PowerShell Q&A: SID translation of FSPs from group memberships

  • #111139

      My apologies if this is a bit convoluted for my first post here, but I'm at my wits' end on this. I have a script which audits certain groups within a trusted domain for membership changes, adds, removes and the dates associated. For some group members who are cross-domain I'm obviously getting the SID in place of the account name. I need a way to translate these SIDs and keep the formatting provided in the script, as this is for non-technical auditing types. My code is below, followed by the report formatting:

      https://gist.github.com/ezbakelovin/17f99cdf0a4f2194795aebd6d3fe46de


      Support Services

      S-1-5-21-1565465683-344022488-928725530-11781,03/05/2018 17:44:55 – needs translation

      User Numberone ,11/03/2017 09:12:44

      Enterprise Admins

      $AZSYNC,11/30/2017 12:39:35


      Operations-Admins

      S-1-5-21-1565465683-344022488-928725530-339742,06/11/2018 16:47:29 – needs translation

      S-1-5-21-1565465683-344022488-928725530-402282,06/01/2018 15:27:08 – needs translation

      S-1-5-21-1565465683-344022488-928725530-84525,04/23/2018 10:17:04 – needs translation

      $admin,03/23/2018 14:41:51

      S-1-5-21-1565465683-344022488-928725530-347271,01/08/2018 13:32:46

      S-1-5-21-1565465683-344022488-928725530-353447,01/05/2018 10:01:07

    • #111175

      Not exactly sure what you're after, but have you tried something like this, e.g.

      # Look the SID up directly against a DC in the domain that owns it ('dc in other domain' is a placeholder)
      Get-ADUser -Filter "SID -eq 'S-1-5-21-1565465683-344022488-928725530-353447'" -Server 'dc in other domain'

      If that works for you, then it should be simple to add an IF statement if you have a SID for the account name and then make a separate call to the other domain.

      But again not sure if that is what you’re looking for.

      • #111217

        This does seem to work, but I'm curious as to how the if statement would format the output. It's going to auditors, so this needs to remain in the same format/place. I could probably make my life easier by just outputting the group memberships after the initial report, but I'd like to work through this first. Seems not many have come across this issue or have no need for it :/

    • #111226

      Well, I would refactor lines 21-24 to something like this:

      foreach ($member in (Get-ADGroup -Server $domain -Filter {Name -eq $group} -Properties Members).Members)
      {
          # One call collects everything the row needs; for an FSP the Name is its SID string
          $memberData = Get-ADObject $member -Properties whenCreated
          $name = ""

          if ($memberData.Name -like "S-1-5-*")
          {
              # The $( ) subexpression is required: "$memberData.Name" would expand only $memberData
              $name = (Get-ADUser -Filter "SID -eq '$($memberData.Name)'" -Server 'dc in other domain').Name
              # Keep the raw SID if the other domain returns no matching user
              if (-not $name) { $name = $memberData.Name }
          }
          else
          {
              $name = $memberData.Name
          }

          "`t`t$($name),$($memberData.whenCreated)" | Out-File -FilePath $outputfile -Append
      }

      So first $memberData collects the necessary information in one call instead of two separate calls.
      Next the if-statement evaluates the name value; if it looks like a SID, then check against the other domain.
      If it doesn't look like a SID, just grab the name as in your current code.
      Last step, create the string you want using the $name variable and the whenCreated from the $memberData variable.

      • #111233

        So I hate that I wasted your time. It turns out I can accomplish this by querying the principal name instead of just the name. So for instance:

        "`t`t$((Get-ADObject $member).Name),$((Get-ADObject $member -Properties whenCreated).whenCreated)" | Out-File -FilePath $outputfile -Append

        vs

        "`t`t$((Get-ADObject $member -Properties "msDS-PrincipalName")."msDS-PrincipalName")),$((Get-ADObject $me
    • #111253

      No problem, whatever works 🙂

      But you should probably look at the number of times you query the DCs.
      At least if there are a lot of users you look up.

      • #111674

        Haven't thought about this in the past, but the domain it's querying isn't large at all. I really appreciate your help, however.
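The thread's technique in one place, as an added example that is not part of the original posts or the OP's gist: each FSP member is resolved first through msDS-PrincipalName (post #111233), then by a SID lookup against a DC in the domain that owns the SID (posts #111175 and #111226), then through LSA translation over the trust, and a SID that still cannot be mapped is kept in the report and flagged rather than silently dropped. Each distinct member is looked up once and cached across groups, which addresses the point raised in #111253. The code assumes the ActiveDirectory module, a working trust, and the hypothetical names $Domain, $GroupName, $OutputFile and $ForeignServer; the values in the usage comment are placeholders.

```powershell
# Added example, not the original poster's script or gist. Assumes the ActiveDirectory
# module, a reachable DC in the trusted domain ($Domain), and the hypothetical names
# $GroupName, $OutputFile and $ForeignServer used below.
Import-Module ActiveDirectory

# DN -> @{ Name; Created }. One directory lookup per distinct member across all groups.
$script:MemberCache = @{}

function Resolve-MemberDisplayName {
    param(
        [Parameter(Mandatory)] $Member,    # Get-ADObject result with objectSid and msDS-PrincipalName
        [string] $ForeignServer            # optional DC in the domain that owns the SID
    )
    # Ordinary members: the CN is the account name, as in the original report.
    if ($Member.objectClass -ne 'foreignSecurityPrincipal') { return $Member.Name }

    # 1. msDS-PrincipalName is a constructed attribute the DC fills in over the trust (DOMAIN\name).
    #    Treat an empty value, or one that is still a SID string, as "not resolved".
    $principal = $Member.'msDS-PrincipalName'
    if ($principal -and $principal -notmatch '^S-1-5-') { return $principal }

    $sid = $Member.objectSid.Value
    # 2. Ask the owning domain directly by SID. Get-ADObject rather than Get-ADUser,
    #    because an FSP can also stand for a group or a computer account.
    if ($ForeignServer) {
        $acct = Get-ADObject -Server $ForeignServer -Filter "objectSid -eq '$sid'" -Properties sAMAccountName -ErrorAction SilentlyContinue
        if ($acct) { return $acct.sAMAccountName }
    }
    # 3. Let LSA translate the SID through the trust without naming a DC.
    try {
        return ([System.Security.Principal.SecurityIdentifier] $sid).Translate([System.Security.Principal.NTAccount]).Value
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # Orphaned FSP: the source account was deleted or the trust is gone. Keep the SID and
        # flag it; an unresolvable principal in an admin group is an audit finding, not noise.
        return "$sid (unresolved - orphaned FSP)"
    }
}

function Write-GroupAuditSection {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $OutputFile,
        [string] $ForeignServer
    )
    "`t$GroupName" | Out-File -FilePath $OutputFile -Append
    $group = Get-ADGroup -Server $Domain -Filter "Name -eq '$GroupName'" -Properties Members
    if (-not $group) {
        "`t`t(group not found in $Domain)" | Out-File -FilePath $OutputFile -Append
        return
    }
    foreach ($dn in $group.Members) {
        if (-not $script:MemberCache.ContainsKey($dn)) {
            # One Get-ADObject call fetches everything the row needs for this member.
            $member = Get-ADObject -Server $Domain -Identity $dn -Properties objectSid, whenCreated, 'msDS-PrincipalName'
            $script:MemberCache[$dn] = [pscustomobject]@{
                Name    = Resolve-MemberDisplayName -Member $member -ForeignServer $ForeignServer
                Created = $member.whenCreated
            }
        }
        $row = $script:MemberCache[$dn]
        # Same "<tab><tab>name,whenCreated" row the auditors already receive.
        "`t`t$($row.Name),$($row.Created)" | Out-File -FilePath $OutputFile -Append
    }
}

# Usage (placeholder domain, DC and path):
# foreach ($g in 'Support Services', 'Enterprise Admins', 'Operations-Admins') {
#     Write-GroupAuditSection -Domain 'trusted.example' -GroupName $g -OutputFile 'C:\audit\groups.txt' -ForeignServer 'dc01.other.example'
# }
```

One caveat for the auditors reading the dates: for an FSP, whenCreated is the date the FSP object was created in the group's domain, which is the first time that foreign principal was added to any group there, not the date it joined this particular group. If the real add date matters, the replicated link metadata on the group's member attribute (Get-ADReplicationAttributeMetadata with -ShowAllLinkedValues) records when each value was added.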
