Nested AD Groups and PowerShell

The ability to expand nested Active Directory groups is a very useful feature that was added in the recently released AD cmdlets 1.1.

Before that you could get direct group membership:

[PS] C:\>Get-QADGroupMember Administrators

Name                           Type    DN
----                           ----    --
Administrator                  user    CN=Administrator,CN=Users,DC=...
Enterprise Admins              group   CN=Enterprise Admins,CN=Users...
Domain Admins                  group   CN=Domain Admins,CN=Users,DC=...
Exchange Organization Admin... group   CN=Exchange Organization Admin...

But then you were stuck with just the direct members and had to walk through each subgroup to get the full list of indirect members, who in the AD world get exactly the same rights as the direct members but are somewhat hidden. Not anymore! Now, with a simple -Indirect parameter, you can get them all:

[PS] C:\>Get-QADGroupMember Administrators -Indirect

Name                           Type   DN
----                           ----   --
Administrator                  user   CN=Administrator,CN=Users,DC=...
Enterprise Admins              group  CN=Enterprise Admins,CN=Users...
Domain Admins                  group  CN=Domain Admins,CN=Users,DC=...
Exchange Organization Admin... group  CN=Exchange Organization Admin...
Temp Account                   user   CN=Temp Account,OU=Demo,DC=sc...

And if you just want to see who sneaked in, Compare-Object is your friend:

[PS] C:\>Compare-Object (Get-QADGroupMember Administrators) (Get-QADGroupMember Administrators -Indirect)

InputObject                                    SideIndicator
-----------                                    -------------
CN=Temp Account,OU=Demo,DC=scorpio,DC=local    =>

I don’t know who this Temp Account is, but I am removing him from admins right away!
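Compare-Object tells you who sneaked in but not how. The following is an added PowerShell example (not from the original post) that walks the nesting itself and reports, for each user who is not a direct member, the chain of groups through which they inherit the rights; it guards against circular group nesting. It assumes the Quest AD cmdlets are loaded and uses only Get-QADGroup, Get-QADGroupMember and the Name/Type/DN properties shown in the output above; 'Administrators' is just the example group.

```powershell
# Added example: list indirect members of a group together with the nesting path.
# Assumes the Quest AD cmdlets snap-in is loaded; the group name is a placeholder.
param([string]$GroupName = 'Administrators')

$top = Get-QADGroup $GroupName

# Direct members keyed by DN, so we can tell who was added straight to the group.
$direct = @{}
Get-QADGroupMember $top.DN | ForEach-Object { $direct[$_.DN] = $true }

$seen  = @{ $top.DN = $true }   # group DNs already expanded (guards against circular nesting)
$found = @()

function Expand-Group {
    param([string]$GroupDN, [string[]]$Path)
    foreach ($m in Get-QADGroupMember $GroupDN) {
        if ($m.Type -eq 'group') {
            if ($seen.ContainsKey($m.DN)) { continue }   # already walked this branch
            $seen[$m.DN] = $true
            Expand-Group -GroupDN $m.DN -Path ($Path + $m.Name)
        }
        elseif (-not $direct.ContainsKey($m.DN)) {
            # A user that is not a direct member only holds the rights through nesting;
            # the same user is listed once per path by which they arrive.
            $script:found += New-Object PSObject -Property @{
                Name = $m.Name
                DN   = $m.DN
                Via  = ($Path -join ' -> ')
            }
        }
    }
}

Expand-Group -GroupDN $top.DN -Path @($top.Name)

# Constructed sample output for the post's scenario would read:
#   Name          Via
#   ----          ---
#   Temp Account  Administrators -> Domain Admins
$found | Sort-Object Via, Name | Format-Table Name, Via -AutoSize
```

Reviewing the Via column is usually quicker than removing the account outright: the real fix may be a subgroup that should never have been nested under Administrators in the first place.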
