Check if an Object is a User or Group

This topic contains 0 replies, has 1 voice, and was last updated by  Forums Archives 5 years, 11 months ago.

  • Author
    Posts
  • #6230

    by TomKemp at 2012-12-10 08:25:54

    I am sure this is something very simple but I just cannot work out how to do it.

    I am running a script which finds the list of Groups which grant access to specific folders.
    Some of the ACL entries relate to Groups and some to rights being granted specifically to a User.

    I need to identify if the output is a Group or a User.

    So something like:


    If ($ObjectFound = 'User') then
    {Do appropriate action for a User}
    else
    {Do appropriate action for a Group}

    I know that is not the correct syntax, it is just a sort of pseudocode for what I need to do.

    Can anyone help please? This is driving me nuts. Either I get a valid answer but this then means all subsequent tests also give a True result when they should not, or it doesn't separate the two types at all.

    I am using the ActiveDirectory module but I have the QAD module if required.

    by kittH at 2012-12-10 10:06:46

    What command are you using to generate the list of objects? The parameter is going to depend on exactly what information is being returned.

    For example, if you were using Get-QADObject to generate a list, you would use the "Type" property.

    If ($Object.Type -eq 'User'){do-thing}
    ElseIf ($Object.Type -eq 'Group'){do-otherthing}

    by TomKemp at 2012-12-11 01:22:53

    The part of the script I am using is this:


    $CurrentRightsTable=(get-acl $DirPath).GetAccessRules($true,$true,[System.Security.Principal.NTAccount])

    FOREACH ($RightsAssignment in $CurrentRightsTable)
    {
    $LongGroupName=$Rightsassignment.IdentityReference
    $UserRights=$Rightsassignment.FileSystemRights
    $UserAccessControllType=$Rightsassignment.AccessControlType
    $UserAccessControlInheritance=$Rightsassignment.IsInherited
    $UserAccessControlInheritanceFlag=$Rightsassignment.InheritanceFlags
    $UserAccessControlPropogateFlag=$Rightsassignment.PropagationFlags

    $Groupname="$LongGroupname".replace("WCC-CORP\","")
    }

    Once I have this I want to test whether $Groupname is actually a group or a user – so I can either lookup the members of the group or report the user details directly if there are rights assigned directly to a user.

    I have tried this:


    if($Groupname.type -eq 'User'){Write-Host "User"}
    elseif($Groupname.type -eq 'Group'){Write-Host "Group"}

    This does not seem to work. I know that some of the results are groups and some are users. However, neither of these tests results in any output, so I assume both are testing as 'false'.

    by kittH at 2012-12-11 10:11:47

    It looks like you're just getting a string back that is the name of a group or user, you are not returning them as objects that have other properties.

    You will need to perform another step to turn the name you have into an AD object.

    I would do something more like:

    $dirpath = "C:\users\kholland\desktop\ARC-1160"
    $CurrentRightsTable=(get-acl $DirPath).GetAccessRules($true,$true,[System.Security.Principal.NTAccount])

    FOREACH ($RightsAssignment in $CurrentRightsTable)
    {
    $LongGroupName=$Rightsassignment.IdentityReference
    $UserRights=$Rightsassignment.FileSystemRights
    $UserAccessControllType=$Rightsassignment.AccessControlType
    $UserAccessControlInheritance=$Rightsassignment.IsInherited
    $UserAccessControlInheritanceFlag=$Rightsassignment.InheritanceFlags
    $UserAccessControlPropogateFlag=$Rightsassignment.PropagationFlags

    $ADobject = Get-QADObject ($LongGroupName | select -ExpandProperty value)
    $Groupname = $ADObject.Name
    $ObjectType= $ADObject.Type
    }

    you can then do any processing you need based on $ObjectType variable.

    by RichardSiddaway at 2012-12-11 13:45:15

    You need to filter out any local groups or users before passing to Get-QADObject otherwise you are going to get a lot of errors

You must be logged in to reply to this topic.