Active directory groups of a computer in powershell - powershell

If Get-ADPrincipalGroupMembership shows me what groups a user account is in, what would you use to look up a computer? I would like to display this in powershell as output.

This question was asked before and some solutions were posted in these threads:
I need a script to detect if a computer is in an active directory user group
PowerShell: Get membership info for a computer account (not a user account)
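An added example, not taken from the linked threads: Get-ADPrincipalGroupMembership accepts a computer object as well as a user, and an LDAP matching-rule-in-chain filter returns nested memberships too. The computer name PC01 is a placeholder.

```powershell
Import-Module ActiveDirectory

# 'PC01' is a placeholder computer name (assumption, not from the page).
# Passing the object avoids having to type the sAMAccountName form 'PC01$'.
$computer = Get-ADComputer -Identity 'PC01'

# Direct memberships, including the primary group (normally Domain Computers).
Get-ADPrincipalGroupMembership -Identity $computer |
    Sort-Object Name |
    Select-Object Name, GroupScope, GroupCategory

# Direct and nested memberships: LDAP_MATCHING_RULE_IN_CHAIN
# (OID 1.2.840.113556.1.4.1941) walks the 'member' attribute transitively
# on the domain controller. The primary group is not stored in 'member',
# so it does not appear in this second result.
$dn = $computer.DistinguishedName
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
    Sort-Object Name |
    Select-Object Name, GroupScope, DistinguishedName
```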

Related

Windows: Delete specific Active Directory accounts via Powershell Script (remote)

folks,
my Active Directory accounts with admin privileges all start with the same characters: "ad" followed by a dot and the name of the admin. Example: "ad.tim".
I would like to have admin accounts (every account beginning with "ad.") automatically deleted (profiles and user data) by the Windows clients and would like to distribute a Powershell script to my clients (better ideas are welcome).
I'm not very familiar with Powershell nor Scripting, but I already figured out (thanks, Google) how to list all Accounts:
Get-WMIObject -Class Win32_UserProfile | select LocalPath
Now I'd have to filter (-like ad.*) and delete, but I'm not sure how or where to install it. It would be great if someone could give me some information so that I can better understand it and reach my goal!

Get user permissions to folder including indirect permissions through AD and local groups

I want to check whether a given Active Directory user (specified by username and domain) has read/(write) permissions on a given folder. And this unrelated to having them granted directly by user name or indirectly by some group membership. However I've been googling like 5 hours by now to no avail.
I understand, that Get-Acl Cmdlet is used to read folder permissions. Most likely the user is member of some group, that indirectly grants it permissions.
So my idea was to just match the output of
(Get-Acl <Folder>).Access | ft
against the group membership of the user.
I collect the group Information using the command
Get-ADPrincipalGroupMembership "<Username>" | select name
but found out, that this features an entirely different set of group names. I assumed, that the groups outputted by Get-Acl are local ones, while the other ones were AD-sided groups.
I found the command whoami /groups, that prints all groups, but only for the currently logged in user.
After quite some additional time I figured out the command (based on .NET):
(New-Object Security.Principal.WindowsIdentity -ArgumentList @(,"<User@fullDomain.com>")).Claims | select Value
This however just prints SIDs, while
(Get-Acl <Folder>).Access | ft
displays some human friendly output like "NT SERVICE\TrustedInstaller" and such.
I believe I'm pretty close, but I just can't get it to work.
On another note: Does this really have to be that complicated?
Other solutions I found only work based on direct user permissions but do not check group permissions.
Oh and one thing: Everything has to run on PowerShell 4.0 on Windows Server 2012 R2 and the PowerShell script will be running locally. No NuGet packages or anything requiring an Internet connection are allowed.
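One way to do the matching described in this question, as an added example that is not part of the original post: read the user's transitive group SIDs from the tokenGroups attribute and compare them, SID to SID, with the folder's access rules. The function name, user name and folder path are hypothetical; it uses only the ActiveDirectory module and .NET classes available on PowerShell 4.0.

```powershell
Import-Module ActiveDirectory

function Get-MatchingFolderAce {
    param(
        [Parameter(Mandatory = $true)] [string] $SamAccountName,
        [Parameter(Mandatory = $true)] [string] $Path
    )

    # tokenGroups is a constructed attribute holding the SIDs of every group the
    # account belongs to transitively (nested groups and primary group included).
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    $sids = @($user.SID.Value)
    $sids += $user.tokenGroups | ForEach-Object { $_.Value }
    # Well-known SIDs every domain logon carries: Everyone, Authenticated Users.
    $sids += 'S-1-1-0', 'S-1-5-11'

    # Ask for the ACL with SID identities so the comparison is SID to SID.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)

    foreach ($rule in $rules) {
        if ($sids -notcontains $rule.IdentityReference.Value) { continue }
        # Translate back to a readable name for output; keep the SID if unresolvable.
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $rule.IdentityReference.Value }
        New-Object psobject -Property @{
            Identity  = $name
            Type      = $rule.AccessControlType
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

# Placeholder user and folder (assumptions, not from the page).
Get-MatchingFolderAce -SamAccountName 'jdoe' -Path 'D:\Shares\Finance' |
    Format-Table -AutoSize
```

The output lists Allow and Deny rules side by side and does not compute the combined effective rights. Groups defined only in the file server's local account database are not part of tokenGroups and are not matched.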

VBS script to retrieve user information from Azure Active Directory

This may not even be possible without powershell (or Azure Powershell), but can I use a script to retrieve user information from AZURE active directory on a Windows 10 computer?
Since the user has already provided credentials and the user name has been pulled down from Azure, is there any other information pulled down that I can reference as a system object (for eg).
Example of code to show user name:
Set objSysInfo = CreateObject("ADSystemInfo")
wScript.Echo objSysInfo.UserName
I want to see other information such as the user's department (i.e. .department), so that I can map drives by identifying the user's department rather than using the user name.
If I can't use vbs then is this possible with Azure powershell without re-entering user credentials and/or re-verifying user credentials?
It's possible with Azure PowerShell commandlets:
Connect-MsolService -CurrentCredential
Get-MsolUser -UserPrincipalName username@domain

How do I list permissions/owner info for shared folders in outlook/exchange 2010?

I am running Outlook 2010, Exchange 2010, and Windows Server Std 2012. I want to view the owner and permissions of a shared folder for an email user without prior knowledge through the exchange shell.
The Scenario
In outlook, user1 creates a folder named “shared” under their mailbox. User1 then adds permissions to said folder allowing user2 to read and write. User2 then adds the folder named “shared” by utilizing outlook’s “Add another person's mailbox” found in the email account settings. The shared folder will now replicate any data that is placed in it by either user.
From the exchange management shell, how can I tell that User2 has access to a share folder in User1’s mailbox without knowing about User1 or that a share even exists?
I have tried several commands and scripts found on the internet; however my guess is the mailbox/folder permissions are stored in exchange for User1, but offline for User2.
If needed, I can provide links to scripts and list of commands tomorrow.
Update #1 10/29/2013
Get-MailboxFolderPermission only produces permissions for specific folders, i.e. Get-MailboxFolderPermission -Identity User2:/foldername. This will not work because when I run Get-MailboxFolderStatistics -Identity userid, which lists all folders for a user, the shared folder does not appear. Moreover, when using Get-MailboxFolderPermission -Identity User2:/shared, it also does not work. But remember, I’m trying to deduce the presence of a shared folder without prior knowledge.
So if it doesn’t list it as a folder it must be a mailbox right? Cause, after all, I am using the “Add another person's mailbox” in outlook to add this shared folder. However, Get-Mailbox userid | Get-MailboxPermission does not show that User2 has permission to access User1 shared folder under their mailbox.
In addition, I have also tried the script found here
http://exchangeblog.pl/en/2013/03/list-exchange-mailbox-folder-permissions-script/
that list all folder permissions in a mailbox.
Now if I take the commands above and point them to User1, I can see a folder named shared and User2's permissions. However, once again, in my scenario, I do not know about User1 or that a shared folder exists.
Update #2 10/30/2013
It is not a public folder as it was 1) not configured in that manner and 2) does not show when any of the Get-PublicFolder commands are used.
Use Get-MailboxFolderPermission to get the delegate permissions on mailbox folders.
http://technet.microsoft.com/en-us/library/dd335061(v=exchg.141).aspx
Note this cmdlet uses a rather odd Identity syntax primarysmtpaddress\folder path to specify the folder to get the permission on.

Insufficient access rights to perform the operation -- Powershell

I am writing a simple script to copy AD group membership from one user to the other. I am doing it using the ActiveDirectory module only.
The script looks like it would work and does work up until I try to add the groups to the user.
Code:
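Import-Module ActiveDirectory
# Account whose memberships are copied, and the account that receives them
$templateUser = Get-ADUser user1
$targetUser = Get-ADUser user2
$groups = Get-ADPrincipalGroupMembership $templateUser
$groups2 = Get-ADPrincipalGroupMembership $targetUser
# Add the target user to every group the template user belongs to
foreach ($group in $groups) {
    Add-ADGroupMember $group $targetUser
}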
Error:
Add-ADGroupMember : insufficient access rights to performt the operation
At line:9 char:18
+ FullyQualifiedErrorID : Insufficient access rights to perform the operation,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
Notes/Thoughts:
I am logged in as a normal user, but I ran the powershell as a different user (my admin account). I am not a local admin, but I am an admin on the domain. I am able to add the user to groups if I launch the AD Tools and do it manually (I have permissions to add to those groups).
Edit:
Run the powershell as admin.
Run powershell as administrator.
I hit this today in Server 2012. I was running the powershell as Administrator, I was a domain admin, I was a local admin, I was every kind of admin I could find.
I "fixed" it by using the Active Directory Users and Computers tool, adding myself as the Manager of the AD groups I was trying to add users to, and ticked the box to allow the manager to change membership. I could then run AD-AddGroupMember happily.
I ran into this problem as well using Powershell remoting to connect to a domain controller.
In my case it turned out Include inheritable permissions from this object's parent was turned off for the specific object I couldn't change.
I ran into this issue today where an automated system was using powershell scripts for various things.... It turned out to be executionpolicy.
We were running our script with the ExecutionPolicy Bypass flag, and even running the command directly in powershell outside of a script wouldn't work, but once we set executionpolicy to unrestricted, everything magically worked.
For us we were able to create security groups even, but not add users to groups via powershell, even though we could make the same changes in ADUC.
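Two of the answers above point at the group object's own ACL: the "manager can update membership" checkbox grants write access to the member attribute, and disabled inheritance can remove a delegated right. The following added example, which is not code from any of the posters, reads both from the directory; the function name and the group name are hypothetical.

```powershell
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

# schemaIDGUID of the 'member' attribute.
$memberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$writeProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Get-GroupMemberWriteAce {
    param([Parameter(Mandatory = $true)] [string] $GroupName)

    $group = Get-ADGroup -Identity $GroupName -Properties ManagedBy
    $acl   = Get-Acl -Path ("AD:\" + $group.DistinguishedName)

    # Allow ACEs that include WriteProperty either on all properties
    # (empty ObjectType) or specifically on 'member'. GenericWrite and
    # GenericAll contain the WriteProperty bit, so they match as well.
    # Rights granted through a property set or a validated write are not covered.
    $writers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $writeProp) -eq $writeProp) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $memberAttr)
    }

    New-Object psobject -Property @{
        Group               = $group.Name
        ManagedBy           = $group.ManagedBy
        # True when "Include inheritable permissions from this object's parent" is off.
        InheritanceDisabled = $acl.AreAccessRulesProtected
        MemberWriters       = @($writers | ForEach-Object { $_.IdentityReference.Value })
    }
}

# 'Example-Group' is a placeholder group name (assumption, not from the page).
Get-GroupMemberWriteAce -GroupName 'Example-Group' | Format-List
```

If the account running Add-ADGroupMember, or a group it belongs to, is missing from MemberWriters, the directory will refuse the change regardless of how the PowerShell session was started.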