Un-nesting AD groups and getting roles

Hello everyone,

New here and hoping for help from the experts on this forum. I want to un-nest groups in AD and then find the AD roles and entitlements for these un-nested groups.

Thank you

Welcome to the forum. :wave:t4:

What kind of help do you need? Please notice: we do not deliver ready to use code or solutions on request. But we love to help you with your code.

If you haven’t any code yet you might search for examples and try to solve your problem yourself first. If you get stuck in this process you’re welcome to post your code here along with the errors if there are some and an explanation what’s not working as expected.

Thanks… Below was the script I was running, and I kept getting an error on the filter * level. I tried Import-Module -Name ActiveDirectory but that did not work either. Is my script flawed?

get-adgroup -filter * | sort name | ?{$_.Name -imatch “Marketing Sales Analyst”} | Get-AdGroupMember -Recursive |Select distinguishedName,SamAccountName,objectClass

First of all - when you post code or error messages please format it as code using the preformatted text button ( </> ).
Thanks in advance.

Second - when you get errors you should post these errors along with your code. Errors are important as they usually tell you what’s wrong.

Third - please do not use aliasses and format your code nicely as it makes your code easier to read and to understand - not just for others. :wink:

@Dazi are you receiving an error, or just nothing returned? I ran your code as you have it above (changing just the group name), and get the response I would expect:

Get-ADGroup -Filter * |
    Sort Name |
        ? {$_.Name -imatch "It Client Admin All"} |
            Get-ADGroupMember -Recursive | select DistinguishedName, SamAccountName, ObjectClass

Yes, there are ways to improve the code, and we can go through them once we get you over the hurdle you’re facing, but we were all on Day 1 once, so don’t take the chastisement too harshly :slight_smile:


I’m curious - did you improve the code or did you just format it a little nicer? If it’s the latter one how should that help Derek to get him over the hurdle?

And regardless of that - don’t you think as well that it would be more helpful not to use aliasses or abbreviations especially for beginners?


As I stated, the code I provided is the same as Derek’s, with the exception of changing the group name. This shows him (again as stated above) that the code as he has it works in a different environment. That, followed up with the question over whether he is seeing a specific error or simply no return at all, I think, goes a long way toward helping him overcome his hurdle - much more so than a simple “Did ya Google it?”

I agree that the forum should not be a place where people expect to put in an order and someone barfs up complete code for them. At the same time, however, everyone was once on Day 1, and that is something I try to remember. There is a vast difference between those who are unwilling to put in effort, and those that are brand new and are showing time invested (as Derek does here). For those showing effort, while suggestions like “search Google”, “Use the formatting button”, and “don’t use aliases” have their place, when that is ALL they receive without a modicum of willingness to assist, I doubt it makes them happy they decided to ask a question here. That is especially the case for new users, for whom these responses seem to be rote.

As to the use of aliasses [sic], I don’t believe there is a hard and fast best practice rule out there (if I am mistaken, by all means please correct me with a link); the closest I have seen is a couple of MS Dev Blogs that discuss when and where to use them. So there are definitely times when you should NOT use them, and I think our OP will learn that as he progresses with the language. I simply believe that an answer of “don’t use aliases”, when the OP has a specific issue, isn’t much help. I am willing to bet all of us, when just learning, favored functionality over readability; as our skills grew we picked up those other items. I just wouldn’t personally call a halt to assisting someone because their formatting was not to my preference.

I think you and I simply have different styles of helping, and I believe there is something of a language barrier as well. I am sure Derek will take the bits and pieces from both of us that he finds valuable, and apply them to his issue. Hopefully I answered your questions; I’ll stop the word-walls now so as not to muddy the OP’s thread any further. If you consider anything I have said incorrect, please don’t hesitate to message me, happy to debate :slight_smile:

Thank you, everyone, as you correctly pointed out @jlogan3o13 I am new, both to this forum and to PowerShell, so trying to learn the rules, the code and get help where I fall flat on my face, and so I apologize to everybody if my approach is wrong. I put it down to ignorance which is still no excuse.

I went away to do a bit more work and came up with the following, however, my output did not give me the DistinguishedName (the CN=). Happy if someone can let me know what I need to add to this code to get me over the line.

$Group=Get-ADGroup -Filter * |?{$_.Name -imatch "DAGR"} |select Name,objectclass

Foreach($grp in $group){

$Nested_Group_Detail= Get-ADGroupMember -Identity $grp.Name |?{$_.Objectclass -eq 'group'}
$Nested_Group_Detail |Select Name,Objectclass,DistinguishedName |Format-Table
}

As Jeremiah already wrote, your code actually works. What do you get when you run your code?

$GroupList = 
Get-ADGroup -Filter * | 
Where-Object -Property 'Name' -Match -Value 'dagr' 

Foreach ($Group in $GroupList) {
    Get-ADGroupMember -Identity $Group.sAMAccountName | 
    Where-Object -Property 'Objectclass' -EQ -Value 'group' |
    Select-Object -Property Name, Objectclass, DistinguishedName 
}

Could you please format your code as code here in the forum?
Thanks in advance
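
Added example, not code from any participant in this thread: `Get-ADGroupMember -Recursive` returns only the leaf members, and the loops above list one level of nested groups, so this sketch walks every level, records which group each member came through, and stops on circular nesting. `Expand-NestedGroup`, `-GetMembers`, `New-Stub` and the sample directory are hypothetical names and constructed data so the block runs without a domain.

```powershell
# Added example. Expand-NestedGroup and -GetMembers are hypothetical names.
# Against a real domain, pass: { param($dn) Get-ADGroupMember -Identity $dn }
function Expand-NestedGroup {
    param(
        [Parameter(Mandatory)] [string]      $GroupDN,
        [Parameter(Mandatory)] [scriptblock] $GetMembers
    )
    $comparer = [System.StringComparer]::OrdinalIgnoreCase
    $visited  = [System.Collections.Generic.HashSet[string]]::new($comparer)
    $queue    = [System.Collections.Generic.Queue[object]]::new()
    $queue.Enqueue([pscustomobject]@{ DN = $GroupDN; Depth = 1 })

    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        # Add() returns $false for a group already expanded (circular nesting)
        if (-not $visited.Add($current.DN)) { continue }

        foreach ($member in @(& $GetMembers $current.DN)) {
            # One row per membership edge, tagged with the group it came through
            [pscustomobject]@{
                Name              = $member.Name
                ObjectClass       = $member.objectClass
                DistinguishedName = $member.distinguishedName
                ParentGroup       = $current.DN
                Depth             = $current.Depth
            }
            if ($member.objectClass -eq 'group') {
                $queue.Enqueue([pscustomobject]@{
                    DN = $member.distinguishedName; Depth = $current.Depth + 1 })
            }
        }
    }
}

# Constructed sample directory (not real data): DAGR-EMEA and DAGR-UK nest each other.
$ou = 'OU=Demo,DC=example,DC=test'
function New-Stub($Name, $Class) {
    [pscustomobject]@{ Name = $Name; objectClass = $Class
        distinguishedName = "CN=$Name,$ou" }
}
$directory = @{}
$directory["CN=DAGR-Sales,$ou"] = (New-Stub DAGR-EMEA group), (New-Stub alice user)
$directory["CN=DAGR-EMEA,$ou"]  = (New-Stub DAGR-UK group),   (New-Stub bob user)
$directory["CN=DAGR-UK,$ou"]    = (New-Stub DAGR-EMEA group), (New-Stub carol user)

# Show only the nested groups, with the level and parent each was found under
Expand-NestedGroup -GroupDN "CN=DAGR-Sales,$ou" -GetMembers { param($dn) $directory[$dn] } |
    Where-Object ObjectClass -EQ 'group' |
    Format-Table Name, Depth, ParentGroup
```
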

oh thanks! I just tried again and it worked…I had a typo! thank you!

But I never said that!? :thinking:

It might not be official from MSFT but actually there is a document according to best practices and style:

And I don’t know that many but in all books I know there is at least once the recommendation to avoid aliasses at least in scripts and all good teachers and tutors will mention it at least once as well.
I think it would help especially beginners to write their code as verbose and descriptive as possible.

I would have liked a little more verbose explanation but anyway … :smirk:

I’d recommend to use VSCode to write your code. It helps avoid a lot of mistakes and some typos.

noted Olaf. Thanks.
I still have my stabilisers on in this game. still learning so yeah thanks

Glad you were able to work it out @Dazi :slight_smile: