How to use Get-NTFSACCESS and GET-ADGROUPMEMBER in the same script

This topic contains 5 replies, has 3 voices, and was last updated by  Johnathan Tenoever 2 weeks, 5 days ago.

  • #81263

    Johnathan Tenoever
    Participant

    Problem – Trying to create a script that searches multiple shares, and pulls access levels for users and group AND expands the first level group. Exporting to a file. For quarterly audits and the like

    Using Get-NTFSACCESS, which gets the info I'm looking for. But also trying to output the membership of the group itself.

    The first part works great, and I get a stored variable with the groups to look up, but then when I try to transfer that into the Get-ADGroup or Get-ADGroupMember command it's unrecognized. The name and SamAccountName are the same for the groups I'm testing with. It behaves the same if I define a variable directly as below or if I pipe it to a file then recall the file.

    What am I missing to make that simple statement work? If I manually type Get-ADGroup "server administrators" it works as expected, but if I run it in a foreach loop from a variable or from a file it fails.

    $groupnames = "Server Administrators", "Domain Admins"
    foreach ($group in $Groupnames){
    Get-ADGroup "$groupname" | Select -ExpandProperty $_.SamAccountName}

    PS C:\temp> $groupnames
    Server Administrators
    Domain Admins

    I continue to get this error

    Get-ADGroup : Cannot find an object with identity: 'Server Administrators Domain Admins' under: 'DC=Domain,DC=com'.
    At line:3 char:1
    + Get-ADGroup "$groupname" | Select -ExpandProperty $_.SamAccountName}
    + ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Server Administrators Domain Admins:ADGroup) [Get-ADGroup], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup

    Get-ADGroup : Cannot find an object with identity: 'Server Administrators Domain Admins' under: 'DC=DOmain,DC=com'.
    At line:3 char:1
    + Get-ADGroup "$groupname" | Select -ExpandProperty $_.SamAccountName}
    + ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Server Administrators Domain Admins:ADGroup) [Get-ADGroup], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup

  • #81265

    Don Jones
    Keymaster
    $groupnames = "Server Administrators", "Domain Admins"
    foreach ($group in $Groupnames){
    Get-ADGroup "$groupname" | Select -ExpandProperty $_.SamAccountName}
    

    Your query is using $groupname, which you've not defined. I feel it should be $group, because that's your enumerator in the ForEach, no?

  • #81268

    Richard Siddaway
    Moderator

    $groupnames = "Server Administrators", "Domain Admins"
    foreach ($group in $Groupnames){
    Get-ADGroup "$groupname" | Select -ExpandProperty $_.SamAccountName}

    You use $groupnames for the list of groups and $group as the foreach variable, but $groupname in Get-ADGroup.

    Also if you look at the help file for Get-ADGroup you'll see a limited number of choices for identifying the group (the -Identity parameter which you are trying to access positionally)

    Distinguished Name
    Example: CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com
    GUID (objectGUID)
    Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
    Security Identifier (objectSid)
    Example: S-1-5-21-3165297888-301567370-576410423-1103
    Security Accounts Manager (SAM) Account Name (sAMAccountName)
    Example: saradavisreports

    You'll have to rethink how you're doing this.

  • #81269

    Johnathan Tenoever
    Participant

    Sorry, that was a typo obviously. That bit of code works fine. Though it doesn't output exactly as I would like, as it combines the data instead of separating it based on group name, but that I can deal with later. That same "logic" doesn't work when I combine it with my Get-NTFSAccess code.

    $ADgroups = "Server Administrators", "Domain Admins"
    foreach ($group in $ADgroups){
    Get-ADGroupmember "$group"}

    That works

    This doesn't

    $ADgroups = Get-ntfsaccess |select * | where {$_.AccountType -eq "Group" -and $_.Account -like "Atricure*"} |select @{N="Groups"; E={$_.Account -replace "Atricure\\",""}} #| export-csv C:\temp\groups.csv -NoTypeInformation

    foreach ($group in $ADgroups){
    Get-ADGroupmember "$group"}

    Results of the stored variable are

    PS C:\temp> $ADgroups
    Server Administrators
    Domain Admins

    The 1st that works

    The one that doesn't

    Groups
    ——
    Domain Admins
    Server Administrators

    What am I NOT calling for? lol Thanks!

  • #81272

    Don Jones
    Keymaster

    That's because of this:

    select @{N="Groups"; E={$_.Account -replace "Atricure\\",""}}

    You're creating an object with a Groups property. Get-ADGroupMember has no interest in that. If you changed:

    Get-ADGroupmember "$group"

    To:

    Get-ADGroupmember "$($group.Groups)"

    E.g., so you're passing a string to Get instead of an object having a Groups property, then it'll work better, if I'm imagining the code correctly.
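
    Putting Don's and Richard's points together, here is an added example (not the thread's own script) of the full audit loop: filter the group ACEs from Get-NTFSAccess, reduce each to a plain sAMAccountName string before handing it to -Identity, expand first-level membership, and emit one row per share/group/member so the output stays separated by group. It assumes the NTFSSecurity and ActiveDirectory modules are installed; the share paths, domain prefix and report path are placeholders.

```powershell
# Added example, not the thread's own code. Assumes the NTFSSecurity module
# (Get-NTFSAccess) and the ActiveDirectory module; $Shares, $DomainPrefix and
# $Report are placeholders to replace for your environment.
Import-Module NTFSSecurity
Import-Module ActiveDirectory

$Shares       = '\\fileserver\Finance', '\\fileserver\HR'   # placeholder paths
$DomainPrefix = 'Atricure\'                                 # NetBIOS prefix as used in the thread
$Report       = 'C:\temp\ShareGroupAudit.csv'               # placeholder output path

$rows = foreach ($share in $Shares) {
    # Keep only group ACEs from this domain, as the thread's Where-Object does.
    $aces = Get-NTFSAccess -Path $share |
        Where-Object { $_.AccountType -eq 'Group' -and $_.Account -like "$DomainPrefix*" }

    foreach ($ace in $aces) {
        # Strip the prefix so a plain string (a sAMAccountName, one of the accepted
        # -Identity forms) is passed. Passing the Select-Object result, an object with
        # a Groups property, is what made Get-ADGroupMember fail in the thread.
        $groupName = $ace.Account -replace [regex]::Escape($DomainPrefix), ''
        try {
            # First-level members only, as the poster wanted; add -Recursive for nesting.
            $members = Get-ADGroupMember -Identity $groupName -ErrorAction Stop
        } catch {
            # A group on an ACL that AD can no longer resolve is itself an audit finding.
            [pscustomobject]@{ Share = $share; Group = $groupName; AccessRights = $ace.AccessRights
                               Inherited = $ace.IsInherited; Member = '<unresolved>'; MemberType = $null }
            continue
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Share        = $share
                Group        = $groupName
                AccessRights = $ace.AccessRights
                Inherited    = $ace.IsInherited
                Member       = $m.SamAccountName
                MemberType   = $m.objectClass
            }
        }
    }
}

# Sorting by share and group keeps each group's members together in the CSV,
# which is the separation the poster asked for.
$rows | Sort-Object Share, Group, Member | Export-Csv -Path $Report -NoTypeInformation
```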

  • #81274

    Johnathan Tenoever
    Participant

    Thank you, I actually had tried $group.groups before but I did not include $( ) only $group.groups

    Just tried that and it parsed through and I got the results I was expecting. Now I just have to separate them so everything outputs appropriately, but at least I have the data I was looking for now.

    Thanks Again!
