AD Security group membership

clindell · 2021-06-01T14:24:40.000Z

I’m looking for a script to ID what “security groups” a single user may be a member of, not Get-ADPrincipalGroupMembership “username” | select name

For instance I was able to list all the AD groups and ID them, however, “Security” group membership “Security” is not the same as “Member of” AD groups.

I could go to every Security group and list every user who is included in that security group, however, that would not be the same and take a very long time. I need the reverse. I need to list every security group a single user belongs to, make sense?

Thanks

@alexw

Neally · 2021-06-01T14:25:38.000Z

CLINDELL:

make sense?

Sure, what have you tried where are you stuck?
We’re happy to help but not a script writing service.

so just this would not be good enough?

Get-ADPrincipalGroupMembership $username |
Where-Object {$_.GroupCategory -eq 'Security' } |
Select-Object name

If you post code, please use the ‘Insert Code’ button. Please and thank you!

PLEASE READ BEFORE POSTING! Read if you're new to the PowerShell forum! Programming & Development

Hi, and welcome to the PowerShell forum! Don’t apologize for being a “noob” or “newbie” or “n00b.” There’s just no need – nobody will think you’re stupid, and the forums are all about asking questions. Just ask! Use a descriptive subject. Don’t say “Need help” or “PowerShell Help”, actually summarize what the problem is. It helps the rest of us keep track of which problem is which. Don’t post massive scripts. We’re all volunteers and we don’t have time to read all that, nor will we copy…

clindell · 2021-06-01T14:50:45.000Z

I ran this below and found std group memberships. I was able to save them for future need and then though I should also export the Security group membership and found I could list members for a single group, but I could not find a way to list a single user membership in al Security groups in the event I want to replicate a specific power user and questioned why this person was in various groups I felt were inappropriate. I’m looking for another user, not me. Your script on the bottom lists the user as a member of Domain users, which isn’t “Security”.

Get-ADPrincipalGroupMembership fhall | select name

PS C:\windows\system32> Get-ADPrincipalGroupMembership $username |
>> Where-Object {$_.GroupCategory -eq 'Security' } |
>> Select-Object name
Get-ADPrincipalGroupMembership : Cannot validate argument on parameter 'Identity'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
At line:1 char:32
+ Get-ADPrincipalGroupMembership $username |
+                                ~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-ADPrincipalGroupMembership], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership

Run another way

PS C:\Users\cl> Get-ADPrincipalGroupMembership **fhall** | Where-Object {$_.GroupCat
egory -eq 'Security' } | Select-Object name

name
----
Domain Users

Neally · 2021-06-01T15:07:58.000Z

CLINDELL:

Domain users, which isn’t “Security”.

Yes it is.

if you want to exclude it you can add another ‘where-object’ statement.

$username = 'fhall'
Get-ADPrincipalGroupMembership $userName | 
Where-Object {$_.GroupCategory -eq 'Security' } | 
Where-Object {$_.Name -ne 'Domain Users' } |
Select-Object name

jitensh · 2021-06-01T15:14:16.000Z

what if you try

get-aduser username -prop MemberOf |
select Name,@{N="MemberGroups"; E={(($_.MemberOf).split(",") | where-object {$_.contains("CN=")}).replace("CN=","")-join ','}}

all

get-aduser -f * -prop MemberOf |
select Name,@{N="MemberGroups"; E={(($_.MemberOf).split(",") | where-object {$_.contains("CN=")}).replace("CN=","")-join ','}}

Neally · 2021-06-01T15:17:18.000Z

JitenSh:

what if you try

get-aduser username -prop MemberOf |
select @{N="MemberGroups"; E={(($_.MemberOf).split(",") | where-object {$_.contains("CN=")}).replace("CN=","")-join ','}}

all

get-aduser -f * -prop MemberOf |
select @{N="MemberGroups"; E={(($_.MemberOf).split(",") | where-object {$_.contains("CN=")}).replace("CN=","")-join ','}}

I thought that’s what OP didn’t want?

“Security” group membership “Security” is not the same as “Member of” AD groups.

I’m confused.

OP, can you clarify a bit more what exactly you are looking for?

clindell · 2021-06-01T15:36:28.000Z

Neally:

JitenSh:
what if you try
get-aduser username -prop MemberOf |
select @{N="MemberGroups"; E={(($_.MemberOf).split(",") | where-object {$_.contains("CN=")}).replace("CN=","")-join ','}}
all
get-aduser -f * -prop MemberOf |
select @{N="MemberGroups"; E={(($_.MemberOf).split(",") | where-object {$_.contains("CN=")}).replace("CN=","")-join ','}}
I thought that’s what OP didn’t want?

“Security” group membership “Security” is not the same as “Member of” AD groups.

I’m confused.

OP, can you clarify a bit more what exactly you are looking for?

Sure can, “Security” group membership “Security” is exactly what I’m trying to list for an individual, I want to list every “Security” group this user belongs to

Neally · 2021-06-01T15:39:00.000Z

CLINDELL:

Sure can, “Security” group membership “Security” is exactly what I’m trying to list for an individual, I want to list every “Security” group this user belongs to

And ‘get-principalgroupmembership’ doesn’t do that with what I gave you?

