vCenter VM permission query using Powershell / PowerCLI

I've been trying to use PowerShell with imported PowerCLI commands for VMware administration and I've hit a snag. What I'm trying to do is query all VMs in a location (doesn't matter where), and for every VM I want the group with "Virtual Machine User with Snapshot" permission, and then use that group name to run a Get-ADGroupMember query for everyone in that group. I also have to remove the domain prefix from the AD query, which would otherwise cause an error.

After some more playing around with outputting hash table information into the CSV, as opposed to 'SystemObject[]', I finally got the script so it doesn't return errors EXCEPT on VMs where there is more than one group. It throws an error but the script continues, and just outputs the members of the first group.

How do I get it to do a recursive AD query for every group that is pulled into the owner groups hashtable? The output would be the same as for all the other VM's, just with a line for each group and members.

$AllVMs = @()
$vms = get-vm  * -Location datacenter
foreach ($vm in $vms)
    {
        $owners = Get-VIPermission $vm.name | where-object {$_.role -eq "virtual machine user with snapshot"}
        foreach ($owner in $owners)
            {
                $members = Get-ADGroupMember ($owners.principal -replace '^prefix\\')

                $temp = New-Object psobject |
                Add-Member Noteproperty "Name" -value $vm.name -PassThru |
                Add-Member Noteproperty "Owner" -value (@($owners.principal) -join ',') -PassThru |
                Add-Member Noteproperty "Members" -value  (@($members.SamAccountName) -join ',') -passthru
                $AllVMs+=$temp
            }
    }
$AllVMs | Export-Csv -Path c:\users\me\desktop\AllVMs.csv

I was playing around with it some more today and figured it out! I'm running the script right now against a datacenter with 350+ machines so technically I don't know 100% that it works, but it worked against 3 machines :-) I also added a line to list every machine that's owned by more than one group - handy for troubleshooting. Here's the script:

$AllVMs = @()
$vms = get-vm -Location DATACENTER
foreach ($vm in $vms)
    {
        $owners = @(Get-VIPermission $vm.name | where-object {$_.role -eq "virtual machine user with snapshot"})
        if ($owners.count -gt 1) {write-host "** Note ** '$vm' has"$owners.count "owner groups"}
        foreach ($owner in $owners)
            {
                $members = Get-ADGroupMember ($owner.principal -replace '^prefix\\')
                $temp = New-Object psobject |
                Add-Member Noteproperty "Name" -value $vm.name -PassThru |
                Add-Member Noteproperty "Owner" -value (@($owner.principal) -join ',') -PassThru |
                Add-Member Noteproperty "Members" -value  (@($members.SamAccountName) -join ',') -PassThru
                $AllVMs+=$temp
            }
    }

$AllVMs

Change $owners.principal to $owner.principal after $members = Get-ADGroupMember? In case you have nested AD groups, Get-ADGroupMember has a -Recursive parameter.
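
The following is an added example, not code from any of the posts above. It extends the working script into an access-review report with one row per VM and owner entry: nested groups are flattened with -Recursive, permissions granted to a single user are reported without an AD group lookup, failed lookups keep their row, and each AD group is queried only once. It assumes a session already connected with Connect-VIServer; 'DATACENTER', the 'prefix' domain prefix and the CSV path are the page's placeholders, and Get-OwnerMembers is a hypothetical helper name.

```powershell
# Added example. 'DATACENTER', 'prefix' and the output path are placeholders;
# Get-OwnerMembers is a helper defined here, not a PowerCLI or AD cmdlet.
Import-Module ActiveDirectory

$roleName    = 'Virtual Machine User with Snapshot'
$memberCache = @{}   # group name -> member string, so each AD group is queried once

function Get-OwnerMembers {
    param([string]$Principal, [bool]$IsGroup)

    # A permission can be granted to a single user; report it without asking AD for members.
    if (-not $IsGroup) { return '(user principal, not a group)' }

    $group = $Principal -replace '^prefix\\'      # strip the domain prefix, as on the page
    if (-not $memberCache.ContainsKey($group)) {
        try {
            # -Recursive flattens nested groups into their effective user members.
            $names = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                     Select-Object -ExpandProperty SamAccountName | Sort-Object -Unique
            $memberCache[$group] = @($names) -join ','
        }
        catch {
            # Principals that AD cannot resolve end up here; the row is kept for review.
            $memberCache[$group] = "(lookup failed: $($_.Exception.Message))"
        }
    }
    return $memberCache[$group]
}

$report = foreach ($vm in Get-VM -Location 'DATACENTER') {
    # Pass the VM object instead of its name, so the lookup does not depend on name resolution.
    $owners = @(Get-VIPermission -Entity $vm | Where-Object { $_.Role -eq $roleName })
    foreach ($owner in $owners) {
        [pscustomobject]@{
            Name       = $vm.Name
            Owner      = $owner.Principal
            IsGroup    = $owner.IsGroup
            OwnerCount = $owners.Count      # greater than 1 flags VMs with several owner entries
            Members    = Get-OwnerMembers -Principal $owner.Principal -IsGroup $owner.IsGroup
        }
    }
}

$report | Export-Csv -Path .\AllVMs.csv -NoTypeInformation
```

Rows whose Members column starts with "(lookup failed" are the ones to review by hand, since the script could not show who holds snapshot rights on that VM through that entry.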
