Virtual Geek

Tales from real IT system administrators world and non-production environment

Powershell Active Directory: List complete hierarchy of upstream nested groups recursively of User

September 15, 2017 05:27PM

Recently I came across a big mess in one of my client's Active Directory environments: AD groups were nested into other groups, and those into further groups. Because of this the client had a hard time working out the exact effective permissions of a particular user, and users ended up with unnecessary authorization, or received unnecessary emails, because they were members of upstream groups they should not have been in. For the demo here I have a user, User1, which is a member of group1; group1 is a member of group2; group2 is a member of group3, and so on. Troubleshooting this is very hard for someone new to the environment, because they have to correlate the group memberships by hand.

Manually searching nested group memberships is a big task when the groups are nested several levels deep. I have written this PowerShell script to trace the complete path of the hierarchy; the articles below show how to use and run the script.

Different ways to bypass Powershell execution policy :.ps1 cannot be loaded because running scripts is disabled
POWERSHELL: INSTALLING AND CONFIGURING ACTIVE DIRECTORY
Installing, importing and using any module in powershell

#requires -version 4
<#
.SYNOPSIS
    List all upstream nested MemberOf groups of an Active Directory user recursively.
.DESCRIPTION
    Get-ADGroupsUpStream lists the complete nested group chain of an AD user. Its only parameter is a valid AD username.
.PARAMETER UserName
    A valid Active Directory user name. The first character can be used as an abbreviation and 'Name' can be used as an alias. If no value is provided, the 'Administrator' user is queried.
.INPUTS
    Microsoft.ActiveDirectory.Management.ADUser
.OUTPUTS
    System.String - one line per direct group, listing the upstream chain joined with " << "
.NOTES
    Version:        1.0
    Author:         Kunal Udapi
    Creation Date:  10 September 2017
    Purpose/Change: Get the exact nested group info of user
    Useful URLs: http://vcloud-lab.com
.EXAMPLE
    PS C:\>.\Get-ADGroupsUpStream -UserName Administrator

    This lists all the upstream groups the user is a member of.
#>
[CmdletBinding(SupportsShouldProcess=$True,
    ConfirmImpact='Medium',
    HelpURI='http://vcloud-lab.com',
    DefaultParameterSetName='Manual')]
Param
(
    [parameter(Position=0, <#Mandatory=$True,#> ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true, HelpMessage='Type valid AD username')]
    [alias('Name')]
    [Microsoft.ActiveDirectory.Management.ADUser]$UserName = 'Administrator'
)
begin {
    # Load the ActiveDirectory (RSAT) module if it is not already loaded
    if (!(Get-Module ActiveDirectory)) {
        try {
            Import-Module ActiveDirectory -ErrorAction Stop
        }
        catch {
            Write-Host -Object "ActiveDirectory module not found, please install it and try again" -BackgroundColor DarkRed
            Break
        }
    }
}
process {
    #$UserName = 'User1'
    try {
        # MemberOf is not returned by default, it must be requested with -Properties
        $MemberInfo = Get-ADUser $UserName -Properties MemberOf -ErrorAction Stop
    }
    catch {
        Write-Host -Object "'$UserName' doesn't exist in Active Directory, try again with a valid user" -BackgroundColor DarkRed
        break
    }
    $MemberOf = $MemberInfo | Select-Object -ExpandProperty MemberOf
    foreach ($Group in $MemberOf) {
        $CompleteInfo = @()
        $GroupInfo = Get-ADGroup $Group -Properties MemberOf
        $CompleteInfo += $MemberInfo.Name
        $CompleteInfo += $GroupInfo.Name
        $UpperGroup = @($GroupInfo | Select-Object -ExpandProperty MemberOf)
        # Distinguished names already walked. AD permits circular nesting (A in B and B in A),
        # so without this check the do/while loop below would never terminate.
        $Visited = New-Object -TypeName 'System.Collections.Generic.HashSet[string]'
        [void]$Visited.Add($GroupInfo.DistinguishedName)
        #$GroupInfo.Name #test
        do
        {
            # Collect the next level of parents separately instead of overwriting
            # $UpperGroup while it is still being enumerated
            $NextLevel = @()
            foreach ($x in $UpperGroup) {
                if (-not $Visited.Add($x)) { continue }   # already walked, skip it to break the cycle
                $UpperGroupInfo = Get-ADGroup $x -Properties MemberOf
                $CompleteInfo += $UpperGroupInfo.Name
                $NextLevel += @($UpperGroupInfo | Select-Object -ExpandProperty MemberOf)
                #$UpperGroupInfo.Name #test
            }
            $UpperGroup = $NextLevel
        }
        while ($UpperGroup.Count -gt 0)
        # Closest group first, top-most upstream group last
        $CompleteInfo -Join " << "
        #[array]::Reverse($CompleteInfo)
        #$CompleteInfo -join '\'
    }
}
end {}
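The script above flattens every parent at a given level into one chain. As an added example, not the original script, the recursive variant below emits one line per distinct upstream path and stops on circular nesting. The group lookup is passed in as a script block so the function can be exercised offline against a constructed hashtable (the DNs and group names below are made up); against a live domain the resolver would be `{ param($dn) (Get-ADObject $dn -Properties MemberOf).MemberOf }`.

```powershell
function ConvertTo-Chain {
    # Display only the CN of each DN so the output stays readable
    param([string[]]$Dns)
    ($Dns | ForEach-Object { $_ -replace '^CN=([^,]+),.*', '$1' }) -join ' << '
}

function Get-UpstreamGroupPaths {
    # Walks MemberOf upwards from $StartDn and emits one string per distinct path to a
    # top-level group. $Resolver takes a DN and returns the DNs of its direct parent groups.
    param(
        [Parameter(Mandatory)][string]$StartDn,
        [Parameter(Mandatory)][scriptblock]$Resolver,
        [string[]]$Path = @()
    )
    if ($Path -contains $StartDn) {
        # Circular nesting (AD allows it): report the loop once and stop instead of recursing forever
        return (ConvertTo-Chain ($Path + $StartDn)) + ' (cycle)'
    }
    $Path += $StartDn
    $Parents = @(& $Resolver $StartDn | Where-Object { $_ })
    if ($Parents.Count -eq 0) {
        return (ConvertTo-Chain $Path)   # top of this branch reached
    }
    foreach ($Parent in $Parents) {
        Get-UpstreamGroupPaths -StartDn $Parent -Resolver $Resolver -Path $Path
    }
}

# Constructed sample hierarchy (not from a real domain): DN -> DNs of the groups it is directly in.
# user1 -> group1 -> group2 -> group3; group2 is also in group4, and group4 loops back into group2.
$SampleMemberOf = @{
    'CN=user1,OU=Users,DC=example,DC=com'   = @('CN=group1,OU=Groups,DC=example,DC=com')
    'CN=group1,OU=Groups,DC=example,DC=com' = @('CN=group2,OU=Groups,DC=example,DC=com')
    'CN=group2,OU=Groups,DC=example,DC=com' = @('CN=group3,OU=Groups,DC=example,DC=com',
                                                'CN=group4,OU=Groups,DC=example,DC=com')
    'CN=group3,OU=Groups,DC=example,DC=com' = @()
    'CN=group4,OU=Groups,DC=example,DC=com' = @('CN=group2,OU=Groups,DC=example,DC=com')
}
# Offline resolver over the constructed table (assumption for this example); for a live domain use
# { param($dn) (Get-ADObject $dn -Properties MemberOf).MemberOf } instead.
$OfflineResolver = { param($dn) $SampleMemberOf[$dn] }

Get-UpstreamGroupPaths -StartDn 'CN=user1,OU=Users,DC=example,DC=com' -Resolver $OfflineResolver
```

Each emitted line is one complete path from the user to a top-most group, so a branch that grants unexpected rights can be traced back group by group; a path ending in "(cycle)" marks circular nesting that should be cleaned up.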
