While this is technically possible, there's probably a better way to go about it.
And speaking of better ways to go about it, you could do this in a GPO with a few lines of code as a startup or shutdown script, which is how I handle this. With a few more lines of code you could log the results of checking for the presence of this thing and/or uninstalling it, which would undoubtedly be useful in your compliance efforts.
If a GPO-linked startup/shutdown script's not an option for whatever reason, I think I'd use PSExec to kill the process on a list of computers read in from file and then script the uninstall in an appropriate language. Seems to me that this is a lot easier in VB, for example.
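    ' RegRead raises an error when the value is missing, so trap it
    On Error Resume Next
    Set WshShell = CreateObject("WScript.Shell")
    a = WshShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\UninstallString")
    If a <> "" Then
        ' Run the uninstaller silently and wait for it to finish
        WshShell.Run a & " /S", 1, True
        i = i + 1
    End If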
(Goodbye Google Toolbar, in that example which I wrote or copied a few years back. Copied, probably. I am rather lazy.)
Without debugging the PS script you copied, I'd point out that you might be running a different PS version, different PS modules installed/loaded and/or there might be some dependencies that your XP machines don't have in place that's causing problems.
There are two problems here.
The cmdlet Get-QADPermission is writing directly to the console during execution, which is why you're seeing "Permissions for: ...". Since your pipeline is writing to the same output, it all gets mixed together. Store the output from your pipeline to a variable instead.
When you pipe the group into Get-QADPermission, you're throwing away the group object and getting a permissions object instead. If you want to keep the original object, you need to filter with Where-Object.
Also, be careful with Get-QADPermission. If you only query for WriteProperty, it won't return results with both Read+Write access. Usually you want to query for both. And in most cases, you also want to use -Inherited to get permissions granted from parent OUs. If you're really looking for once-off permissions, then you can ignore this switch.
    function Test-UserCanModifyGroupsInOU ($Username, $OU)
    {
        # Keep the group object: Where-Object only uses the permission lookup as a filter
        $results = Get-QADGroup -SearchScope 'OneLevel' -SearchRoot $OU |
            Where-Object {
                $_ | Get-QADPermission -Rights ReadProperty,WriteProperty -Property member -Account $username
            } |
            Select @{Name="User";Expression={$username}}, @{Name="Group";Expression={$_.Name}}
        # Emit the stored results and also write them to a per-user CSV
        $results | Write-Output
        $results | Export-Csv "$username.csv"
    }

    @("bob","sally") |
        ForEach-Object {
            Test-UserCanModifyGroupsInOU -Username $_ -OU 'domain.org.com/path/to/OU'
        }
Also note that this only works for permissions on specific properties. It won't return results for a user that has "Full Control" on the group, even though they're still allowed to modify the member attribute.
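The "Full Control" gap described above, shown as an added example that is not part of the original answer: a filter over access-control entries that treats both a property-specific write on member and an all-properties grant as the ability to change group membership. The function name, the CONTOSO accounts and the sample ACEs are constructed; the filter deliberately ignores Deny precedence, property sets and the Self validated write.

```powershell
# Added example, not the answer author's code. Runs offline on constructed ACEs.
# In a live domain the same properties come from (Get-Acl "AD:\<group DN>").Access
# with the ActiveDirectory module loaded.
Add-Type -AssemblyName System.DirectoryServices

$Rights     = [System.DirectoryServices.ActiveDirectoryRights]
$MemberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of 'member'
$OtherAttr  = [guid]'11111111-1111-1111-1111-111111111111'   # placeholder for some other attribute

function Test-AceGrantsMemberWrite {
    param([Parameter(Mandatory)] $Ace)

    if ($Ace.AccessControlType -ne 'Allow') { return $false }

    # GenericAll (Full Control) and GenericWrite both contain the WriteProperty bit,
    # so one mask test covers the case a WriteProperty-only query misses.
    $canWrite = ([int]$Ace.ActiveDirectoryRights -band [int]$Rights::WriteProperty) -ne 0

    # An empty ObjectType means "all properties"; otherwise it must name 'member'.
    $coversMember = ($Ace.ObjectType -eq [guid]::Empty) -or ($Ace.ObjectType -eq $MemberAttr)

    return ($canWrite -and $coversMember)
}

# Constructed sample ACEs for one group object
$sampleAces = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\helpdesk'; AccessControlType = 'Allow'
        ActiveDirectoryRights = $Rights::WriteProperty; ObjectType = $MemberAttr; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\ou-admins'; AccessControlType = 'Allow'
        ActiveDirectoryRights = $Rights::GenericAll; ObjectType = [guid]::Empty; IsInherited = $true }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\auditors'; AccessControlType = 'Allow'
        ActiveDirectoryRights = $Rights::ReadProperty; ObjectType = $MemberAttr; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\desc-editors'; AccessControlType = 'Allow'
        ActiveDirectoryRights = $Rights::WriteProperty; ObjectType = $OtherAttr; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\contractors'; AccessControlType = 'Deny'
        ActiveDirectoryRights = $Rights::WriteProperty; ObjectType = $MemberAttr; IsInherited = $false }
)

# Report every principal whose ACE allows writing 'member', inherited or not
$sampleAces |
    Where-Object { Test-AceGrantsMemberWrite $_ } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```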
Best Answer
Try this (Untested). Though it still doesn't get around the fact that you're testing blind.