Report Showing Group Membership in Multiple AD Groups - But broken out by group?

Hello,

I have 3 groups in my AD environment and want to show all the users that belong to each group. For example -

Group 1 Group 2 Group 3

The existing report in the Adaxes console called "Members of Selected Groups" will return all the users that belong to these 3 groups but it doesnt separate them out by group. For example if I were to run that report on the portal it would just return a single list of users -

User A User B User C User D etc.

What I want it to do is return a list of all the users who belong to those 3 groups but broken out by each group. For example -

Group 1

  • User A
  • User B

Group 2 -User C

Group 3 -User B -Usser D

etc.

Is there a way to create a report like this?

Thank you in advance!

by (480 points)
by (307k points)
0

Hello,

Yes, it is possible. Do we understand correctly, that each list should contain all members of a group no matter if they are members of the other selected groups? Any additional details regarding the desired report will be much appreciated.

by (480 points)
0

Hello,

Yes that's correct.

Each list of users for each group should be independent from the other groups. So even if 'USER A' is in 3 groups scoped out in the report we want 'USER A' to show up 3 times (Once in each group)

Hopefully this helps! Let me know if I can provide any additional clarifying info.

Thanks!

by (307k points)
0

Hello,

Thank you for the confirmation. Please, specify whether the report should only include direct members of the selected groups or all of them (including members of the nested groups). Also, should the report only include users that are members of the groups or also objects of other types (e.g. computers)?

by (480 points)
0

Hello,

The report should include all members of the group (including indirect users)

The only member objects we care about in this case are Users.

1 Answer

by (307k points)
Best answer
+1 vote

Hello,

Thank you for the provided details. To create the report:

  1. Launch Adaxes Administration Console.
  2. In the Console Tree, right-click your service node.
  3. In the context menu, navigate to New and click Report. image.png
  4. Enter a report name.
  5. Select Script and click Next. image.png
  6. On the Scope page, click New.
  7. Select Specific Objects and click Next twice. image.png
  8. Click Configure. image.png
  9. In the Display only objects that match the following LDAP filter field, enter the following filter: (objectCategory=group)
  10. Make sure that the Allow multiple selection option is enabled and click OK. image.png
  11. Click Finish.
  12. Click Next twice.
  13. In the Report-specific columns section, click Add. image.png
  14. Enter a column name (e.g. Group).
  15. Select Active Directory object and click Next. image.png
  16. Select Template.
  17. In the field below, enter a default value (e.g. empty). The value will never be present in the report and is only required to create the custom column. image.png
  18. Click Finish.
  19. Select Group By and then select the custom column from the drop-down list. image.png
  20. Click Next.
  21. Paste the below script into the corresponding field. In the script, the $groupColumnID variable specifies the identifier of the custom column that will contain groups. To get the identifier:
    • On the Columns step, right-click the custom column.
    • In the context menu, navigate to Copy and click Column ID.
    • The column identifier will be copied to clipboard.
$groupTypes = "(&(objectCategory=group)(|(!(groupType:1.2.840.113556.1.4.803:=2147483648))(groupType:1.2.840.113556.1.4.803:=2147483648)))"
$memberTypes = "(sAMAccountType=805306368)"
$membersPropertyName = "adm-DirectMembersGuid"

# Custom column identifiers
$groupColumnID = "{f5714376-4936-49c6-a663-bb56ba8a4243}"

# IDs of primary groups to exclude from the report
$primaryGroupIDs = @{ 513="Domain Users"; 515="Domain Computers"; 516="Domain Controllers"; 521="RODCs" }

# Search filter
$filter = "(|" + $groupTypes + ")"
$Context.DirectorySearcher.AppendFilter($filter)
$filterMembers = "(|" + $memberTypes + ")"

# Add properties necessary to generate the report
$propertiesForMembers = $Context.DirectorySearcher.GetPropertiesToLoad()
$propertiesForGroups = @("objectClass", "objectGuid", "distinguishedName", "primaryGroupToken")
$Context.DirectorySearcher.SetPropertiesToLoad($propertiesForGroups)

# Create a hash table to map member GUIDs to search results
$guidComparer = $Context.CreatePropertyValueComparer("objectGuid")
$memberGuidToSearchResult = New-Object System.Collections.Hashtable @($guidComparer)

# Generate report
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current

        # Exclude well-known primary groups
        $primaryGroupID = $searchResult.GetPropertyByName("primaryGroupToken").Values[0]
        if ($primaryGroupIDs.Contains($primaryGroupID))
        {
            continue
        }

        $groupDN = $searchResult.GetPropertyByName("distinguishedName").Values[0]

