Solved

How to list users of a Administrators group in Powershell

Posted on 2010-08-18
10
2,737 Views
Last Modified: 2013-12-24
I have a requirement to find whether a user is member of Local Administrators group of a computer or not. This is a domain user on domain D1. It is also member of a group "Domain Admins" on AD. Now i am using the below code to find out if he is in "Local Administrators" group on Computer C1. iam using following script:
# $strComputer = "C1"
# $computer = [ADSI]("WinNT://" + $strComputer + ",computer")
# $Group = $computer.psbase.children.find("Administrators")
# $members= $Group.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
#  
# foreach($user in $members)
# {
#     Write-Host $user
#     $a = $strComputer + "!" + $user.ToString()
# }

This code is fine but it not giving the user as a member but giving "Domain Admins" as member.

Is there a way to find out if the user is member of a group on AD and that group is member of Administrators group.
0
Comment
Question by:vickytaurus
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 3

Expert Comment

by:MaSTeRiTo
ID: 33462143
You need to use powershell?
I use "ifmember.exe" for that.
You can find it in the resource kit

http://www.microsoft.com/downloads/details.aspx?FamilyID=07C2F6D7-815E-4FA0-9043-4E4635CCD417&displaylang=en&displaylang=en

 
0
 

Author Comment

by:vickytaurus
ID: 33462158
I cannot use any exe, i have to write a powershell script.
Thanks.
0
 
LVL 13

Expert Comment

by:soostibi
ID: 33462310
If you have Quest's Quest.ActiveRoles.ADManagement snapin, then maybe this is yours:
$strComputer = "soostpc"
$strUser = "iqjb\iqjbadmin"

$usertofind = Get-QADUser $struser
$computer = [ADSI]("WinNT://" + $strComputer + ",computer") 
$Group = $computer.psbase.children.find("Administrators") 
$members= $Group.psbase.invoke("Members") | %{$_.GetType().InvokeMember("ADSPath", 'GetProperty', $null, $_, $null)} 
  
$members = $members | Select-Object -Property @{n="domain"; e={($_ -split "/+")[-2]}}, 
                @{n="user"; e={($_ -split "/+")[-1]}} , @{n="fullname"; e={"$(($_ -split '/+')[-2])\$(($_ -split '/+')[-1])"}}
$allusermembers = $members | ?{$_.domain -ne $strcomputer} | %{Get-QADObject $_.fullname} | %{
        if($_.type -eq "group"){ Get-QADGroupMember $_}
        else{$_}
    }
if(($allusermembers | %{$_.dn}) -contains $usertofind.dn) {"$struser is member of the local Administrators group"}
else {"$struser is NOT member of the local Administrators group"}

Open in new window

0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 70

Expert Comment

by:Chris Dent
ID: 33462317

To test that you'd have to expand all the groups listed in the local admin group.

Starting from the beginning, you'd need the classes for the members. Then you'd have to take each group and see if the user was a member.

There's a complication, do you want it to handle nested group membership?

Chris
$Computer = "C1"

#
# Get the members of the local admin group
#

$AdminGroup = [ADSI]"WinNT://$strComputer/Administrators"
$Members = $AdminGroup.Members() | Select-Object `
  @{n='Name';e={ $_.GetType().InvokeMember('Name', 'GetProperty', $Null, $_, $Null) }},
  @{n='ADSPath';e={ $_.GetType().InvokeMember('ADSPath', 'GetProperty', $Null, $_, $Null) }},
  @{n='Class';e={ $_.GetType().InvokeMember('class', 'GetProperty', $Null, $_, $Null) }},
  @{n='Type';e={ "Direct" }}

#
# Expand groups (one level only)
#

$Members | ForEach-Object {
  If ($_.Class -eq "Group") {
    $Group = [ADSI]$_.ADSPath
    $Group.Members() | Select-Object `
      @{n='Name';e={ $_.GetType().InvokeMember('Name', 'GetProperty', $Null, $_, $Null) }},
      @{n='ADSPath';e={ $_.GetType().InvokeMember('ADSPath', 'GetProperty', $Null, $_, $Null) }},
      @{n='Class';e={ $_.GetType().InvokeMember('class', 'GetProperty', $Null, $_, $Null) }},
      @{n='Type';e={ "Indirect" }}
  } Else {
    $_
  }
}

Open in new window

0
 
LVL 13

Expert Comment

by:soostibi
ID: 33462345
If you have nested groups, then this code should be further developed... So if the user is in a group and this group is inside the Domain Admins group... Tell me is this is your case.
There are other options if you have Windows Server 2008 R2 or the Management Gataway installes, in these case we can use the Microsoft's AD cmdlets.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33462363

Yours is easy soostibi, add -Indirect to Get-QADGroupMember :)

Alas mine isn't so easy.

Chris
0
 

Author Comment

by:vickytaurus
ID: 33462503
I am trying to use solution byChris, modifying to call recursively. I cannot use Get-QADUser, can only use basic Powershell.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33462554

I would avoid recursion, instead aim for the LDAP operator to match down a chain. One moment, I'll pop another example up.

Chris
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 33462617

Like this :)

The LDAP filter I'm using is documented here:

http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx

Lets you trivially pull the members down nested chains without having to worry about loops.

Chris
$Computer = "C1"

Function Get-GroupMember {
  Param(
    [String]$GroupName
  )

  # Get the group DN
  $Group = (New-Object DirectoryServices.DirectorySearcher("sAMAccountName=$GroupName")).FindOne()

  # Build the filter
  $LdapFilter = "(memberOf:1.2.840.113556.1.4.1941:=$($Group.Properties["distinguishedname"][0]))"

  # Get the group members
  (New-Object DirectoryServices.DirectorySearcher($LdapFilter)).FindAll() | Select-Object `
    @{n='Name';e={ $_.Properties["name"][0] }},
    @{n='ADSPath';e={ $_.Properties["adspath"][0] }},
    @{n='Class';e={ $Class = [Array]($_.Properties["objectclass"]); $Class[-1] }},
    @{n='Type';e={ "Indirect" }}
}

#
# Get the members of the local admin group
#

$AdminGroup = [ADSI]"WinNT://$strComputer/Administrators"
$Members = $AdminGroup.Members() | Select-Object `
  @{n='Name';e={ $_.GetType().InvokeMember('Name', 'GetProperty', $Null, $_, $Null) }},
  @{n='ADSPath';e={ $_.GetType().InvokeMember('ADSPath', 'GetProperty', $Null, $_, $Null) }},
  @{n='Class';e={ $_.GetType().InvokeMember('class', 'GetProperty', $Null, $_, $Null) }},
  @{n='Type';e={ "Direct" }}

#
# Expand groups (one level only)
#

$Members | ForEach-Object {
  If ($_.Class -eq "Group") {
    Get-GroupMember $_.Name
  } Else {
    $_
  }
}

Open in new window

0
 

Author Comment

by:vickytaurus
ID: 33462934
Thanks Chris, i will use the approach and code given by you. It seems to solve the problem.
Thanks
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
The following article is intended as a guide to using PowerShell as a more versatile and reliable form of application detection in SCCM.
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
Video by: Steve
Using examples as well as descriptions, step through each of the common simple join types, explaining differences in syntax, differences in expected outputs and showing how the queries run along with the actual outputs based upon a simple set of dem…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now