PowerShell + AD: Return users from within any group

Posted 2019-06-13 20:35

Question:

PowerShell "white belt" here, first time poster. I'll try not to lower the collective IQ of such a helpful community while I'm here! :) I'm running PowerShell 3.0 with Quest installed.

My organization has an Active Directory OU with several Security Groups that all control VPN access. These were created in the days before we had naming conventions (ugh!).

I'd prefer not to rely on the names by going "get me the members of X and Y and Z" but rather say "get me the members of anything in OU XXX" instead.

Ideally, I'd like a count at the end too, because ultimately this is for auditing "how many users have VPN access" (although I could barf results out to a .CSV or something if that's too complicated).

So I have some pieces that will do PARTS of this, I just can't quite visualize how to fit them all together. Any help would be appreciated. Here are my moving parts:

Returns users in one specific group:

    Get-ADGroupMember "group_of_coolness" -Recursive | Select-Object Name

Returns results from a user-filled OU using `-SearchBase`:

    Get-ADUser -Filter * -SearchBase 'ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=org' -Properties GivenName, Surname, EmailAddress, Office, Company, Title, DistinguishedName |
        Select-Object GivenName, Surname, EmailAddress, Office, Company, Title, DistinguishedName | Out-GridView

Returns results from a couple of specific groups but also gives a count (my most advanced patchwork so far ^^):

    # Distinct member DNs from the two named groups, including nested membership
    $GroupMembers = (Get-ADGroup -Filter {(Name -eq "XXXX") -or (Name -eq "YYYY")} |
        Get-ADGroupMember -Recursive | Select-Object DistinguishedName -Unique)

    # Look each member up again to get a full user object
    $Users = foreach ($user in $GroupMembers.DistinguishedName) {
        Get-ADUser $user
    }

    $Users | Sort-Object DistinguishedName |
        Select-Object Name, DistinguishedName

    Write-Host
    Write-Host "Total Users = " $Users.Count

That last code snippet seems closest to me, IF I could replace the `Name -eq "XXXX" -or Name -eq "YYYY"` filter with `-SearchBase "ou=XXX..."`.

What do you think, smart people: am I at all close to the answer? Again, thanks for any advice, and let me know if I'm being a jack-ass and overlooking a thread where this is already answered (I found some close calls but nothing quite on the money).

I'm excited to see what I'm missing here :)

Answer 1:

You can pretty easily simplify this:

    $Users = Get-ADGroup -SearchBase 'ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=org' -Filter * `
        | Get-ADGroupMember -Recursive `
        | Select-Object -Unique `
        | Sort-Object DistinguishedName;
    $Users | Select-Object Name, DistinguishedName;
    Write-Output ("Total Users = {0}" -f $Users.Count);

If you want to search by group name, you can change the first line to `Get-ADGroup -Filter {(Name -eq "Group A") -or (Name -eq "Group B")}` like you were using.

You're not using anything other than `Name` and `DistinguishedName` in your example, so there's no reason to run it through `Get-ADUser` a second time and fetch the same data from the server like you were. No reason to waste the DC's time.

If you do need to get additional properties beyond the name and distinguished name, then you do need to do that. You can do it like this:

    $Users = Get-ADGroup -SearchBase 'ou=XXX,ou=XXX,dc=XXX,dc=XXX,dc=org' -Filter * `
        | Get-ADGroupMember -Recursive `
        | Select-Object -Unique `
        | ForEach-Object { Get-ADUser $_ -Properties GivenName, Surname, EmailAddress, Office, Company, Title, DistinguishedName; } `
        | Sort-Object DistinguishedName;
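An added, more complete version of the same approach for the audit use case in the question (this is example code, not the answer's or the poster's own). It assumes the RSAT `ActiveDirectory` module, a constructed placeholder search base (`OU=VPN Groups,DC=example,DC=org`) and a hypothetical function name `Get-OuGroupMemberReport`. Beyond the answer's snippet it dedupes on `DistinguishedName` rather than on object identity, keeps only user objects (`Get-ADGroupMember` can also return computers and foreign security principals, which would make `Get-ADUser` error), records every group that grants each user access, and flags disabled accounts, which is the first thing an access review of a VPN group usually turns up. One caveat worth knowing when running this at scale: `Get-ADGroupMember -Recursive` is subject to the ADWS `MaxGroupOrMembersPerRequest` limit (5000 by default) and fails on larger groups.

```powershell
# Added example: audit every user granted access through any group in an OU.
# Assumes the RSAT ActiveDirectory module; the search base is a placeholder.
Import-Module ActiveDirectory

function Get-OuGroupMemberReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [string] $CsvPath
    )

    # 1. Every group object under the OU (Subtree scope is the default).
    $groups = @(Get-ADGroup -Filter * -SearchBase $SearchBase)

    # 2. Recursive membership of each group, keyed by DN so each person is
    #    counted once. Only objectClass 'user' is kept: computers and foreign
    #    security principals also show up in group membership.
    $grantedVia = @{}
    foreach ($g in $groups) {
        foreach ($m in Get-ADGroupMember -Identity $g -Recursive) {
            if ($m.objectClass -ne 'user') { continue }
            if (-not $grantedVia.ContainsKey($m.DistinguishedName)) {
                $grantedVia[$m.DistinguishedName] = @()
            }
            $grantedVia[$m.DistinguishedName] += $g.Name
        }
    }

    # 3. One Get-ADUser call per unique DN, fetching only the extra attributes
    #    the report needs (Enabled and SamAccountName come back by default).
    $report = foreach ($dn in $grantedVia.Keys) {
        $u = Get-ADUser -Identity $dn -Properties EmailAddress, Title
        [pscustomobject]@{
            Name              = $u.Name
            SamAccountName    = $u.SamAccountName
            Enabled           = $u.Enabled
            EmailAddress      = $u.EmailAddress
            Title             = $u.Title
            GrantedVia        = ($grantedVia[$dn] -join ';')
            DistinguishedName = $u.DistinguishedName
        }
    }
    $report = @($report | Sort-Object DistinguishedName)

    if ($CsvPath) {
        $report | Export-Csv -Path $CsvPath -NoTypeInformation
    }

    # Summary object: counts for the audit plus the per-user rows.
    [pscustomobject]@{
        Groups        = $groups.Count
        Users         = $report.Count
        DisabledUsers = @($report | Where-Object { -not $_.Enabled }).Count
        Report        = $report
    }
}

# Usage (placeholder OU; replace with your own search base).
$result = Get-OuGroupMemberReport -SearchBase 'OU=VPN Groups,DC=example,DC=org' -CsvPath '.\vpn-access.csv'
$result.Report | Format-Table Name, Enabled, GrantedVia -AutoSize
"Groups = {0}; Users with access = {1}; of which disabled = {2}" -f $result.Groups, $result.Users, $result.DisabledUsers
```

The `GrantedVia` column is what makes the CSV useful for the clean-up the poster is hinting at: once you can see which of the legacy groups actually grant each person access, collapsing them into one properly named group becomes a mechanical exercise, and the `DisabledUsers` count is the quick win to hand the reviewer before that happens.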