Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

How to list users of a Administrators group in Powershell

Posted on 2010-08-18
10
Medium Priority
?
2,763 Views
Last Modified: 2013-12-24
I have a requirement to find whether a user is member of Local Administrators group of a computer or not. This is a domain user on domain D1. It is also member of a group "Domain Admins" on AD. Now i am using the below code to find out if he is in "Local Administrators" group on Computer C1. iam using following script:
# $strComputer = "C1"
# $computer = [ADSI]("WinNT://" + $strComputer + ",computer")
# $Group = $computer.psbase.children.find("Administrators")
# $members= $Group.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
#  
# foreach($user in $members)
# {
#     Write-Host $user
#     $a = $strComputer + "!" + $user.ToString()
# }

This code is fine but it not giving the user as a member but giving "Domain Admins" as member.

Is there a way to find out if the user is member of a group on AD and that group is member of Administrators group.
0
Comment
Question by:vickytaurus
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 3

Expert Comment

by:MaSTeRiTo
ID: 33462143
You need to use powershell?
I use "ifmember.exe" for that.
You can find it in the resource kit

http://www.microsoft.com/downloads/details.aspx?FamilyID=07C2F6D7-815E-4FA0-9043-4E4635CCD417&displaylang=en&displaylang=en

 
0
 

Author Comment

by:vickytaurus
ID: 33462158
I cannot use any exe, i have to write a powershell script.
Thanks.
0
 
LVL 13

Expert Comment

by:soostibi
ID: 33462310
If you have Quest's Quest.ActiveRoles.ADManagement snapin, then maybe this is yours:
$strComputer = "soostpc"
$strUser = "iqjb\iqjbadmin"

$usertofind = Get-QADUser $struser
$computer = [ADSI]("WinNT://" + $strComputer + ",computer") 
$Group = $computer.psbase.children.find("Administrators") 
$members= $Group.psbase.invoke("Members") | %{$_.GetType().InvokeMember("ADSPath", 'GetProperty', $null, $_, $null)} 
  
$members = $members | Select-Object -Property @{n="domain"; e={($_ -split "/+")[-2]}}, 
                @{n="user"; e={($_ -split "/+")[-1]}} , @{n="fullname"; e={"$(($_ -split '/+')[-2])\$(($_ -split '/+')[-1])"}}
$allusermembers = $members | ?{$_.domain -ne $strcomputer} | %{Get-QADObject $_.fullname} | %{
        if($_.type -eq "group"){ Get-QADGroupMember $_}
        else{$_}
    }
if(($allusermembers | %{$_.dn}) -contains $usertofind.dn) {"$struser is member of the local Administrators group"}
else {"$struser is NOT member of the local Administrators group"}

Open in new window

0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 71

Expert Comment

by:Chris Dent
ID: 33462317

To test that you'd have to expand all the groups listed in the local admin group.

Starting from the beginning, you'd need the classes for the members. Then you'd have to take each group and see if the user was a member.

There's a complication, do you want it to handle nested group membership?

Chris
$Computer = "C1"

#
# Get the members of the local admin group
#

$AdminGroup = [ADSI]"WinNT://$strComputer/Administrators"
$Members = $AdminGroup.Members() | Select-Object `
  @{n='Name';e={ $_.GetType().InvokeMember('Name', 'GetProperty', $Null, $_, $Null) }},
  @{n='ADSPath';e={ $_.GetType().InvokeMember('ADSPath', 'GetProperty', $Null, $_, $Null) }},
  @{n='Class';e={ $_.GetType().InvokeMember('class', 'GetProperty', $Null, $_, $Null) }},
  @{n='Type';e={ "Direct" }}

#
# Expand groups (one level only)
#

$Members | ForEach-Object {
  If ($_.Class -eq "Group") {
    $Group = [ADSI]$_.ADSPath
    $Group.Members() | Select-Object `
      @{n='Name';e={ $_.GetType().InvokeMember('Name', 'GetProperty', $Null, $_, $Null) }},
      @{n='ADSPath';e={ $_.GetType().InvokeMember('ADSPath', 'GetProperty', $Null, $_, $Null) }},
      @{n='Class';e={ $_.GetType().InvokeMember('class', 'GetProperty', $Null, $_, $Null) }},
      @{n='Type';e={ "Indirect" }}
  } Else {
    $_
  }
}

Open in new window

0
 
LVL 13

Expert Comment

by:soostibi
ID: 33462345
If you have nested groups, then this code should be further developed... So if the user is in a group and this group is inside the Domain Admins group... Tell me is this is your case.
There are other options if you have Windows Server 2008 R2 or the Management Gataway installes, in these case we can use the Microsoft's AD cmdlets.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 33462363

Yours is easy soostibi, add -Indirect to Get-QADGroupMember :)

Alas mine isn't so easy.

Chris
0
 

Author Comment

by:vickytaurus
ID: 33462503
I am trying to use solution byChris, modifying to call recursively. I cannot use Get-QADUser, can only use basic Powershell.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 33462554

I would avoid recursion, instead aim for the LDAP operator to match down a chain. One moment, I'll pop another example up.

Chris
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 33462617

Like this :)

The LDAP filter I'm using is documented here:

http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx

Lets you trivially pull the members down nested chains without having to worry about loops.

Chris
$Computer = "C1"

Function Get-GroupMember {
  Param(
    [String]$GroupName
  )

  # Get the group DN
  $Group = (New-Object DirectoryServices.DirectorySearcher("sAMAccountName=$GroupName")).FindOne()

  # Build the filter
  $LdapFilter = "(memberOf:1.2.840.113556.1.4.1941:=$($Group.Properties["distinguishedname"][0]))"

  # Get the group members
  (New-Object DirectoryServices.DirectorySearcher($LdapFilter)).FindAll() | Select-Object `
    @{n='Name';e={ $_.Properties["name"][0] }},
    @{n='ADSPath';e={ $_.Properties["adspath"][0] }},
    @{n='Class';e={ $Class = [Array]($_.Properties["objectclass"]); $Class[-1] }},
    @{n='Type';e={ "Indirect" }}
}

#
# Get the members of the local admin group
#

$AdminGroup = [ADSI]"WinNT://$strComputer/Administrators"
$Members = $AdminGroup.Members() | Select-Object `
  @{n='Name';e={ $_.GetType().InvokeMember('Name', 'GetProperty', $Null, $_, $Null) }},
  @{n='ADSPath';e={ $_.GetType().InvokeMember('ADSPath', 'GetProperty', $Null, $_, $Null) }},
  @{n='Class';e={ $_.GetType().InvokeMember('class', 'GetProperty', $Null, $_, $Null) }},
  @{n='Type';e={ "Direct" }}

#
# Expand groups (one level only)
#

$Members | ForEach-Object {
  If ($_.Class -eq "Group") {
    Get-GroupMember $_.Name
  } Else {
    $_
  }
}

Open in new window

0
 

Author Comment

by:vickytaurus
ID: 33462934
Thanks Chris, i will use the approach and code given by you. It seems to solve the problem.
Thanks
0

Featured Post

Ready for your healthcare security check-up?

In the past few years, healthcare organizations have become a prime target for advanced attacks. Does your organization have what it needs to defend itself? Schedule your healthcare security check-up today and download our free Healthcare Security Resource Kit today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This month, Experts Exchange sat down with resident SQL expert, Jim Horn, for an in-depth look into the makings of a successful career in SQL.
If you have come across a situation where you need to find some EDB mailbox recovery techniques, then here you will find the same. In this article, we will take you through three techniques using which you will be able to perform EDB recovery. You …
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
Suggested Courses

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question