The ability to expand nested Active Directory groups is a very useful feature added in the recently released AD cmdlets 1.1.
Before that, you could only get direct group membership:
[PS] C:\>Get-QADGroupMember Administrators

Name                           Type   DN
----                           ----   --
Administrator                  user   CN=Administrator,CN=Users,DC=...
Enterprise Admins              group  CN=Enterprise Admins,CN=Users...
Domain Admins                  group  CN=Domain Admins,CN=Users,DC=...
Exchange Organization Admin... group  CN=Exchange Organization Admin...
But then you were stuck with just the direct members and had to go through each subgroup to get the full list of indirect members – who in the AD world get exactly the same rights as the direct members but are somewhat hidden. Not anymore! Now, with a simple -Indirect parameter, you can get them all:
[PS] C:\>Get-QADGroupMember Administrators -Indirect

Name                           Type   DN
----                           ----   --
Administrator                  user   CN=Administrator,CN=Users,DC=...
Enterprise Admins              group  CN=Enterprise Admins,CN=Users...
Domain Admins                  group  CN=Domain Admins,CN=Users,DC=...
Exchange Organization Admin... group  CN=Exchange Organization Admin...
Temp Account                   user   CN=Temp Account,OU=Demo,DC=sc...
And if you just want to see who sneaked in, Compare-Object is your friend:
[PS] C:\>Compare-Object (Get-QADGroupMember Administrators) (Get-QADGroupMember Administrators -Indirect)

InputObject                                  SideIndicator
-----------                                  -------------
CN=Temp Account,OU=Demo,DC=scorpio,DC=local  =>
I don’t know who this Temp Account is, but I am removing him from admins right away!
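Compare-Object tells you that an account sneaked in, but not through which nested group. The following added example (my own code, not part of the original post or of the Quest cmdlets) expands membership by hand with cycle detection and records, for every member, the chain of groups that grants the membership. It takes the member-lookup as a scriptblock so the same function runs against a real domain via Get-QADGroupMember or against the constructed, clearly fictional membership map below (group names, DNs and the DC=demo,DC=local domain are made up; the Domain Admins group deliberately nests Administrators back to show that the cycle guard works).

```powershell
# Added example, not code from the original post: expand nested group membership
# manually, with cycle detection, and report every member together with the chain
# of groups through which it inherits membership. -GetMembers is a scriptblock that
# returns the direct members of a group as objects carrying Name, Type and DN
# properties (the shape Get-QADGroupMember returns). Recursion here is keyed on the
# group name for readability; in a real domain, keying on DN is safer because
# names need not be unique.
function Expand-GroupMembership {
    param(
        [Parameter(Mandatory = $true)] [string] $Group,
        [Parameter(Mandatory = $true)] [scriptblock] $GetMembers,
        [string[]] $Path = @($Group),
        [hashtable] $Visited = @{}
    )
    # Nested groups may legally contain each other (A -> B -> A); never expand twice.
    if ($Visited.ContainsKey($Group)) { return }
    $Visited[$Group] = $true

    $members = @(& $GetMembers $Group | Where-Object { $_ -ne $null })
    foreach ($m in $members) {
        New-Object PSObject -Property @{
            Name   = $m.Name
            Type   = $m.Type
            DN     = $m.DN
            Direct = ($Path.Count -eq 1)    # true only for members of the top-level group
            Via    = ($Path -join ' -> ')   # nesting chain that grants the membership
        }
        if ($m.Type -eq 'group') {
            Expand-GroupMembership -Group $m.Name -GetMembers $GetMembers `
                -Path ($Path + $m.Name) -Visited $Visited
        }
    }
}

# Constructed demo membership map (not real directory data), modelled on the post:
# Temp Account is a member of Domain Admins only, which is nested in Administrators,
# and Domain Admins nests Administrators back to create a cycle.
$demo = @{
    'Administrators' = @(
        @{ Name = 'Administrator'; Type = 'user';  DN = 'CN=Administrator,CN=Users,DC=demo,DC=local' },
        @{ Name = 'Domain Admins'; Type = 'group'; DN = 'CN=Domain Admins,CN=Users,DC=demo,DC=local' }
    )
    'Domain Admins' = @(
        @{ Name = 'Temp Account';   Type = 'user';  DN = 'CN=Temp Account,OU=Demo,DC=demo,DC=local' },
        @{ Name = 'Administrators'; Type = 'group'; DN = 'CN=Administrators,CN=Builtin,DC=demo,DC=local' }
    )
}
$fromDemo = {
    param($g)
    if ($demo.ContainsKey($g)) { $demo[$g] | ForEach-Object { New-Object PSObject -Property $_ } }
}
# Against a real domain with the Quest cmdlets loaded, use this lookup instead:
# $fromAd = { param($g) Get-QADGroupMember $g }

$all = Expand-GroupMembership -Group 'Administrators' -GetMembers $fromDemo
$directDns = $all | Where-Object { $_.Direct } | ForEach-Object { $_.DN }

# Members reachable only through nesting, with the chain that admits each of them.
# For the demo map this lists Temp Account (via Administrators -> Domain Admins) and
# the Administrators group itself, which is how the cycle shows up in the report.
$all | Where-Object { -not $_.Direct -and $directDns -notcontains $_.DN } |
    Format-Table Name, Type, Via -AutoSize
```

When run against a real domain, the Via column is what turns "Temp Account is somehow an admin" into "Temp Account is an admin because someone added it to Domain Admins", which is the group you then need to review.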
Tags: AD, AD cmdlets, Active Directory, Examples, PowerShell, cmdlets, one-liner