A while back, I restructured my AD groups to match the AGUDLP best practice (Accounts go into Global groups, which go into Universal groups, which go into Domain Local groups, and Permissions are applied to the Domain Local groups).

Now, I’m working to align my domain groups with the permissions structure in other applications, so I can create some scripts to automate people changing roles, gaining new responsibilities, and other functions.

I used the Show-NetMap script from Doug Finke, which uses a Microsoft Research project called NetMap, to map out the nested groups in my Active Directory. 

I’d love any feedback or suggestions for using this script.

# Author: Steven Murawski http://www.mindofroot.com
# This script requires the Show-NetMap script from Doug Finke and the NetMap files
# These can be found at http://dougfinke.com/blog/?p=465
#
# Also required are the Quest AD Cmdlets.
#requires -pssnapin Quest.ActiveRoles.ADManagement
param([string]$SearchRoot = 'yourdomain.local/usersOU')

# One edge for the map: source = the nested group, target = the group that contains it
Function New-SourceTarget ($s, $t) {
    New-Object PSObject |
        Add-Member -PassThru NoteProperty source $s |
        Add-Member -PassThru NoteProperty target $t
}

# All security groups under the search root; only nesting between these groups is drawn
$groups = Get-QADGroup -GroupType Security -SearchRoot $SearchRoot
[string[]]$GroupNames = $groups | foreach {$_.name}

$sources = @()
foreach ($group in $groups)
{
    $name = $group.name
    foreach ($member in $group.members)
    {
        # Members are distinguished names. Pull out the CN (the member may sit in an OU or in a
        # container such as CN=Users) and keep it only if it names one of the groups found above.
        $SubGroupName = $member -replace '^CN=(.+?),(?:OU|CN)=.*', '$1'
        if ($GroupNames -contains $SubGroupName)
        {
            $sources += New-SourceTarget $SubGroupName $name
        }
    }
}

# Dot-source Show-NetMap and render the edge list
. c:\scripts\powershell\Show-NetMap
$sources | Show-NetMap
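The map only shows direct nesting; for the role-change automation the post is heading toward, the question is what a permission group effectively contains, and which permission groups a role group ultimately flows into. The following is an added example, not part of the original post and not part of Show-NetMap or the Quest cmdlets. It builds the same source/target edge list as the script above from a constructed hashtable that stands in for Get-QADGroup output (the group names, DNs and the functions Get-CNFromDN, Get-NestingEdges and Get-EffectiveNesting are all assumptions made here), then walks the edges transitively in either direction and reports circular nesting, which AD allows and which a naive recursive walk would never finish on.

```powershell
# Added example (not from the original post or from Show-NetMap): walk the
# nested-group edges offline to compute effective (transitive) nesting and to
# report circular nesting. The group data is constructed to stand in for
# Get-QADGroup output: key = group name, value = member distinguished names.
$constructedGroups = @{
    'DL_FileShare_Finance_RW' = @('CN=U_Finance_All,OU=Groups,DC=example,DC=local')
    'U_Finance_All'           = @('CN=G_Finance_Staff,OU=Groups,DC=example,DC=local',
                                  'CN=G_Finance_Managers,OU=Groups,DC=example,DC=local')
    'G_Finance_Staff'         = @('CN=Alice Example,OU=Users,DC=example,DC=local')
    'G_Finance_Managers'      = @('CN=Bob Example,CN=Users,DC=example,DC=local',
                                  'CN=G_Finance_Staff,OU=Groups,DC=example,DC=local')
    # Constructed circular nesting: G_Loop_A contains G_Loop_B, which contains G_Loop_A
    'G_Loop_A'                = @('CN=G_Loop_B,OU=Groups,DC=example,DC=local')
    'G_Loop_B'                = @('CN=G_Loop_A,OU=Groups,DC=example,DC=local')
}

# Same CN extraction as the post's script, accepting members that live in a
# container (CN=Users) as well as in an OU.
function Get-CNFromDN ([string]$dn) {
    $dn -replace '^CN=(.+?),(?:OU|CN)=.*', '$1'
}

# source = nested group, target = the group containing it: the same shape the
# post pipes into Show-NetMap, so this output can be rendered the same way.
function Get-NestingEdges ([hashtable]$groups) {
    $names = @($groups.Keys)
    foreach ($name in $names) {
        foreach ($memberDn in $groups[$name]) {
            $cn = Get-CNFromDN $memberDn
            if ($names -contains $cn) {
                [PSCustomObject]@{ source = $cn; target = $name }
            }
        }
    }
}

# Depth-first walk over the edges. Default direction is downward (what does
# this group effectively contain); -Upward follows containment the other way
# (which groups, and therefore which permissions, does this group flow into).
# A group already on the current path is reported as a cycle instead of being
# recursed into; a group fully explored earlier (a diamond) is listed once.
function Get-EffectiveNesting ($edges, [string]$root, [switch]$Upward) {
    $next = @{}
    foreach ($e in $edges) {
        if ($Upward) { $from = $e.source; $to = $e.target }
        else         { $from = $e.target; $to = $e.source }
        if (-not $next.ContainsKey($from)) {
            $next[$from] = [System.Collections.Generic.List[string]]::new()
        }
        $next[$from].Add($to)
    }
    $reached = [System.Collections.Generic.List[string]]::new()
    $cycles  = [System.Collections.Generic.List[string]]::new()
    $onPath  = @{}   # groups on the current DFS path
    $done    = @{}   # groups whose subtree is fully explored
    function Walk ([string]$node, [string[]]$path) {
        $onPath[$node] = $true
        if ($next.ContainsKey($node)) {
            foreach ($child in $next[$node]) {
                if ($onPath.ContainsKey($child)) {
                    $cycles.Add((($path + $child) -join ' -> '))
                } elseif (-not $done.ContainsKey($child)) {
                    $reached.Add($child)
                    Walk $child ($path + $child)
                }
            }
        }
        $onPath.Remove($node)
        $done[$node] = $true
    }
    Walk $root @($root)
    [PSCustomObject]@{
        Root      = $root
        Direction = $(if ($Upward) { 'up' } else { 'down' })
        Reached   = @($reached)
        Cycles    = @($cycles)
    }
}

$edges = Get-NestingEdges $constructedGroups
# Down: everything the permission group effectively contains (U_Finance_All, both G_ groups)
Get-EffectiveNesting $edges 'DL_FileShare_Finance_RW'
# Up: every group a role group flows into, ending at the permission group
Get-EffectiveNesting $edges 'G_Finance_Staff' -Upward
# The constructed loop is reported as G_Loop_A -> G_Loop_B -> G_Loop_A
Get-EffectiveNesting $edges 'G_Loop_A' | Select-Object -ExpandProperty Cycles
```

Matching members to groups by CN, as the post's script does, is convenient but loose: a user whose CN equals a group name would be drawn as a nested group. Comparing full distinguished names against the DNs returned for the groups avoids that if it matters in your directory.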



1. November 19th, 2008 at 10:24 am

   I’ve got the script to run w/out errors, but all I get is an empty white box when the gui pops up.

   Any suggestions? I’d like to see what this looks like..

2. November 19th, 2008 at 10:35 am

   Well, I backed off to the parent OU of the one I was trying to run, and it works now, but it doesn’t show me all of the child OUs. I’m not an AD guru, so maybe I’m expecting something else.

3. November 19th, 2008 at 1:58 pm

   Ok.. Jason challenged me.. I’m going to expand this to map an Active Directory..

4. David Moravec
   November 20th, 2008 at 4:16 am

   Hi Steve,
   it’s awesome. I love this script 🙂 Thanks for that.

