Powershell – (Powershell) Method to return a list of groups where a specific user has ‘write member’ security

access-control-listactive-directorygroupspowershell

We use a piece of web-based software that users can log on to in order to manage access to shares controlled with AD groups. The list of groups a user can manage are the groups on which they have 'Write Members' security. This allows users to maintain file shares without requiring knowledge of AD.

I am trying to write a Powershell script using the quest.activeroles.admanagement that will return a neat list of groups that a specified user has 'Write Members' security on, in order to clean out permissions for departed users. The groups I need to search through are stored in an OU, though there are over 1,000 of them.

I have so far come up with:

add-pssnapin quest.activeroles.admanagement
Get-QADObject -ShowProgress -SearchRoot 'domain.server.com/path/to/OU' -SearchScope 'OneLevel' -Type Group -SizeLimit 2500 | Get-QADPermission -Rights 'WriteProperty' -Property 'member' -Account "user" -WarningAction SilentlyContinue

This works fine (however inefficiently) but the host output is fairly messy:

Permissions for: full.domain.path/OU/path/group1

Ctrl   Account                                  Rights                              Source           AppliesTo                                    
----   -------                                  ------                              ------           ---------                                    
       Domain\user                              Write member                        Not inherited    This object and all child objects            
Permissions for: full.domain.path/OU/path/group2
       Domain\user                              Write member                        Not inherited    This object and all child objects                        Not inherited    This object and all child objects            
Permissions for: full.domain.path/OU/path/group3
       Domain\user                              Write member                        Not inherited    This object and all child objects                        Not inherited    This object only                             
Permissions for: full.domain.path/OU/path/group4
       Domain\user                              Write member                        Not inherited    This object and all child objects                        Not inherited    This object and all child objects

I get the required information, but a whole lot of chaff surrounding it. If I pipe/append to a text file, I only get the username, not the group names.
Ideally what I'd want is just a list of group names without the OU path, or in a perfect world, a CSV where column one is the user name and column two is the group, so that I could run multiple users (foreach ($username in $usernames)):

User                Group
domain\username     group_name_one
domain\username     group_name_two
domain\username     group_name_three

What would be the best way to tackle this in such a way that Export-CSV would spit out something a little bit nicer?

Best Answer

There are two problems here.

The CMDlet Get-QADPermission is writing directly to the console during execution which is why you're seeing Permissions for: .... Since your pipeline is writing to the same output, it all gets mixed together. Store the output from your pipeline to a variable instead.
When you pipe the group into Get-QADPermission, you're throwing away the group object and getting a permissions object instead. If you want to keep the original object, you need to filter with Where-Object.

Also, be careful with Get-QADPermission. If you only query for WriteProperty, it won't return results with both Read+Write access. Usually you want to query for both. And in most cases, you also want to use -Inherited to get permissions granted from parent OU's. If you're really looking for once-off permissions, then you can ignore this switch.

function Test-UserCanModifyGroupsInOU ($Username, $OU)
{
  $results = Get-QADGroup -SearchScope 'OneLevel' -SearchRoot $OU |
    Where-Object {
      $_ | Get-QADPermission -Rights ReadProperty,WriteProperty -Property member -Account $username
    } |
    Select @{Name="User";Expression={$username}}, @{Name="Group";Expression={$_.Name}}
  $results | Write-Output
  $results | Export-Csv "$username.csv"
}

@("bob","sally") |
  ForEach-Object {
    Test-UserCanModifyGroupsInOU -Username $_ -OU 'domain.org.com/path/to/OU'
  }

Also note that this only works for permissions on specific properties. It won't return results for a user that has "Full Control" on the group, even though they're stil allowed to modify the member attribute.

Related Solutions

Powershell show users who are members of a group twice – once directly once indirectly

The following will walk a given parent group (name must be compatible with Get-ADGroupMember syntax) and populate two hashes. One hash will have user sAMAccountName as the key and a array of direct group memberships as the value. The second hash will contain keys of all processed groups.

It will correctly detect, and skip, circular group nestings (e.g. parent is child of child). You can comment out the Write-Host lines for less line noise in the console.

Import-Module ActiveDirectory

function Walk-Group ( $group ) {

    Get-ADGroupMember $group | Group-Object objectClass -ash | Foreach-Object {

        # Add each user to $users hash, add current group to their collection
        if ( $_.user ) {
            foreach ( $u in $_.user.GetEnumerator() ) {
                if ( $users[$u.sAMAccountName] ) {
                    $users[$u.sAMAccountName] += $group
                } else {
                    $users.Add( $u.sAMAccountName, @($group) )
                }
            }
        }

        # Recurse into each child group, skip if group is circular member
        if ( $_.group ) {
            foreach ( $g in $_.group.GetEnumerator() ) {
                if ( $groups[$g.Name] ) {
                    Write-Host "Existing:" $g.Name
                } else {
                    Write-Host "New Group:" $g.Name
                    $groups.Add( $g.Name, $true )
                    Walk-Group $g.Name
                }
            }
        }

    }
}

# Hash to collect user/group info.
$users = @{}

# Hash to collect processed groups.
$groups = @{}

# Root group to walk
Walk-Group "Department-staff"

# Display users with mulitple direct memberships
$users.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }

Windows – Get list of AD groups a user is a member of

You can do this in PowerShell pretty easily. I'm sure you can do it with the ds tools too, but they're old and crusty and PowerShell should be used for everything possible nowadays.

Import-Module ActiveDirectory
(Get-ADUser userName –Properties MemberOf | Select-Object MemberOf).MemberOf

Shorter version

(Get-ADUser userName –Properties MemberOf).MemberOf

Best Answer

Related Solutions

Powershell show users who are members of a group twice – once directly once indirectly

Windows – Get list of AD groups a user is a member of

Related Topic