AD Group Membership Visualisation



I’m amazed that I haven’t previously had a need for something like this, but I was looking for some way to visualise AD group memberships, specifically to take into account fairly deeply nested groups. After a fair bit of searching, a lot of dead-ends and some products that seriously over-sold themselves, I came across this little beauty:

https://gallery.technet.microsoft.com/scriptcenter/Graph-Nested-AD-Security-eaa01644

It’s a PowerShell module which extracts group memberships for a User, Group or OU (well, everything in that OU anyway) and writes a Graphviz file that gives a functional, if not very pretty, visualisation of the group nesting hierarchy. The output looks something like this:

[Image: sample output of Draw-ADSecurityGroupNesting]

Extremely handy if you’re trying to get a better idea of how your group nesting shakes out, or where you may have circular memberships or redundant groups. Nesting is also where effective privilege hides: a user three levels down a chain ends up in Domain Admins without ever appearing in its direct member list, so a picture of the nesting is worth having before any access review.
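As an added example for this post (not the Draw-ADSecurityGroupNesting module linked above, nor code from its author), here is a small PowerShell walker that does the same job from first principles: it expands nested groups downward from a starting group with the RSAT ActiveDirectory module, emits Graphviz DOT with the edges that close a cycle drawn in red, and reports circular nesting and redundant direct memberships (a principal listed directly in a group that it already reaches through a nested group). It assumes the ActiveDirectory module is installed and the caller can read group objects; 'Domain Admins' in the usage lines is only a placeholder root group.

```powershell
# Added example (not the Draw-ADSecurityGroupNesting module linked above). Assumes the RSAT
# ActiveDirectory module is installed and the caller can read group objects in the domain.
Import-Module ActiveDirectory

function Get-NestedGroupGraph {
    # Expand nested groups downward from one root group; return the edges, every
    # circular nesting found, and redundant direct memberships.
    param([Parameter(Mandatory)][string]$GroupName)   # sAMAccountName or DN of the root group
    $edges     = [System.Collections.Generic.List[object]]::new()
    $cycles    = [System.Collections.Generic.List[string]]::new()
    $redundant = [System.Collections.Generic.List[string]]::new()
    $visited   = [System.Collections.Generic.HashSet[string]]::new()   # group DNs already expanded
    $label     = @{}                                                   # DN -> sAMAccountName

    function Walk([string]$Dn, [string[]]$Path) {
        $group = Get-ADGroup -Identity $Dn -Properties member
        $label[$group.DistinguishedName] = $group.SamAccountName
        foreach ($memberDn in $group.member) {
            $obj  = Get-ADObject -Identity $memberDn -Properties objectClass, sAMAccountName
            $name = if ($obj.sAMAccountName) { $obj.sAMAccountName } else { $obj.Name }
            $label[$memberDn] = $name
            $edge = [pscustomobject]@{ From = $group.SamAccountName; To = $name; Kind = [string]$obj.objectClass; Cycle = $false }
            $edges.Add($edge)
            if ($edge.Kind -ne 'group') { continue }
            if ($Path -contains $memberDn) {
                # Back-edge to a group already on the current path: circular nesting.
                $edge.Cycle = $true
                $chain = ($Path + $memberDn) | ForEach-Object { $label[$_] }
                $cycles.Add(($chain -join ' -> '))
                continue
            }
            # Each group is expanded once; the visited set bounds the recursion.
            if ($visited.Add($memberDn)) { Walk $memberDn ($Path + $memberDn) }
        }
    }
    $root = Get-ADGroup -Identity $GroupName
    [void]$visited.Add($root.DistinguishedName)
    Walk $root.DistinguishedName @($root.DistinguishedName)

    # Redundant direct membership: a non-group principal listed directly in a group
    # that also reaches that group through one of the groups nested below it.
    $byFrom = @{}
    foreach ($e in $edges) {
        if (-not $byFrom.ContainsKey($e.From)) { $byFrom[$e.From] = @() }
        $byFrom[$e.From] += $e
    }
    foreach ($g in $byFrom.Keys) {
        $below = [System.Collections.Generic.HashSet[string]]::new()   # groups reachable under $g
        $stack = [System.Collections.Generic.Stack[string]]::new()
        $stack.Push($g)
        while ($stack.Count -gt 0) {
            $cur = $stack.Pop()
            foreach ($e in $byFrom[$cur]) {
                if ($e.Kind -eq 'group' -and $below.Add($e.To)) { $stack.Push($e.To) }
            }
        }
        foreach ($direct in $byFrom[$g]) {
            if ($direct.Kind -eq 'group') { continue }
            foreach ($sub in $below) {
                if ($sub -eq $g) { continue }   # a cycle back to $g is already in Cycles
                foreach ($e in $byFrom[$sub]) {
                    if ($e.Kind -ne 'group' -and $e.To -eq $direct.To) {
                        $redundant.Add("$($direct.To): direct member of $g, also a member via $sub")
                    }
                }
            }
        }
    }
    [pscustomobject]@{ Root = $root.SamAccountName; Edges = $edges; Cycles = $cycles; Redundant = $redundant }
}

function ConvertTo-GroupDot {
    # Render as Graphviz DOT: groups as boxes, other principals as ellipses, nesting
    # edges solid, plain memberships dashed, edges that close a cycle red.
    param([Parameter(Mandatory)]$Graph)
    $q = { param($s) '"' + ($s -replace '\\', '\\' -replace '"', '\"') + '"' }   # quoted DOT string
    $kind  = @{}
    $lines = [System.Collections.Generic.List[string]]::new()
    $lines.Add("digraph $(& $q "nesting under $($Graph.Root)") {")
    $lines.Add('  rankdir=LR;')
    foreach ($e in $Graph.Edges) {
        if (-not $kind.ContainsKey($e.From)) { $kind[$e.From] = 'group' }
        $kind[$e.To] = $e.Kind
        $attr = 'color=gray, style=dashed'
        if ($e.Kind -eq 'group') { $attr = 'color=black' }
        if ($e.Cycle)            { $attr = 'color=red, penwidth=2' }
        $lines.Add("  $(& $q $e.From) -> $(& $q $e.To) [$attr];")
    }
    foreach ($n in $kind.Keys) {
        $shape = if ($kind[$n] -eq 'group') { 'box' } else { 'ellipse' }
        $lines.Add("  $(& $q $n) [shape=$shape];")
    }
    $lines.Add('}')
    $lines -join "`n"
}

# Usage ('Domain Admins' is a placeholder root group):
#   $g = Get-NestedGroupGraph -GroupName 'Domain Admins'; $g.Cycles; $g.Redundant
#   ConvertTo-GroupDot $g | Set-Content .\nesting.dot   # then dot -Tsvg nesting.dot -o nesting.svg, or open it in gvedit.exe
```

The walker reads the `member` attribute with Get-ADGroup and resolves each DN with Get-ADObject rather than calling Get-ADGroupMember, because the latter stops at large groups and fails on foreign security principals; a group already on the current path is recorded as a red back-edge instead of being recursed into, so the script terminates on circular nesting rather than looping.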

4 Replies to “AD Group Membership Visualisation”

  1. Hi Adam,

    Thanks a lot for your post! I recently updated the script: still “quick-and-dirty” code but a few useful enhancements anyway.

  2. Hi all,
    I love that you shared this tool. Recently I needed to draw the nested AD groups in our work environment and our team is thinking about using this solution. However, I encountered some issues when installing it. I have everything downloaded and installed, changed the environment variables as mentioned in the instructions, but I still have the following two issues that need to be resolved:

    1. Graphviz: Graphviz is installed but I can’t find/run dot.exe and unflatten.exe, which are the programs mentioned in the instructions.

    2. PowerShell: The PowerShell module Draw-ADSecurityGroupNesting is in the designated folder and can be found. However, it can’t be loaded. Here is the link for the execution policies mentioned in the error message:
    https://msdn.microsoft.com/powershell/reference/5.1/Microsoft.PowerShell.Core/about/about_Execution_Policies
    (I haven’t seen this before. Do you know what these mean?)

    Your feedback and suggestions are really appreciated. Thank you very much in advance.

    1. 1. I believe dot.exe is in the /bin/ folder but I tend to use gvedit.exe as a quick way to view the output of the module without having to go through the hassle of converting to another format.

      2. Most likely either you need to unblock the module files because they’re still tagged as being from the internet zone (file properties -> Unblock) or you need to change your execution policy from the default Unsigned to RemoteSigned (Set-ExecutionPolicy RemoteSigned).
