Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enhance your career with this limited time 50% discount on Fabric and Power BI exams. Ends August 31st. Request your voucher.

Reply
Moof
Frequent Visitor

Active Directory hierarchy - getting all users inside a group including child groups

‎08-17-2018 02:50 AM

Hi,

 

I've been playing around with Active Directory as a data source on PowerBI for a while, trying to make reports.

 

One report I'm interested in is "Users in the Administrators Group"

 

My Administrators group has a number of users in it, as well as a Group - Domain Admins.

 

Domain Admins itself has a group in it too - Security administrators.

 

I'm trying to navigate the tree somehow either in M or DAX so that I can get a list of "In the Administrators Group, all the users are x, y, and z" where x is in Administrators, y is in Domain Admins, and z is in Security Administrators.

 

I've been thinking about seeing if I can get a list of "this group is a member of this group" (which I can do using top.memberOf) but I can't seem to work out how to navigate from Security Admins to Administrators, so I can see that Security Admins is a member of Domain admins and Administrators.

 

If I could do that, from there I could just say that since user z is in Security Administrators, it's also in Domain Administrators and Administrators. 

 

I'm specifically trying to find a generic solution here, rather than hard coding my tree into the programme.

 

Am I barking up the wrong tree? How do I do this sort of recursive query in M/DAX?

 

Labels:
Message 1 of 7
11,918 Views
0
6 REPLIES 6
Madalina2801
Advocate II
Advocate II

‎02-13-2025 03:10 AM

Hello,

 

Are there any updates here? Do you know if there is a way to expand all levels of nested groups recursively?

 

Thanks!

Message 7 of 7
835 Views
0
dtjdtj
Advocate I
Advocate I

‎07-22-2024 02:03 AM

Has anyone found a solution here? I'm also interested in expanding all levels of nested groups recursively. 
Thank you in advance!

Message 6 of 7
1,925 Views
0
v-yuezhe-msft
Microsoft Employee
Microsoft Employee

‎08-20-2018 12:27 AM

@Moof,

Please help to post sample data of your tables and post expected result  based on sample data here.

Regards,
Lydia

Community Support Team _ Lydia Zhang
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Message 2 of 7
11,900 Views
0
Moof
Frequent Visitor
In response to v-yuezhe-msft

‎08-24-2018 05:06 AM

Or, placing it a different way...

 

I have a hierachy of groups in ActiveDirectory, and a bunch of users that belong to those groups.

 

Security Administrators is a member of Domain Admins which is a member of Administrators. Each of these groups has users in it. I want to filter by group Administrators, and get users from all the subgroups.

 

Essentially, using sample date, the result I'm looking for is:

 

Sample result.png

 

The code I'm using to get there is as follows:

 

let
    Source = ActiveDirectory.Domains("lapsang.example"),
    lapsang.example = Source{[Domain="lapsang.example"]}[#"Object Categories"],
    user1 = lapsang.example{[Category="user"]}[Objects],
    #"Expanded top" = Table.ExpandRecordColumn(user1, "top", {"cn", "memberOf"}, {"top.cn", "top.memberOf"}),
    #"Removed Other Columns" = Table.SelectColumns(#"Expanded top",{"top.cn", "top.memberOf", "distinguishedName"}),
    #"Expanded top.memberOf" = Table.ExpandListColumn(#"Removed Other Columns", "top.memberOf"),
    #"Expanded top.memberOf1" = Table.ExpandRecordColumn(#"Expanded top.memberOf", "top.memberOf", {"distinguishedName", "memberOf"}, {"top.memberOf.distinguishedName", "top.memberOf.memberOf"}),
    #"Reordered Columns1" = Table.ReorderColumns(#"Expanded top.memberOf1",{"top.cn", "distinguishedName", "top.memberOf.distinguishedName", "top.memberOf.memberOf"}),
    #"Expanded top.memberOf.memberOf" = Table.ExpandListColumn(#"Reordered Columns1", "top.memberOf.memberOf"),
    #"Expanded top.memberOf.memberOf1" = Table.ExpandRecordColumn(#"Expanded top.memberOf.memberOf", "top.memberOf.memberOf", {"distinguishedName", "memberOf"}, {"top.memberOf.memberOf.distinguishedName", "top.memberOf.memberOf.memberOf"}),
    #"Expanded top.memberOf.memberOf.memberOf" = Table.ExpandListColumn(#"Expanded top.memberOf.memberOf1", "top.memberOf.memberOf.memberOf"),
    #"Expanded top.memberOf.memberOf.memberOf1" = Table.ExpandRecordColumn(#"Expanded top.memberOf.memberOf.memberOf", "top.memberOf.memberOf.memberOf", {"distinguishedName", "memberOf"}, {"top.memberOf.memberOf.memberOf.distinguishedName", "top.memberOf.memberOf.memberOf.memberOf"}),
    #"Unpivoted Columns" = Table.UnpivotOtherColumns(#"Expanded top.memberOf.memberOf.memberOf1", {"top.cn", "distinguishedName", "top.memberOf.memberOf.memberOf.memberOf"}, "Attribute", "Value"),
    #"Grouped Rows" = Table.Group(#"Unpivoted Columns", {"top.cn", "distinguishedName", "Value"}, {{"Count", each Table.RowCount(_), type number}}),
    #"Renamed Columns" = Table.RenameColumns(#"Grouped Rows",{{"Value", "InGroup"}}),
    #"Removed Columns" = Table.RemoveColumns(#"Renamed Columns",{"Count"})
in
    #"Removed Columns"

Now, as you can see, I've used Table.ExpandListColumn, and Table.ExpandRecordColumn several times there, and I can't guarantee that if I query a different AD that I'll have managed to get all the levels of expanding. 

