Where is an AD Group Used within my environment

  • Question

  • I can pull the AD group members, but I am having trouble getting my script to go out and see where the group is used within my environment, i.e. on remote servers. I am only concerned with the one AD group, so that is the trouble I am having.
    • Moved by Bill_Stewart Thursday, December 20, 2018 9:35 PM This is not "develop custom solutions for me" forum
    Tuesday, October 16, 2018 3:57 PM

All replies

  • Huh?

    Are you trying to figure out where the group is in your AD tree or where the group has permissions set on other computers?


    Tuesday, October 16, 2018 4:01 PM
  • There is no way to do this except to query the security on every server, including all files and all resources like printers, DCOM, services and all other resources that would use a group.


    \_(ツ)_/

    Tuesday, October 16, 2018 6:29 PM
  • Yeah it's a painful process. If you can narrow down the types of things you are looking for it helps. You can start by sweeping the rights assignment, local groups, services, NTFS/Share permissions and so on.

    If the group is in active use then the security logs would be the best place to look but if you are looking for stale groups then you have to take the low road.

    Check out this for getting local user rights assignments.

    https://gallery.technet.microsoft.com/scriptcenter/Grant-Revoke-Query-user-26e259b0

    For local groups I use ADSI but others may suggest something better (There is a cmdlet in PS 5 for this if you have v5 running everywhere).

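    # $_ is the current computer object in the pipeline (e.g. inside ForEach-Object)
    $ADSIComputer = [ADSI]("WinNT://$($_.Name),computer")
    $group = $ADSIComputer.psbase.Children.Find('Administrators', 'Group')
    # Returns the group's members as COM objects
    $group.psbase.Invoke("Members")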

    That returns the members of the local admins group, but you can get the others in the same way.

    For NTFS/Share permissions I would do something like this,

    https://gallery.technet.microsoft.com/scriptcenter/Get-Share-Users-3866a711

    But I am positive there is a newer/better way of doing that, I just can't remember it right now.

    For NTFS perms just use Get-Acl.

    And so on...

    Tuesday, October 16, 2018 9:54 PM
  • I wanted to know if one group in particular has admin rights on systems and file shares.
    • Edited by river19dog Friday, October 19, 2018 7:05 PM
    Friday, October 19, 2018 7:01 PM
  • I wanted to know if one group in particular has admin rights on systems and file shares.

    Then you will have to query all local administrator groups and shares.

    Look in the Gallery for scripts that can get group and share permissions.


    \_(ツ)_/

    Friday, October 19, 2018 7:21 PM
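
The sweep the replies describe (local Administrators, share permissions, NTFS ACLs) for a single group, as an added example that is not code from any poster in this thread. The function name `Find-GroupUsage`, the domain `CONTOSO`, the group `Tier1-Ops` and the server names are placeholders; it assumes the English group name `Administrators` and reports direct grants only, not access gained through nested groups.

```powershell
# Added example. 'CONTOSO', 'Tier1-Ops', SRV01 and SRV02 are placeholders.
function Find-GroupUsage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Domain,       # NetBIOS domain name
        [Parameter(Mandatory)] [string]   $GroupName,    # group's sAMAccountName
        [Parameter(Mandatory)] [string[]] $ComputerName
    )
    $account = "$Domain\$GroupName"
    foreach ($computer in $ComputerName) {
        # Build one result row; $computer is read from the enclosing scope.
        $row = { param($type, $target, $right)
            [pscustomobject]@{ Computer = $computer; Type = $type; Target = $target; Right = "$right" } }
        try {
            # 1. Local Administrators via the WinNT provider, as in the thread.
            #    Assumes the English group name; direct members only.
            $admins = [ADSI]"WinNT://$computer/Administrators,group"
            foreach ($member in $admins.psbase.Invoke('Members')) {
                # Members are COM objects; ADsPath looks like WinNT://DOMAIN/Name
                $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
                if ($path -eq "WinNT://$Domain/$GroupName") {
                    & $row 'LocalAdmin' 'Administrators' 'Member'
                }
            }
            # 2. Share-level permissions (needs Windows 8 / Server 2012 or later).
            foreach ($share in Get-SmbShare -CimSession $computer -Special $false -ErrorAction Stop) {
                $unc = "\\$computer\$($share.Name)"
                Get-SmbShareAccess -CimSession $computer -Name $share.Name |
                    Where-Object { $_.AccountName -eq $account } |
                    ForEach-Object { & $row 'Share' $unc "$($_.AccessControlType) $($_.AccessRight)" }
                # 3. NTFS ACL on the share root only (no recursion into subfolders).
                (Get-Acl -Path $unc -ErrorAction SilentlyContinue).Access |
                    Where-Object { $_.IdentityReference.Value -eq $account } |
                    ForEach-Object { & $row 'NTFS' $unc "$($_.AccessControlType) $($_.FileSystemRights)" }
            }
        }
        catch {
            # Unreachable host, access denied, or SMB cmdlets unavailable on the target.
            Write-Warning "$computer : $($_.Exception.Message)"
        }
    }
}

Find-GroupUsage -Domain 'CONTOSO' -GroupName 'Tier1-Ops' -ComputerName 'SRV01', 'SRV02' |
    Format-Table -AutoSize
```

An empty result means no direct grant was found on the listed servers; user rights assignments, services and ACLs below the share root still have to be checked separately.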