Powershell exit "if not member" of a domain security group - possible?


This topic contains 4 replies, has 5 voices, and was last updated by

2 years, 6 months ago.

  • Author
  • #57023

    Topics: 1
    Replies: 0
    Points: 0
    Rank: Member

    Hi guys,

    We have a domain with 250 users.

    I have written a very simple PS script. The script runs at login (as a Group Policy login script, but it's only aimed at two departments). The script checks for the existence of a "flag file" in a user share; if it doesn't exist, then it copies some files and folders from an "application" share down to the user's local drive, and then creates a flag file in the user's network share.

    It all works fine, but the only snag is, it runs for everyone, and if the person doesn't have permission to the network share (not in the right security group), it still runs the script and creates the flag file, but can't copy the files.

    Now, although it's not a massive problem, it would be great if the script could do a check as it launches, checking the user's security group permission, to dictate if the script runs or not, something like: IF NOT MEMBER OF "domain\tax" THEN QUIT ELSE proceed...

    Is this easily achievable?

    Many thanks for reading.

  • #57538

    Topics: 13
    Replies: 4872
    Points: 1,811
    Helping Hand, Team Member
    Rank: Community Hero

    Not terribly easily, no, but not impossible. You need a command that's going to be readily accessible on every client computer (which lets out the AD cmdlets, so probably the [ADSI] provider), query the group members, and see if the user is a member of the group or not. Frankly, it'd probably be easier to modify the permissions on the GPO so that only the correct people receive that GPO in the first place.

    Either that, or implement some error handling. Catch the DENIED error and quietly move on. See "The Big Book of PowerShell Error Handling" on our ebooks menu.

  • #57554

    Topics: 5
    Replies: 39
    Points: 0
    Rank: Member

    Could you shift this to the server side if it's just for two departments (depending on how big they are, I guess)? Why does it need to be via a logon script each time they log on? If it's just two departments, why not just schedule a script to get a list of all users in the AD group and copy it to their share without the need for a logon event to trigger it?

  • #57565

    Topics: 1
    Replies: 111
    Points: 89
    Rank: Member

    Don's suggestions will work (and there's plenty of info on the web for more details), but to expand on his suggestion regarding Group Policy, the Group Policy Preferences File item would be a perfect solution for this. It offers "item-level targeting", which you can use to specify filters (e.g. your group membership requirement) for each item. I do this in my environment (files, registry entries, printers, drive mappings, etc.) and GPP has 100% replaced my login scripts.

  • #57596

    Topics: 17
    Replies: 573
    Points: 21
    Rank: Member
    # Bind to the group (the OU path is left as the poster wrote it), then look up the
    # logon user's DN with a DirectorySearcher, which needs no AD module on the client.
    $da = [ADSI]"LDAP://CN=Domain Admins,OU=...,DC=somewhere,DC=com"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]'')
    $searcher.Filter = "(&(objectClass=User)(samAccountName=$env:username))"
    $result = $searcher.FindOne()
    $userdn = $result.GetDirectoryEntry().DistinguishedName
    # Three ways to test direct membership; the member attribute does not follow nested groups.
    if ($da.member -match $userdn) { }      # regex match: DN metacharacters such as ( ) need [regex]::Escape
    if ($da.member -contains $userdn) { }   # exact string comparison
    if ($userdn -in $da.member) { }         # same as -contains, PowerShell 3.0 or later
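Putting the thread's two suggestions together (a membership check that needs no AD cmdlets, then catching the denied error so the flag file is never written after a failed copy), as an added example that is not from any poster: it reads group membership from the logon token via WindowsPrincipal rather than the LDAP lookup above, so nested groups are covered. The group name, share paths and flag-file name are assumptions.

```powershell
# Added example (not from the thread): skip the logon script unless the user is
# in the required group, then copy with error handling so a denied copy never
# creates the flag file. Group name, share paths and flag-file name are assumptions.
param(
    [string]$RequiredGroup = 'DOMAIN\tax',
    [string]$SourceShare   = '\\fileserver\application',
    [string]$UserShare     = "\\fileserver\users\$env:USERNAME",
    [string]$LocalTarget   = "$env:LOCALAPPDATA\TaxApp"
)

function Test-GroupMembership {
    param([Parameter(Mandatory)][string]$GroupName)
    # The logon token already carries every group SID (nested groups included),
    # so this needs neither the AD module nor an LDAP query from the client.
    # The token is built at logon, so a membership change only shows up after
    # the user logs off and on again.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole($GroupName)
}

if (-not (Test-GroupMembership -GroupName $RequiredGroup)) {
    # Not in the group: quit quietly, the IF NOT MEMBER ... THEN QUIT the poster asked for.
    exit 0
}

$flagFile = Join-Path -Path $UserShare -ChildPath 'taxapp.deployed'
if (Test-Path -LiteralPath $flagFile) {
    exit 0   # already deployed for this user
}

try {
    # -ErrorAction Stop turns the non-terminating access-denied error into a
    # terminating one, so the flag file is only written after a successful copy.
    Copy-Item -LiteralPath $SourceShare -Destination $LocalTarget -Recurse -Force -ErrorAction Stop
    New-Item -Path $flagFile -ItemType File -Force -ErrorAction Stop | Out-Null
}
catch [System.UnauthorizedAccessException] {
    Write-Warning "Access denied for $env:USERNAME on $SourceShare or $UserShare : $($_.Exception.Message)"
    exit 1
}
catch {
    Write-Warning "Deployment failed: $($_.Exception.Message)"
    exit 1
}
```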

The topic ‘Powershell exit "if not member" of a domain security group - possible?’ is closed to new replies.
