Nested AD Groups and PowerShell

The ability to expand nested Active Directory groups is a very useful feature that was added in the recently released AD cmdlets 1.1.

Before that you could get direct group membership:

[PS] C:\>Get-QADGroupMember Administrators

Name                           Type    DN
----                           ----    --
Administrator                  user    CN=Administrator,CN=Users,DC=...
Enterprise Admins              group   CN=Enterprise Admins,CN=Users...
Domain Admins                  group   CN=Domain Admins,CN=Users,DC=...
Exchange Organization Admin... group   CN=Exchange Organization Admin...

But then you were stuck with just the direct members and had to walk each subgroup yourself to get the full list of indirect members, who in AD get exactly the same rights as the direct members but are somewhat hidden. Not anymore! Now, with a simple -Indirect parameter, you can get them all:

[PS] C:\>Get-QADGroupMember Administrators -Indirect

Name                           Type   DN
----                           ----   --
Administrator                  user   CN=Administrator,CN=Users,DC=...
Enterprise Admins              group  CN=Enterprise Admins,CN=Users...
Domain Admins                  group  CN=Domain Admins,CN=Users,DC=...
Exchange Organization Admin... group  CN=Exchange Organization Admin...
Temp Account                   user   CN=Temp Account,OU=Demo,DC=sc...

And if you just want to see who sneaked in, Compare-Object is your friend:

[PS] C:\>Compare-Object (Get-QADGroupMember Administrators) (Get-QADGroupMember Administrators -Indirect)

InputObject                                    SideIndicator
-----------                                    -------------
CN=Temp Account,OU=Demo,DC=scorpio,DC=local    =>

I don’t know who this Temp Account is, but I am removing him from admins right away!
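-Indirect flattens the whole hierarchy, so it tells you that an account is in Administrators but not which nested group let it in. The script below is an added example, not code from the original post or from the AD cmdlets themselves: it walks the direct members recursively (using only Get-QADGroupMember and the Name, Type and DN properties shown above) to recover the chain of groups behind every nested-only member, and then cross-checks that walk against the -Indirect result. $PrivilegedGroup and the function name Get-NestedMemberPath are assumptions of this example.

```powershell
# Added example (not part of the original post). Assumes the Quest AD cmdlets
# (Get-QADGroupMember) are loaded. $PrivilegedGroup is a constructed parameter.
param(
    [string]$PrivilegedGroup = 'Administrators'
)

# Direct and flattened membership, exactly as in the post, keyed by DN.
$direct   = Get-QADGroupMember $PrivilegedGroup
$indirect = Get-QADGroupMember $PrivilegedGroup -Indirect
$directDNs = @{}
foreach ($m in $direct) { $directDNs[$m.DN] = $true }

# Recursive walk over direct members. Each non-group member is emitted with the
# chain of groups that leads to it; $Visited guards against circular nesting.
function Get-NestedMemberPath {
    param(
        [string]$GroupIdentity,          # name or DN accepted by Get-QADGroupMember
        [string]$GroupLabel,             # display name used in the "Via" chain
        [string[]]$Path = @(),
        [hashtable]$Visited = @{}
    )
    if ($Visited.ContainsKey($GroupIdentity)) { return }
    $Visited[$GroupIdentity] = $true
    $chain = $Path + $GroupLabel
    foreach ($member in (Get-QADGroupMember $GroupIdentity)) {
        if ($member.Type -eq 'group') {
            Get-NestedMemberPath -GroupIdentity $member.DN -GroupLabel $member.Name `
                                 -Path $chain -Visited $Visited
        } else {
            [pscustomobject]@{
                Name   = $member.Name
                DN     = $member.DN
                Via    = ($chain -join ' -> ')
                Direct = $directDNs.ContainsKey($member.DN)
            }
        }
    }
}

$walk = Get-NestedMemberPath -GroupIdentity $PrivilegedGroup -GroupLabel $PrivilegedGroup

# Members that only arrive through nesting, with the path that brought them in.
$nestedOnly = $walk | Where-Object { -not $_.Direct } | Sort-Object DN -Unique
"Members of $PrivilegedGroup reachable only through nested groups:"
$nestedOnly | Format-Table Name, Via, DN -AutoSize

# Cross-check: any non-group DN reported by -Indirect that the walk did not
# reach (e.g. a subgroup we could not read, or a cycle cut by $Visited) is
# listed so the audit does not silently miss it.
$walkDNs = @{}
foreach ($w in $walk) { $walkDNs[$w.DN] = $true }
$missed = $indirect | Where-Object { $_.Type -ne 'group' -and -not $walkDNs.ContainsKey($_.DN) }
if ($missed) {
    "WARNING: -Indirect reports members the recursive walk did not reach:"
    $missed | Format-Table Name, DN -AutoSize
}
```

Run it once per privileged group (Administrators, Domain Admins, Enterprise Admins and so on) and keep the output: the Via column is what you need to decide whether to remove the account from the inner group or to remove that inner group from the privileged one, and diffing today's report against yesterday's catches the next Temp Account the day it appears.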

© 2007-2014 Dmitry Sotnikov
May 2008