        # Get GUIDs of the group members
        $group = $Context.BindToObjectBySearchResult($searchResult)
        try
        {
            $memberGuids = $group.GetEx($membersPropertyName)
        }
        catch  [System.Runtime.InteropServices.COMException]
        {
            if ($_.Exception.ErrorCode -eq 0x8000500D) # E_ADS_PROPERTY_NOT_FOUND
            {
                # The group doesn't have any members
                $columnValues = @{ $groupColumnID = $groupDN; }
                if ($NULL -eq $styleNoMembers)
                {
                    $styleNoMembers = $Context.Items.CreateItemStyle("#3d3d3d", $NULL,
                        "ADM_LISTITEMFONTSTYLE_REGULAR")
                }
                $Context.Items.Add(-1, "<No members>", "Information", $columnValues, $styleNoMembers)
                continue
            }
            else
            {
                throw $_.Exception
            }
        }

        # Add group members to the report

        $guidsToSearch = $NULL
        # Add already found objects
        foreach ($memberGuid in $memberGuids)
        {
            if (-not $memberGuidToSearchResult.Contains($memberGuid))
            {
                if ($NULL -eq $guidsToSearch)
                {
                    $guidsToSearch = New-Object System.Collections.ArrayList
                }
                $guidsToSearch.Add($memberGuid)
            }
            else
            {
                $memberSearchResult = $memberGuidToSearchResult[@(,$memberGuid)][0]
                $clonedSearchResult = $memberSearchResult.Clone($False)
                $columnValues = @{ $groupColumnID = $groupDN; }
                $Context.Items.Add($clonedSearchResult, $columnValues, $NULL)
            }
        }

        if ($NULL -eq $guidsToSearch)
        {
            continue
        }

        # Search for members
        $memberSearcher = $Context.CreateGuidBasedSearcher($guidsToSearch)
        $memberSearcher.SetPropertiesToLoad($propertiesForMembers)
        $memberSearcher.AppendFilter($filterMembers)
        try
        {
            $memberSearchIterator = $memberSearcher.ExecuteSearch()
            while ($Context.MoveNext($memberSearchIterator))
            {
                $memberSearchResult = $memberSearchIterator.Current

                # Remember the search result
                $memberGuid = $memberSearchResult.GetPropertyByName("objectGuid").Values[0]
                $memberGuidToSearchResult[$memberGuid] = $memberSearchResult.Clone($False)

                # Add the object to the report
                $columnValues = @{ $groupColumnID = $groupDN; }
                $Context.Items.Add($memberSearchResult, $columnValues, $NULL)
            }
        }
        finally
        {
            if ($memberSearchIterator) { $memberSearchIterator.Dispose() }
        }
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}
  1. Click Next and finish creating the report.
by (480 points)
0

Thank you! This worked perfectly!

by (0 points)
0

I created this report but it doesn't seem to pull indirect members (nested groups) How can I update it so that either the groups inside the group is listed or indirect members are shown.

by (307k points)
0

Hello,

To achieve the desired, set the variables in the script as below. Pay attention that the script only works in Adaxes 2021.1 and older. It will not work in Adaxes 2023 and later.

$groupTypes = "(&(objectCategory=group)(|(!(groupType:1.2.840.113556.1.4.803:=2147483648))(groupType:1.2.840.113556.1.4.803:=2147483648)))"
$memberTypes = "(objectCategory=group)(sAMAccountType=805306368)"
$membersPropertyName = "adm-MembersGuid"

Related questions

Deleting an AD group is not being detected as a change of membership in its parent groups.

I created a group Business Rule that triggers "After adding or removing a member from a group". On its Activity Scope I added a test group, and set it for "The group ... does not trigger. What should I do to make the BR detect this (admittedly rare) case?

asked Mar 16, 2023 by alex.vanderwoude (60 points)
0 votes
1 answer
Report of all enabled users in selected group or multiple groups.

I need to create a report of all enabled users in selected group or multiple groups. I am aware of the report named "Members of selected groups", but I don't know how to filter only enabled users. Is there a way to achieve this?

asked May 28, 2024 by gsoc.ssm (90 points)
0 votes
1 answer
How to generate a report of group members of multiple selected groups

I am trying to make a custom report that is basically the "Members of Groups" default report but instead of selecting Directory Objects, I want to select groups. The Members of ... will not work in Adaxes 2023 and later. I am running 2023.2 -- Suggestions?

asked Aug 13, 2024 by AvenuesRecovery (70 points)
0 votes
1 answer
Users Membership in Groups Report

I recently updated to Adaxes 2023.2 from 2021.x. We have a weekly email that goes out documenting users membership in groups and it is helpful for a historical look at ... entry doesn't contain the property 'primaryGroupToken'." Stack trace: at , : line 34

asked May 29, 2023 by jbadry (450 points)
0 votes
1 answer
Custom report to show requests for subset of AD groups in environment?

I'd like to create a a custom report to show any approval requests (Approved, Pending, and Rejected) for membership in certain AD groups within our domain. These groups grant users ... " (Just In Time) in the name of the group. Is something like this possible?

asked Mar 30, 2020 by sirslimjim (480 points)
0 votes
1 answer