What’s wrong or missing with it? You said ‘Domain Users’ is not “Security” ? What do you define as ‘security’? the group type is definitely security. Do you have a different definition what you label as ‘security’ ?

clindell · 2021-06-01T15:57:56.000Z

Neally:

CLINDELL:

Sure can, “Security” group membership “Security” is exactly what I’m trying to list for an individual, I want to list every “Security” group this user belongs to

And ‘get-principalgroupmembership’ doesn’t do that with what I gave you?

What’s wrong or missing with it? You said ‘Domain Users’ is not “Security” ? What do you define as ‘security’? the group type is definitely security. Do you have a different definition what you label as ‘security’ ?

Thanks, but not it’s not running as I expected and/or I don’t know how to run the script?

PS C:\Users\cl> Get-ADPrincipalGroupMembership fhall

distinguishedName : CN=Domain Users,CN=Users,DC=Removed,DC=org
GroupCategory : Security
GroupScope : Global
name : Domain Users
objectClass : group
objectGUID :
SamAccountName : Domain Users
SID :

This user should not be a member of any of these security groups and I want to list them and later reuse the same script when I encounter others I expect to find.

clindell · 2021-06-01T16:03:27.000Z

When I run the script as this below having copied and pasted it I just get a solid curser

$username = 'fhall'
Get-ADPrincipalGroupMembership $userName | 
Where-Object {$_.GroupCategory -eq 'Security' } | 
Select-Object name

Neally · 2021-06-01T16:04:45.000Z

Oh… you are talking about PERMISSIONS … not security groups.

$username = 'neally'
(get-acl "AD:$((get-aduser $username).distinguishedname)").access

Neally · 2021-06-01T16:05:44.000Z

CLINDELL:

When I run the script as this below having copied and pasted it I just get a solid curser
$username = 'fhall'
Get-ADPrincipalGroupMembership $userName | 
Where-Object {$_.GroupCategory -eq 'Security' } | 
Select-Object name

You are not actually running it, press enter again.

Don’t just copy and paste code. Save it as a .ps1 file and then call it.

clindell · 2021-06-01T16:28:05.000Z

Neally, you corrected me, thank you! The user had Domain Admin Permissions and others and I have not determined why. So I don’t think I’ve ever come across this before or I am really wrong and need clarification? Why would a user who is not part of Domain Admins or shouldn’t be there be included in IdentityReference : ADNAME\Domain Admins and have full rights? Is it also possible to just list the IdentityReference ?

ActiveDirectoryRights : GenericAll
InheritanceType : None
ObjectType : 00000000-0000-0000-0000-000000000000
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : None
AccessControlType : Allow
IdentityReference : ADNAME\Domain Admins
IsInherited : False
InheritanceFlags : None
PropagationFlags : None

Neally · 2021-06-01T16:31:24.000Z

CLINDELL:

I am really wrong and need clarification

yeah you are reading this wrong.

That means domain admins have full rights to the user object.

Of course it is possible, what have you tried? Just select it. (select-object)

give it a shot.

clindell · 2021-06-01T16:37:16.000Z

Neally wrote

yeah you are reading this wrong.

That means domain admins have full rights to the user object.

Of course it is possible, what have you tried? Just select it. (select-object)

give it a shot.

Ok, thanks! The user object when opened has a security tab, in the security tab there are the various groups that have rights to the user object, the list seems much larger than expected to have rights over the object than I’ve ever noticed previously anywhere! So, with that I questioned all the security over the object and misconstrued it as the object having those rights… false alarm! I do not need to record the groups that have rights to the user object.

Thanks for kicking me!

Neally · 2021-06-01T16:42:53.000Z

CLINDELL:

The user object when opened has a security tab, in the security tab there are the various groups that have rights to the user object

Right, that’s similar to folder permissions.

You go to proeprties of a folder and Security tab, there you see who all has access and what access (read, write, etc) to the folder.

Same with AD. You were looking at the permissions in AD to the object.

moorebeers · 2021-06-03T13:00:19.000Z

So down the rabbit hole I went… and found something from Scripting guy that said the value you’re looking for (objGroup.groupType) is actually saved as a number and not as a string variable…so:

Scripting Blog [archived] – 21 Dec 04

How Can I Tell Whether a Group is a Security Group or a Distribution Group? -...

Hey, Scripting Guy! Is there any way to tell whether an Active Directory group is a security group or a distribution group?— AW Hey, AW. As a matter of fact, there is; this script will tell you what type of group you’re dealing with:Set objGroup =...

Their end was to check the number and see if it’s greater than 0 or less than 0 to determine if it’s a distribution group verses a security group…Hope this helps

Edit:
Did a bit more digging and found that the GroupCategory is suppose to tell if the group is a Distribution or a Security Group so the previous examples may be just fine to use and may require you to have a statement ignoring any group that doesn’t have a GroupCategory as Security:

TheITBros.com

Active Directory Group Types and Scopes Explained – TheITBros

In this article we'll take a closer look on different types of Active Directory groups, how they differ and will show how to create AD groups in few ways