
I need to grab the members of a particular AD group and add them to an array. Using net group I can easily get the members of the AD group. However, I am not familiar with filtering on Windows. I just want to get the user names from the output.

    Group name     test
    Comment

    Members

    ---------------------------------------------------------------------
    mike                     tom                      jackie
    rick                     jason                    nick
    The command completed successfully.

I can't use the Get-ADGroupMember command in PowerShell. If there is a way to get the data and filter it using PowerShell, that is also OK.

  • You would need to use regular expressions to grab the usernames from the net group command. If it is just the get-adgroupmember cmdlet you can't use, you can always try the Quest cmdlets. Commented Oct 26, 2017 at 21:18
  • "I can't use Get-ADGroupMember" Why? Commented Oct 26, 2017 at 21:43
  • @AnsgarWiechers the system is owned by the IT team, so I can't install the AD module on it. Looks like it's easier to deal with the IT team to install the AD module. Commented Oct 27, 2017 at 13:53

2 Answers


Well, the good news is that there is rarely only one way to do things in PowerShell. Here's part of a larger script I have on hand for some group related things where I don't always have the AD module available (such as on servers that other teams own):

    $Identity = 'test'
    # Build the domain's base DN (dc=example,dc=com) from the DNS domain name
    $LDAP = "dc="+$env:USERDNSDOMAIN.Replace('.',',dc=')
    $Filter = "(&(sAMAccountName=$Identity)(objectClass=group))"
    $Searcher = [adsisearcher]$Filter
    $Searcher.SearchRoot = "LDAP://$LDAP"
    'Member','Description','groupType' | %{$Searcher.PropertiesToLoad.Add($_)|Out-Null}
    $Results=$Searcher.FindAll()
    # groupType is a bit field; map each flag to a readable name
    $GroupTypeDef = @{
        1='System'
        2='Global'
        4='Domain Local'
        8='Universal'
        16='APP_BASIC'
        32='APP_QUERY'
        -2147483648='Security'
    }
    If($Results.Count -gt 0){
        $Group = New-Object PSObject -Property @{
            'DistinguishedName'=[string]$Results.Properties.Item('adspath') -replace "LDAP\:\/\/"
            'Scope'=$GroupTypeDef.Keys|?{$_ -band ($($Results.properties.item('GroupType')))}|%{$GroupTypeDef.get_item($_)}
            'Description'=[string]$Results.Properties.Item('description')
            # Look up each member DN to find its most specific objectClass
            'Members'=[string[]]$Results.Properties.Item('member')|% -Begin {
                    $Searcher.PropertiesToLoad.Clear()
                    $Searcher.PropertiesToLoad.Add('objectClass')|Out-Null
                } {
                    $Searcher.Filter = "(distinguishedName=$_)"
                    [PSCustomObject][ordered]@{
                        'MemberType'=$Searcher.FindAll().Properties.Item('objectClass').ToUpper()[-1]
                        'DistinguishedName'=$_
                    }
                }
        }
        $Group|Select DistinguishedName,Scope,Description
        $Group.Members|FT -AutoSize
    }
    Else{"Unable to find group '$Identity' in '$env:USERDNSDOMAIN'.`nPlease check that you can access that domain from your current domain, and that the group exists."}

Here's one way to get the direct members of an AD group without using the AD cmdlets:

    param(
      [Parameter(Mandatory)]
      $GroupName
    )

    $ADS_ESCAPEDMODE_ON = 2
    $ADS_SETTYPE_DN = 4
    $ADS_FORMAT_X500 = 5

    function Invoke-Method {
      param(
        [__ComObject] $object,
        [String] $method,
        $parameters
      )
      $output = $object.GetType().InvokeMember($method,"InvokeMethod",$null,$object,$parameters)
      if ( $output ) { $output }
    }

    function Set-Property {
      param(
        [__ComObject] $object,
        [String] $property,
        $parameters
      )
      [Void] $object.GetType().InvokeMember($property,"SetProperty",$null,$object,$parameters)
    }

    $Pathname = New-Object -ComObject "Pathname"
    Set-Property $Pathname "EscapedMode" $ADS_ESCAPEDMODE_ON

    $Searcher = [ADSISearcher] "(&(objectClass=group)(name=$GroupName))"
    $Searcher.PropertiesToLoad.AddRange(@("distinguishedName"))
    $SearchResult = $searcher.FindOne()
    if ( $SearchResult ) {
      $GroupDN = $searchResult.Properties["distinguishedname"][0]
      Invoke-Method $Pathname "Set" @($GroupDN,$ADS_SETTYPE_DN)
      $Path = Invoke-Method $Pathname "Retrieve" $ADS_FORMAT_X500
      $Group = [ADSI] $path
      foreach ( $MemberDN in $Group.member ) {
        Invoke-Method $Pathname "Set" @($MemberDN,$ADS_SETTYPE_DN)
        $Path = Invoke-Method $Pathname "Retrieve" $ADS_FORMAT_X500
        $Member = [ADSI] $Path
        "" | Select-Object `
          @{
            Name="group_name"
            Expression={$Group.name[0]}
          },
          @{
            Name="member_objectClass"
            Expression={$member.ObjectClass[$Member.ObjectClass.Count - 1]}
          },
          @{
            Name="member_sAMAccountName";
            Expression={$Member.sAMAccountName[0]}
          }
      }
    }
    else {
      throw "Group not found"
    }

This version uses the Pathname COM object to handle name escaping and outputs the object class and sAMAccountName for each member of the group.
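Both answers interpolate the group name straight into the LDAP search filter. As an added example (not code from either answer), the sketch below escapes the value per RFC 4515 before building the filter and returns the direct user members' sAMAccountName values as an array, which is what the question asks for. The function names `ConvertTo-LdapFilterValue` and `Get-GroupMemberName` are hypothetical; it assumes a domain-joined machine and that users who hold the group only as their primary group are not needed, since `memberOf` does not list primary-group membership.

```powershell
# Added example; function names are hypothetical, not from the answers above.

# Escape the characters RFC 4515 reserves inside an LDAP filter value
# (\ * ( ) NUL) as \xx hex pairs so the value cannot alter the filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string] $Value)
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    })
}

# Return the sAMAccountName of each user that is a direct member of the group.
function Get-GroupMemberName {
    param([Parameter(Mandatory)][string] $GroupName)

    $safeName = ConvertTo-LdapFilterValue $GroupName
    $searcher = [adsisearcher]"(&(objectClass=group)(sAMAccountName=$safeName))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $group = $searcher.FindOne()
    if (-not $group) { throw "Group '$GroupName' not found" }

    # A DN can itself contain backslashes or parentheses, so escape it too.
    $safeDn = ConvertTo-LdapFilterValue ([string]$group.Properties['distinguishedname'][0])

    # Query users by memberOf rather than reading the group's member attribute,
    # which a single read returns only in ranges for large groups.
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(memberOf=$safeDn))"
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.Clear()
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) { [string]$r.Properties['samaccountname'][0] }
    }
    finally {
        $results.Dispose()   # SearchResultCollection holds unmanaged resources
    }
}

# 'test' is the group name from the question.
$members = @(Get-GroupMemberName -GroupName 'test')
$members
```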
