I am looking for a clean and simple solution (One-Liner?) to add the well-known domain-group Domain Users to a local group like "Direct Access Users".
The command/script will be executed on a Win10-client.
No additional module like "RSAT-AD-PowerShell" should be used for that.
The code should work regardless of OS-language.
I used the following code to add the "Authenticated Users" (= Well-known-SID S-1-5-11) to the local group:
Add-LocalGroupMember -Group "Direct Access Users" -Member S-1-5-11 -Verbose
This works fine because the SID is static, but the SID for "Domain Users" looks like this: S-1-5-21Domain-513, and I want to get the domain SID dynamically too.
Thank you
I don't see any short way of doing this -- as in, something that will fit in one line "naturally" (you can always just smoosh it together if you really want to, of course). The difficult part seems to be getting the domain SID; once you have that, constructing the well-known SID of the Domain Users group is simple enough. The below uses the computer account to do that; the code could be abbreviated if you were allowed to assume a domain user is running this.
# Build DOMAIN\HOSTNAME$ for the computer account, which exists whoever runs the script
$qualifiedComputerName = [DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name + "\" + [Environment]::MachineName + "$"
$computerAccount = [Security.Principal.NTAccount]::new($qualifiedComputerName)
# Translating the account to a SID and taking AccountDomainSid strips the RID, leaving S-1-5-21-...
$domainSid = $computerAccount.Translate([Security.Principal.SecurityIdentifier]).AccountDomainSid
# Domain Users is the well-known RID 513 relative to that domain SID
$domainUsersSid = [Security.Principal.SecurityIdentifier]::new("AccountDomainUsersSid", $domainSid).Value
Add-LocalGroupMember -Group "Direct Access Users" -Member $domainUsersSid -Verbose
Grab the domain SID from the dNC root:
$RootDSE = [adsi]"LDAP://RootDSE"
$dNC = [adsi]"LDAP://$($RootDSE.defaultNamingContext)"
# objectSID of the domain naming context is the domain SID itself, stored as a byte array
$domainSID = [System.Security.Principal.SecurityIdentifier]::new($dNC.Properties['objectSID'].Value, 0)
$domainUsers = [System.Security.Principal.SecurityIdentifier]::new('AccountDomainUsersSid', $domainSID)
Add-LocalGroupMember -Group "Direct Access Users" -Member $domainUsers.Value
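The two answers above both derive the domain SID and then build the Domain Users SID from it. The function below is an added example (not code from either answer) that generalises the same approach: it derives the domain SID from the computer account, builds any domain-relative well-known SID from the WellKnownSidType enumeration, and adds it to the local group only if the SID is not already a member, so the script can be run repeatedly. The function name, the -WhatIf usage and the group names are assumptions; it assumes a domain-joined client.

```powershell
# Added example, not from the original answers. Builds domain-relative well-known
# SIDs from the computer's own domain SID and adds them to a local group only if
# they are not already members. Assumes the client is domain-joined.
function Add-DomainWellKnownSidToLocalGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$LocalGroup,
        # Any domain-relative member of System.Security.Principal.WellKnownSidType,
        # e.g. AccountDomainUsersSid (RID 513) or AccountDomainAdminsSid (RID 512)
        [System.Security.Principal.WellKnownSidType[]]$WellKnownSidType = 'AccountDomainUsersSid'
    )

    # Derive the domain SID from the computer account (DOMAIN\HOSTNAME$); this works
    # regardless of which user runs the script and needs no RSAT module.
    $domainName = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
    $computerAccount = [System.Security.Principal.NTAccount]::new($domainName, ($env:COMPUTERNAME + '$'))
    $domainSid = $computerAccount.Translate([System.Security.Principal.SecurityIdentifier]).AccountDomainSid

    # Compare on SID strings, so the check is independent of OS language and name resolution.
    $existing = @(Get-LocalGroupMember -Group $LocalGroup -ErrorAction Stop | ForEach-Object { $_.SID.Value })

    foreach ($type in $WellKnownSidType) {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($type, $domainSid)
        if ($existing -contains $sid.Value) {
            Write-Verbose "$($sid.Value) ($type) is already a member of '$LocalGroup'"
            continue
        }
        if ($PSCmdlet.ShouldProcess($LocalGroup, "add $type ($($sid.Value))")) {
            Add-LocalGroupMember -Group $LocalGroup -Member $sid.Value
        }
    }
}

# Usage: add Domain Users (RID 513) to "Direct Access Users"; -WhatIf previews the change first.
Add-DomainWellKnownSidToLocalGroup -LocalGroup 'Direct Access Users' -WellKnownSidType AccountDomainUsersSid -Verbose -WhatIf
```

Membership is checked by SID rather than by name so that a localised display name (e.g. "Domänen-Benutzer") or an unresolvable entry does not produce a false "not a member" result; Get-LocalGroupMember itself can still fail on a group that contains orphaned SIDs, which is why the error is surfaced with -ErrorAction Stop rather than silently skipped.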
I'm trying to add an AD group to another AD group but in a different forest.
There's a trust between these 2 domains.
$DomainA = "<domain>"
$DomainB = "<different domain>"
Add-ADGroupMember -Identity "<ad group name>" -Server $DomainA -Members "<ad group name>" -Server $DomainB
What is the best way to cross add the groups?
Error I receive:
Add-ADGroupMember : Cannot bind parameter because parameter 'Server' is specified more than once. To provide multiple values to parameters that can accept multiple values, use the array syntax.
Use the -Server parameter only once, for either DomainA or DomainB.
Make sure the group names have their respective domains prefixed, i.e. DomainA\GroupName.
As an example, GroupB in DomainB would become a member of GroupA in DomainA:
Add-ADGroupMember -Identity "DomainA\GroupA" -Members "DomainB\GroupB" -Server "DomainA"
I'm trying to write a PowerShell command that checks to see if a user is part of an AD group; however, I don't want to use the RSAT modules, as this may end up being a logon script (and we don't want users having those modules installed). This did lead me to this question, Search AD with PowerShell without using AD module (RSAT), however, I can't figure out how to filter the results to check if the value is in there.
For example, the below does return a list of users, in LDAP form, for the group IT, but how do I then check a specific user (with their Username, not display name) is in there?
([System.DirectoryServices.DirectorySearcher]"(&(objectCategory=group)(name=IT))").FindOne().Properties["Member"]
FindOne(), despite what its name says, also returns multiple rows; in fact FindAll() and FindOne() both return the same results.
Should I be using a different command to search AD? Specifically I want to either check an AD group contains a user (the current user), or the inverse, check a user (the current user) is a member of a particular AD group.
You can do it that way if you really need to (and I can help you do it that way if you really need) but if you are going to be running this script under the credentials of the user you are interested in, then you can get all the groups from the user's login token. That already contains a recursive list of all security groups that the user is in. (It won't include groups where the 'Group type' is "Distribution")
The login token contains a list of SIDs, so the absolute fastest way is to compare using the SID of the group you are interested in, since it won't have to make any network request at all. That's especially convenient for laptop users who may not be online when they log in - your script would still work.
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
# .Groups holds the token's group SIDs; "First" stops at the first match
if ($currentIdentity.Groups.Where({$_.Value -eq "S-1-1-0"}, "First")) { # Is in "Everyone"?
    "Yes"
} else {
    "No"
}
To find the SID of a group, use this:
(Get-ADGroup "GroupName").SID.Value
Then copy/paste that value into the script.
If you would prefer to use the name of the group in the script, then you can convert it to a WindowsPrincipal and use IsInRole. However, this will need to make a network request to find the group by its name.
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentPrincipal = New-Object System.Security.Principal.WindowsPrincipal($currentIdentity)
# IsInRole with a name resolves the name to a SID first, which may need a network lookup
if ($currentPrincipal.IsInRole("Everyone")) {
    "Yes"
} else {
    "No"
}
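The answer's Get-ADGroup lookup for the SID needs the RSAT module the question wants to avoid. The function below is an added example (not the answer's code) that combines both halves of the answer without RSAT: it accepts either a SID string or an account name, translates a name to a SID with one NTAccount lookup, and then checks the current user's token groups by SID, reporting an unresolvable name as "not a member" instead of throwing. The function name, the group 'CONTOSO\IT' and the output layout are assumptions.

```powershell
# Added example, not from the original answer. Resolves a group name to its SID
# without RSAT and checks the current user's token groups by SID.
function Test-TokenGroupMembership {
    param(
        # Either a SID string (S-1-...) or an account name such as 'CONTOSO\IT';
        # SIDs are compared locally, names need one lookup to translate them.
        [Parameter(Mandatory)][string[]]$Group
    )
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Token groups are already SIDs; build a lookup set once.
    $tokenSids = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]@($identity.Groups | ForEach-Object { $_.Value }))

    foreach ($g in $Group) {
        if ($g -match '^S-1-\d+(-\d+)+$') {
            $sid = $g
        } else {
            # One network round-trip; fails if the name cannot be resolved (e.g. offline).
            try {
                $sid = [System.Security.Principal.NTAccount]::new($g).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch [System.Security.Principal.IdentityNotMappedException] {
                Write-Warning "Could not resolve '$g' to a SID; treating it as not a member"
                [pscustomobject]@{ Group = $g; Sid = $null; IsMember = $false }
                continue
            }
        }
        [pscustomobject]@{ Group = $g; Sid = $sid; IsMember = $tokenSids.Contains($sid) }
    }
}

# Usage: 'S-1-1-0' (Everyone) is in every interactive token; 'CONTOSO\IT' is a constructed example name.
Test-TokenGroupMembership -Group 'S-1-1-0', 'CONTOSO\IT'
```

Because the check reads the token rather than querying AD, it reflects the groups the user had when the token was created (at logon), and it includes nested security groups but not distribution groups, exactly as the answer describes.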
I am currently trying to create an Active Directory contact object in a specific OU in our Active Directory. I am not looking at using Exchange PowerShell. I would like to do this via normal PowerShell directly in to AD.
I have looked online and found that I can create a contact using the below command, this creates it in a specific OU.
New-ADObject -Name SaraDavisSGTContact3 -Type contact -Path "OU=SGTestOU,OU=Contacts,DC=example,DC=Example,DC=local"
How would I also get it to add other attributes such as mail (email address), first name, surname, etc.? I tried -Mail example.com, etc., but this didn't work.
Please bear in mind I will eventually try and get this to read from a CSV to do in bulk, so the simpler the code the better.
Use the -OtherAttributes parameter to add additional attributes.
See the New-ADObject MSDN documentation.
# -OtherAttributes takes a hashtable of LDAP attribute name -> value
New-ADObject -Name SaraDavisSGTContact3 -Type Contact -Path "OU=SGTestOU,OU=Contacts,DC=example,DC=Example,DC=local" -OtherAttributes @{
    'mail'="sara@gmail.com";
    'proxyAddresses'="sara@gmail.com";
    'givenName'="Sara";
    'sn'="Davis";
    'displayname'="Sara Davis"
}
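The asker also wants to drive this from a CSV. The script below is an added example (not the answer's code) that reads rows from a CSV, builds the -OtherAttributes hashtable per row while skipping blank columns (so an empty cell is not written as an empty-string attribute), and creates each contact with New-ADObject. The CSV path, its columns, the sample rows and the -WhatIf usage are assumptions; the sample CSV is constructed inline so the example is self-contained.

```powershell
# Added example, not from the original answer. Bulk-creates AD contacts from a CSV
# with New-ADObject -OtherAttributes. Path, OU and CSV layout are assumptions.
$csvPath = 'C:\temp\contacts.csv'
$targetOu = 'OU=SGTestOU,OU=Contacts,DC=example,DC=Example,DC=local'

# Constructed sample data so the example runs end to end.
@'
Name,givenName,sn,mail,displayName
SaraDavisSGTContact3,Sara,Davis,sara@example.com,Sara Davis
JohnSmithContact,John,Smith,,John Smith
'@ | Set-Content -Path $csvPath

# Map CSV column -> LDAP attribute name (identical here, but the map lets columns be renamed).
$attributeMap = @{ givenName = 'givenName'; sn = 'sn'; mail = 'mail'; displayName = 'displayName' }

foreach ($row in Import-Csv -Path $csvPath) {
    $other = @{}
    foreach ($column in $attributeMap.Keys) {
        $value = $row.$column
        # Skip blank cells rather than writing empty strings into the directory.
        if (-not [string]::IsNullOrWhiteSpace($value)) { $other[$attributeMap[$column]] = $value.Trim() }
    }
    # Mail-enabled contacts normally carry a primary SMTP proxy address as well.
    if ($other.ContainsKey('mail')) { $other['proxyAddresses'] = "SMTP:$($other['mail'])" }

    $params = @{ Name = $row.Name; Type = 'contact'; Path = $targetOu }
    if ($other.Count -gt 0) { $params['OtherAttributes'] = $other }

    try {
        New-ADObject @params -ErrorAction Stop -WhatIf   # remove -WhatIf to actually create the objects
    } catch {
        Write-Warning "Failed to create contact '$($row.Name)': $($_.Exception.Message)"
    }
}
```

Splatting the parameters keeps the call identical for rows with and without optional attributes, and the try/catch means one bad row (duplicate name, attribute the schema rejects) is reported and the rest of the file still processes.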
What I would like to do is get a list of all users in exchange and loop through them giving each user full access ("owner") right to every other calendar. So basically I want everyone at the company to have "owner" permission to everyone else.
Here is what I have so far. It works fine, but I would like this to be automated, meaning "username1" and "username2" would be replaced with active users from my Exchange server.
Add-MailboxFolderPermission -Identity "username1:\calendar" -User "username2" -AccessRights Owner
From my comment on the question.
You have lots of options but you can use
# For every mailbox returned, grant that mailbox's user the role on username1's calendar
Get-Mailbox | ForEach-Object { Add-MailboxFolderPermission -Identity "username1:\calendar" -User $_.SamAccountName -AccessRights Owner }
This will grab every mailbox, since no filter is applied, and add the MailboxFolderPermission to those mailboxes.
That should work. Be careful as you are making irreversible changes to everyone.
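The one-liner above grants every user access to a single calendar; the asker wants every user on every other user's calendar, which needs a nested loop. The function below is an added example (not the answer's code) that does that: it enumerates user mailboxes once, skips a user's own calendar, updates an entry that already exists with Set-MailboxFolderPermission instead of letting Add-MailboxFolderPermission fail on it, and supports -WhatIf so the full set of grants can be previewed before any change is made. The role is a parameter, so a narrower one than Owner (for example Reviewer) can be chosen if full control is not actually required. The function name and the use of the English folder name "Calendar" are assumptions.

```powershell
# Added example, not from the original answer. Grants every user mailbox a role on
# every other user's Calendar folder, idempotently, with -WhatIf support.
function Grant-CrossCalendarAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$AccessRights = 'Owner',
        # Restrict to user mailboxes; shared and room mailboxes are usually handled separately.
        [string]$RecipientTypeDetails = 'UserMailbox'
    )

    $mailboxes = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails $RecipientTypeDetails)
    $grants = $mailboxes.Count * ($mailboxes.Count - 1)
    Write-Verbose "Processing $($mailboxes.Count) mailboxes ($grants calendar grants)"

    foreach ($owner in $mailboxes) {
        # Assumes the default English folder name; localised mailboxes use a different name.
        $folder = "$($owner.PrimarySmtpAddress):\Calendar"

        # Existing entries keyed by the user string Exchange reports (the display name).
        $current = @{}
        Get-MailboxFolderPermission -Identity $folder | ForEach-Object {
            $current[[string]$_.User] = ($_.AccessRights -join ',')
        }

        foreach ($grantee in $mailboxes) {
            if ($grantee.Identity -eq $owner.Identity) { continue }   # no grant needed on one's own calendar
            $granteeAddress = $grantee.PrimarySmtpAddress.ToString()
            if (-not $PSCmdlet.ShouldProcess($folder, "grant $AccessRights to $granteeAddress")) { continue }

            if ($current.ContainsKey($grantee.DisplayName)) {
                # Already present: only touch it if the role differs.
                if ($current[$grantee.DisplayName] -ne $AccessRights) {
                    Set-MailboxFolderPermission -Identity $folder -User $granteeAddress -AccessRights $AccessRights
                }
            } else {
                Add-MailboxFolderPermission -Identity $folder -User $granteeAddress -AccessRights $AccessRights
            }
        }
    }
}

# Usage: preview the full grant list first, then run again without -WhatIf.
Grant-CrossCalendarAccess -AccessRights Owner -Verbose -WhatIf
```

Reading the existing permissions once per calendar rather than once per pair keeps the number of Exchange calls at roughly one per mailbox plus one per grant, which matters because the grant count grows with the square of the mailbox count.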
How can I create a $Null username and $Null password PScredentials object?
According to this article, the null PSCredential causes PowerShell to use Windows Authentication, which seems a much easier way to run scripts in a domain setting. Unfortunately I can't seem to figure out where/how he's setting it to null:
http://blogs.msdn.com/b/dvespa/archive/2010/02/22/how-to-use-windows-authentication-with-the-pscredential-class.aspx
Other resources:
This answer specified $Null for the password, but won't allow a $Null username.
Create PSCredential without a password
Thank you.
Why do you need a $null PSCredential object?
According to the documentation
-Credential <PSCredential>
Specifies a user account that has permission to perform this action. The default is the current user.
It means that if you just don't use this parameter you will use Windows Authentication.
Edited:
So in PowerShell if you want a null credential you just have to specify it:
test :
Get-WmiObject Win32_Process -Credential
Get-WmiObject Win32_Process -Credential $null
and
Get-WmiObject Win32_Process -Credential (Get-Credential)
The constant [PSCredential]::Empty (aka [System.Management.Automation.PSCredential]::Empty) gives you a valid object of type PSCredential but with both username and password set to null.
However, that is not the current user's credentials; rather it means "no credentials". There may be logic in the function you're calling for this to be a moot point (i.e. where the function's the logic says to use the current security context when $credentials -eq [PSCredential]::Empty), but in some contexts this same value may be used for other purposes (e.g. to say you want to use anonymous authentication).
You cannot get the current user's credentials without prompting for them or explicitly assigning them in some other way; otherwise this would present a security risk.
# Create a credential object for demo purposes.
# Imagine that instead of this line we were saying `$credential = Get-CurrentUserCredential`
# (you have to imagine this, since no such function exists).
$credential = [PSCredential]::new('myUsername', ('superSecretPassword' | ConvertTo-SecureString -AsPlainText -Force))
# We can now see this user's password;
# someone malicious could have this script run under the current user's
# profile & have this information reported back to them.
$credential.GetNetworkCredential().Password
If you want to run something as the current user, you already are (i.e. hence them being the current user); so you don't need to get their credentials.
That said, there are cases where it would be nice to have their credentials; e.g. if accessing a resource which doesn't use the current user context / needs explicit credentials. In such cases you have to either prompt for credentials (Get-Credential $env:username), or read them from some resource (see https://stackoverflow.com/a/6240319/361842).
There's a really thorough explanation of credentials here: http://duffney.io/AddCredentialsToPowerShellFunctions; definitely worth a read.
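The answer describes the idiom where a function's -Credential parameter defaults to [PSCredential]::Empty and the function uses the caller's own security context unless explicit credentials are supplied. The function below is an added example (not the answer's code) of that idiom: the Credential attribute lets a caller pass just a user name and be prompted for the password, and the comparison against [PSCredential]::Empty decides whether -Credential is passed down to Get-WmiObject at all. Get-RemoteProcessList, the computer name and the service account name are assumptions.

```powershell
# Added example, not from the original answer. A function whose -Credential
# defaults to [PSCredential]::Empty and uses the current security context
# unless explicit credentials are passed. Names are assumptions.
function Get-RemoteProcessList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # The Credential attribute converts a user-name string into a PSCredential by prompting.
        [System.Management.Automation.Credential()]
        [PSCredential]$Credential = [PSCredential]::Empty
    )

    $params = @{ Class = 'Win32_Process'; ComputerName = $ComputerName; ErrorAction = 'Stop' }

    # Empty means "no explicit credentials": leave -Credential out entirely so the
    # call authenticates with the current token (Windows authentication).
    if ($Credential -ne [PSCredential]::Empty) {
        $params['Credential'] = $Credential
    }

    Get-WmiObject @params | Select-Object ProcessId, Name
}

# Usage:
Get-RemoteProcessList -ComputerName 'server01'                                   # current user's context
Get-RemoteProcessList -ComputerName 'server01' -Credential 'CONTOSO\svc_ops'      # prompts for the password
```

Passing [PSCredential]::Empty straight through to a cmdlet is not equivalent to omitting the parameter: as the answer notes, some cmdlets treat it as "no credentials" or even anonymous access, so the function decides at its own boundary and never forwards the empty object.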