Get Group Membership with conditions

This topic contains 4 replies, has 3 voices, and was last updated by Tony Bennett 5 months, 3 weeks ago.

    #34988
    Tony Bennett
    Participant

    Hi,
    I've recently started working in an environment where the AD is a bit of a mess, with too much access given to the wrong accounts all over the place. We have admin accounts that are in groups that are nested across the network where they shouldn't be. All of our admin accounts have 'admin' somewhere in the name, so I want to try and find groups that contain accounts that have 'admin' in the name, where they sit in a group alongside other non-admin accounts (so for example if we have an account called 'admin1', I want to identify where that is in a group with accounts that don't have 'admin' in the account name).

    It's not seeming particularly simple.... Does anyone have any ideas please?

    #34989
    Don Jones
    Keymaster

    Membership in a group is stored as an attribute of the group, not of the user, which can make this kind of query more difficult. Further, because membership lists can obviously be huge, they're not indexed for searching within the AD database. I suspect you're going to have to enumerate every group, and then enumerate every member.

    Alternately, user objects do have a "memberOf" shortcut property that lets you see which groups the user is a member of. You could query the known admin users, and then enumerate their group membership.

    But there isn't an easy, one-liner way of doing this, no. AD isn't the kind of relational DB that would make this straightforward.

    #34994
    Dan Potter
    Participant

    Turn the group members into a string and match/notmatch 'admin'. If both conditions return true then you have your group of mixed users.

    ex.
    (((Get-ADGroupMember 'groupname').name -join " ") -match 'admin')
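
The following is an added example, not code posted in this thread. It combines Don's two suggestions (enumerate group membership rather than query it, and use the admin users as the starting point) with Dan's two-condition test, and it also handles the nesting the original question mentions. It assumes the ActiveDirectory module, a domain-joined session, and the naming convention from the question: every admin account has 'admin' somewhere in its SamAccountName. The function names, the $pattern variable and the report layout are this example's own choices.

```powershell
# Added example (not from the thread). Assumptions: ActiveDirectory module
# available, domain-joined session, admin accounts contain 'admin' in
# SamAccountName. $pattern is used both as a -like wildcard and as a -match
# regex, so keep it to plain text with no metacharacters.
Import-Module ActiveDirectory

$pattern = 'admin'

function ConvertTo-LdapFilterValue {
    # Escape a value for use inside an LDAP filter (RFC 4515): \ ( ) * and NUL.
    # A DN such as "CN=Smith\, John,OU=..." contains a backslash that must be
    # escaped before it is embedded in the filter below.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' `
           -replace '\*', '\2a' -replace "`0", '\00'
}

function Get-EffectiveUserMembers {
    # Walk a group's 'member' attribute, descending into nested groups, and
    # emit the user objects reached. $Seen guards against circular nesting,
    # which AD permits and which would otherwise recurse forever.
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [hashtable]$Seen = @{}
    )
    if ($Seen.ContainsKey($GroupDn)) { return }
    $Seen[$GroupDn] = $true

    $group = Get-ADGroup -Identity $GroupDn -Properties member
    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Properties sAMAccountName, objectClass
        switch ($obj.objectClass) {
            'user'  { $obj }
            'group' { Get-EffectiveUserMembers -GroupDn $dn -Seen $Seen }
            # computers, contacts, foreign security principals: ignored here
        }
    }
}

# Step 1 (Don's "start from the admin users" idea): a group can only be mixed
# if some admin account belongs to it, so collect those groups as candidates
# instead of walking every group in the domain. The matching rule
# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) makes the DC expand
# nesting server-side, so this returns groups the admin is in directly or
# through nested groups. Plain memberOf would list direct membership only.
$adminUsers = Get-ADUser -Filter "SamAccountName -like '*$pattern*'"
$candidateGroups = foreach ($u in $adminUsers) {
    $dn = ConvertTo-LdapFilterValue $u.DistinguishedName
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"
}
$candidateGroups = $candidateGroups | Sort-Object -Property DistinguishedName -Unique

# Step 2 (Dan's two-condition test, per candidate group): report the group if
# it contains at least one admin user AND at least one non-admin user, counting
# users reached through nested groups.
$report = foreach ($g in $candidateGroups) {
    $users  = Get-EffectiveUserMembers -GroupDn $g.DistinguishedName |
              Sort-Object -Property sAMAccountName -Unique
    $admins = @($users | Where-Object { $_.sAMAccountName -match $pattern })
    $others = @($users | Where-Object { $_.sAMAccountName -notmatch $pattern })

    if ($admins.Count -gt 0 -and $others.Count -gt 0) {
        [pscustomobject]@{
            Group        = $g.Name
            AdminMembers = ($admins.sAMAccountName -join ', ')
            OtherMembers = ($others.sAMAccountName -join ', ')
        }
    }
}

$report | Sort-Object Group | Format-Table -AutoSize -Wrap
```

Two caveats a practitioner should keep in mind. First, Get-ADGroupMember -Recursive would also expand nesting, but it goes through the AD Web Service, which by default refuses groups with more than 5000 members (MaxGroupOrMemberEntries) and errors on foreign security principals from trusted domains; reading the member attribute directly avoids both problems. Second, primary-group membership (Domain Users by default) is not stored in member, so a user whose only tie to a group is via primaryGroupID is not seen by this walk.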

    #35436
    Tony Bennett
    Participant

    Not sure why I wasn't alerted to your reply, apologies about that, I would have replied sooner if I had known.

    I managed to get what I needed in the end with a post here:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/e3fb465a-940c-40b9-865c-2b94531237fa/powershell-script-to-catch-groups-with-admin-and-nonadmin-accounts?forum=winserverpowershell

    Thanks for taking the time to reply!

    #37229
    Tony Bennett
    Participant