While working with nested groups, it's often impossible to quickly tell what's going on. Who is a member of which group, how many members there are? The bigger the AD, the higher probability of being lost. Also, telling someone that there are 300 group members doesn't have the same impact as showing it to them on a diagram, right? So le's see what Show-ADGroupMember can do, shall we?
By default, when given a group name, it will show one top tab with the group name, and three-second level tabs. Table with summary (basically a copy of what you saw with Get-WinADGroupMember). A basic diagram that doesn't care for nesting where it cares for connections between members. If there are duplicates, those should be displayed only once; however, their relationships will multiply. The third diagram is a hierarchical diagram that shows nested levels and how they are connected. Each graph can be saved to disk with right-click as an image. You may need a bigger monitor to fit it all, or you can zoom-in or zoom-out as required, but more extensive diagrams will be problematic.
Show-WinADGroupMember (alias: Show-ADGroupMember) can take multiple groups at the same time. What it does it creates a new top-level tab for each group given, and the rest stays the same.
Show-ADGroupMember -GroupName 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators', 'Backup Operators' -FilePath $PSScriptRoot\Reports\GroupMembership.html
All groups without members are skipped. This means you can query multiple groups at the same time and get pretty diagrams for easy viewing. Unfortunately, there's one drawback to this – it works fine for small groups, but when you deal with a domain of 80000 users in size, things get complicated. When you try to display ten groups, each having 400 nested members, which means there are at least 8000 objects across 20 diagrams to be drawn, and that makes it a bit unusable. If you are going to work with large groups, I suggest doing it, one group at a time, or use additional switches HideUsers, HideComputers, HideAppliesTo. What those switches do is hide respective objects from the diagram, one or both, leaving only Groups and their connections.
Show-ADGroupMember -GroupName 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators', 'Backup Operators' -FilePath $PSScriptRoot\Reports\GroupMembership.html -HideUsers
After we removed users, the diagrams are more readable, and we still get additional details on how it's all connected and how many members there are. You need to pick your battles. But that's not all.
The command has two more parameters, called Summary and SummaryOnly. In the case of Summary, it displays all tabs as before, and it adds a Summary tab on which all groups you requested are matched on one diagram. This gets you an interesting view of the interconnectivity of groups you asked for.
Show-WinADGroupMember -GroupName 'Test-Group', 'Domain Admins','Enterprise Admins', 'Administrators' -FilePath $PSScriptRoot\Reports\GroupMembership.html -Summary -HideUsers
Similarly, SummaryOnly does the same thing, but it skips individual reports for groups. Again, I want to reiterate that depending on groups you're investigating and it's member count, you may need to pick what you want to request and what you want to see at the same time. It's a bit try, see and adjust. It may work well or it may stutter a bit or not open at all. I would like your feedback so make sure to open issues with problems/feature requests on GitHub. I made an effort for the diagrams/tables to have proper data, but I do make mistakes so maybe I missed something.
