How to Retrieve a List of User Groups with PowerShell
-
Thursday, March 29, 2012 8:11 PM
I am looking for a lowest common denominator approach to retrieve a list of current user's domain groups with PowerShell, and I need the code to work on PowerShell 2.0 for Windows Server 2008 as well as Windows Server 2003, without downloading any non-Microsoft code. (Otherwise, I will not be able to keep the auditors happy.)
We have some servers shared by two different admin groups. In the past, our group always created a $pshome\profile.ps1 file to customize PowerShell for the entire server (because we were the only ones working on that server). The other group prefers not to have a custom PowerShell profile at all. This worked fine until both groups started sharing one key server for certain operations. Now, I need to find a way to execute our custom code for our group, but let the other group "fall through" profile.ps1 without picking up any of the customizations.
At one point, I thought I had a solution using "net user," but our site protects "net.exe" as part of its hardening standard, and Task Scheduler jobs got errors on the locked down "net user" command.
As an alternative, the following code works interactively, but fails under Task Scheduler on Windows Server 2003 without displaying any error:
(Please excuse any typos. For whatever reason, I cannot paste anything into this web page.)
[string]$UserGroups_STR = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).Groups | ForEach-Object {$_.Translate([System.Security.Principal.NTAccount])}
if ($UserGroups_STR.IndexOf('MyGroup') -ge 0) {
    # execute custom code
}
Any ideas?
All Replies
-
Thursday, March 29, 2012 8:19 PM
By the way, I tried using the following, but the "ActiveDirectory" module does not appear to work on Windows Server 2003.
Import-Module ActiveDirectory
get-ADGroupMember -Identity MyGroup | select name
-
Thursday, March 29, 2012 9:54 PM
A PowerShell V1 example, which will work on any computer with PowerShell:
$Domain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = $Domain
$Searcher.PageSize = 100
$Searcher.SearchScope = "subtree"
$Name = Read-Host "Enter pre-Windows 2000 logon name of user"
$Searcher.Filter = "(sAMAccountName=$Name)"
$Searcher.PropertiesToLoad.Add("memberOf") > $Null
$Results = $Searcher.FindAll()
ForEach ($Result In $Results)
{
    $Groups = $Result.Properties.Item("memberOf")
    ForEach ($Group In $Groups)
    {
        "Member of group $Group"
    }
}
-----
Richard Mueller - MVP Directory Services
- Proposed As Answer by Richard Mueller MVP Friday, March 30, 2012 2:14 PM
- Marked As Answer by Yan Li_Microsoft Contingent Staff, Moderator Friday, April 06, 2012 1:56 AM
-
Friday, March 30, 2012 11:10 AM
Richard,
Very nice. Just what I needed. Thanks!
-
Friday, May 25, 2012 8:14 PM
Here's another way:
(GET-ADUSER -Identity $UserID -Properties MemberOf | Select-Object MemberOf).MemberOf
Where $UserID is the user whose groups you want a list of. The DNs of the groups are returned.
To get current user's groups:
(GET-ADUSER -Identity (ls env:\username).value -Properties MemberOf | Select-Object MemberOf).MemberOf
And to get this in <Domain>\<SamAccountName> format:
$UserID = [Security.Principal.WindowsIdentity]::GetCurrent()
$groups = $UserId.Groups | foreach-object {$_.Translate([Security.Principal.NTAccount])}
$Groups
Jason Sherry | Twitter: @JasonSherry
Microsoft Infrastructure Architect, MCSE: M, MCTIP, Microsoft Exchange MVP
- Proposed As Answer by Jason Sherry MVP Friday, May 25, 2012 8:14 PM
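The token-based listing from the posts above, used as the profile.ps1 gate the question describes; this is an added example, not code from any poster in the thread. `CONTOSO\MyGroup` and both function names are placeholders, and the check compares whole group names instead of substrings and skips SIDs that cannot be translated.

```powershell
# Added example; 'CONTOSO\MyGroup' and the function names are placeholders.
function Get-CurrentUserGroupName {
    # Groups are read from the logon token, so nested groups are included and
    # no directory query, module or external tool is needed (PowerShell 2.0).
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch {
            # A SID that cannot be resolved (deleted group, unreachable domain
            # controller) is skipped instead of aborting the whole list.
            Write-Verbose "Could not translate $($sid.Value): $_"
        }
    }
}

function Test-CurrentUserInGroup {
    param([string]$GroupName)   # expected in DOMAIN\Name form
    # -contains compares whole names (case-insensitively), so 'MyGroup' does
    # not also match 'MyGroup2' the way a substring search would.
    return (@(Get-CurrentUserGroupName) -contains $GroupName)
}

if (Test-CurrentUserInGroup -GroupName 'CONTOSO\MyGroup') {
    # Custom profile code for this admin group goes here.
    Write-Verbose 'Profile customizations enabled for this user.'
}
```

The memberOf attribute used in the directory-query answers lists direct memberships only and omits the primary group, so the two approaches can return different sets for the same account.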

