<h1 align="center">PSADTree</h1> <div align="center"> <sub>Tree-like cmdlets for Active Directory principals!</sub> <br /><br />

</div>

PSADTree is a PowerShell module that brings tree-like visualization to Active Directory group structures — perfect for spotting nested membership and circular references at a glance.

This Module currently includes two cmdlets:

Get-ADTreeGroupMember for AD Group Members.
Get-ADTreePrincipalGroupMembership for AD Principal Group Membership.

Both cmdlets help with discovery of Circular Nested Groups.

Documentation

Check out the docs for information about how to use this Module.

Installation

Gallery

The module is available through the PowerShell Gallery:

Install-Module PSADTree -Scope CurrentUser

Source

git clone 'https://github.com/santisq/PSADTree.git'
Set-Location ./PSADTree
./build.ps1

Requirements

Windows operating system (uses Windows-specific Active Directory .NET APIs)
PowerShell 5.1 (Windows PowerShell) or PowerShell 7.4+
Read permissions on the Active Directory objects you want to query

Usage

These are some examples of what the cmdlets from this Module allow you to do. For more examples check out the docs.

Get the members of a group

PS ..\PSADTree> Get-ADTreeGroupMember TestGroup007

   Source: CN=TestGroup007,OU=Operations,DC=ChildDomain,DC=ParentDomain,DC=myDomain,DC=xyz

Domain                              ObjectClass Hierarchy
------                              ----------- ---------
ChildDomain                               group TestGroup007
ChildDomain          msDS-ManagedServiceAccount ├── testMSA$
ChildDomain                                user ├── TestUser013
ChildDomain                                user ├── TestUser010
ChildDomain                                user ├── TestUser007
ChildDomain                               group ├── TestGroup001
ChildDomain                                user │   ├── TestUser015
ChildDomain                                user │   ├── TestUser013
ChildDomain                                user │   ├── TestUser010
ChildDomain                                user │   ├── TestUser007
ChildDomain                                user │   ├── TestUser002
ChildDomain                               group │   ├── TestGroup005
ParentDomain                              group │   │   ├── TestGroup001
ParentDomain                              group │   │   └── TestGroup002
ChildDomain                               group │   ├── TestGroup006
ChildDomain                            computer │   │   ├── TestComputer0000004$
ChildDomain                            computer │   │   ├── TestComputer0000003$
ChildDomain                            computer │   │   ├── TestComputer0000002$
ChildDomain                            computer │   │   └── TestComputer0000001$
ChildDomain                               group │   └── TestGroup007 ↔ Circular Reference
ChildDomain                               group ├── TestGroup005 ↔ Processed Group
ChildDomain                               group └── TestGroup006 ↔ Processed Group

Control the grade of recursion with the `-Depth` parameter

The default value for -Depth is 3.

PS ..\PSADTree> Get-ADTreeGroupMember TestGroup007 -Depth 2

   Source: CN=TestGroup007,OU=Operations,DC=ChildDomain,DC=ParentDomain,DC=myDomain,DC=xyz

Domain                        ObjectClass Hierarchy
------                        ----------- ---------
ChildDomain                         group TestGroup007
ChildDomain    msDS-ManagedServiceAccount ├── testMSA$
ChildDomain                          user ├── TestUser013
ChildDomain                          user ├── TestUser010
ChildDomain                          user ├── TestUser007
ChildDomain                         group ├── TestGroup001
ChildDomain                          user │   ├── TestUser015
ChildDomain                          user │   ├── TestUser013
ChildDomain                          user │   ├── TestUser010
ChildDomain                          user │   ├── TestUser007
ChildDomain                          user │   ├── TestUser002
ChildDomain                         group │   ├── TestGroup005
ChildDomain                         group │   ├── TestGroup006
ChildDomain                         group │   └── TestGroup007 ↔ Circular Reference
ChildDomain                         group ├── TestGroup005 ↔ Processed Group
ChildDomain                         group └── TestGroup006 ↔ Processed Group

Retrieve and inspect additional properties

PS ..\PSADTree> $tree = Get-ADTreeGroupMember TestGroup001 -Properties *
PS ..\PSADTree> $user = $tree | Where-Object ObjectClass -EQ user | Select-Object -First 1
PS ..\PSADTree> $user.AdditionalProperties

