Powershell exit "if not member" of a domain security group - possible?

This topic contains 4 replies, has 5 voices, and was last updated by Dan Potter 3 weeks, 1 day ago.

  • #57023
    Malcolm
    Participant

    Hi guys,

    We have a domain with 250 users.

    I have written a very simple PS script. The script runs at login (as a Group Policy login script, but it's only aimed at two departments). The script checks for the existence of a "flag file" in a user share; if it doesn't exist, it copies some files and folders from an "application" share down to the user's local drive, and then creates a flag file in the user's network share.

    It all works fine, but the only snag is that it runs for everyone, and if the person doesn't have permission to the network share (not in the right security group), it still runs the script and creates the flag file, but can't copy the files.

    Now, although it's not a massive problem, it would be great if the script could do a check as it launches, checking the user's security group permissions, to dictate whether the script runs or not, something like: IF NOT MEMBER OF "domain\tax" THEN QUIT ELSE proceed...

    Is this easily achievable?

    Many thanks for reading.

  • #57538
    Don Jones
    Keymaster

    Not terribly easily, no, but not impossible. You need a command that's going to be readily accessible on every client computer (which lets out the AD cmdlets, so probably the [ADSI] provider), query the group members, and see if the user is a member of the group or not. Frankly, it'd probably be easier to modify the permissions on the GPO so that only the correct people receive that GPO in the first place.

    Either that, or implement some error handling. Catch the DENIED error and quietly move on. See "The Big Book of PowerShell Error Handling" on our ebooks menu.

  • #57554
    Anthony
    Participant

    Could you shift this to the server side if it's just for two departments (depending on how big they are, I guess)? Why does it need to be via a logon script each time they log on? If it's just two departments, why not just schedule a script to get a list of all users in the AD group and copy it to their share without the need for a logon event to trigger it?

  • #57565
    Peter Jurgens
    Participant

    Don's suggestions will work (and there's plenty of info on the web for more details), but to expand on his suggestion regarding Group Policy, the Group Policy Preferences File Item would be a perfect solution for this. It offers "item level targeting", which you can use to specify filters (e.g. your group membership requirement) for each item. I do this in my environment (files, registry entries, printers, drive mappings, etc.) and GPP has 100% replaced my login scripts.

  • #57596
    Dan Potter
    Participant
    
    # Bind to the group whose membership gates the script (the OU=... part is a placeholder DN)
    $da = [ADSI]"LDAP://CN=Domain Admins,OU=...,DC=somewhere,DC=com"

    # Find the logged-on user's distinguishedName by searching the default naming context
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]'')
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$env:USERNAME))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { exit }   # account not found in AD: do nothing
    $userdn = $result.GetDirectoryEntry().DistinguishedName

    # Compare against the group's direct members. -contains and -in compare whole strings;
    # avoid -match here, because it would treat $userdn as a regular expression.
    if ($da.member -contains $userdn) { }
    if ($userdn -in $da.member) { }   # PowerShell 3.0 and later

    # The "if not member then quit" form the original question asked for
    if (-not ($da.member -contains $userdn)) { exit }
    
    
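    Putting Don's error-handling advice and the membership gate together into a complete logon script, as an added example that is not code from anyone in this thread: it reads group membership from the user's logon token via WindowsPrincipal.IsInRole, which includes nested groups and needs neither the AD module nor an LDAP query, so it runs on any domain-joined client. The group name, share paths and flag-file name are assumed values for illustration.

```powershell
# Assumed values for this example: adjust to the real group and shares.
$RequiredGroup = 'DOMAIN\tax'
$UserShare     = "\\fileserver\users$\$env:USERNAME"   # per-user network share
$AppShare      = '\\fileserver\apps$\TaxTools'          # source "application" share
$LocalTarget   = 'C:\TaxTools'                          # destination on the local drive
$FlagFile      = Join-Path $UserShare 'taxtools.flag'

function Test-GroupMembership {
    param([Parameter(Mandatory)][string]$GroupName)
    # The logon token carries every group SID the user holds, nested groups included.
    # IsInRole(string) resolves the name to a SID and returns $false if it cannot be
    # resolved, so a mistyped group name fails closed rather than throwing.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole($GroupName)
}

# Gate: users outside the group leave before any share is touched.
if (-not (Test-GroupMembership -GroupName $RequiredGroup)) { exit }

# Already deployed for this user (Test-Path is also $false if the share is unreadable,
# in which case the copy below fails and no flag file is written).
if (Test-Path -LiteralPath $FlagFile) { exit }

try {
    # -ErrorAction Stop turns a non-terminating access-denied error into one catch sees.
    Copy-Item -Path $AppShare -Destination $LocalTarget -Recurse -Force -ErrorAction Stop
    # Record success only after the copy actually completed.
    New-Item -Path $FlagFile -ItemType File -Force -ErrorAction Stop | Out-Null
} catch [System.UnauthorizedAccessException] {
    # Permission denied on a share: quietly move on, leaving no flag file behind.
    exit
} catch {
    # Any other failure (share offline, path missing): also exit without a flag file.
    exit
}
```

    Because the token is built at logon, a user added to the group sees the change at their next logon, which is exactly when this script runs.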
