Product: Windows
Utility: Powershell, ActiveDirectory
Windows AD domain users who are not Active Directory administrators often get confusing pushback from AD admins when they request access that is controlled by AD group membership.
This article shows various commands that business users (end users) who are not AD admins can run to find out which AD groups they belong to, either directly or indirectly (through group nesting, in Windows terminology). All of the commands below are read-only queries that any authenticated domain user can run by default; none of them require admin rights.
CMD
The following commands are run from a Command Prompt (cmd.exe).
1. net user <username> /domain
Limitation #1: It always queries the domain the computer is joined to; you cannot point it at another (trusted) domain where you also have an account.
Limitation #2: It shows only direct group memberships, not nested groups (groups that contain one of your groups).
Limitation #3: Group names are shown as their pre-Windows 2000 account name (sAMAccountName), which can differ from the group name displayed in AD tools.
Limitation #4: Group names are truncated after 21 characters.
2. gpresult /v
Limitation #1: It reports on the currently logged-on account and its domain; you cannot pick another domain.
Limitation #2: It lists every security group in your logon token, direct and nested, without indicating which ones are direct.
Note: the list comes from the access token built at logon, so a membership change made after you logged on does not appear until you log off and on again.
3. whoami /groups
Limitation #1: It reports on the currently logged-on account and its domain; you cannot pick another domain.
Limitation #2: It lists every group in your access token, direct and nested, without indicating which ones are direct (whoami /groups /fo list gives a more readable layout).
Note: like gpresult, whoami reads the token built at logon, so a group added after you logged on is not shown until you log off and on again.
PowerShell (requires the ActiveDirectory module, which is installed on a workstation with the Remote Server Administration Tools, RSAT)
1. Show the AD groups the currently logged-on user directly belongs to:
(Get-ADUser $env:USERNAME -Server $env:USERDOMAIN -Properties memberOf).memberOf | Get-ADGroup -Server $env:USERDOMAIN | Select-Object -ExpandProperty Name
Limitation #1: It cannot show nested groups, only direct memberships. Note also that the memberOf attribute never includes the user's primary group (normally Domain Users), so that group is missing from the output.
1.1. Show the AD groups of user tester1
(Get-ADUser tester1 -Server $env:USERDOMAIN -Properties memberOf).memberOf | Get-ADGroup -Server $env:USERDOMAIN | Select-Object -ExpandProperty Name
1.2. Similar to above, but sorted
(Get-ADUser tester1 -Server $env:USERDOMAIN -Properties memberOf).memberOf | Get-ADGroup -Server $env:USERDOMAIN | Select-Object -ExpandProperty Name | Sort-Object
2. Show the AD groups of the current user in a specific domain, e.g. domain GAME-ADM (-Server accepts a domain name, NetBIOS or FQDN, or a domain controller)
(Get-ADUser $env:USERNAME -Server GAME-ADM -Properties memberOf).memberOf | Get-ADGroup -Server GAME-ADM | Select-Object -ExpandProperty Name
3. Show the AD groups of user GAMER1 in domain GAME-ADM
(Get-ADUser GAMER1 -Server GAME-ADM -Properties memberOf).memberOf | Get-ADGroup -Server GAME-ADM | Select-Object -ExpandProperty Name
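The one-liners above only show direct memberships. The following function is an added example (it is not from the original article) that returns a user's direct and nested groups in one report and also adds the primary group that memberOf omits. It assumes the ActiveDirectory module is installed and uses only the read access a normal domain user has; the user name tester1 and the domain in $env:USERDOMAIN are placeholders. Nested membership is resolved server-side with the LDAP_MATCHING_RULE_IN_CHAIN matching rule rather than by walking memberOf group by group.

```powershell
# Added example, not code from the original article.
# Lists a user's direct and nested AD group memberships, plus the primary group.
# Assumes: ActiveDirectory module (RSAT) present; default read access of a domain user.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape characters that are special inside an LDAP filter (RFC 4515), so a DN
    # such as "CN=Smith\, John,OU=Users,..." cannot break or widen the query.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Get-ADUserGroupReport {
    param(
        [Parameter(Mandatory)][string]$Identity,   # sAMAccountName, e.g. tester1 (placeholder)
        [string]$Server = $env:USERDOMAIN           # domain (NetBIOS/FQDN) or DC to query
    )
    $user = Get-ADUser -Identity $Identity -Server $Server -Properties memberOf, primaryGroupID

    # Direct memberships: exactly what the memberOf one-liners in the article show.
    $direct = @{}
    foreach ($dn in $user.memberOf) { $direct[$dn] = $true }

    # Transitive memberships in one query: the matching rule OID 1.2.840.113556.1.4.1941
    # (LDAP_MATCHING_RULE_IN_CHAIN) makes the domain controller walk the nesting for us.
    # Groups from other domains that contain this user's groups are not returned by this
    # query against a single domain.
    $escapedDn = ConvertTo-LdapFilterValue $user.DistinguishedName
    $filter = "(member:1.2.840.113556.1.4.1941:=$escapedDn)"
    $transitive = Get-ADGroup -LDAPFilter $filter -Server $Server

    $report = @(foreach ($g in $transitive) {
        [pscustomobject]@{
            Name              = $g.Name
            Membership        = if ($direct.ContainsKey($g.DistinguishedName)) { 'Direct' } else { 'Nested' }
            Scope             = $g.GroupScope
            DistinguishedName = $g.DistinguishedName
        }
    })

    # The primary group (usually Domain Users, RID 513) lives in primaryGroupID, not in the
    # member/memberOf attributes, so neither query above returns it. Build its SID from the
    # user's domain SID and the RID, then look it up.
    $primarySid = "$($user.SID.AccountDomainSid)-$($user.primaryGroupID)"
    $primary = Get-ADGroup -Identity $primarySid -Server $Server
    $report += [pscustomobject]@{
        Name              = $primary.Name
        Membership        = 'Primary'
        Scope             = $primary.GroupScope
        DistinguishedName = $primary.DistinguishedName
    }

    $report | Sort-Object Membership, Name
}

# Usage (placeholders): current user in the logon domain, then a named user in another domain.
Get-ADUserGroupReport -Identity $env:USERNAME | Format-Table Name, Membership, Scope
Get-ADUserGroupReport -Identity GAMER1 -Server GAME-ADM | Where-Object Membership -eq 'Nested'
```

Because the report marks each group as Direct, Nested or Primary, it answers the question the CMD tools cannot: which group an admin would actually have to remove you from. The DN is escaped before it is placed in the filter because a DN containing parentheses or a backslash would otherwise produce an invalid or, worse, a broader query.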
4. Show who manages an AD group (the ManagedBy attribute)
General syntax: Get-ADGroup [group name] -Server [domain name] -Properties ManagedBy
Example: for group name GAMEVIPUSR in domain GAME-ADM, the command is
Get-ADGroup GAMEVIPUSR -Server GAME-ADM -Properties ManagedBy
Get-ADGroup GAMEVIPUSR -Server $env:USERDOMAIN -Properties ManagedBy
ManagedBy holds the manager's distinguished name (DN) and is empty if no manager has been set on the group.
5. Show the members (users and child groups) of AD group SAP-Admins
Get-ADGroupMember SAP-Admins -Server $env:USERDOMAIN | Select-Object -ExpandProperty Name
6. Similar to #5, but without users: display only the child AD groups that are direct members of it
Get-ADGroupMember SAP-Admins -Server $env:USERDOMAIN | Where-Object objectClass -eq "group" | Select-Object -ExpandProperty Name
(Filtering on objectClass -ne "user" instead would also return computer objects that are members of the group.)
7. Show which parent groups a child group TESTER-GRP belongs to
Get-ADPrincipalGroupMembership TESTER-GRP -Server $env:USERDOMAIN | Select-Object -ExpandProperty Name
8. Show which parent groups a child group TESTER-GRP belongs to whose name is like "PROD*" (case-insensitive)
Get-ADPrincipalGroupMembership TESTER-GRP -Server $env:USERDOMAIN | Where-Object Name -like "PROD*" | Select-Object -ExpandProperty Name
Note: use -like, which takes a wildcard and is case-insensitive by default; -match takes a regular expression, and as a regex "PROD*" means "PRO followed by zero or more D", which would also match a group named PROFILE-GRP.
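Items 4 to 8 each answer one question about a group. The function below is an added example (not code from the original article) that combines them into a single report: who manages the group, its direct users and child groups, and the parent groups it is nested in, optionally filtered by a case-insensitive wildcard. It assumes the ActiveDirectory module is installed; SAP-Admins, GAME-ADM and the "PROD*" filter are placeholders.

```powershell
# Added example, not code from the original article.
# One report for an AD group: manager, direct users, child groups and parent groups.
# Assumes: ActiveDirectory module (RSAT) present; group/domain names are placeholders.
Import-Module ActiveDirectory

function Get-ADGroupReport {
    param(
        [Parameter(Mandatory)][string]$Identity,   # group name, e.g. SAP-Admins (placeholder)
        [string]$Server = $env:USERDOMAIN,          # domain (NetBIOS/FQDN) or DC to query
        [string]$ParentFilter = '*'                 # wildcard for parent group names, e.g. 'PROD*'
    )
    $group = Get-ADGroup -Identity $Identity -Server $Server -Properties ManagedBy, Description

    # ManagedBy is a distinguished name (or empty). Resolve it with Get-ADObject,
    # because the manager can be a user or another group.
    $manager = $null
    if ($group.ManagedBy) {
        $manager = Get-ADObject -Identity $group.ManagedBy -Server $Server -Properties displayName, mail
    }

    # Direct members only; add -Recursive to Get-ADGroupMember to flatten nested users instead.
    # Computer objects in the group are ignored here. ADWS refuses this call for groups
    # above its member limit (5000 by default), so very large groups need another approach.
    $members     = Get-ADGroupMember -Identity $group -Server $Server
    $users       = @($members | Where-Object objectClass -eq 'user'  |
                     Select-Object -ExpandProperty SamAccountName | Sort-Object)
    $childGroups = @($members | Where-Object objectClass -eq 'group' |
                     Select-Object -ExpandProperty Name | Sort-Object)

    # Parent groups this group is a direct member of, filtered with -like (wildcard,
    # case-insensitive). -match would treat "PROD*" as a regex and also match "PROFILE".
    $parents = @(Get-ADPrincipalGroupMembership -Identity $group -Server $Server |
                 Where-Object Name -like $ParentFilter |
                 Select-Object -ExpandProperty Name | Sort-Object)

    [pscustomobject]@{
        Group        = $group.Name
        Description  = $group.Description
        Manager      = if ($manager) { "$($manager.Name) ($($manager.ObjectClass)) $($manager.mail)" } else { '<none>' }
        DirectUsers  = $users
        ChildGroups  = $childGroups
        ParentGroups = $parents
    }
}

# Usage (placeholders): a group in the logon domain, then one in another domain.
Get-ADGroupReport -Identity SAP-Admins -ParentFilter 'PROD*' | Format-List
Get-ADGroupReport -Identity GAMEVIPUSR -Server GAME-ADM | Format-List
```

The Manager line is what an end user needs when an admin says "ask the group owner": it resolves the DN to a name and, if set, a mail address, instead of leaving the raw distinguished name from item 4 to be decoded by hand.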