none
can i get a list of security groups that a machine belongs to? RRS feed

  • Question

  • Hello. We are changing to Cisco ISE and are finding machines that do not get added to a security group that is needed to place the switch port in the correct vlan. I am trying to use Dell KACE to check on computers every hour to see what security groups the computer itself belongs to. I know that if I use net localgroup it will create a list of the local groups, but that does not seem to return the security group that the computer itself is a member of. For example, when run on my local machine net localgroup will return:

    Aliases for \\my-computer

    -------------------------------------------------------------------------------
    *Administrators
    *Backup Operators
    *Cryptographic Operators
    *Distributed COM Users
    *Event Log Readers
    *Guests
    *IIS_IUSRS
    *Network Configuration Operators
    *Performance Log Users
    *Performance Monitor Users
    *Power Users
    *Remote Desktop Users
    *Replicator
    *Users
    The command completed successfully.

    but nowhere here does it list the AD security group "staff-computers" that the computer itself is a member of to get the correct vlan. Is there another command that can return this?

    Tuesday, January 5, 2016 7:17 PM

Answers

All replies

  • PowerShell:


    PS C:\> Get-ADComputer $ENV:COMPUTERNAME -Properties memberOf | Select-Object -ExpandProperty memberOf


    -- Bill Stewart [Bill_Stewart]

    Tuesday, January 5, 2016 7:22 PM
    Moderator
  • Hi,

    Get-ADPrincipalGroupMembership will show you which groups a machine is a member of.

    http://ss64.com/ps/get-adprincipalgroupmembership.html


    Tuesday, January 5, 2016 7:23 PM
  • Using Get-ADPrincipalGroupMembership:


    Get-ADComputer $ENV:COMPUTERNAME | Get-ADPrincipalGroupMembership

    However this is markedly slower, depending on the domain, than getting the memberOf attribute from the computer object (first example). However, it is worth noting memberOf does not list primary group membership, whereas Get-ADPrincipalGroupMembership does (this may not matter, depending on the requirements).


    -- Bill Stewart [Bill_Stewart]

    Wednesday, January 6, 2016 4:04 PM
    Moderator