I am trying to find all owners and secondary owners of security groups within my environment
Could someone please advise me on how I could amend my option 1 command to include secondary owners?
Or any other command that I can use with ADSI searcher to get this information.
Thanks,
Ryan
I have tried tackling this two ways:
Find the specific user I am after and report back on any groups this person is an owner of, using the below:
# Distinguished Name of the user
$DN = "CN=***"
# Retrieve the groups managed by this user
$groups = ([ADSISearcher]"(&(objectCategory=group)(ManagedBy=$DN))").FindAll()
foreach ($group in $groups)
{
    # -Append so each group's name is added rather than overwriting the file on every pass
    $group.Properties.samaccountname | Out-File C:\users\... -Append
}
this works to an extent but does not return any groups that the user is a secondary owner of.
The second way I am doing this is also looking at the specific groups that I know have multiple owners and trying to report back the necessary property for the secondary owner, but I am having no luck.
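An added example (not from the post above) that looks in the other place AD records group owners: ManagedBy only ever holds one principal, and additional owners are normally represented by an ACE that lets them write the group's member attribute (the "Manager can update membership list" checkbox creates exactly that ACE). It assumes that is what "secondary owner" means in this environment, that $account is a placeholder for the user's DOMAIN\name, and it only matches ACEs granted directly to that account, not ones inherited through a group the user belongs to.

```powershell
# Added example: enumerate groups whose ACL lets $account write the member attribute.
$account = "DOMAIN\jdoe"   # placeholder: DOMAIN\sAMAccountName of the user being checked

# Schema GUID of the 'member' attribute (used as ObjectType on "write members" ACEs)
$memberGuid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"
$allProps   = [Guid]::Empty   # ObjectType of an ACE that covers every property
$writeProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$searcher = [ADSISearcher]"(objectCategory=group)"
$searcher.PageSize = 1000     # page the search so large domains are not cut off at 1000 results
$null = $searcher.PropertiesToLoad.Add("samaccountname")

foreach ($result in $searcher.FindAll()) {
    $entry = $result.GetDirectoryEntry()
    # Explicit and inherited ACEs, with identities resolved to DOMAIN\name form
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    $writeMembers = $rules | Where-Object {
        $_.AccessControlType -eq "Allow" -and
        $_.IdentityReference.Value -eq $account -and
        $_.ActiveDirectoryRights.HasFlag($writeProp) -and   # GenericAll/GenericWrite include this bit
        ($_.ObjectType -eq $memberGuid -or $_.ObjectType -eq $allProps)
    }

    if ($writeMembers) {
        [PSCustomObject]@{
            Group     = $result.Properties["samaccountname"][0]
            Principal = $account
            Rights    = ($writeMembers.ActiveDirectoryRights | Select-Object -Unique) -join ", "
        }
    }
}
```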
Related
I am trying to get a table of permissions out of some groups that I have in AD. I'm pretty new to PowerShell and I'm not sure what I want is even possible.
So far I've been able to select the groups that I want by using
Get-ADUser -Identity groupname
And I can see the info pulled up in the response from PowerShell, but from there I've hit a huge dead-end with piping the result into anything that would let me see the permissions for that group.
I'm assuming you want the permissions to the group itself (for example, who is allowed to modify the group).
You can use Get-Acl (ACL stands for Access-Control List), which is used for getting permissions from files as well. To direct it to AD, you use the AD: drive, along with the distinguished name of the AD object. For example:
(Get-Acl "AD:CN=SomeGroup,OU=Groups,DC=example,DC=com").Access
If you don't know the distinguished name, you can get that from your call to Get-ADGroup (I assume you meant to use Get-ADGroup, not Get-ADUser like you put in your question).
$group = Get-ADGroup groupname
(Get-Acl "AD:$($group.distinguishedName)").Access
More reading here: Understanding Get-ACL and AD Drive Output
I am creating a script that should check the file server for shares, and should list user's that have any kind of access control type (allow / deny) and their rights on the share. I've successfully managed to create collection of objects that have data that I want, but I have issues formatting them in the way I want.
Current situation, what the collection looks like:
Path    Identity    Access    Rights
Share1  User1       Allow     Full Control
Share1  Group1      Allow     Full Control
Share2  Group1      Deny      Full Control
Share2  Group2      Allow     Modify
I am fine with having shares appear in multiple objects, with one identity (user or a group) per object, but I would like to expand groups with their members when the $_.Identity in the pipe is a group. But I have issues getting there.
My code example is practically non-existent; I just tried to check every object in the pipe to see if its Identity can be used with Get-ADGroupMember, but that's it:
$Collection | ForEach-Object { if (Get-ADGroupMember $_.Identity) {Get-ADGroupMember $_.Identity }} ...
Desired solution should be like this:
Path    Identity       Access    Rights
Share1  User1          Allow     Full Control
Share1  User1,User2    Allow     Full Control
Share2  User1,User2    Deny      Full Control
Share2  User2,User3    Allow     Modify
In this test example, Group1 consists of User1 and User2, while Group2 consists of User2 and User3.
Any help is appreciated.
I think what I would do is to generate the value on the pipeline like this:
$Collection | Select Path,@{l='Identity';e={ $members = Get-ADGroupMember $_.Identity -ErrorAction SilentlyContinue; if ($members) {$members.SamAccountName -join ", "}else{$_.Identity}}},Access,Rights
I was working on a very similar script. Rather than bore you with my code, here's where I found assistance in sorting out the nested groups.
Sort Nested Groups
Basically, you create a function to get all the group members and then test each item. If it is a group, call the same function and pass it the newly found group name.
Regarding:
$_.identity
I used
$_.objectclass
That will tell you if the get-adgroupmember result is a user or group. It will error on users, but I just suppress the errors at runtime with
$erroractionpreference = "silentlycontinue"
That's probably not best practice, but it works for me.
I tested this with circular nesting and it does not get stuck in an infinite loop. It actually handled it perfectly by returning the individual results only once. Probably has to do with safeguards built into Windows for circular nesting situations.
Some of the info here might be helpful as well:
Circular Nesting Consequences - ServerFault
We're converting all SP permissions into ActiveDirectory groups (one per uninherited object, per role level). I wanted the group names to reflect where the permissions were/are, so I assigned each group with a name that matched the site structure:
sitecollection|site|list|Full Control
Active Directory had issues with the pipes and the potential length, so I reconfigured everything to use the description of the Active Directory object instead. The actual CN of the group is -someNumber- (-1-, -2-, etc.).
I ran across an interesting phenomenon while adding the groups into SharePoint under the same role level; I had to start the groups at 1000, else EnsureUser couldn't find the group no matter what.
$web.EnsureUser('c:0-.f|myprovider|-1-') says it doesn't exist, whereas $web.EnsureUser('c:0-.f|myprovider|-1000-') does just fine.
Is there some sort of limitation to the number of characters a SAM Account Name / Principal Name must be when being searched by SharePoint?
You need to include the Domain name in EnsureUser - Domain\Username
Or you can just add i:0#.f|myprovider| to the username so it looks like i:0#.f|myprovider|myuser and pass the result into EnsureUser. In my case "myprovider" is the name of my custom membership provider.
I have a requirement to create a report/text file that displays the users that aren't in specific AD groups. I know displaying users that are in specific AD groups is easy enough with PowerShell.
Surely it's possible to display the users that AREN'T in specific AD groups with PowerShell also?
One approach:
Export all users
Export users that are members of that specific group
Do excel work to find out users that aren't members
However, if the task is to perform it with PowerShell only, you have to do your research on how to perform those steps without Excel.
Export a list of all users' 'cn' in your Active Directory to a text file:
Get-ADUser -Filter * | Select-Object sAMAccountName > "c:\temp\directory list"
Depending on group sizes, .NET Framework has issues with groups with a large number of members (1500+); use 'dsget' to get a list of members in the group and store these into a variable:
$groupName = dsget group "groupname" -members
Compose a foreach statement.
if you need the actual code syntax -
http://stackoverflow.com/questions/22145586/powershell-compare-csv-to-ad
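An added example, not code from the thread above, that does the comparison on the domain controller instead of in Excel or a client-side foreach. It assumes the ActiveDirectory module and uses $groupName as a placeholder; the LDAP_MATCHING_RULE_IN_CHAIN filter evaluates nested membership server-side, so the client-side 1500-member limit mentioned above never comes into play. Primary group membership (usually Domain Users) is not stored in memberOf, so it is not considered.

```powershell
# Added example: enabled users that are not (directly or transitively) members of a group.
$groupName = "Finance-Users"   # placeholder group sAMAccountName
$groupDN   = (Get-ADGroup -Identity $groupName).DistinguishedName

# Escape characters that are special inside an LDAP filter (RFC 4515); backslash first
$escapedDN = $groupDN -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

# objectCategory/objectClass pick real user accounts,
# 1.2.840.113556.1.4.803 (bit AND) with 2 excludes disabled accounts,
# 1.2.840.113556.1.4.1941 (in chain) follows nested group membership.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
          "(!(memberOf:1.2.840.113556.1.4.1941:=$escapedDN)))"

Get-ADUser -LDAPFilter $filter -Properties Department |
    Select-Object SamAccountName, Name, Department |
    Sort-Object SamAccountName |
    Export-Csv -Path "C:\temp\not-in-$groupName.csv" -NoTypeInformation
```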
I am using the Get-AdGroupMember -recursive powershell command to list users in groups, and users in nested groups.
Can I output the name of the nested group as well in the output results?
I.e. User A is in Group A, User B is in Group B, User C is in Group C.
Group C is in Group B, and Group B is in Group A. User C correctly appears as having group membership in Group A, but it's not obvious initially without drilling down through the groups.
In my 'real world' case there are ~seven groups at the top level, then five/six at the next level, so I have to look in each one to find the user. Some of the results coming back are three nested groups down, and it takes a bit of digging to work out what group the user is actually in.
Thanks
You will find at the end of this answer a way to find all the groups a user belongs to (in a recursive way) using a .NET 3.5 assembly in C#; here is a conversion to PowerShell. This is not an exact answer to your question, but this way in your 'real world' it should help.
# Load the .NET 3.5 assembly
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
# Get an enum value
$ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
# Retrieve the user as a user principal
$username = "jblanc"
$up = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($ct,$username)
# Get all the authorization groups a user belongs to
$up.GetAuthorizationGroups()
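An added example, not code from any of the posts above, that serves both the nested-group question (which chain of groups gives a user membership in Group A) and the earlier share-permission question (replacing a group identity in the collection with its users). It assumes the ActiveDirectory module, 'GroupA' as a placeholder, and a $Collection shaped like the Path/Identity/Access/Rights table above; Expand-GroupMembers walks the nesting itself, records the path of groups each user was reached through, and keeps a visited set so circular nesting cannot recurse forever.

```powershell
# Added example: recursive group expansion that remembers the nesting path.
function Expand-GroupMembers {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string] $Path,   # chain of groups walked so far, e.g. "GroupA > GroupB"
        [System.Collections.Generic.HashSet[string]] $Visited = [System.Collections.Generic.HashSet[string]]::new()
    )
    if (-not $Path) { $Path = $Identity }
    # Add returns $false when the group was already seen: that is a cycle, so stop here
    if (-not $Visited.Add($Identity)) { return }

    foreach ($m in Get-ADGroupMember -Identity $Identity) {
        if ($m.objectClass -eq 'group') {
            Expand-GroupMembers -Identity $m.SamAccountName -Path "$Path > $($m.SamAccountName)" -Visited $Visited
        } else {
            [PSCustomObject]@{ User = $m.SamAccountName; Via = $Path }
        }
    }
}

# Nested-group question: every user under GroupA together with the group chain that admits them
Expand-GroupMembers -Identity 'GroupA' | Sort-Object User | Format-Table User, Via

# Share-permission question: expand group identities, leave user identities untouched
$Collection | ForEach-Object {
    $name = ($_.Identity -split '\\')[-1]   # drop a DOMAIN\ prefix if the ACL supplied one
    $isGroup = Get-ADObject -Filter "sAMAccountName -eq '$name' -and objectClass -eq 'group'"
    $identity = if ($isGroup) {
        ((Expand-GroupMembers -Identity $name).User | Sort-Object -Unique) -join ', '
    } else { $_.Identity }
    [PSCustomObject]@{ Path = $_.Path; Identity = $identity; Access = $_.Access; Rights = $_.Rights }
}
```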