query admincount for security groups in all domain for a User

This topic contains 3 replies, has 3 voices, and was last updated by Jeff Taylor 6 months, 3 weeks ago.

  • #38705
    Jeff Taylor
    Participant

    I want to discover the admincount attribute for all security groups that a user is a memberOf.

    I have this so far:

    Get-ADUser -Filter {displayName -LIKE "admin_User*"} -Credential $C -Properties * | % memberof

    and I get the list of groups but how do I:

    1) get the admincount attribute from each of those groups?
    2) query across the domain from which these groups may be nested?

    thank you

  • #38723
    Arie H
    Participant

    Something similar to this?

    For User
    Get-ADuser -LDAPFilter "(admincount=1)" | select name

    For Group
    Get-ADgroup -LDAPFilter "(admincount=1)" | select name

  • #38770
    Alex
    Participant

    Here is a one liner that will get you all the groups assigned to a user.

    I am not too sure how you would get nested groups in groups.

    You would have to do a check on the members of the group to see if any are groups and then iterate through it (loops within loops)

    get-aduser ainnes -Properties * | select -ExpandProperty memberof | %{Get-ADGroup $_ | select name }
    

    You can remove the "select name" at the end and it will pull back the default info on the group and then add a -properties * on the get-adgroup to return more info

    I hope this helps.

  • #38802
    Jeff Taylor
    Participant

    Alex: This works to some extent

    get-aduser -filter {displayname -like "adminUser"} -credential $Cred -Properties * | select -ExpandProperty memberof | %{Get-ADGroup $_ -Properties * }

    I don't see the admincount attribute in the list.

    I know it exists as what Arie posted does work for querying admincount = 1 in general

    So I tried this one liner:

    get-aduser -filter {displayname -like "adminUser"} -credential $Cred -Properties * | select -ExpandProperty memberof | %{Get-ADgroup -LDAPFilter "(admincount=1)" | select name }

    ...and I get local domain results for admincount=1 on some groups however, my queried adminUser is not a member of any of them.
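
Added example (not part of the thread and not any poster's code): one way to do what the original question asks, walking the `member` links breadth-first in every domain of the current forest and reading `adminCount` from each group found. `$Cred` and the `admin_User*` pattern come from the posts; the function names are hypothetical, and groups reached only through a cross-forest trust or through the user's primary group are assumed out of scope.

```powershell
# Added example. Assumes the ActiveDirectory module and a credential in $Cred
# that can read every domain of the current forest.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape characters that are special inside an LDAP filter (RFC 4515); backslash first.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-NestedGroupAdminCount {
    param(
        [Parameter(Mandatory)] [string]       $MemberDN,
        [Parameter(Mandatory)] [string[]]     $Domains,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $seen  = @{}    # group DN -> result row; also stops loops on circular nesting
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($MemberDN)
    while ($queue.Count -gt 0) {
        $dn     = $queue.Dequeue()
        $filter = '(member={0})' -f (ConvertTo-LdapFilterValue $dn)
        foreach ($domain in $Domains) {
            # Ask each domain which of its groups list $dn as a direct member.
            $groups = Get-ADGroup -LDAPFilter $filter -Server $domain `
                                  -Credential $Credential -Properties adminCount
            foreach ($g in $groups) {
                if ($seen.ContainsKey($g.DistinguishedName)) { continue }
                $seen[$g.DistinguishedName] = [pscustomobject]@{
                    Domain     = $domain
                    Group      = $g.Name
                    Scope      = $g.GroupScope
                    AdminCount = $g.adminCount   # $null when the attribute is not set
                    Via        = $dn             # the member that led to this group
                }
                $queue.Enqueue($g.DistinguishedName)   # expand its own parents next
            }
        }
    }
    $seen.Values
}

$domains = (Get-ADForest -Credential $Cred).Domains
Get-ADUser -Filter 'displayName -like "admin_User*"' -Credential $Cred | ForEach-Object {
    Get-NestedGroupAdminCount -MemberDN $_.DistinguishedName -Domains $domains -Credential $Cred
} | Sort-Object Domain, Group | Format-Table -AutoSize
```

A blank AdminCount in the output means the attribute is not set on that group, which is also why it is missing from `-Properties *` output for such groups.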
