Report Showing Group Membership in Multiple AD Groups - But broken out by group?

Question

Hello,

I have 3 groups in my AD environment and want to show all the users that belong to each group. For example -

Group 1 Group 2 Group 3

The existing report in the Adaxes console called "Members of Selected Groups" will return all the users that belong to these 3 groups but it doesnt separate them out by group. For example if I were to run that report on the portal it would just return a single list of users -

User A User B User C User D etc.

What I want it to do is return a list of all the users who belong to those 3 groups but broken out by each group. For example -

Group 1

• User A
• User B

Group 2 -User C

Group 3 -User B -Usser D

etc.

Is there a way to create a report like this?

Thank you in advance!

Comments

Hello,

Yes, it is possible. Do we understand correctly, that each list should contain all members of a group no matter if they are members of the other selected groups? Any additional details regarding the desired report will be much appreciated.

---

Hello,

Yes that's correct.

Each list of users for each group should be independent from the other groups. So even if 'USER A' is in 3 groups scoped out in the report we want 'USER A' to show up 3 times (Once in each group)

Hopefully this helps! Let me know if I can provide any additional clarifying info.

Thanks!

---

Hello,

Thank you for the confirmation. Please, specify whether the report should only include direct members of the selected groups or all of them (including members of the nested groups). Also, should the report only include users that are members of the groups or also objects of other types (e.g. computers)?

---

Hello,

The report should include all members of the group (including indirect users)

The only member objects we care about in this case are Users.

Answer 1

Hello,

Thank you for the provided details. To create the report:

1. Launch Adaxes Administration Console.
2. In the Console Tree, right-click your service node.
3. In the context menu, navigate to New and click Report.
4. Enter a report name.
5. Select Script and click Next.
6. On the Scope page, click New.
7. Select Specific Objects and click Next twice.
8. Click Configure.
9. In the Display only objects that match the following LDAP filter field, enter the following filter: (objectCategory=group)
10. Make sure that the Allow multiple selection option is enabled and click OK.
11. Click Finish.
12. Click Next twice.
13. In the Report-specific columns section, click Add.
14. Enter a column name (e.g. Group).
15. Select Active Directory object and click Next.
16. Select Template.
17. In the field below, enter a default value (e.g. empty). The value will never be present in the report and is only required to create the custom column.
18. Click Finish.
19. Select Group By and then select the custom column from the drop-down list.
20. Click Next.
21. Paste the below script into the corresponding field. In the script, the $groupColumnID variable specifies the identifier of the custom column that will contain groups. To get the identifier:
    • On the Columns step, right-click the custom column.
    • In the context menu, navigate to Copy and click Column ID.
    • The column identifier will be copied to clipboard.

$groupTypes = "(&(objectCategory=group)(|(!(groupType:1.2.840.113556.1.4.803:=2147483648))(groupType:1.2.840.113556.1.4.803:=2147483648)))"
$memberTypes = "(sAMAccountType=805306368)"
$membersPropertyName = "adm-DirectMembersGuid"

# Custom column identifiers
$groupColumnID = "{f5714376-4936-49c6-a663-bb56ba8a4243}"

# IDs of primary groups to exclude from the report
$primaryGroupIDs = @{ 513="Domain Users"; 515="Domain Computers"; 516="Domain Controllers"; 521="RODCs" }

# Search filter
$filter = "(|" + $groupTypes + ")"
$Context.DirectorySearcher.AppendFilter($filter)
$filterMembers = "(|" + $memberTypes + ")"

# Add properties necessary to generate the report
$propertiesForMembers = $Context.DirectorySearcher.GetPropertiesToLoad()
$propertiesForGroups = @("objectClass", "objectGuid", "distinguishedName", "primaryGroupToken")
$Context.DirectorySearcher.SetPropertiesToLoad($propertiesForGroups)

