AD user security group membership


    by jaeagle78 at 2012-08-28 05:40:13

    Hi all

    I need some help. I am looking for a way to have the security groups of a user displayed so I can use them in a script.

    The scenario is this:

    10 users in AD in the same OU, but all require different printers. They are in the same OU so they can all have group e-mails sent to them through Exchange, so I can't move them into their own OU, and I don't want 10 sub-OUs, one for each printer. So what I am thinking is, if I can get PowerShell to list all the security groups (SGs) a user is a member of, I can use these to add the printers.

    So user one is a member of the printer 1 and printer 2 SGs, so has both printers added.

    User two has the printer 1 and printer 3 SGs, so they are added.

    And so on and so on.

    The script would run on user login, so they can sit anywhere and they will be fine.

    So does anyone know of a command, or set of commands, that can do this?

    Something like Get-ADGroupMember or Get-ADGroup where I can cut it down to just the names, or even search it for a name or login to see if they are a member of it, something like that.

    Will carry on looking, but if anyone can help it would be great.

    by poshoholic at 2012-08-28 05:53:20

    If you're using the Microsoft cmdlets, you can start with Get-ADUser to retrieve the user object, being sure to pass in MemberOf to the -Properties parameter. That will allow you to retrieve the property so that you can then look at the group membership.

    Something like this:

    [script=powershell]
    $user = Get-ADUser -Identity username -Properties MemberOf
    $user.MemberOf
    [/script]
    Another method that might be easier would be to use the Quest AD cmdlets, where there is a Get-QADMemberOf cmdlet. This cmdlet goes further than simply enumerating the MemberOf property by including options to look for direct and indirect memberships, taking primary group into account, etc. Essentially it is a more thorough and robust solution to this problem.

    You should probably start there, retrieve membership, and work out the logic you need to perform the tests you want to run to check their membership.

    by jaeagle78 at 2012-08-30 03:57:06

    Hi

    The commands work really well, though I have a problem now: they won't run on a normal PC as they don't have the remote admin pack installed, and I don't really want to install it on every PC just for this to work.

    Can they be called from somewhere else, e.g. install-module \\someserver\activedirectory? Not sure, I just can't see it being a good idea to have remote admin installed on all PCs.

    by jaeagle78 at 2012-08-30 04:33:06

    Hi again

    I have been looking and you can get a similar result by using

    [script=powershell]
    dsquery user -samid %username% | dsget user -memberof
    [/script]

    I know it is not a PowerShell command, but I also don't have to install the remote admin pack; I just need to copy dsquery.exe and dsget.exe onto the local machine into c:\windows\system32\ and then the logic I have worked out should work with the normal PowerShell commands I have.

    Thanks for the help though.

    by poshoholic at 2012-08-30 05:20:00

    Here's an alternative approach. PowerShell natively supports ADSI (since version 1), so you could use ADSI to check group membership. It would look something like this:

    [script=powershell]
    $user = [ADSI]"LDAP://cn=$username,cn=Users,dc=Contoso,dc=Com"
    # each memberOf value is a group DN; bind to it to get the group object
    $groups = $user.MemberOf | ForEach-Object {[ADSI]"LDAP://$_"}
    [/script]

    Once you have the groups, you can check for the presence of a specific group to see if they should have a printer added or not. This will remove any dependency on a module that might not be installed on the system.

    by RichardSiddaway at 2012-08-31 03:36:47

    Regarding the comment on installing the remote admin pack on every PC – why do you need it on every PC?

    The usual approach is to create a few admin workstations with all of the required tools. Alternatively, set up a server with the tools installed & RDP into that.

    by coderaven at 2012-09-06 14:09:54

    I did exactly what you are talking about. It works for GPO Preferences but once you start processing a large number of printers it can take a long time. In addition clients do not have the AD tools installed so they do not have Get-AD* or ds* commands.


    [script=powershell]
    # Walk the memberOf chain of a group recursively and collect every group whose
    # name matches $grpMatch into the shared $Groups hashtable (share name -> group DN).
    Function Get-NestedGroups($Group, $grpMatch)
    {
        $gDE = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Group")
        Try
        {
            foreach ($grpMbr in $gDE.Properties["memberof"])
            {
                if ($grpMbr -match $grpMatch)
                {
                    $grp = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$grpMbr")
                    $Ptr = [string]$grp.Properties["name"]
                    # written to the global so the main script sees it (a plain
                    # assignment here would only create a function-local copy)
                    if ($Ptr.Contains("-Default")) {$Global:DefaultPtr = $Ptr}
                    $Ptr = $Ptr.Replace("GPO_Printer-", "")
                    $Ptr = $Ptr.Replace("-Default", "")
                    If (!($Groups.ContainsKey($Ptr)))
                    {
                        $Groups.Add($Ptr, $grp.distinguishedName)
                    }
                }
                # memberOf values are already distinguished-name strings
                Get-NestedGroups -Group $grpMbr -grpMatch $grpMatch
            }
        }
        Catch {}
    }

    # Reconcile the printer connections on this machine with $Groups: remove
    # connections no longer backed by a group, add the missing ones, then set
    # the default printer if a "-Default" group was found.
    Function Set-PrintersUp($SVR)
    {
        $Printers = @{}
        $net = New-Object -com WScript.Network
        foreach ($Prt in (Get-WmiObject -Class Win32_Printer))
        {
            if ($Prt.Network -and $Prt.ShareName)
            {
                $Printers.Add($Prt.ShareName, $Prt.Name)
            }
        }

        foreach ($Printer in $Printers.Keys)
        {
            if ($Groups.ContainsKey($Printer))
            {
                $Groups.Remove($Printer)
            }
            else
            {
                $net.RemovePrinterConnection($Printers.Item($Printer))
            }
        }
        foreach ($Printer in $Groups.Keys)
        {
            $PtrPath = "\\$SVR\$Printer"
            $net.AddWindowsPrinterConnection($PtrPath)
        }

        if ($Global:DefaultPtr -ne "")
        {
            $DefaultPtr = $Global:DefaultPtr.Replace("GPO_Printer-", "")
            $DefaultPtr = $DefaultPtr.Replace("-Default", "")
            $DefPath = "\\$SVR\$DefaultPtr"
            $net.SetDefaultPrinter($DefPath)
        }
    }

    #Start
    $host.UI.RawUI.WindowTitle = "Printers Connecting..."
    $usr = $env:USERNAME
    $comp = ($env:COMPUTERNAME+'$')
    $grpMatch = "GPO_Printer"
    $PrintSvr = "PrintServer"
    # shared with the functions above, so declared in the global scope
    $Global:Groups = @{}
    $Global:DefaultPtr = [string]""
    # RDP client computer name, so a printer group on the client machine also applies
    $Term = (Get-ItemProperty -Path HKCU:\Environment -Name ClientName -ErrorAction "SilentlyContinue").ClientName+'$'

    $DS = New-Object "System.DirectoryServices.DirectorySearcher"
    $DS.Filter = "(|(samaccountname=$usr)(samaccountname=$comp)(samaccountname=$Term))"

    #$net.AddWindowsPrinterConnection($PrinterPath)
    $DSObj = $DS.FindAll()
    if ($DSObj -ne $Null)
    {
        Foreach ($DEObj in $DSObj)
        {
            Try
            {
                foreach ($grpMbr in $DEObj.Properties["memberof"])
                {
                    if ($grpMbr -match $grpMatch)
                    {
                        $grp = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$grpMbr")
                        $Ptr = [string]$grp.Properties["name"]
                        if ($Ptr.Contains("-Default")) {$Global:DefaultPtr = $Ptr}
                        $Ptr = $Ptr.Replace("GPO_Printer-", "")
                        $Ptr = $Ptr.Replace("-Default", "")
                        If (!($Groups.ContainsKey($Ptr)))
                        {
                            $Groups.Add($Ptr, $grp.distinguishedName)
                        }
                    }
                    Get-NestedGroups -Group $grpMbr -grpMatch $grpMatch
                }
            }
            Catch {}
        }
        if ($Groups.Count -gt 0)
        {Set-PrintersUp($PrintSvr)}
    }
    [/script]

    This script has been working for me over a year now.

    You may need to modify it to fit your needs. This script will test to see if a USER or COMPUTER is a member of a printer group. It will also look for a DEFAULT printer group and key off the first one it finds. My printer groups are prefixed "GPO_Printer" and suffixed "-Default" if it is a group that sets the default printer. After the GPO_Printer prefix is the true share name, which is used to make the connection with the noted print server.

    It may be ugly but it works and works fast. I need to update the script in the future to remove the WSCRIPT COM object and now that Windows 8 has the Printer Module, that will be soon.

    Hope this helps!
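An added example, not code from any poster in this thread. It takes poshoholic's ADSI suggestion (no RSAT module on the client) and the GPO_Printer-<share>[-Default] naming convention from coderaven's script, and changes two things a reviewer would flag in the scripts above: the sAMAccountName is escaped before it is interpolated into the LDAP filter, and nested membership is resolved server-side with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) instead of recursive client-side binds, which also removes the WScript.Network dependency coderaven mentions wanting to drop. Function names, the escaping helper and the print server name are my own assumptions; Add-Printer and Remove-Printer come from the PrintManagement module (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from this thread). Resolves nested group membership with ADSI
# only, then reconciles per-user printer connections from the group names.
# Assumptions: groups are named "GPO_Printer-<share>" and "GPO_Printer-<share>-Default"
# (coderaven's convention); the print server name is a placeholder; the
# PrintManagement module is available. Function names are mine.

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves in filter values, so a value taken
    # from the environment (e.g. $env:USERNAME) cannot change the shape of the query.
    param([Parameter(Mandatory)][string]$Value)
    return ($Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29')
}

function Get-PrinterGroupNames {
    # Look the user up by sAMAccountName, then ask the DC for every group the user is
    # in, directly or through nesting, via LDAP_MATCHING_RULE_IN_CHAIN. The DC walks
    # the chain, so there is no client-side recursion and no duplicate handling.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Prefix = 'GPO_Printer'
    )
    $domainDn   = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $searchRoot = [ADSI]"LDAP://$domainDn"

    $userSearch = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
    $userSearch.Filter = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    [void]$userSearch.PropertiesToLoad.Add('distinguishedName')
    $user = $userSearch.FindOne()
    if (-not $user) { return @() }
    $userDn = [string]$user.Properties['distinguishedname'][0]

    $groupSearch = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
    $groupSearch.PageSize = 500   # paged results, in case the user is in >1000 groups
    $groupSearch.Filter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $userDn)))"
    [void]$groupSearch.PropertiesToLoad.Add('name')

    $names = foreach ($r in $groupSearch.FindAll()) { [string]$r.Properties['name'][0] }
    return @($names | Where-Object { $_ -like "$Prefix-*" })
}

function Sync-PrinterConnections {
    # Build the wanted set of UNC paths from the group names, remove connections to
    # this server that are no longer wanted, add the missing ones, and set the
    # default printer if a "-Default" group was present. Returns the wanted map.
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$GroupNames,
        [Parameter(Mandatory)][string]$PrintServer,
        [string]$Prefix = 'GPO_Printer'
    )
    $wanted  = @{}      # share name -> UNC path
    $default = $null
    foreach ($g in $GroupNames) {
        $share = $g.Substring($Prefix.Length + 1)
        if ($share -like '*-Default') {
            $share = $share -replace '-Default$', ''
            if (-not $default) { $default = $share }   # first -Default group wins
        }
        $wanted[$share] = "\\$PrintServer\$share"
    }

    # Only touch per-user connections to this print server; leave local printers alone.
    $existing = @(Get-Printer | Where-Object { $_.Type -eq 'Connection' -and $_.Name -like "\\$PrintServer\*" })
    foreach ($p in $existing) {
        if (-not ($wanted.Values -contains $p.Name)) { Remove-Printer -Name $p.Name }
    }
    foreach ($path in $wanted.Values) {
        if (-not ($existing.Name -contains $path)) { Add-Printer -ConnectionName $path }
    }
    if ($default) {
        # Win32_Printer.SetDefaultPrinter replaces the WScript.Network COM call
        $target = Get-CimInstance -ClassName Win32_Printer | Where-Object { $_.Name -eq "\\$PrintServer\$default" }
        if ($target) { Invoke-CimMethod -InputObject $target -MethodName SetDefaultPrinter | Out-Null }
    }
    return $wanted
}

# Usage at logon (print server name is a placeholder):
$printServer = 'PRINTSERVER-PLACEHOLDER'
$groups = Get-PrinterGroupNames -SamAccountName $env:USERNAME
Sync-PrinterConnections -GroupNames $groups -PrintServer $printServer
```

Two design notes. The matching-rule filter needs domain controllers at Windows Server 2003 SP2 or later, which any domain running the Windows 8 print module will have; it returns the same transitive set that the recursive Get-NestedGroups above tries to build, without one LDAP bind per group. The escaping helper matters even though $env:USERNAME is normally a plain account name: the filters in the scripts above concatenate it straight into the query, and escaping is the habit that keeps the same code safe when the value later comes from somewhere less trusted.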
