Technology Solutions for Everyday Folks

Count of AD Groups Ranked by Members

A week ago, someone on one of our more generalized Slack channels asked if anyone knew how to make the AD Users and Computers (ADUC) filter mechanism rank output based on a group membership count. Now, I don't necessarily understand (or honestly, care) about the particular use case, but I knew the answer was going to be 'no, that can't be done by way of the GUI.' Which was the first part of my answer.

Enter PowerShell

The second part of my answer, though, was that this can certainly be done with a little bit of PowerShell. There was really no other chatter about the topic, other than an 'I might have to give that a look...' response, which I totally interpreted as a 'Damn, I don't know anything about not.'

I had a bit of time that afternoon while I monitored another project, which meant I wasn't going to get into any other projects anyway. And I knew I had about 80% of the necessary bits in other simple scripts I have needed for various AD group I did a little digging and crafting. After a few minutes and a couple of trials, I had crafted this:

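# Requires the ActiveDirectory module (RSAT); no error handling.
# Find groups whose Name matches the pattern; @() keeps .Count reliable for a single match.
$groups = @(Get-ADGroup -Filter 'Name -like "PATTERNGOESHERE*"' |
     Select-Object Name, SamAccountName);
"There are " + $groups.Count + " matching groups.";
# Build one record per group: display name plus recursive member count.
$groupDetails = ForEach ($grp in $groups) {
     New-Object PSObject -Property @{'Group Name'=$grp.Name;Count=
          @(Get-ADGroupMember $grp.SamAccountName -Recursive).Count};
}
# Rank the groups by member count, largest first.
$groupDetails | Sort-Object -Property Count -Descending |
     Select-Object 'Group Name', Count;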

Now there is zero error handling or other checking (including that of the prerequisite AD module) going on in this—it's super functional and super specific for a particular use case. Ultimately it does four things:

  1. Obtains a list of the AD groups matching a certain pattern, including the SamAccountName (important);
  2. Spits out the number of matching groups as text;
  3. Creates a record set of results, each with two properties: Group Name and Count; and
  4. Sorts the list of results by Count (descending) and spits it out as text.

There are plenty of ways to make this better, prettier, more useful (especially if it were to be included as part of something larger), but it totally works and provides the necessary information.

Something I Learned

The original cut of this didn't include the SamAccountName property, and I discovered something interesting and unusual. For one of the groups I'd pattern matched, Past Me must have changed the display name to something slightly more friendly. That caused one iteration of the ForEach loop to fail. Changing this to use SamAccountName then matched all records, but the output of the script still reports the friendlier display name.
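
One way to harden the snippet along the lines mentioned above, as an added example (not the author's script or gist): it checks for the ActiveDirectory module, looks each group up by DistinguishedName so a Name mismatch like the one described here cannot break the lookup, and records per-group failures instead of losing them. The function name Get-ADGroupMemberRanking, the NamePattern parameter and the allowed-character list are assumptions made for this example.

```powershell
function Get-ADGroupMemberRanking {
    [CmdletBinding()]
    param(
        # Wildcard pattern for the group Name. The allowed characters (an assumption)
        # exclude quotes, so the value cannot terminate the quoted filter string.
        [Parameter(Mandatory)]
        [ValidatePattern('^[\w .\-*]+$')]
        [string]$NamePattern
    )

    # Stop with a clear message if the prerequisite AD module is missing.
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        throw 'The ActiveDirectory module (RSAT) is not installed on this machine.'
    }
    Import-Module ActiveDirectory -ErrorAction Stop

    $groups = @(Get-ADGroup -Filter "Name -like '$NamePattern'" -ErrorAction Stop)
    Write-Verbose ("There are {0} matching groups." -f $groups.Count)

    $results = foreach ($grp in $groups) {
        $count = $null; $err = $null
        try {
            # DistinguishedName is unambiguous even when the Name and
            # SamAccountName of a group differ.
            $count = @(Get-ADGroupMember -Identity $grp.DistinguishedName `
                           -Recursive -ErrorAction Stop).Count
        }
        catch {
            # Keep the group in the output and record why the lookup failed.
            $err = $_.Exception.Message
        }
        [pscustomobject]@{
            'Group Name'   = $grp.Name
            SamAccountName = $grp.SamAccountName
            Count          = $count
            Error          = $err
        }
    }

    # Largest groups first.
    $results | Sort-Object -Property Count -Descending
}

# Example call using the placeholder pattern from the original snippet.
Get-ADGroupMemberRanking -NamePattern 'PATTERNGOESHERE*' -Verbose |
    Format-Table 'Group Name', Count, Error -AutoSize
```

Because the function emits objects rather than text, the same output can be piped to Export-Csv or filtered with Where-Object instead of Format-Table.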

Share Away!

After that little brain break exercise, I shared the simple script with the individual who'd asked via DM. No questions asked, just mentioned it would be a good stepping stone/starting point for their particular needs. And it was during that exchange I discovered that I had indeed interpreted correctly—they'd never really used PowerShell in that way before and were super thankful for the gesture. I received a wonderful thank you from them...and that was a good way to end that week.

Will I ever use this particular snippet? Probably not. But the act of helping did get me thinking about how certain permutations of this script might come in helpful for some other simple analysis down the road. You never know.

If you'd like to use it as a stubout, I created a gist to get you started!

Headline image via SWOOP Analytics