
October 4, 2017 at 7:59 pm

Problem – Trying to create a script that searches multiple shares, and pulls access levels for users and group AND expands the first level group. Exporting to a file. For quarterly audits and the like

Using Get-NTFSACCESS, which gets the info I'm looking for. But also trying to output the membership of the group itself.

The first part works great, and I get a stored variable with the groups to look up, but then when I try to transfer that into the Get-ADGroup or Get-ADGroupMember command, it's unrecognized. The name and SamAccountName are the same for the groups I'm testing with. It behaves the same if I define a variable directly as below or if I pipe it to a file then recall the file.

What am I missing to make that simple statement work? If I manually type Get-ADGroup "server administrators" it works as expected, but if I run it in a foreach loop from a variable or from a file it fails.

$groupnames = "Server Administrators", "Domain Admins"
foreach ($group in $Groupnames){
Get-ADGroup "$groupname" | Select -ExpandProperty $_.SamAccountName}

PS C:\temp> $groupnames
Server Administrators
Domain Admins

I continue to get this error

Get-ADGroup : Cannot find an object with identity: 'Server Administrators Domain Admins' under: 'DC=Domain,DC=com'.
At line:3 char:1
+ Get-ADGroup "$groupname" | Select -ExpandProperty $_.SamAccountName}
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Server Administrators Domain Admins:ADGroup) [Get-ADGroup], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup

Get-ADGroup : Cannot find an object with identity: 'Server Administrators Domain Admins' under: 'DC=DOmain,DC=com'.
At line:3 char:1
+ Get-ADGroup "$groupname" | Select -ExpandProperty $_.SamAccountName}
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Server Administrators Domain Admins:ADGroup) [Get-ADGroup], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup

October 4, 2017 at 8:00 pm

$groupnames = "Server Administrators", "Domain Admins"
foreach ($group in $Groupnames){
Get-ADGroup "$groupname" | Select -ExpandProperty $_.SamAccountName}

Your query is using $groupname, which you've not defined. I feel it should be $group, because that's your enumerator in the ForEach, no?

October 4, 2017 at 8:11 pm

$groupnames = "Server Administrators", "Domain Admins"
foreach ($group in $Groupnames){
Get-ADGroup "$groupname" | Select -ExpandProperty $_.SamAccountName}

You use $groupnames for the list of groups and $group as the foreach variable, but $groupname in Get-ADGroup.

Also, if you look at the help file for Get-ADGroup, you'll see a limited number of choices for identifying the group (the -Identity parameter, which you are trying to access positionally):

Distinguished Name
Example: CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com
GUID (objectGUID)
Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
Security Identifier (objectSid)
Example: S-1-5-21-3165297888-301567370-576410423-1103
Security Accounts Manager (SAM) Account Name (sAMAccountName)
Example: saradavisreports

You'll have to rethink how you're doing this.

October 4, 2017 at 8:14 pm

Sorry, that was a typo obviously. That bit of code works fine. Though it doesn't output exactly as I would like, as it combines the data instead of separating it based on group name, but that I can deal with later. That same "logic" doesn't work when I combine it with my Get-NTFSAccess code.

$ADgroups = "Server Administrators", "Domain Admins"
foreach ($group in $ADgroups){
Get-ADGroupmember "$group"}

That works

This doesn't

$ADgroups = Get-ntfsaccess |select * | where {$_.AccountType -eq "Group" -and $_.Account -like "Atricure*"} |select @{N="Groups"; E={$_.Account -replace "Atricure\\",""}} #| export-csv C:\temp\groups.csv -NoTypeInformation

foreach ($group in $ADgroups){
Get-ADGroupmember "$group"}

Results of the stored variable are

PS C:\temp> $ADgroups
Server Administrators
Domain Admins

The 1st that works

The one that doesn't

Groups
——
Domain Admins
Server Administrators

What am I NOT calling for? lol Thanks!

October 4, 2017 at 8:17 pm

That's because of this:

select @{N="Groups"; E={$_.Account -replace "Atricure\\",""}}

You're creating an object with a Groups property. Get-ADGroupMember has no interest in that. If you changed:

Get-ADGroupmember "$group"

To:

Get-ADGroupmember "$($group.Groups)"

E.g., so you're passing a string to Get instead of an object having a Groups property, then it'll work better, if I'm imagining the code correctly.
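As an added example (not code from anyone in this thread), here is the end-to-end audit the original poster describes, using the point made above: strip the domain prefix to get a plain sAMAccountName string, pass that to Get-ADGroupMember, and emit one row per share, group and member. It assumes the NTFSSecurity and ActiveDirectory modules are installed, that the NetBIOS domain is "Atricure" as in the thread, and that the share and output paths are placeholders.

```powershell
# Added example: share ACL review that expands first-level AD group membership.
# Assumptions: NTFSSecurity + ActiveDirectory modules; domain prefix "Atricure";
# $Shares and $OutFile are placeholders to replace.
Import-Module NTFSSecurity
Import-Module ActiveDirectory

$Shares  = '\\fileserver\Finance', '\\fileserver\HR'   # placeholder share paths
$Domain  = 'Atricure'
$OutFile = 'C:\temp\share-group-members.csv'            # placeholder output

$rows = foreach ($share in $Shares) {
    # One object per ACE; AccountType/Account are the properties the thread filters on.
    $groupAces = Get-NTFSAccess -Path $share |
        Where-Object { $_.AccountType -eq 'Group' -and $_.Account -like "$Domain\*" }

    foreach ($ace in $groupAces) {
        # Remove "DOMAIN\" so what remains is a sAMAccountName, one of the identity
        # forms Get-ADGroupMember accepts. This is a plain string, not an object
        # with a "Groups" property, which is the mistake discussed above.
        $sam = $ace.Account -replace "^$Domain\\", ''

        try {
            $members = Get-ADGroupMember -Identity $sam -ErrorAction Stop
        } catch {
            # Keep unresolved groups in the report rather than dropping them;
            # stale or cross-domain SIDs on a share are findings in themselves.
            [pscustomobject]@{
                Share = $share; Group = $sam; AccessRights = $ace.AccessRights
                Member = $null; MemberClass = 'UNRESOLVED'; Note = $_.Exception.Message
            }
            continue
        }

        foreach ($m in $members) {
            [pscustomobject]@{
                Share = $share; Group = $sam; AccessRights = $ace.AccessRights
                Member = $m.SamAccountName; MemberClass = $m.objectClass; Note = ''
            }
        }
    }
}

$rows | Sort-Object Share, Group, Member | Export-Csv -Path $OutFile -NoTypeInformation
```

Get-ADGroupMember only returns direct members here; add -Recursive if the audit needs nested membership flattened.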

October 4, 2017 at 8:22 pm

Thank you, I actually had tried $group.groups before, but I did not include $( ), only $group.groups.

Just tried that and it parsed through and I got the results I was expecting. Now I just have to separate them so everything outputs appropriately, but at least I have the data I was looking for now.

Thanks Again!