResult.GetPropertyByName("objectGuid").Values[0]
                $memberGuidToSearchResult[$memberGuid] = $memberSearchResult.Clone($False)

                # Add the object to the report
                $columnValues = @{ $groupColumnID = $groupDN; }
                $Context.Items.Add($memberSearchResult, $columnValues, $NULL)
            }
        }
        finally
        {
            if ($memberSearchIterator) { $memberSearchIterator.Dispose() }
        }
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}
  1. Click Next and finish creating the report.
0

Thank you! This worked perfectly!

Report not showing members of selected groups
0

I created this report but it doesn't seem to pull indirect members (nested groups) How can I update it so that either the groups inside the group is listed or indirect members are shown.

0

Hello,

To achieve the desired, set the variables in the script as below. Pay attention that the script only works in Adaxes 2021.1 and older. It will not work in Adaxes 2023 and later.

$groupTypes = "(&(objectCategory=group)(|(!(groupType:1.2.840.113556.1.4.803:=2147483648))(groupType:1.2.840.113556.1.4.803:=2147483648)))"
$memberTypes = "(objectCategory=group)(sAMAccountType=805306368)"
$membersPropertyName = "adm-MembersGuid"

Related questions

0 votes
1 answer

I created a group Business Rule that triggers "After adding or removing a member from a group". On its Activity Scope I added a test group, and set it for "The group ... does not trigger. What should I do to make the BR detect this (admittedly rare) case?

asked Mar 16, 2023 by alex.vanderwoude (60 points)
0 votes
1 answer

I need to create a report of all enabled users in selected group or multiple groups. I am aware of the report named "Members of selected groups", but I don't know how to filter only enabled users. Is there a way to achieve this?

asked May 28 by gsoc.ssm (90 points)
0 votes
1 answer

I am trying to make a custom report that is basically the "Members of Groups" default report but instead of selecting Directory Objects, I want to select groups. The Members of ... will not work in Adaxes 2023 and later. I am running 2023.2 -- Suggestions?

asked Aug 13 by AvenuesRecovery (20 points)
0 votes
1 answer

I recently updated to Adaxes 2023.2 from 2021.x. We have a weekly email that goes out documenting users membership in groups and it is helpful for a historical look ... 'primaryGroupToken'." Stack trace: at &lt;ScriptBlock&gt;, &lt;No file&gt;: line 34

asked May 29, 2023 by jbadry (430 points)
0 votes
1 answer

I'd like to create a a custom report to show any approval requests (Approved, Pending, and Rejected) for membership in certain AD groups within our domain. These groups grant users ... " (Just In Time) in the name of the group. Is something like this possible?

asked Mar 30, 2020 by sirslimjim (480 points)
3,526 questions
3,217 answers
8,197 comments
547,625 users