A reader sent in a question asking how to enumerate groups that have spaces in them, and this led me to realize I didn’t follow the specifications for valid distinguished names as well as I thought I had. If you take a look at RFC 2253 and the Microsoft page that defines security group names, you will see what the allowed characters are for these names. At this point the validation is a lot better, but it still isn’t perfect.
If you encounter a situation where you need to enumerate members of a group that my validation does not allow, you can scroll down to line 271 in the script and change the $rx variable to “.+”, which effectively turns the validation off and allows you to pass any characters. If you pass invalid characters you will get some funny errors, but it should work. You may have to use quotes around the name if you are looking to use spaces or other allowed special characters.
Taking another look at the code, I also found a small bug that was causing the display of notes associated with a group to print out an error about null strings. This should be fixed now. If anyone notices any other problems, feel free to comment and let me know and I will try to fix it or add in the change as soon as possible. I’ll be posting another update soon that goes the other direction of this script, one that enumerates group membership for a specific user.
Thanks again to Darren from Brisbane(?), Australia for pointing this out.
Here is the updated script download link: Download enumerate_groups.ps1
Note: Script updated on 2009/07/17 to fix two bugs. Read more here: http://www.tinyint.com/index.php/2009/07/17/enumerate-distribution-groups-script-updated/
In my organization, we make use of many different groups to separate departments and sub-groups of each department, and many groups build off of this. We also make use of Dynamic Distribution Groups to make things a bit easier on the admin side of things. When tasked with cleaning up these distribution groups and making them easier to manage, it was a bit difficult determining who was supposed to receive mail for what group.
This is because the Get-DistributionGroupMember cmdlet doesn’t have a parameter like –expand which will give you all of the child groups and their members as well. If you have a group called “Engineering” which has four child groups, one for each department, and each of those groups contains the individual mailboxes, when you perform “Get-DistributionGroupMember -Identity Engineering”, you will only see the four child groups, not the members of each of them. This became a big issue because of how much we rely on sub-groups in our organization, and after a lot of investigation it turned out there was no way to do this built directly into any cmdlet, so I wrote a script that would do this for me. If you need to recursively enumerate distribution group members you are unfortunately out of luck with built-in cmdlets.
There are a number of scripts out there that serve a similar purpose as the one I have created, but most do not handle mail contacts or dynamic distribution groups, so I figured if I am going to have to add functionality, I might as well write it myself from the ground up. So now, if you are ever in need of getting child members of a distribution group you can use this script to help you out.
One nice feature here is if you specify “-showTree” as a parameter, it will display a tree view of all the groups. Without -showTree it will just grab all child members and display them in a flat view. The script is pretty long because I included help text that displays if you run the script without any parameters, and for that reason I am just posting it as a download link. Hope this helps a few people out there who went through the same trouble I did finding out that there is no built-in way to do this!
Download Link: Download enumerate_groups.ps1
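
The recursive expansion described above, including dynamic distribution groups and mail contacts, can be sketched as follows. This is an added example and not the code from enumerate_groups.ps1; the function name `Expand-GroupMember` and its output fields are hypothetical. It assumes the Exchange Management Shell and PowerShell 3.0 or later.

```powershell
# Added example; Expand-GroupMember is a hypothetical name, not part of enumerate_groups.ps1.
# Assumes the Exchange Management Shell and PowerShell 3.0+ (for [pscustomobject]).
function Expand-GroupMember {
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [int]$Depth = 0,
        [hashtable]$Visited = @{}   # shared across the recursion to detect loops
    )

    # Resolve the name once; afterwards only the distinguished name is used, so
    # names with spaces or special characters never need re-quoting.
    $group = Get-Recipient -Identity $Identity -ErrorAction Stop
    $dn = "$($group.DistinguishedName)"

    # Circular nesting (A contains B, B contains A) would otherwise never end.
    if ($Visited.ContainsKey($dn)) { return }
    $Visited[$dn] = $true

    if ("$($group.RecipientType)" -eq 'DynamicDistributionGroup') {
        # A dynamic group stores a filter, not a member list: preview the filter.
        $ddg = Get-DynamicDistributionGroup -Identity $dn
        $members = Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
            -OrganizationalUnit $ddg.RecipientContainer -ResultSize Unlimited
    } else {
        $members = Get-DistributionGroupMember -Identity $dn -ResultSize Unlimited
    }

    foreach ($m in $members) {
        # Exchange group recipient types (MailUniversalDistributionGroup,
        # MailUniversalSecurityGroup, DynamicDistributionGroup, ...) end in "Group".
        $isGroup = "$($m.RecipientType)" -like '*Group'
        [pscustomobject]@{
            Depth   = $Depth
            Parent  = $group.Name
            Name    = $m.Name
            Type    = "$($m.RecipientType)"
            Address = "$($m.PrimarySmtpAddress)"
            IsGroup = $isGroup
        }
        if ($isGroup) {
            Expand-GroupMember -Identity "$($m.DistinguishedName)" -Depth ($Depth + 1) -Visited $Visited
        }
    }
}

# Flat list of everyone who receives mail sent to "Engineering":
# Expand-GroupMember -Identity 'Engineering' | Where-Object { -not $_.IsGroup } |
#     Sort-Object Address -Unique
```

The `Depth` and `Parent` fields are enough to render an indented tree, and comparing the flat list against the intended audience of a group is a quick way to spot recipients who inherit mail through a nested group they should not be in.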