Many of us use PowerShell Active Directory Module and have been stumbled upon this issue as this module does not have option to get indirect membership.
I have utilized Quest Active Directory module a lot and that has nice option to get nested group membership with -indirect parameter.
Get-QADGroupMember -Identity “Test Nested Group members” -Indirect
How to achieve the same behavior with inbuilt Active Directory module without relying on Third-party?
You can use Get-ADGroupMember -Identity “Test Nested Group” but it will not extract the members recursively.
I have written a function to extract the members recursively from any group that has nested groups.
Get-ADGroupMembersRecursive -Groups “Test Nested Group”
You can even extract different properties apart from default by using below example cmdlet
Get-ADGroupMembersRecursive -Groups “Test Nested Group” -Properties employeeid
You can also extract members from multiple groups recursively at the same time.
Get-ADGroupMembersRecursive -Groups “Test Nested Group1″ ,”Test Nested Group2”
I have updated this function in the new version of vsadmin module
Here is the function code:
Function Get-ADGroupMembersRecursive{
Param(
[Parameter(Mandatory = $true,ValueFromPipeline=$true)]
[ValidateNotNullOrEmpty()]
[String[]]$Groups,
[ValidateNotNullOrEmpty()]
[String[]]$Properties
)
Begin{
$Results = @()
[String[]]$defaultproperties = "distinguishedName","name","objectClass","objectGUID","SamAccountName","SID"
$Properties+=$defaultproperties
$Properties = $Properties | Sort-Object -Unique
}
Process{
ForEach($adobj in $Groups){
$getgroupdn = (Get-ADGroup -identity $adobj).DistinguishedName
$findallgroups = Get-ADGroup -identity $getgroupdn -Properties members| Select-Object -ExpandProperty members | get-adobject | Where-Object{$_.objectClass -eq "Group"} |Select DistinguishedName
$Results+=$getgroupdn
ForEach($Object in $findallgroups){
Get-ADGroupMembersRecursive $Object.DistinguishedName -Properties $Properties
}
}
}
End{
$Results = $Results | Select-Object -Unique
$collgroupmembers=@()
foreach($item in $Results){
$arrgroupmembers =@()
$arrgroupmembers = Get-ADGroup -id $item -Properties members | Select-Object -ExpandProperty members |get-adobject | Where-Object{$_.objectClass -eq "user"} | Get-ADUser -properties $Properties | Select-Object $Properties
$collgroupmembers+=$arrgroupmembers
}
$collgroupmembers
}
} #Get-ADGroupMembersRecursive
Thanks for reading and utilizing it..
Tech Wizard
Tech Wizard 
Pingback: PowerShell System Admin Module | Tech Wizard
Pingback: Check If AD User Is Member Of Group | Tech Wizard
Can you please add group name into the result. If we are retrieving recursively then we want know member’s group also.
I may add in next version if many people want it..
Pingback: Get AD Group Members Recursively V2 | Tech Wizard