I'm trying to create a multi-purpose report to query Share permissions and group members who have access.
All the data is shown in a table on screen, or outputted to a file, but I'm having trouble with ConvertTo-HTML/CSV. Apparently due to not using original properties. Everything I try fails... Anyone able to figure out what can be the issue or have a solution? You can see the screenshot here.
Function Get-Membr {
$Groups = Get-Acl $UNC |
Select-Object -ExpandProperty Access |
Where-Object { (-not $_.IsInherited) -and ('NT AUTHORITY\SYSTEM','BUILTIN\Administrators','CREATOR OWNER','BUILTIN\Users' -notcontains $_.IdentityReference) } |
Select-Object -Exp IdentityReference
foreach ($Group in $Groups)
{ $group | ft Value,Name,Department #| ConvertTo-HTML
$group.Translate('System.Security.Principal.SecurityIdentifier').Value |
Get-ADGroupMember -ErrorAction SilentlyContinue |
Get-ADObject -Properties name, Department |
select name, Department |
ft -HideTableHeaders Value,Name,Department #| ConvertTo-HTML #| out-file -append $tmp
}
}
EDIT / UPDATE:
I was able to solve the issue myself by:
Function Get-Membr {
$Groups = Get-Acl $UNC |
Select-Object -ExpandProperty Access |
Where-Object { (-not $_.IsInherited) -and ('NT AUTHORITY\SYSTEM','BUILTIN\Administrators','CREATOR OWNER','BUILTIN\Users' -notcontains $_.IdentityReference) } |
Select-Object -Exp IdentityReference
$global:Results2 = foreach ($Group in $Groups){
$group.Translate('System.Security.Principal.SecurityIdentifier').Value |
Get-ADGroupMember -ErrorAction SilentlyContinue | Select-Object -Property @{l="GroupName";e={$Group}}, Name, @{name="Description";expression={(Get-ADUser -Identity $_.SamAccountName -Properties Description).Description}},@{name="Enabled";expression={((Get-ADUser $_.SamAccountName).Enabled)}},@{name="- - Action - -";e={(get-aduser -identity $_.Manager -properties DisplayName).DisplayName}}
}
}
You can see the End result here
Related
I have a list of users (their CN), and I want a list of the groups they are a member of.
I already have a code which almost does the trick, but it shows as follows:
User1 - group1;group2
User2 - group1;group2;group3 etc...
Also, groups are shown as distinguished name (with container etc), so very long. I only want the name.
I want to show it as follows:
User1 - group1
User1 - group2
User2 - group1, etc
The code that shows the groups the users are members of, but not in the visual way I like, is below:
Import-Csv -Path .\Input_CN.csv |
ForEach-Object {
$User = Get-ADUser -filter "CN -eq '$($_.CN)'" -properties memberof
[PSCustomObject]@{
SourceCN = $_.CN
MemberOf = $User.MemberOf -join ";"
}
} | Export-Csv -Path .\Output.csv -Delimiter ";" -NoTypeInformation
.\Output.csv
I have some other code that list the groups how I want, but I am unable to list it per user. And unable to combine it with the above code.
get-aduser -filter {cn -eq "Testuser"} -properties memberof |
Select -ExpandProperty memberof |
ForEach-Object{Get-ADGroup $_} |
Select -ExpandProperty Name
Thanks in advance :)
You could combine both code pieces like this:
Import-Csv -Path .\Input_CN.csv |
ForEach-Object {
$user = Get-ADUser -Filter "CN -eq '$($_.CN)'" -Properties MemberOf, CN -ErrorAction SilentlyContinue
foreach($group in $user.MemberOf) {
[PSCustomObject]@{
SourceCN = $user.CN
MemberOf = (Get-ADGroup -Identity $group).Name
}
}
} | Export-Csv -Path .\Output.csv -Delimiter ";" -NoTypeInformation
Edit
Although I have never seen an AD user to have no group membership at all (should have at least the default Domain Users in the MemberOf property), you commented that you would like to have a test for that as well.
Import-Csv -Path .\Input_CN.csv |
ForEach-Object {
$user = Get-ADUser -Filter "CN -eq '$($_.CN)'" -Properties MemberOf, CN -ErrorAction SilentlyContinue
if (!$user) {
Write-Warning "No user found with CN '$($_.CN)'"
# skip this one and resume with the next CN in the list
# ('return' ends only this iteration of ForEach-Object; 'continue' here would abort the pipeline)
return
}
$groups = $user.MemberOf
if (!$groups -or $groups.Count -eq 0) {
[PSCustomObject]@{
SourceCN = $user.CN
MemberOf = 'No Groups'
}
}
else {
foreach($group in $groups) {
[PSCustomObject]@{
SourceCN = $user.CN
MemberOf = (Get-ADGroup -Identity $group).Name
}
}
}
} | Export-Csv -Path .\Output.csv -Delimiter ";" -NoTypeInformation
This is a bit clunky, but you can use nested loops:
Import-Csv -Path .\Input_CN.csv | ForEach-Object {
$user = Get-ADUser -filter "CN -eq '$($_.CN)'" -properties cn, memberof
$user | ForEach-Object {
$_.MemberOf |
ForEach-Object {
[PSCustomObject]@{
SourceCN = $user.CN
# -split takes a regex, so this behaves the same in Windows PowerShell and PowerShell 7
MemberOf = ($_ -split '[=,]')[1]
}
}
}
} | Where-Object {$null -ne $_.MemberOf} |
Export-Csv -Path .\Output.csv -Delimiter ";" -NoTypeInformation
UPDATE: Updated to show only the 'CN' part of the group name and to filter any users who are not a member of any group.
All in one line could be
Get-ADUser -filter {Enabled -eq $True} -Properties Name, Created | Select-Object Name, Created, @{Name="Groups";Expression={Get-ADPrincipalGroupMembership -Identity $_.SamAccountName | Where-Object {$_.GroupCategory -Eq 'Security'} | Join-String -Property Name -Separator ", "}}
I'm trying to get the result from this part of my PowerShell script into Clixml.
I'm just a beginner in PowerShell, so I have problems using arrays.
I'm unable to get result of this script into file.
$groupname = "Domain Admins"
$users = Get-ADGroupMember -Identity $groupname | ? {$_.objectclass -eq "user"}
foreach ($activeusers in $users) { Get-ADUser -Identity $activeusers | ? {$_.enabled -eq $true} |
select-object SamAccountName | Sort-Object -Descending | select-object SamAccountName }
Here is code used for export to Clixml
Export-Clixml -Path 'C:\TEMP\CurrentDomainAdmins3.xml'
You aren't assigning the result of foreach () {} to any variable, e.g. $results = foreach () {} and you cannot pipe the output of that style of loop to another cmdlet.
I don't think you need a loop for it at all; you could rewrite it like this:
$groupName = 'Domain Admins'
Get-AdGroupMember -Identity $groupName |
where-Object -Property ObjectClass -eq -Value User |
Get-AdUser |
Where-Object -Property Enabled |
Export-Clixml -Path 'C:\TEMP\CurrentDomainAdmins3.xml'
or for a more interactive style:
AdGroupMember 'Domain Admins' | ? ObjectClass -eq User | AdUser | ? Enabled
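A snapshot written with Export-Clixml becomes useful for monitoring once later runs are compared against it. The block below is an added example, not code from the posts: `Compare-GroupSnapshot` is a hypothetical helper, and the member records and SIDs are constructed sample data standing in for Get-ADGroupMember output.

```powershell
# Added example: report accounts added to or removed from a privileged group
# since a saved baseline. Compare-GroupSnapshot is a hypothetical helper name.
function Compare-GroupSnapshot {
    param(
        [object[]]$Baseline = @(),
        [object[]]$Current  = @()
    )
    # Index both sides by SID string: SIDs stay stable when an account is renamed
    $old = @{}; foreach ($m in $Baseline) { $old[$m.SID] = $m }
    $new = @{}; foreach ($m in $Current)  { $new[$m.SID] = $m }

    foreach ($sid in $new.Keys) {
        if (-not $old.ContainsKey($sid)) {
            [PSCustomObject]@{ Change = 'Added'; SamAccountName = $new[$sid].SamAccountName; SID = $sid }
        }
    }
    foreach ($sid in $old.Keys) {
        if (-not $new.ContainsKey($sid)) {
            [PSCustomObject]@{ Change = 'Removed'; SamAccountName = $old[$sid].SamAccountName; SID = $sid }
        }
    }
}

# Constructed sample data (not real accounts). In a domain, $current would come from:
#   Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
#       Select-Object SamAccountName, @{ n = 'SID'; e = { $_.SID.Value } }
$baseline = @(
    [PSCustomObject]@{ SamAccountName = 'adm.alice'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-1104' }
    [PSCustomObject]@{ SamAccountName = 'adm.bob';   SID = 'S-1-5-21-1111111111-2222222222-3333333333-1105' }
)
$current = @(
    [PSCustomObject]@{ SamAccountName = 'adm.alice';  SID = 'S-1-5-21-1111111111-2222222222-3333333333-1104' }
    [PSCustomObject]@{ SamAccountName = 'svc.backup'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-1190' }
)

# Round-trip the baseline through Clixml, as a scheduled job would between runs
$file = Join-Path ([System.IO.Path]::GetTempPath()) 'DomainAdminsBaseline.xml'
$baseline | Export-Clixml -Path $file
$changes = Compare-GroupSnapshot -Baseline (Import-Clixml -Path $file) -Current $current
$changes | Format-Table -AutoSize
```

Storing the SID as a string in the snapshot avoids comparing a live SecurityIdentifier object with its deserialized copy after Import-Clixml.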
I'm trying to collect folder permissions to a csv file with Powershell. My problem is that I'd need the results to contain both the SamAccountName and FileSystemRights.
I tried two different methods. The first I came up with was a simple approach that gave me IdentityReference and FileSystemRights, but I couldn't find any working method that can get SamAccountName from IdentityReference.
The second one I found on the internet was much more sophisticated. It collects all the accounts that have access to the folder, but it doesn't show FileSystemRights and I couldn't figure out how to change it to do so.
My own solution
(Get-Acl "FolderPath").Access | Select-Object IdentityReference, FileSystemRights
The solution I found
Get-Acl $UncPath | Select-Object -ExpandProperty Access | Where-Object { (-not $_.IsInherited) -and ('NT AUTHORITY\SYSTEM','BUILTIN\Administrators','CREATOR OWNER' -notcontains $_.IdentityReference) } | Select-Object -ExpandProperty IdentityReference | ForEach-Object { $_.Translate('System.Security.Principal.SecurityIdentifier').Value } | Get-ADGroup -ErrorAction SilentlyContinue | get-adgroupmember | select-object SamAccountName | Format-Table | Out-String
Is there any working method that can get me a result where I can see SamAccountName and FileSystemRights?
Thank you in advance.
$UncPath = 'E:\temp\test'
$all = Get-Acl $UncPath |
Select -ExpandProperty Access |
Where-Object { (-not $_.IsInherited) -and ('NT AUTHORITY\SYSTEM','BUILTIN\Administrators','CREATOR OWNER' -notcontains $_.IdentityReference) } |
Select-Object @{ Name = 'Identity'; Expression = { $_.IdentityReference -replace "\w+\\(.+)", '$1' } }, FileSystemRights
# Here you can get Users ACL
$distinct_users = $all |
Select-Object Identity, @{ Name = 'sAMAccountName'; Expression = { (Get-ADUser -Identity $_.Identity -ErrorAction SilentlyContinue).sAMAccountName }}, FileSystemRights |
Where-Object sAMAccountName -ne $null
# Here we will expand group acls
$groups = $all |
Select-Object Identity, @{ Name = 'sAMAccountName'; Expression = { (Get-ADGroup -Identity $_.Identity -ErrorAction SilentlyContinue).sAMAccountName }}, FileSystemRights |
Where-Object sAMAccountName -ne $null
# now we will get groups membership
$group_users = @()
Foreach($group in $groups){
Get-ADGroupMember -Identity $group.Identity | ForEach-Object { $group_users += [PSCustomObject]@{
'Identity' = $group.Identity
'sAMAccountName' = $_.sAMAccountName
'FileSystemRights' = $group.FileSystemRights
} }
}
$everyone = $distinct_users + $group_users
$everyone | Export-Csv -Path D:\example.csv
Check the $everyone variable; it will contain 3 columns: Identity as it was in the ACL, sAMAccountName and FileSystemRights.
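The following is an added example, not part of any post: it covers both the share report at the top of the page and this question by emitting one object per account with its rights, so the same output feeds Export-Csv and ConvertTo-Html. It goes a little further than the answer by following nested groups and keeping Deny entries distinguishable; `Get-FolderAccessReport` and the `\\server\share` path are placeholders, and it assumes the ActiveDirectory module in a domain-joined session.

```powershell
# Added example, not code from the posts. Assumes the ActiveDirectory module (RSAT)
# and a domain-joined session. Get-FolderAccessReport is a hypothetical name.
Import-Module ActiveDirectory

function Get-FolderAccessReport {
    param([Parameter(Mandatory)][string]$Path)

    $skip = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IsInherited -or $skip -contains $ace.IdentityReference.Value) { continue }

        # Resolve the entry by SID instead of parsing the DOMAIN\name string
        $sid = $null
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { }   # identity that no longer resolves
        $adObject = if ($sid) { Get-ADObject -Filter "objectSid -eq '$sid'" -Properties sAMAccountName }

        # Groups are expanded through nested groups; other accounts are listed directly
        $accounts = @(
            if ($adObject.ObjectClass -eq 'group') {
                Get-ADGroupMember -Identity $sid -Recursive | ForEach-Object { $_.SamAccountName }
            } elseif ($adObject) { $adObject.sAMAccountName }
        )
        # Keep entries with no AD match (local accounts, empty groups) visible in the report
        if ($accounts.Count -eq 0) { $accounts = @('') }

        foreach ($account in $accounts) {
            [PSCustomObject]@{
                Identity         = $ace.IdentityReference.Value
                SamAccountName   = $account
                AccessType       = $ace.AccessControlType   # Allow or Deny
                FileSystemRights = $ace.FileSystemRights
            }
        }
    }
}

# Export-Csv and ConvertTo-Html need the objects themselves, not Format-Table output.
# '\\server\share' is a placeholder path.
$report = Get-FolderAccessReport -Path '\\server\share'
$report | Export-Csv -Path .\ShareAccess.csv -NoTypeInformation
$report | ConvertTo-Html -Title 'Share access' | Out-File -FilePath .\ShareAccess.html
```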
I have a list of users and I want to export their group names, sorted A-Z. The following script is not working in the inner ForEach-Object loop.
Get-Content users.txt | ForEach-Object {
$user = $_;
Get-ADUser –Identity $user –Properties MemberOf | Select-Object -ExpandProperty MemberOf | sort
ForEach-Object {
New-Object PSObject -property @{User=$user;Group=$_;}
}
} | Export-Csv -Path 'your_file_path.csv' -NoTypeInformation
The ForEach-Object is just sitting out there alone--you have to either pipe an object to it, or assign the object to a variable and use foreach to loop through the object instead. I took the second approach below as excessive piping makes scripts difficult to read (for me).
Get-Content c:\temp\users.txt | ForEach-Object {
$user = $_;
$AdUser = Get-ADUser –Identity $user –Properties MemberOf | Select-Object -ExpandProperty MemberOf | get-adgroup | select -ExpandProperty Name | sort
foreach($group in $AdUser) {
New-Object PSObject -property @{User=$user;Group=$group;} | Export-Csv -Path 'c:\temp\out.csv' -NoTypeInformation -Append
}
}
...and if you want to pipe it and use ForEach-Object, you just need to put a pipe after the sort and move the Export-Csv so that it exports the new object that was created:
Get-Content c:\temp\users.txt | ForEach-Object {
$user = $_;
Get-ADUser –Identity $user –Properties MemberOf | Select-Object -ExpandProperty MemberOf | get-adgroup | select -ExpandProperty Name | sort |
ForEach-Object {
New-Object PSObject -property @{User=$user;Group=$_;} | Export-Csv -Path 'c:\temp\out.csv' -NoTypeInformation -Append
}
}
I would like an active directory query to list all users who only belong to "Domain Users" and no other groups.
I already tried the following query, but it showed all users with all groups they belong to:
Import-Module Activedirectory
Get-ADUser -Filter * -Properties DisplayName,memberof | % {
New-Object PSObject -Property @{
UserName = $_.DisplayName
Groups = ($_.memberof | Get-ADGroup | Select -ExpandProperty Name) -join ","
}
} | Select UserName,Groups | Export-Csv C:\temp\report.csv -NTI
Search for an empty memberof-property while PrimaryGroup is "Domain Users". No need to list the groups if you expect nothing.
Get-ADUser -Filter "samaccountname -eq 'froflatest-sshf'" -Properties Memberof, PrimaryGroup, DisplayName, Description |
Where-Object { -not ($_.memberof) -and $_.PrimaryGroup -match 'Domain Users' } |
Select-Object SamAccountName, DisplayName, Description |
Export-CSV -Path "c:\report.csv" -NoTypeInformation
Import-Module Activedirectory
Get-ADUser -Filter "*" -Properties sAMAccountName,Description, Memberof, PrimaryGroup |
Where-Object { -not ($_.memberof) -and $_.PrimaryGroup -match 'Domain Users' } | Select sAMAccountName,Description | Export-Csv C:\temp\report.csv -NTI