Solved

How to list users of a Administrators group in Powershell

Posted on 2010-08-18
10
2,735 Views
Last Modified: 2013-12-24
I have a requirement to find whether a user is member of Local Administrators group of a computer or not. This is a domain user on domain D1. It is also member of a group "Domain Admins" on AD. Now i am using the below code to find out if he is in "Local Administrators" group on Computer C1. iam using following script:
# $strComputer = "C1"
# $computer = [ADSI]("WinNT://" + $strComputer + ",computer")
# $Group = $computer.psbase.children.find("Administrators")
# $members= $Group.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
#  
# foreach($user in $members)
# {
#     Write-Host $user
#     $a = $strComputer + "!" + $user.ToString()
# }

This code is fine but it not giving the user as a member but giving "Domain Admins" as member.

Is there a way to find out if the user is member of a group on AD and that group is member of Administrators group.
0
Comment
Question by:vickytaurus
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 3

Expert Comment

by:MaSTeRiTo
ID: 33462143
You need to use powershell?
I use "ifmember.exe" for that.
You can find it in the resource kit

http://www.microsoft.com/downloads/details.aspx?FamilyID=07C2F6D7-815E-4FA0-9043-4E4635CCD417&displaylang=en&displaylang=en

 
0
 

Author Comment

by:vickytaurus
ID: 33462158
I cannot use any exe, i have to write a powershell script.
Thanks.
0
 
LVL 13

Expert Comment

by:soostibi
ID: 33462310
If you have Quest's Quest.ActiveRoles.ADManagement snapin, then maybe this is yours:
$strComputer = "soostpc"

$strUser = "iqjb\iqjbadmin"



$usertofind = Get-QADUser $struser

$computer = [ADSI]("WinNT://" + $strComputer + ",computer") 

$Group = $computer.psbase.children.find("Administrators") 

$members= $Group.psbase.invoke("Members") | %{$_.GetType().InvokeMember("ADSPath", 'GetProperty', $null, $_, $null)} 

  

$members = $members | Select-Object -Property @{n="domain"; e={($_ -split "/+")[-2]}}, 

                @{n="user"; e={($_ -split "/+")[-1]}} , @{n="fullname"; e={"$(($_ -split '/+')[-2])\$(($_ -split '/+')[-1])"}}

$allusermembers = $members | ?{$_.domain -ne $strcomputer} | %{Get-QADObject $_.fullname} | %{

        if($_.type -eq "group"){ Get-QADGroupMember $_}

        else{$_}

    }

if(($allusermembers | %{$_.dn}) -contains $usertofind.dn) {"$struser is member of the local Administrators group"}

else {"$struser is NOT member of the local Administrators group"}

Open in new window

0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33462317

To test that you'd have to expand all the groups listed in the local admin group.

Starting from the beginning, you'd need the classes for the members. Then you'd have to take each group and see if the user was a member.

There's a complication, do you want it to handle nested group membership?

Chris
$Computer = "C1"

#
# Get the members of the local admin group
#

$AdminGroup = [ADSI]"WinNT://$strComputer/Administrators"
$Members = $AdminGroup.Members() | Select-Object `
  @{n='Name';e={ $_.GetType().InvokeMember('Name', 'GetProperty', $Null, $_, $Null) }},
  @{n='ADSPath';e={ $_.GetType().InvokeMember('ADSPath', 'GetProperty', $Null, $_, $Null) }},
  @{n='Class';e={ $_.GetType().InvokeMember('class', 'GetProperty', $Null, $_, $Null) }},
  @{n='Type';e={ "Direct" }}

#
# Expand groups (one level only)
#

$Members | ForEach-Object {
  If ($_.Class -eq "Group") {
    $Group = [ADSI]$_.ADSPath
    $Group.Members() | Select-Object `
      @{n='Name';e={ $_.GetType().InvokeMember('Name', 'GetProperty', $Null, $_, $Null) }},
      @{n='ADSPath';e={ $_.GetType().InvokeMember('ADSPath', 'GetProperty', $Null, $_, $Null) }},
      @{n='Class';e={ $_.GetType().InvokeMember('class', 'GetProperty', $Null, $_, $Null) }},
      @{n='Type';e={ "Indirect" }}
  } Else {
    $_
  }
}

Open in new window

0
 
LVL 13

Expert Comment

by:soostibi
ID: 33462345
If you have nested groups, then this code should be further developed... So if the user is in a group and this group is inside the Domain Admins group... Tell me is this is your case.
There are other options if you have Windows Server 2008 R2 or the Management Gataway installes, in these case we can use the Microsoft's AD cmdlets.
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 70

Expert Comment

by:Chris Dent
ID: 33462363

Yours is easy soostibi, add -Indirect to Get-QADGroupMember :)

Alas mine isn't so easy.

Chris
0
 

Author Comment

by:vickytaurus
ID: 33462503
I am trying to use solution byChris, modifying to call recursively. I cannot use Get-QADUser, can only use basic Powershell.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33462554

I would avoid recursion, instead aim for the LDAP operator to match down a chain. One moment, I'll pop another example up.

Chris
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 33462617

Like this :)

The LDAP filter I'm using is documented here:

http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx

Lets you trivially pull the members down nested chains without having to worry about loops.

Chris
$Computer = "C1"

Function Get-GroupMember {
  Param(
    [String]$GroupName
  )

  # Get the group DN
  $Group = (New-Object DirectoryServices.DirectorySearcher("sAMAccountName=$GroupName")).FindOne()

  # Build the filter
  $LdapFilter = "(memberOf:1.2.840.113556.1.4.1941:=$($Group.Properties["distinguishedname"][0]))"

  # Get the group members
  (New-Object DirectoryServices.DirectorySearcher($LdapFilter)).FindAll() | Select-Object `
    @{n='Name';e={ $_.Properties["name"][0] }},
    @{n='ADSPath';e={ $_.Properties["adspath"][0] }},
    @{n='Class';e={ $Class = [Array]($_.Properties["objectclass"]); $Class[-1] }},
    @{n='Type';e={ "Indirect" }}
}

#
# Get the members of the local admin group
#

$AdminGroup = [ADSI]"WinNT://$strComputer/Administrators"
$Members = $AdminGroup.Members() | Select-Object `
  @{n='Name';e={ $_.GetType().InvokeMember('Name', 'GetProperty', $Null, $_, $Null) }},
  @{n='ADSPath';e={ $_.GetType().InvokeMember('ADSPath', 'GetProperty', $Null, $_, $Null) }},
  @{n='Class';e={ $_.GetType().InvokeMember('class', 'GetProperty', $Null, $_, $Null) }},
  @{n='Type';e={ "Direct" }}

#
# Expand groups (one level only)
#

$Members | ForEach-Object {
  If ($_.Class -eq "Group") {
    Get-GroupMember $_.Name
  } Else {
    $_
  }
}

Open in new window

0
 

Author Comment

by:vickytaurus
ID: 33462934
Thanks Chris, i will use the approach and code given by you. It seems to solve the problem.
Thanks
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
Find out what you should include to make the best professional email signature for your organization.
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now