
Get AdGroup Managed by User in Active Directory

The PowerShell Get-ADGroup cmdlet gets one or more Active Directory groups based on search criteria. It returns information such as the group name, description, the user who manages the group (the group owner), the members of the group, and more.

Get-ADGroup can filter on the ManagedBy property to retrieve the groups managed by a specified user in Active Directory.

In this article, I will explain how to use Get-ADGroup to find the groups managed by a user, along with the group properties.

An Active Directory group has a ManagedBy property that identifies the user or group that manages it.

In the SalesLeader AD group below, the Managed By tab in the group properties dialog displays the name of the AD user who manages the group (Tom Smith).

Ad-Group Managed by User

Let’s find all AD groups managed by a user with an example using the Get-ADGroup cmdlet in PowerShell.

Get-AdGroup Managed by User

Run the following command to get the AD groups managed by a user:

 Get-ADGroup -LDAPFilter "(ManagedBy=$((Get-ADuser -Identity Toms).distinguishedname))"

In the above PowerShell script, the Get-ADGroup cmdlet uses the LDAPFilter parameter to find all groups whose ManagedBy attribute equals the distinguished name of the AD user Toms, which is retrieved with the Get-ADUser Identity parameter.

The command returns all AD groups managed by the user Toms. Its output is:

Find all groups managed by user

Find all groups managed by user in OU

The command above finds all groups managed by the user across the entire Active Directory. A large organization, however, has an Active Directory structure made up of domains, trees, and forests, with AD objects configured within it.

To find all groups managed by the user in a specific OU (organizational unit), run the command below:

 Get-ADGroup -LDAPFilter "(ManagedBy=$((Get-ADuser -Identity Toms).distinguishedname))" -SearchBase "OU=SALES,DC=SHELLPRO,DC=LOCAL"

In the above PowerShell script, Get-ADGroup uses the LDAPFilter parameter to find all AD groups managed by the user specified with the Get-ADUser Identity parameter, limited to the OU specified with the Get-ADGroup SearchBase parameter.

It retrieves all the groups managed by the user in that OU, with the output shown below:

PS C:\Windows\system32> Get-ADGroup -LDAPFilter "(ManagedBy=$((Get-ADuser -Identity Toms).distinguishedname))" -SearchBase "OU=SALES,DC=SHELLPRO,DC=LOCAL"


DistinguishedName : CN=SALESLeader,OU=SALES,DC=SHELLPRO,DC=LOCAL
GroupCategory     : Security
GroupScope        : Global
Name              : SALESLeader
ObjectClass       : group
ObjectGUID        : 5735e7da-2b27-44cb-a91d-96d648eaa8fc
SamAccountName    : SALESLeader
SID               : S-1-5-21-1326752099-4012446882-462961959-3105
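
The two queries above interpolate the user's distinguished name straight into the LDAP filter, which breaks or mis-parses the filter when the DN contains filter metacharacters such as a backslash or parentheses. The following is an added example, not code from the original article, that escapes the DN per RFC 4515 before querying; the function names ConvertTo-LdapFilterValue and Get-ADGroupManagedBy are hypothetical, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: helper names are hypothetical, not part of the ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515: \ * ( ) and NUL must be written as a backslash plus two hex digits.
    # The backslash is replaced first so later escapes are not double-encoded.
    $Value -replace '\\', '\5c' `
           -replace '\*', '\2a' `
           -replace '\(', '\28' `
           -replace '\)', '\29' `
           -replace '\x00', '\00'
}

function Get-ADGroupManagedBy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity,   # user to look up, e.g. Toms
        [string]$SearchBase                        # optional OU to limit the search
    )
    # Resolve the user; stop if the account does not exist.
    $user = Get-ADUser -Identity $Identity -ErrorAction Stop
    $dn   = ConvertTo-LdapFilterValue -Value $user.DistinguishedName

    $params = @{
        LDAPFilter = "(managedBy=$dn)"
        Properties = 'ManagedBy', 'Description'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADGroup @params |
        Select-Object Name, GroupCategory, GroupScope, DistinguishedName, ManagedBy
}

# Constructed DN showing the escaping on its own (no directory access needed).
ConvertTo-LdapFilterValue -Value 'CN=Smith\, Tom (Sales),OU=SALES,DC=SHELLPRO,DC=LOCAL'

# Same searches as in the article: whole directory, then a single OU.
Get-ADGroupManagedBy -Identity Toms
Get-ADGroupManagedBy -Identity Toms -SearchBase 'OU=SALES,DC=SHELLPRO,DC=LOCAL'
```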

Conclusion

In this article, we learned how to find all groups managed by a user in Active Directory, or in a specific OU, using the Get-ADGroup and Get-ADUser cmdlets in PowerShell.

The Get-ADGroup cmdlet gets AD group properties and Get-ADUser gets user properties. Using its LDAPFilter parameter, Get-ADGroup searches the groups in Active Directory, and the ManagedBy attribute identifies the group owner and the groups managed by that owner.

You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.