DefensiveOrigins/ADGroupDiagram

ADGroupGrapher

A .NET console tool that enumerates Active Directory groups in the current domain, builds a membership graph (including nested groups), detects circular relationships, and emits portable outputs:

  • DOT (ad-groups.dot)
  • PNG (ad-groups.png, if Graphviz is installed)
  • HTML viewer (ad-groups.html, renders the DOT in any browser via Viz.js)

Optionally, include users in the graph with --include-users (or -u).

A compiled build is provided in the App folder for those who don't want to build from source.


Features

  • Uses current Windows logon context (no credentials in code).
  • Builds group → group edges from immediate membership.
  • Highlights cycles (circular nesting) with red edges.
  • Labels each group node with:
    • sAMAccountName
    • Users: <count of immediate non-group members>
    • Groups: <count of immediate nested groups>
  • Optional group → user edges (dashed) and user nodes (ellipses).
  • Portable outputs: viewable as PNG or via a self-contained HTML page (browser).

Requirements

  • Windows with domain connectivity.
  • .NET 8 SDK (to build) or .NET 8 Runtime (if publishing framework-dependent).
  • Permissions: your user must be allowed to enumerate group memberships.
  • Optional: Graphviz installed and dot.exe on PATH (for PNG output). If Graphviz isn’t available, use the HTML output.

Getting Started

# Groups only (default)
ADGroupGrapher.exe

# Include users (adds user nodes and dashed group→user edges)
ADGroupGrapher.exe --include-users
# or
ADGroupGrapher.exe -u

Outputs (in working dir):

  • ad-groups.dot – Graphviz DOT
  • ad-groups.png – PNG (only if Graphviz dot is available)
  • ad-groups.html – Portable HTML viewer (renders DOT in-browser via Viz.js)

Legend:

  • Red edges: group↔group edges that are part of a cycle.
  • Dashed edges: group → user membership (immediate only).
  • Group nodes: boxes (label shows immediate user & group counts).
  • User nodes: ellipses (when --include-users is used).

Publishing (distribution)

Tips & Scaling

  • Large domains can produce very large graphs. Consider:

    • Running without --include-users (groups only) first.
    • Post-processing the DOT to focus on specific areas.
  • PNG vs HTML:

    • PNG is quick if Graphviz is installed.
    • HTML viewer is convenient and portable (requires internet access to load Viz.js from a CDN).
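
One way to do the DOT post-processing mentioned above, as an added example (not part of ADGroupGrapher): it keeps only a chosen group and everything nested beneath it, so the effective membership of one privileged group can be reviewed on its own. The line shapes, the edge direction (group pointing at its member), the function name focus_dot and the sample names are assumptions; check them against your own ad-groups.dot.

```python
import re
from collections import defaultdict, deque

# Assumed line shapes (not confirmed against the tool's real output):
#   "group" [attrs];             node declaration
#   "group" -> "member" [attrs]; membership edge, group pointing at its member
ID = r'"((?:[^"\\]|\\.)*)"'
EDGE_RE = re.compile(rf'^\s*{ID}\s*->\s*{ID}\s*(\[.*\])?\s*;?\s*$')
NODE_RE = re.compile(rf'^\s*{ID}\s*(\[.*\])\s*;?\s*$')

# Constructed sample, not real directory data.
SAMPLE_DOT = r'''digraph G {
  "Domain Admins" [shape=box, label="Domain Admins\nUsers: 1\nGroups: 1"];
  "Tier0-Ops" [shape=box];
  "Helpdesk" [shape=box];
  "Domain Admins" -> "Tier0-Ops";
  "Tier0-Ops" -> "Legacy-Admins" [color=red];
  "Legacy-Admins" -> "Tier0-Ops" [color=red];
  "Tier0-Ops" -> "jdoe" [style=dashed];
  "Helpdesk" -> "Print-Ops";
}'''

def focus_dot(dot_text, root):
    """Return DOT text holding only `root` and everything nested beneath it."""
    nodes, edges, members = {}, [], defaultdict(list)
    for line in dot_text.splitlines():
        if m := EDGE_RE.match(line):
            edges.append((m[1], m[2], m[3] or ""))
            members[m[1]].append(m[2])
        elif m := NODE_RE.match(line):
            nodes[m[1]] = m[2]
    known = set(nodes) | {n for s, d, _ in edges for n in (s, d)}
    if root not in known:
        raise ValueError(f"group {root!r} not found in DOT input")
    # Breadth-first walk; the `seen` set stops circular nesting from looping.
    seen, queue = {root}, deque([root])
    while queue:
        for member in members[queue.popleft()]:
            if member not in seen:
                seen.add(member)
                queue.append(member)
    out = ["digraph focus {"]
    out += [f'  "{n}" {nodes[n]};' if n in nodes else f'  "{n}";' for n in sorted(seen)]
    out += [f'  "{s}" -> "{d}" {a};' if a else f'  "{s}" -> "{d}";'
            for s, d, a in edges if s in seen and d in seen]
    return "\n".join(out + ["}"])

if __name__ == "__main__":
    print(focus_dot(SAMPLE_DOT, "Domain Admins"))
```

Edge attributes are copied through unchanged, so red cycle edges and dashed user edges stay visible in the reduced graph.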

Troubleshooting

  • Access/permission errors
    Your account must be allowed to query group memberships. Run from a domain-joined machine with sufficient rights.

Security Notes

  • The tool reads directory information only and uses your current logon context.
  • Outputs may reveal internal group & user names. Handle ad-groups.* files per your org’s data handling policy.

Roadmap

  • Filters: by OU, prefix, regex.
  • Export metadata (CSV/JSON) alongside DOT.
  • Split huge graphs into subgraphs by OU.

Contributing

PRs and issues welcome. Please describe your environment (domain size, OS, .NET version) and include repro steps.


License

MIT (or your preference). Add a LICENSE file at the repo root.

Sample Graph

[Image: sample graph]
