Powershell list all dynamic groups with its membership rules?

Hi All. is there a powershell cmdlet or a script  that lets me list all dynamic groups together with the Membership rules? 

Parents
  • Listing Dynamic Groups is simple enough:

    Get-QADGroup -Dynamic $true -proxy

    However, the membership rules are not stored anywhere on a Dynamic Group in a friendly, human-readable format.

    You will find them on the computed Active Roles Virtual Attribute edsaDGConditionsList and you will also find them on the native Active Directory attribute accountNameHistory

    You could retrieve either of these attributes using something like this:

    (Get-QADGroup -Dynamic $true -proxy -IncludedProperties edsaDGConditionsList).edsaDGConditionsList

    The rules are organized in an XML blob and are tagged according to the rule type.

    0x1 entries are for "Include by Query"

    0x2 entries are for "Exclude by Query"

    0x3 entries are for "Include Explicitly"

    0x4 entries are for "Exclude Explicitly"

    0x5 entries are for "Include Group Members"

    0x6 entries are for "Exclude Group Members"

    Queries are stored as LDAP filters. Explicit references are stored as native objectGUID's.

Reply
  • Listing Dynamic Groups is simple enough:

    Get-QADGroup -Dynamic $true -proxy

    However, the membership rules are not stored anywhere on a Dynamic Group in a friendly, human-readable format.

    You will find them on the computed Active Roles Virtual Attribute edsaDGConditionsList and you will also find them on the native Active Directory attribute accountNameHistory

    You could retrieve either of these attributes using something like this:

    (Get-QADGroup -Dynamic $true -proxy -IncludedProperties edsaDGConditionsList).edsaDGConditionsList

    The rules are organized in an XML blob and are tagged according to the rule type.

    0x1 entries are for "Include by Query"

    0x2 entries are for "Exclude by Query"

    0x3 entries are for "Include Explicitly"

    0x4 entries are for "Exclude Explicitly"

    0x5 entries are for "Include Group Members"

    0x6 entries are for "Exclude Group Members"

    Queries are stored as LDAP filters. Explicit references are stored as native objectGUID's.

Children
  • thanks, will give that shoot. the reason for my question is that, we are using some AD attributes to determine what dynamic groups a user should be member of. but im a bit unsure if there is a group for all the values in that AD attribute. therefor wanted to search for dynamic groups that had those AD attribute defined in the membership rules

  • I wrote the below when looking for something similar to what you're looking for. You should validate it for your environment to make sure it meets your requirements.

    I've made use of the PSWriteColor module from PSGallery, written by Przemyslaw Klys. This makes outputting colourful text to screen easier. Just incase you don't want to use this module, I've commented out the install and import methods, as well as commenting out everyline calling "Write-Colour", just uncomment these as appropriate to enable on screen output

    # Install from Powershell Gallery https://www.powershellgallery.com/packages/PSWriteColor
    # Install-Module -Name PSWriteColor
    
    #Import-Module PSWriteColor
    
    Function Get-Type
    {
        Param
        (
            [string]$TypeCode=$null
        )
    
        Switch($TypeCode)
        {
            "0x1"{Return "Include by query"}
            "0x2"{Return "Exclude by query"}
            "0x3"{Return "Include explicitly"}
            "0x4"{Return "Exclude explicitly"}
            "0x5"{Return "Include group members"}
            "0x6"{Return "Exclude group members"}
            default{Return "Unknown"}
        }
    
    }
    
    Clear-Host
    
    $OutFile = "Dynamic Groups.csv"
    
    $DyanmicGroups = Get-QADGroup -Dynamic $true -proxy -IncludedProperties edsaDGConditionsList -searchRoot "OU=AD2,DC=Brodieman,DC=Uk"
    $DynamicGroups = $DyanmicGroups | Sort-Object Name
    
    $GroupCount = 0
    
    If($DynamicGroups.count -eq 0)
    {
        #Write-Colour -text "No dynamic groups were found" -Color Yellow
        return
    }
    
    "GroupNumber|GroupName|GroupDN|GroupType|GroupScope|RuleNumber|RAW Rule|RuleType|RuleTarget|RuleFilter" | Out-File -FilePath $OutFile
    
    
    ForEach($DynamicGroup in $DyanmicGroups)
    {
        $GroupCount = $GroupCount + 1
    
        #Write-Colour -Text "Dynamic Group: ","$GroupCount","/","$($DyanmicGroups.count)" -Color Yellow,White,Yellow,White -LinesBefore 1
    
        #Write-Colour -Text "`tGroup Name: ","$($DynamicGroup.Name)" -Color Yellow,White
        #Write-Colour -Text "`tGroup DN: ","$($DynamicGroup.DN)" -Color Yellow,White
        #Write-Colour -Text "`tGroup Type: ","$($DynamicGroup.GroupType)" -Color Yellow,White
        #Write-Colour -Text "`tGroup Scope: ","$($DynamicGroup.GroupScope)" -Color Yellow,White
    
        $MembershipRules = $DynamicGroup.edsaDGConditionsList.split("[]",[System.StringSplitOptions]::RemoveEmptyEntries)
        
        $Position = 0
    
        ForEach($MembershipRule in $MembershipRules)
        {
            $Position = $Position + 1
    
            #Write-Colour -Text "`t`tRule: ","$Position","/","$($MembershipRules.count)" -Color Yellow,White,Yellow,White -LinesBefore 1
    
            $MembershipRuleElements = @()
            $MembershipRuleElements = $MembershipRule.Split(";")
    
            $Type = Get-Type $MembershipRuleElements[0]
            #Write-Colour -Text "`t`t`tRAW: ","$MembershipRule " -Color Yellow,White
    
            #Write-Colour -Text "`t`t`tType: ","$Type " -Color Yellow,White
    
            $Object = Get-QADObject -identity $MembershipRuleElements[1] -UseGlobalCatalog
    
            If($object)
            {
                $Filter = ""
                If([int32]$MembershipRuleElements[0] -le 2)
                {
                    $ScopeType = "Target Group"
                    $Filter = $MembershipRuleElements[2]
                    #Write-Colour -Text "`t`t`tFilter: ","$($Filter)" -Color Yellow,White
                }
                ElseIf([int32]$MembershipRuleElements[0] -le 4)
    
                {
                    $ScopeType = "Explicit Member"
                }
                else
                {
                    $ScopeType = "Members of Group"
    
                }
            
                #Write-Colour -Text "`t`t`t$($ScopeType): ","$($Object.dn)" -Color Yellow,White
                 "`"$GroupCount`"|`"$($DynamicGroup.Name)`"|`"$($DynamicGroup.DN)|$($DynamicGroup.GroupType)|$($DynamicGroup.GroupScope)|$Position|`"$($MembershipRule)`"|`"$Type`"|`"$($Object.dn)`"|`"$Filter`"" | Out-File -FilePath $OutFile -NoClobber -Append
            }
            Else
            {
                #Write-Colour -Text "`t`t`t$($ScopeType): ","Invalid GUID. No object exists with the GUID $($MembershipRuleElements[1])" -color red,white
                "`"$GroupCount`"|`"$($DynamicGroup.Name)`"|`"$($DynamicGroup.DN)`"|`"$($DynamicGroup.GroupType)`"|`"$($DynamicGroup.GroupScope)`"|`"$Position`"|`"$($MembershipRule)`"|`"$Type`"|`"$($MembershipRuleElements[1]) does not exist`"|`"$Filter`"" | Out-File -FilePath $OutFile -NoClobber -Append
            }
        }
    }

    Hope this helps

  • thank you very much. ill give that i try and get back 

  • Thanks, Stu. This worked perfectly.