# Create a hash table to map member GUIDs to search results
$guidComparer = $Context.CreatePropertyValueComparer("objectGuid")
$memberGuidToSearchResult = New-Object System.Collections.Hashtable @($guidComparer)

# Generate report
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current

        # Exclude well-known primary groups
        $primaryGroupID = $searchResult.GetPropertyByName("primaryGroupToken").Values[0]
        if ($primaryGroupIDs.Contains($primaryGroupID))
        {
            continue
        }

        $groupDN = $searchResult.GetPropertyByName("distinguishedName").Values[0]

        # Get GUIDs of the group members
        $group = $Context.BindToObjectBySearchResult($searchResult)
        try
        {
            $memberGuids = $group.GetEx($membersPropertyName)
        }
        catch  [System.Runtime.InteropServices.COMException]
        {
            if ($_.Exception.ErrorCode -eq 0x8000500D) # E_ADS_PROPERTY_NOT_FOUND
            {
                # The group doesn't have any members
                $columnValues = @{ $groupColumnID = $groupDN; }
                if ($NULL -eq $styleNoMembers)
                {
                    $styleNoMembers = $Context.Items.CreateItemStyle("#3d3d3d", $NULL,
                        "ADM_LISTITEMFONTSTYLE_REGULAR")
                }
                $Context.Items.Add(-1, "<No members>", "Information", $columnValues, $styleNoMembers)
                continue
            }
            else
            {
                throw $_.Exception
            }
        }

        # Add group members to the report

        $guidsToSearch = $NULL
        # Add already found objects
        foreach ($memberGuid in $memberGuids)
        {
            if (-not $memberGuidToSearchResult.Contains($memberGuid))
            {
                if ($NULL -eq $guidsToSearch)
                {
                    $guidsToSearch = New-Object System.Collections.ArrayList
                }
                $guidsToSearch.Add($memberGuid)
            }
            else
            {
                $memberSearchResult = $memberGuidToSearchResult[@(,$memberGuid)][0]
                $clonedSearchResult = $memberSearchResult.Clone($False)
                $columnValues = @{ $groupColumnID = $groupDN; }
                $Context.Items.Add($clonedSearchResult, $columnValues, $NULL)
            }
        }

        if ($NULL -eq $guidsToSearch)
        {
            continue
        }

        # Search for members
        $memberSearcher = $Context.CreateGuidBasedSearcher($guidsToSearch)
        $memberSearcher.SetPropertiesToLoad($propertiesForMembers)
        $memberSearcher.AppendFilter($filterMembers)
        try
        {
            $memberSearchIterator = $memberSearcher.ExecuteSearch()
            while ($Context.MoveNext($memberSearchIterator))
            {
                $memberSearchResult = $memberSearchIterator.Current

                # Remember the search result
                $memberGuid = $memberSearchResult.GetPropertyByName("objectGuid").Values[0]
                $memberGuidToSearchResult[$memberGuid] = $memberSearchResult.Clone($False)

                # Add the object to the report
                $columnValues = @{ $groupColumnID = $groupDN; }
                $Context.Items.Add($memberSearchResult, $columnValues, $NULL)
            }
        }
        finally
        {
            if ($memberSearchIterator) { $memberSearchIterator.Dispose() }
        }
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}

21. Click Next and finish creating the report.

Comments

Thank you! This worked perfectly!

---

I created this report but it doesn't seem to pull indirect members (nested groups) How can I update it so that either the groups inside the group is listed or indirect members are shown.

---

Hello,

To achieve the desired, set the variables in the script as below. Pay attention that the script only works in Adaxes 2021.1 and older. It will not work in Adaxes 2023 and later.

$groupTypes = "(&(objectCategory=group)(|(!(groupType:1.2.840.113556.1.4.803:=2147483648))(groupType:1.2.840.113556.1.4.803:=2147483648)))"
$memberTypes = "(objectCategory=group)(sAMAccountType=805306368)"
$membersPropertyName = "adm-MembersGuid"