In this guide, I’ll show you how to find nested group membership with PowerShell and the AD Pro Toolkit.
Nested groups are Active Directory groups that are members of another group. For example, I have two groups, IT_Folders and IT_Local; the IT_Folders group can be a member of the IT_Local group. Below are some options for searching Active Directory for nested groups.
Get Nested Group Membership using PowerShell
In this example, I’ll use the Get-ADGroupMember command to check a single group for members that are a group.
Step 1. Open PowerShell as Administrator.
Step 2. Copy and paste the command below. Change the group name to the group you want to check.
# Lists only the members of it_printers whose objectClass is 'group' (i.e. the nested groups)
Get-ADGroupMember -Identity it_printers | Where-Object { $_.objectClass -eq 'group' }
Option #2 AD Group Management Tool
In this example, I’ll use the AD Group Management Tool to scan all domain groups for nested groups.
Click on Group Reports -> Nested Groups and click Run. This will display all nested groups in your domain.
The AD Pro Toolkit includes over 200 built in reports.
Get Nested Group Membership for All Domain Groups
Instead of checking each group one at a time for nested groups, it would be much easier to run a command to check all groups. You can use the Get-ADGroup cmdlet and run a simple filter to find nested groups.
# Lists every group that is itself a member of at least one other group, with the parent group DN(s) in MemberOf
Get-ADGroup -Filter * -Properties MemberOf | Where-Object { $_.MemberOf -ne $null } | Select-Object Name, MemberOf
This displays all nested groups in the domain: the Name column is the child group and MemberOf is the distinguished name of each parent group it belongs to. For example, the group “Account_Local” has a member that is a group called “Accounting_Folders”.
Get Nested Groups Using the AD Group Management Tool
The group membership report tool is an easy-to-use GUI tool I created to simplify finding nested groups and group membership. This tool can display the parent group, subgroups, and members of the subgroup. It also displays several user attributes such as email, department, address, phone, city, state, and much more.
Download Free Trial of the group membership report tool.
Example 1. Get All Nested Active Directory Groups
Click on the nested groups report and click run.
In the screenshot above you can see I have 16 nested groups in my Active Directory. For example, Nest_group2 is a member of Nest_group1. You can expand the parent group to see its members.
Now you will have a list of all groups that are members of other groups.
To export the nested groups to a CSV file, click the export button.
Example 2. Nested Group Tree View Report
To get a hierarchy view of all nested groups run the nested groups tree view report.
In the example above, Nest_group1 has three group members. Some of those groups also have group members and so on. This can be very dangerous and provide users with unwanted permissions and access. This is difficult to find using PowerShell scripts and requires lots of manual steps. The AD Group Management Tool makes this very easy with just a click of the mouse. Loop detection will be added soon.
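The recursive walk and loop check described above, written out as an added PowerShell example (this is not the AD Pro Toolkit's code and not part of the original post; it also serves the "all domain groups" section, since you can run it for each group returned there). It assumes the ActiveDirectory module (RSAT) when run against a domain; the -ChildGroupsOf parameter is an assumed hook that lets you swap in any lookup, and the sample data at the bottom is constructed so the walk can be tried offline.

```powershell
# Added example: walk nested group membership recursively, print the hierarchy,
# and flag loops (A -> B -> A) instead of recursing forever.
function Get-NestedGroupTree {
    param(
        [Parameter(Mandatory)][string]$Group,
        # Returns the names of groups that are direct members of the given group.
        # Default uses Get-ADGroupMember (ActiveDirectory module required).
        [scriptblock]$ChildGroupsOf = {
            param($Name)
            Get-ADGroupMember -Identity $Name |
                Where-Object { $_.objectClass -eq 'group' } |
                Select-Object -ExpandProperty Name
        },
        [string[]]$Path = @(),   # groups on the current branch, root first
        [int]$Depth = 0
    )
    $indent = '  ' * $Depth
    if ($Path -contains $Group) {
        # Reaching a group already on this branch means the membership is circular.
        Write-Output ("{0}{1}  <-- LOOP via {2}" -f $indent, $Group, ($Path -join ' > '))
        return
    }
    Write-Output ("{0}{1}" -f $indent, $Group)
    $branch = $Path + $Group
    foreach ($child in (& $ChildGroupsOf $Group)) {
        Get-NestedGroupTree -Group $child -ChildGroupsOf $ChildGroupsOf -Path $branch -Depth ($Depth + 1)
    }
}

# Constructed sample data (not a real domain): Nest_group3 is nested back into
# Nest_group1, which the walk reports as a loop.
$sample = @{
    'Nest_group1' = @('Nest_group2', 'Nest_group3')
    'Nest_group2' = @('Nest_group4')
    'Nest_group3' = @('Nest_group1')
    'Nest_group4' = @()
}
Get-NestedGroupTree -Group 'Nest_group1' -ChildGroupsOf { param($Name) $sample[$Name] }

# Against a live domain, omit -ChildGroupsOf to use the Get-ADGroupMember lookup:
# Get-NestedGroupTree -Group 'Nest_group1'
```

Each line of output is one group indented by its nesting depth, and a loop line names the branch that led back to an already-visited group.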
View AD Group Membership
To check the membership of all or specific groups click on group reports > general > group members report.
By default this report runs against the entire domain; to limit the scope, click on browse or search.
For each member it displays, you can select to include several user/group attributes:
Username, Name, ObjectClass, Group, Group Type, Scope, Description, First Name, Last Name, Office, Telephone, Street Address, PO Box, City, State, Zip, Email, Title, Department, Company, Manager, Proxy Addresses, Initial, Display, and Homepage.
If you have questions please post them below in the comment section.
Conclusion
In this guide, I showed you how to find nested groups in Active Directory using PowerShell and the AD group management tool. Nested groups in AD can lead to unintended access permissions by inheriting rights from a parent group. Nested groups can be challenging to audit and report as groups can be nested in multiple groups and those groups can also be nested in other groups. It becomes complex and challenging for administrators. It can also be challenging to write a PowerShell script that finds all groups that are a member or a member of. The GUI group management tool makes reporting on nested groups very easy.
In Example 4, if I wanted to limit this to security groups only, and have the output show how many users are in the nested group, is there a way to do this?