
This PowerShell script defines a function called send-report. For example,

$ACL_GROUPS = "DC=ad,DC=unc,DC=edu"
$ACL_FILTER = "(name=SOP_*)"
$SUBJECT = "Access Report"
$INSTRUCTIONS = "<p>Please review and reply with any changes.</p>"

send-report -ou $ACL_GROUPS -filter $ACL_FILTER -to $MYEMAIL -subject $SUBJECT -message $INSTRUCTIONS

would send an HTML email to $MYEMAIL containing $INSTRUCTIONS followed by a list in the format

  1. Description
    • User Display Name
    • Group Display Name
      • User Display Name

In other words, for each group matching $ACL_FILTER under the $ACL_GROUPS search base, the script creates an ordered list of the groups' description fields and, beneath each description, recursively lists the display names of all users and groups that are members of that group. $ACL_FILTER should match only the dedicated security groups that are used as access control entries, since the report is keyed on those groups' description fields.

#Email from where you want report to come
$REPORT_FROM = ""
#Your SMTP server
$SMTP = ""

function send-report {
    param( [string]$ou, [string]$filter, [string]$to, [string]$subject, [string]$message)
    # The message text is the operator's own HTML; the group list is appended after it
    $report = $message + "<ol>"
    foreach ($group in get-adgroup -ldapfilter $filter -SearchBase $ou -SearchScope Subtree -properties ("Members", "Description") | sort name){
        $members = get-groupList -list '' -members $group.Members
        # One numbered item per group: its description, then the nested member list
        $report += "<li>" + $group.Description
        $report += "<ul>" + $members + "</ul></li>"
    }
    $report += "</ol>"
    send-mailmessage -to $to -subject $subject -Body $report -from $REPORT_FROM -smtpserver $SMTP -BodyAsHtml
}

function get-groupList{
    param( [string]$list, [string[]] $members )
    foreach ($m in $members) {
        # Each member is a distinguished name; resolve it to find out what kind of object it is
        $o = get-adobject -identity $m
        $list += "<li>" + $o.Name
        if ($o.objectClass -eq 'group'){
            # Nested group: expand its members as a sub-list under this item
            $g = get-adgroup -identity $m -properties members
            $moreMembers = get-groupList -list '' -members $g.Members
            $list += "<ul>" + $moreMembers + "</ul>"
        }
        $list += "</li>"
    }
    return $list
}
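The script above builds the email body by string concatenation, which is fine for a quick report but leaves two things a reviewer would flag. First, group descriptions and object names are written straight into HTML, so anyone delegated to edit a group's Description attribute can put markup into the report that lands in your mailbox; every AD string should be HTML-encoded before it is appended. Second, Active Directory allows circular group nesting (A is a member of B, B is a member of A), and the recursive walk above never terminates on such a loop. The following is an added example, not part of the original script, showing a hardened variant that encodes the strings and tracks the groups on the current recursion path. It assumes the ActiveDirectory module and, as in the original, placeholder values for $REPORT_FROM, $SMTP and $MYEMAIL; the function and parameter names are this example's own. The -PassThru switch is an addition that returns the HTML instead of mailing it, so the output can be inspected before the report goes out.

```powershell
# Added example (not the original script): HTML-encoded, cycle-safe access report.
# Assumes the ActiveDirectory module; $REPORT_FROM, $SMTP and $MYEMAIL are
# placeholders you supply, exactly as in the original.
Import-Module ActiveDirectory

function ConvertTo-SafeHtml {
    param([string]$Text)
    # Encode any AD-sourced string before it is placed in the HTML body.
    # An empty Description simply renders as an empty item.
    return [System.Net.WebUtility]::HtmlEncode([string]$Text)
}

function Get-GroupMemberHtml {
    param(
        [string[]]$Members,
        [System.Collections.Generic.HashSet[string]]$Visited   # groups on the current recursion path
    )
    $sb = New-Object System.Text.StringBuilder
    foreach ($dn in ($Members | Sort-Object)) {
        $o = Get-ADObject -Identity $dn -Properties objectClass
        [void]$sb.Append('<li>').Append((ConvertTo-SafeHtml $o.Name))
        if ($o.objectClass -eq 'group') {
            # HashSet.Add returns $false if the DN is already in the set, i.e. a nesting loop
            if (-not $Visited.Add($dn)) {
                [void]$sb.Append(' <em>(circular nesting: already expanded above)</em>')
            } else {
                $g = Get-ADGroup -Identity $dn -Properties Members
                if ($g.Members.Count -gt 0) {
                    $nested = Get-GroupMemberHtml -Members $g.Members -Visited $Visited
                    [void]$sb.Append('<ul>').Append($nested).Append('</ul>')
                }
                # Leaving this branch: the same group may legitimately appear under another branch
                [void]$Visited.Remove($dn)
            }
        }
        [void]$sb.Append('</li>')
    }
    return $sb.ToString()
}

function Send-AccessReport {
    param(
        [string]$OU, [string]$Filter, [string]$To, [string]$Subject, [string]$Message,
        [switch]$PassThru   # return the HTML instead of sending it
    )
    $sb = New-Object System.Text.StringBuilder
    # $Message is the operator's own instructions and is intended to be HTML
    [void]$sb.Append($Message).Append('<ol>')
    $groups = Get-ADGroup -LDAPFilter $Filter -SearchBase $OU -SearchScope Subtree `
                          -Properties Members, Description | Sort-Object Name
    foreach ($group in $groups) {
        # Seed the path set with the top-level group so a loop back to it is caught
        $visited = New-Object 'System.Collections.Generic.HashSet[string]'
        [void]$visited.Add($group.DistinguishedName)
        $members = Get-GroupMemberHtml -Members $group.Members -Visited $visited
        [void]$sb.Append('<li>').Append((ConvertTo-SafeHtml $group.Description))
        if ($members) { [void]$sb.Append('<ul>').Append($members).Append('</ul>') }
        [void]$sb.Append('</li>')
    }
    [void]$sb.Append('</ol>')
    $body = $sb.ToString()
    if ($PassThru) { return $body }
    Send-MailMessage -To $To -Subject $Subject -Body $body -From $REPORT_FROM -SmtpServer $SMTP -BodyAsHtml
}

# Usage, mirroring the original call; review the HTML first, then drop -PassThru to send:
# Send-AccessReport -OU "DC=ad,DC=unc,DC=edu" -Filter "(name=SOP_*)" -To $MYEMAIL `
#     -Subject "Access Report" -Message "<p>Please review and reply with any changes.</p>" -PassThru
```

The visited set is path-based rather than global: a group is removed from the set when its branch is finished, so a group that is legitimately nested under two different parents is still listed under both, while a true loop is reported once and not followed. A StringBuilder replaces the repeated string concatenation, which matters once the groups hold thousands of members.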