Key                        Value
---                        -----
objectClass                {top, person, organizationalPerson, user}
cn                         John Doe
sn                         Doe
c                          US
l                          Elizabethtown
st                         NC
title                      Accounting Specialist
postalCode                 28337
physicalDeliveryOfficeName Accounting Office
telephoneNumber            910-862-8720
givenName                  John
initials                   B
distinguishedName          CN=John Doe,OU=Accounting,OU=Mylab Users,DC=mylab,DC=local
instanceType               4
whenCreated                9/18/2025 4:53:58 PM
whenChanged                9/18/2025 4:53:58 PM
displayName                John Doe
uSNCreated                 19664
memberOf                   CN=TestGroup001,OU=Mylab Groups,DC=mylab,DC=local
uSNChanged                 19668
department                 Accounting
company                    Active Directory Pro
streetAddress              2628 Layman Avenue
nTSecurityDescriptor       System.DirectoryServices.ActiveDirectorySecurity
name                       John Doe
objectGUID                 {225, 241, 160, 222…}
userAccountControl         512
badPwdCount                0
codePage                   0
countryCode                0
badPasswordTime            0
lastLogoff                 0
lastLogon                  0
pwdLastSet                 0
primaryGroupID             513
objectSid                  {1, 5, 0, 0…}
accountExpires             9223372036854775807
logonCount                 0
sAMAccountName             john.doe
sAMAccountType             805306368
userPrincipalName          john.doe@mylab.com
objectCategory             CN=Person,CN=Schema,CN=Configuration,DC=mylab,DC=local
dSCorePropagationData      1/1/1601 12:00:00 AM
mail                       john.doe@mylab.com

[!TIP]

-Properties * retrieves all available attributes from each object.

Use friendly names (e.g. Country → c, City → l, PasswordLastSet → pwdLastSet) or raw LDAP names — the key in .AdditionalProperties matches what you requested.

See the full list of supported friendly names in the source code LdapMap.cs

Get group members recursively, include only groups and display all processed groups

The -Recursive switch indicates that the cmdlet should traverse traverse the entire group hierarchy.
The -Group switch limits the members tree view to nested groups only.
By default, previously processed groups will be marked as "Processed Group" and their hierarchy will not be displayed.
The -ShowAll switch indicates that the cmdlet should display the hierarchy of all previously processed groups.

PS ..\PSADTree> Get-ADTreeGroupMember TestGroup007 -Recursive -Group -ShowAll

   Source: CN=TestGroup007,OU=Operations,DC=ChildDomain,DC=ParentDomain,DC=myDomain,DC=xyz

Domain         ObjectClass Hierarchy
------         ----------- ---------
ChildDomain          group TestGroup007
ChildDomain          group ├── TestGroup001
ChildDomain          group │   ├── TestGroup005
ParentDomain         group │   │   ├── TestGroup001
ParentDomain         group │   │   │   └── TestGroup002
ParentDomain         group │   │   └── TestGroup002
ChildDomain          group │   ├── TestGroup006
ChildDomain          group │   └── TestGroup007 ↔ Circular Reference
ChildDomain          group ├── TestGroup005
ParentDomain         group │   ├── TestGroup001
ParentDomain         group │   │   └── TestGroup002
ParentDomain         group │   └── TestGroup002
ChildDomain          group └── TestGroup006

Get group memberships for a user

PS ..\PSADTree> Get-ADTreePrincipalGroupMembership TestUser002

   Source: CN=TestUser002,OU=Operations,DC=ChildDomain,DC=ParentDomain,DC=myDomain,DC=xyz

Domain         ObjectClass Hierarchy
------         ----------- ---------
ChildDomain           user TestUser002
ChildDomain          group ├── TestGroup003
ChildDomain          group │   └── TestGroup000
ChildDomain          group ├── TestGroup001
ChildDomain          group │   ├── TestGroup007
ChildDomain          group │   │   ├── TestGroup004
ChildDomain          group │   │   ├── TestGroup002
ChildDomain          group │   │   └── TestGroup001 ↔ Circular Reference
ChildDomain          group │   └── TestGroup000 ↔ Processed Group
ChildDomain          group ├── Terminal Server License Servers
ChildDomain          group └── Domain Users
ChildDom

PSADTree

Install / Use

README

Documentation

Installation

Gallery

Source

Requirements

Usage

Get the members of a group

Control the grade of recursion with the `-Depth` parameter

Retrieve and inspect additional properties

Get group members recursively, include only groups and display all processed groups

Get group memberships for a user

PSADTree

Install / Use

README

Documentation

Installation

Gallery

Source

Requirements

Usage

Get the members of a group

Control the grade of recursion with the -Depth parameter

Retrieve and inspect additional properties

Get group members recursively, include only groups and display all processed groups

Get group memberships for a user

Control the grade of recursion with the `-Depth` parameter