Recently I saw a big mess in one of my client's Active Directory environments: AD groups were nested into groups, and those into further groups. Because of this the client had a hard time working out the exact effective permissions of a particular user, and users ended up with unnecessary authorization, or received unnecessary emails, because they were members of upstream groups they should not have been in. For this demo I have user1, which is a member of group1; group1 is a member of group2; group2 is a member of group3; and so on. Troubleshooting this is very hard for someone new to the environment who has to correlate group memberships by hand.
Manually searching nested memberOf groups is a big task when they are nested several levels deep. I have written this PowerShell script to resolve the complete hierarchy path; the articles below show how to use and run the script.
Different ways to bypass Powershell execution policy: .ps1 cannot be loaded because running scripts is disabled
POWERSHELL: INSTALLING AND CONFIGURING ACTIVE DIRECTORY
Installing, importing and using any module in powershell
```powershell
#requires -version 4
<#
.SYNOPSIS
    List all upstream nested memberOf groups, recursively, of an Active Directory user.
.DESCRIPTION
    Get-ADGroupsUpStream lists the nested group chain of an AD user.
    It requires only one valid parameter, the AD username.
.PARAMETER UserName
    A valid Active Directory user name. 'Name' can be used as an alias.
    If no value is provided, the 'Administrator' user is used.
.INPUTS
    Microsoft.ActiveDirectory.Management.ADUser
.OUTPUTS
    Microsoft.ActiveDirectory.Management.ADGroup
.NOTES
    Version:        1.0
    Author:         Kunal Udapi
    Creation Date:  10 September 2017
    Purpose/Change: Get the exact nested group info of a user
    Useful URLs:    http://vcloud-lab.com
.EXAMPLE
    PS C:\>.\Get-ADGroupsUpStream -UserName Administrator
    Lists all the upstream groups the user is a member of.
#>
[CmdletBinding(SupportsShouldProcess=$True,
    ConfirmImpact='Medium',
    HelpURI='http://vcloud-lab.com',
    DefaultParameterSetName='Manual')]
Param (
    [parameter(Position=0,
    <#Mandatory=$True,#>
    ValueFromPipelineByPropertyName=$true,
    ValueFromPipeline=$true,
    HelpMessage='Type valid AD username')]
    [alias('Name')]
    [Microsoft.ActiveDirectory.Management.ADUser]$UserName = 'Administrator'
)
begin {
    # The ActiveDirectory module (RSAT) must be available; load it if it is not already.
    if (!(Get-Module ActiveDirectory)) {
        try {
            Import-Module ActiveDirectory -ErrorAction Stop
        }
        catch {
            Write-Host -Object "ActiveDirectory Module not found, please install it and try again" -BackgroundColor DarkRed
            Break
        }
    }
}
process {
    #$UserName = 'User1'
    try {
        $MemberInfo = Get-ADUser $UserName -Properties MemberOf -ErrorAction Stop
    }
    catch {
        Write-Host -Object "`'$username`' doesn't exist in Active Directory, try again with a valid user" -BackgroundColor DarkRed
        break
    }
    # Direct group memberships of the user (distinguished names).
    $MemberOf = $MemberInfo | Select-Object -ExpandProperty MemberOf
    foreach ($Group in $MemberOf) {
        $CompleteInfo = @()
        $GroupInfo = Get-ADGroup $Group -Properties MemberOf
        $CompleteInfo += $MemberInfo.Name
        $CompleteInfo += $GroupInfo.Name
        $UpperGroup = $GroupInfo | Select-Object -ExpandProperty MemberOf
        #$GroupInfo.Name #test
        # Climb the chain until a group with no parent is reached.
        # Note: when a group has several parents, $UpperGroup is overwritten on each
        # pass, so only the last parent of each level is followed.
        do {
            foreach ($x in $UpperGroup) {
                $UpperGroupInfo = Get-ADGroup $x -Properties MemberOf
                $CompleteInfo += $UpperGroupInfo.Name
                $UpperGroup = $UpperGroupInfo | Select-Object -ExpandProperty MemberOf
                #$UpperGroupInfo.Name #test
                #$UpperGroup
            }
        } while ($UpperGroup -ne $null)
        # One line per direct group: user << group << parent << grandparent ...
        $CompleteInfo -Join " << "
        #[array]::Reverse($CompleteInfo)
        #$CompleteInfo -join '\'
    }
}
end {}
```
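The script above walks a single chain per direct group. As an added example (not part of the original post or its script), the function below generalises that walk to groups with several parents and to circular nesting, and runs offline against a constructed hashtable that stands in for the MemberOf attribute; the names Get-UpstreamGroupPath and $MemberOfTable are my own.

```powershell
# Constructed in-memory stand-in for the MemberOf attribute that Get-ADUser and
# Get-ADGroup return (object name -> its direct parent groups). No domain needed.
# Group2 sits in two parents and Group4/5/6 form a nesting loop: both cases the
# script above does not handle, because it keeps only the last parent of each group.
$MemberOfTable = @{
    'User1'  = @('Group1')
    'Group1' = @('Group2')
    'Group2' = @('Group3', 'Group4')
    'Group3' = @()
    'Group4' = @('Group5')
    'Group5' = @('Group6')
    'Group6' = @('Group4')   # loops back to Group4
}

function Get-UpstreamGroupPath {
    # Emits one "User << Group << ... << TopGroup" line per distinct upstream chain.
    param (
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [hashtable]$MemberOf,
        [string[]]$Path = @()          # chain walked so far, user first
    )
    $current = $Path + $Name
    # @() around the pipeline keeps an empty or missing entry as a zero-length array
    $parents = @($MemberOf[$Name] | Where-Object { $_ })
    if ($parents.Count -eq 0) {
        # Reached a group with no parents: this chain is complete.
        $current -join ' << '
        return
    }
    foreach ($parent in $parents) {
        if ($current -contains $parent) {
            # Already on this chain: report the loop once and stop climbing here.
            "$($current -join ' << ') << $parent (circular nesting)"
            continue
        }
        # Follow every parent, so branches are reported as separate chains.
        Get-UpstreamGroupPath -Name $parent -MemberOf $MemberOf -Path $current
    }
}

# Against a real domain, $MemberOfTable would be replaced by calls to
# Get-ADUser/Get-ADGroup -Properties MemberOf, resolving each DN to its Name.
Get-UpstreamGroupPath -Name 'User1' -MemberOf $MemberOfTable
```

A user's primary group (normally Domain Users) is not stored in the MemberOf attribute, so neither the script above nor this example will show it.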
Must see the new, updated version of this script: Powershell Active Directory: Show treeview of User or Group memberof hierarchy