February 8, 2016 at 9:03 am

Hi,
I've recently started working in an environment where the AD is a bit of a mess, with too much access given to the wrong accounts all over the place. We have admin accounts that are in groups that are nested across the network where they shouldn't be. All of our admin accounts have 'admin' somewhere in the name, so I want to try and find groups that contain accounts that have 'admin' in the name, where they sit in a group alongside other non-admin accounts (so for example if we have an account called 'admin1', I want to identify where that is in a group with accounts that don't have 'admin' in the account name).

It's not seeming particularly simple... does anyone have any ideas please?

February 8, 2016 at 9:06 am

Membership in a group is stored as an attribute of the group, not of the user, which can make this kind of query more difficult. Further, because membership lists can obviously be huge, they're not indexed for searching within the AD database. I suspect you're going to have to enumerate every group, and then enumerate every member.

Alternately, user objects do have a "memberOf" shortcut property that lets you see which groups the user is a member of. You could query the known admin users, and then enumerate their group membership.

But there isn't an easy, one-liner way of doing this, no. AD isn't the kind of relational DB that would make this straightforward.

February 8, 2016 at 9:40 am

Turn the group members into a string and match/notmatch 'admin'. If both conditions return true, then you have your group of mixed users.

ex.
(((Get-ADGroupMember 'groupname').name -join " ") -match 'admin')
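
The approach discussed in the replies above (enumerate every group, enumerate its members, test the names against 'admin'), written out as an added example that is not part of any post in this thread. It tests each member name individually rather than one joined string, and assumes the naming convention from the question; the function name, the sample group and account names and the CSV path are hypothetical.

```powershell
# Added example: report groups where 'admin'-named accounts sit beside other accounts.
# Assumption: every admin account has 'admin' somewhere in its name (from the question).
function Find-MixedAdminGroup {
    [CmdletBinding()]
    param(
        # Object with a Name and a Members (array of account names) property
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Group,
        [string]$Pattern = 'admin'      # -match is case-insensitive by default
    )
    process {
        # Split the membership into the two sets, one name at a time
        $admins = @($Group.Members | Where-Object { $_ -match $Pattern })
        $others = @($Group.Members | Where-Object { $_ -notmatch $Pattern })
        # A group is "mixed" only when both sets are non-empty
        if ($admins.Count -gt 0 -and $others.Count -gt 0) {
            [pscustomobject]@{
                Group     = $Group.Name
                Admins    = $admins -join ', '
                NonAdmins = $others -join ', '
            }
        }
    }
}

# Constructed sample data, so the logic can be checked without a domain
$sample = @(
    [pscustomobject]@{ Name = 'Mixed-Test';       Members = @('admin1', 'jsmith') }
    [pscustomobject]@{ Name = 'Admins-Only-Test'; Members = @('admin1', 'sqladmin') }
    [pscustomobject]@{ Name = 'Staff-Test';       Members = @('jsmith', 'mbrown') }
    [pscustomobject]@{ Name = 'Empty-Test';       Members = @() }
)
$sample | Find-MixedAdminGroup

# Against a live domain (needs the ActiveDirectory module and read access)
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADGroup -Filter * | ForEach-Object {
        $g = $_
        try {
            # -Recursive expands nested groups, so nested admin accounts are seen too
            $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                Where-Object { $_.objectClass -eq 'user' } |
                Select-Object -ExpandProperty SamAccountName)
            [pscustomobject]@{ Name = $g.Name; Members = $members }
        } catch {
            Write-Warning "Could not enumerate $($g.Name): $_"
        }
    } | Find-MixedAdminGroup |
        Export-Csv -Path .\mixed-admin-groups.csv -NoTypeInformation
}
```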

February 18, 2016 at 9:21 am

Not sure why I wasn't alerted to your reply, apologies about that, I would have replied sooner if I had known.

I managed to get what I needed in the end with a post here:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/e3fb465a-940c-40b9-865c-2b94531237fa/powershell-script-to-catch-groups-with-admin-and-nonadmin-accounts?forum=winserverpowershell

Thanks for taking the time to reply!