 

Is there a way to recurse through the table, such that it does that as many times as neccesary, and then leaves an unpivoted result?

Message 4 of 7
11,873 Views
claitonjs
New Member
In response to Moof

‎08-28-2019 07:22 PM
Hi! I have the same question. Do you have some update?
Message 5 of 7
10,824 Views
Moof
Frequent Visitor
In response to v-yuezhe-msft

‎08-24-2018 04:39 AM

OK, it's taken me a little while to sort out a test environment.

 

I have set up a fresh AD domain. The Built-in Administrators group has the following:

 

Administrators Group.png

 

And then I populated the hierarchy as follows:

Domain Admins GroupDomain Admins GroupSecurity Administrators GroupSecurity Administrators Group

 

As you can see, a fairly simple hierarchy.

 

I am trying to set up an audit screen that shows the members of a group, including any sub groups that are in the group. So if I were to filter by the group Administrators, I get the following expected result for users:

 

  • lapsangadmin
  • Siuan Sanche (admin)
  • Lean Sharif (admin)

 

So now I enter Power BI and use the AD connector to Users. This gives me a rather difficult to deal with table:

 

Unedited Users QueryUnedited Users Query

When I filter it a bit, and expand the "top" column I get:

Users first filter.png

 

Again, I expand those lists into separate rows, and expand the records, and I get...

 

Users expanded.png

 

 

The code I use to get there is:

let
    Source = ActiveDirectory.Domains("lapsang.example"),
    lapsang.example = Source{[Domain="lapsang.example"]}[#"Object Categories"],
    user1 = lapsang.example{[Category="user"]}[Objects],
    #"Expanded top" = Table.ExpandRecordColumn(user1, "top", {"cn", "memberOf"}, {"top.cn", "top.memberOf"}),
    #"Removed Other Columns" = Table.SelectColumns(#"Expanded top",{"top.cn", "top.memberOf", "distinguishedName"}),
    #"Expanded top.memberOf" = Table.ExpandListColumn(#"Removed Other Columns", "top.memberOf"),
    #"Expanded top.memberOf1" = Table.ExpandRecordColumn(#"Expanded top.memberOf", "top.memberOf", {"distinguishedName"}, {"top.memberOf.distinguishedName"}),
    #"Reordered Columns" = Table.ReorderColumns(#"Expanded top.memberOf1",{"top.cn", "distinguishedName", "top.memberOf.distinguishedName"})
in
    #"Reordered Columns"

 

with this, I can tell that lapsangadmin is in Administrators and Domain Admins, that Siuan Sanche (admin) is in Domain Admins and that Leane Sharif (admin) is in Security Admins.

 

But I can't filter by Administrators and get all three.

 

So I start to look at the group object instead, which is an equally unappetising initial query:

 

Groups unfiltered.png

 

In top, there is again a "memberOf" column, which has a list of other records:

 

Groups first filter.png

 

And again, expanding that gives me:

 

Groups expanded.png

 

The code I use to get here is:

 

let
    Source = ActiveDirectory.Domains("lapsang.example"),
    lapsang.example = Source{[Domain="lapsang.example"]}[#"Object Categories"],
    user1 = lapsang.example{[Category="user"]}[Objects],
    #"Expanded top" = Table.ExpandRecordColumn(user1, "top", {"cn", "memberOf"}, {"top.cn", "top.memberOf"}),
    #"Removed Other Columns" = Table.SelectColumns(#"Expanded top",{"top.cn", "top.memberOf", "distinguishedName"}),
    #"Expanded top.memberOf" = Table.ExpandListColumn(#"Removed Other Columns", "top.memberOf"),
    #"Expanded top.memberOf1" = Table.ExpandRecordColumn(#"Expanded top.memberOf", "top.memberOf", {"distinguishedName"}, {"top.memberOf.distinguishedName"}),
    #"Reordered Columns" = Table.ReorderColumns(#"Expanded top.memberOf1",{"top.cn", "distinguishedName", "top.memberOf.distinguishedName"})
in
    #"Reordered Columns"

So this is where I'm stuck. 

 

Eventually, I could just keep expanding memberOf until I run out of things, and then unpivot the resulting distinguishedName columns into one. The thing is, I'm trying to make this a generic solution that doesn't need to know how many times to expand, because whilst in this test case, I only have a simple hierarchy like this, in some of the Active Directories I deal with this hierarchy may go up to 6 or 8 groups deep.

 

So I suppose I'm asking: how do I do this sort of recursion in M, such that I can get a table of all the parents a group may have, withough needing to do it a specific number of times?

 

I suppose I'm trying to get a table like this:

 

GroupContained in
AdministratorsAdministrators
Security AdministratorsSecurity Administrators
Security AdministratorsDomain Admins
Security AdministratorsAdministrators
Domain AdminsDomain Admins
Domain AdminsAdministrators

 ...and so on

 

 From there, I can link my users to that Group Column, and then filter by a summary of the Contained In Column.

 

Any hints gratefully appreciated...

Message 3 of 7
11,872 Views
0

Helpful resources

Announcements
July 2025 community update carousel

Fabric Community Update - July 2025

Find out what's new and trending in the Fabric community.

July PBI25 Carousel

Power BI Monthly Update - July 2025

Check out the July 2025 Power BI update to learn about new features.

View All