export domain users & admins to csv - 2 columns

Hello,

I’m not very familiar with powershell and would need some (urgent) help: I need a script that exports the domain users and domain admins to a single csv file. So that in the first column the domain users are mentioned and in the second column “yes” or “no” if they are in the group “domain admins”.
Thank you very much for your help!

Why not just get a list of the domain admins instead of touching every AD account?

Get-ADGroupMember -Identity "Domain Admins"

I need a csv with 2 columns for an audit, it really needs to be that way :frowning:
thank you for your help!

Get-ADGroupMember -Identity "Domain Users" | Select Name | Export-csv -Path C:\Output\DomainUsers-GroupMembers.csv -NoTypeInformation
Get-ADGroupMember -Identity "Domain Admins" | Select Name | Export-csv -Path C:\Output\DomainAdmins-GroupMembers.csv -NoTypeInformation

Use these to export the information from AD to CSV and then just use Excel to get what you want.

Okay, thank you. But now I have two separate lists and I only need one with both columns combined (maybe this isn’t a PowerShell demand anymore).

$da = (Get-ADGroupMember 'domain admins').samaccountname;get-aduser -filter * | %{[pscustomobject]@{sam=$_.samaccountname;isDA=[bool]($_.samaccountname -in $da)}}

Dan,

as I said: I’m totally unfamiliar with powershell. When I enter your suggestion, it returns the error “you must provide a value expression on the right-hand side of the ‘-’ operator” (at char 154)

Furthermore, I think this doesn’t give me an export to csv, right? To do this, do I just need to add another “| export-csv path c:.…”?
thx again!

practice, practice, practice :slight_smile: remove the selection after you’re comfortable with the output.

$da = (Get-ADGroupMember 'domain admins').samaccountname

get-aduser -filter * | %{[pscustomobject]@{sam=$_.samaccountname;isDA=[bool]($_.samaccountname -in $da)}} | select -First 10 | export-csv dainfo.csv

I will Dan :slight_smile:

currently still the same error :frowning:

You must provide a value expression on the right-hand side of the '-' operator.
At C:\PowershellScripts\ExportDomainAdmins.ps1:3 char:97

+ get-aduser -filter * | %{[pscustomobject]@{sam=$_.samaccountname;isDA=[bool]($_.samaccountname - <<<< in $da)}} | select -First 10 | export-csv domain-admins.csv
    + CategoryInfo : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : ExpectedValueExpression

$da = (Get-ADGroupMember 'domain admins').samaccountname;$da.count;$users = get-aduser -filter * |select -First 10;$users.count

this looks good, script doesn’t return errors.
unfortunately the output is not correct: it gives me a single line “#TYPE System.Int32”

I don’t know where my text went in the last post. I wanted you to run that and tell me the output. There should be two numbers returned. Are there current members of the DA group?

yes, there are about 20 users in the group “Domain Admins”

type $da press enter, do you get output?

type one of the samaccountnames in the da group in the quotes here, what does it give you?

('samaccountname' -in $da)

typing $da in powershell doesn’t return any output
when I enter a samaccountname as you suggested I receive the same error as before:

You must provide a value expression on the right-hand side of the '-' operator.
ar:14

+ (‘—admin’ - <<<< in $da)
    + CategoryInfo : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : ExpectedValueExpression

so powershell is telling you that you do not have anything in the $da variable.

what does this get you? (Get-ADGroupMember 'domain admins').samaccountname

Unless you have a rather small directory the Domain Users group is HUGE! In some cases way too big for the AD Module. If I understand correctly the AD Module cmdlet will error out after it pulls 5000 objects and return nothing after that.

http://technet.microsoft.com/en-us/library/dd391908(WS.10).aspx

Search the page for: MaxGroupOrMemberEntries

Apparently you can set it higher with that.

Also, these are not cmdlet parameters, the article mentions:
These configuration parameters are stored in the Microsoft.ActiveDirectory.WebServices.exe.config file, under %WINDIR%\ADWS directory.

Here’s how I would do it.

Get-ADUser -filter * -Properties Memberof | select Name,@{Label="DA";Expression={If($_.MemberOf -join "" -match "CN=Domain Admins,"){"Yes"}Else{"No"}}}

Curtis,

your script is working perfectly, thanks! (thanks to the others too of course)

Jan
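
An added example, not code from any poster in this thread: a two-column CSV export that avoids the `-in` operator and `[pscustomobject]` (both need PowerShell 3.0), counts users who are Domain Admins through nested groups, and refuses to write a report when the admin list comes back empty. The function name `Get-AdminAuditRow`, the output file name and the sample accounts are assumptions made for illustration.

```powershell
# Added example, not code from the thread. Runs on PowerShell 2.0 and later.

function Get-AdminAuditRow {
    # Returns one object per user with two columns: User and DomainAdmin (yes/no).
    param(
        [Parameter(Mandatory = $true)] [object[]] $User,      # objects exposing SamAccountName
        [Parameter(Mandatory = $true)] [string[]] $AdminSam   # sAMAccountNames of the admins
    )
    foreach ($u in $User) {
        $flag = 'no'
        # -contains is case-insensitive and exists in 2.0 (-in needs 3.0).
        if ($AdminSam -contains $u.SamAccountName) { $flag = 'yes' }
        New-Object PSObject -Property @{ User = $u.SamAccountName; DomainAdmin = $flag } |
            Select-Object User, DomainAdmin   # fixes the column order in the CSV
    }
}

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    # Well-known RID 512 identifies Domain Admins even where the group name is localized.
    $daSid = '{0}-512' -f (Get-ADDomain).DomainSID.Value
    # -Recursive also returns users who are admins through nested groups.
    # ForEach-Object extracts the property; (...).SamAccountName on a collection needs 3.0.
    $admins = @(Get-ADGroupMember -Identity $daSid -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.SamAccountName })
    # Only the small admin group goes through Get-ADGroupMember; all users come from Get-ADUser.
    $users = @(Get-ADUser -Filter *)
} else {
    # Constructed sample data so the function can be tried without a domain.
    $admins = @('adm-jdoe')
    $users  = @('jdoe', 'ADM-JDOE', 'svc-backup') |
        ForEach-Object { New-Object PSObject -Property @{ SamAccountName = $_ } }
}

# Fail rather than write a report in which every user is silently marked "no".
if ($admins.Count -eq 0) { throw 'Domain Admins resolved to zero users; check the query.' }

Get-AdminAuditRow -User $users -AdminSam $admins |
    Export-Csv -Path .\domain-admin-audit.csv -NoTypeInformation
```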