Active directory Memberof


zwan Posted: 04-03-2012 12:18 PM

Hello, we are trying, in a large company (6000 PCs), to switch our logon script from Java to PowerShell.

What we are trying to do is:

1. Get the groups for a user (I did this and it is working; call it array1).

2. Get the groups that the parent groups in array1 are members of.

Normally I should have built a lot of new arrays containing the children, but those arrays don't reflect our AD structure (sometimes the arrays are empty, sometimes they are well populated).

So we have to go 4 levels under that.

The basic function I use is here:

# Note: this name shadows the Get-ADUser cmdlet of the ActiveDirectory module if that module is loaded.
Function Get-AdUser {
    param($user, $category)

    # objectCategory=person selects user accounts; sAMAccountName is the logon name
    $filter = "(&(objectCategory=$category)(SamAccountname=$user))"
    # The path must be a string: "LDAP://" followed by the DN to search under
    $objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Users,DC=xxx,DC=xxx")
    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot = $objDomain
    $objSearcher.PageSize = 1000
    $objSearcher.Filter = $filter
    $objSearcher.SearchScope = "Subtree"
    $objSearcher.FindOne()
}

Get-AdUser "user" "person"

Then I try a loop (foreach, 3 times).

If I leave the root directory it takes a long time,

so I added (LDAP://CN=Users,dc=xxx,dc=xxx) to the directory, but it seems this filter won't work.

AD is like this:

users --> wifii access --> admingroup   --> moregroup
                                        --> another
                       --> anothergroup --> fooaccess
                                        --> anaccess
      --> Lotofothergroup ...

I also don't understand why Subtree displays only wifii access and not the child groups?
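The walk the poster describes (user, then the groups each found group is a member of, for up to four levels), as an added example that is not code from either post. It issues one DirectorySearcher query per nesting level instead of one per group, escapes every DN it places in an LDAP filter as RFC 4515 requires (a group CN containing a parenthesis or asterisk would otherwise break or widen the filter), and records each DN once, so a membership cycle cannot loop forever. The function and parameter names are this example's own; it assumes a domain-joined host with read access to the domain, and without -SearchRoot it searches from the joined domain's root, which is where a group tree spanning several OUs has to be searched from.

```powershell
# Added example (not code from the original post). Resolves nested group
# membership for one user by walking memberOf upward level by level.
# Assumes a domain-joined host with read access to AD; function and
# parameter names are this example's own.

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 forbids unescaped inside a filter value,
    # so a DN such as "CN=Sales (EMEA),OU=..." cannot break or widen the filter.
    # Backslash is escaped first so the escapes added afterwards are not re-escaped.
    param([Parameter(Mandatory = $true)][string]$Value)
    $v = $Value -replace '\\', '\5c'
    $v = $v -replace '\*', '\2a'
    $v = $v -replace '\(', '\28'
    $v = $v -replace '\)', '\29'
    $v = $v -replace '\x00', '\00'
    return $v
}

function Get-NestedGroupMembership {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [int]$MaxDepth = 4,          # the poster's "4 levels under"
        [string]$SearchRoot = ''     # DN to search under; '' = the joined domain's root
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry   # no path = root of the joined domain
    if ($SearchRoot) { $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchRoot") }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.PageSize = 1000
    $searcher.SearchScope = 'Subtree'   # scope decides which containers are searched, not how deep nesting is followed
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('distinguishedName', 'memberOf', 'sAMAccountName'))

    # Level 0: the user object itself. objectCategory=person selects user accounts.
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    $user = $searcher.FindOne()
    if ($user -eq $null) { throw "User '$SamAccountName' not found under $($root.Path)" }

    $seen     = @{}                                                              # DN -> depth at which it was first reached
    $frontier = @($user.Properties['memberof'] | ForEach-Object { [string]$_ })  # direct groups (memberOf omits the primary group)
    $found    = @()

    for ($depth = 1; ($depth -le $MaxDepth) -and ($frontier.Count -gt 0); $depth++) {
        # Drop DNs already visited: this is what stops a membership cycle from looping.
        $new = @($frontier | Where-Object { -not $seen.ContainsKey($_) })
        if ($new.Count -eq 0) { break }
        foreach ($dn in $new) { $seen[$dn] = $depth }

        # One query for the whole level: fetch every group of this level by its DN.
        $clauses = ($new | ForEach-Object { "(distinguishedName=$(ConvertTo-LdapFilterValue $_))" }) -join ''
        $searcher.Filter = "(&(objectClass=group)(|$clauses))"
        $frontier = @()
        $results = $searcher.FindAll()
        try {
            foreach ($g in $results) {
                $found += New-Object PSObject -Property @{
                    Depth             = $depth
                    SamAccountName    = [string]$g.Properties['samaccountname'][0]
                    DistinguishedName = [string]$g.Properties['distinguishedname'][0]
                }
                # memberOf of a group lists its parents: that is the next level up.
                $frontier += @($g.Properties['memberof'] | ForEach-Object { [string]$_ })
            }
        }
        finally { $results.Dispose() }
    }
    return $found
}

# Usage ('jdoe' is a placeholder account name): Depth 1 = direct groups, Depth 2 = reached through one nesting, and so on.
Get-NestedGroupMembership -SamAccountName 'jdoe' -MaxDepth 4 | Sort-Object Depth, SamAccountName | Format-Table Depth, SamAccountName, DistinguishedName -AutoSize
```

Two caveats a logon script has to live with: memberOf never lists the user's primary group (Domain Users by default), and it lists groups from other domains only when the query goes to a global catalog. If the domain controllers are Windows Server 2003 SP2 or later, the whole walk can also be pushed to the server with the LDAP_MATCHING_RULE_IN_CHAIN filter `(member:1.2.840.113556.1.4.1941:=<escaped user DN>)`, which returns every group that transitively contains the user in a single query.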

Top 500 Contributor

If I understand you correctly, you would like to have access to the current user's Active Directory object and get his group membership. If it's enough to have just the direct and one-level-nested group memberships, you can do as follows. "Subtree" tells LDAP to search for objects from the starting OU and below; this has nothing to do with group memberships. Memberships are stored in the object attributes: member and memberOf for groups, and memberOf for users. Those attributes are arrays of distinguishedNames; you can have a look at them with any LDAP browser, for example LDP (since Win2008 it's a feature under AD management).


function main {

    $ErrorLog = @()
    try
    {
        [System.Security.Principal.WindowsIdentity]$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        if (($me.IsAuthenticated -eq $true) -and ($me.IsGuest -eq $false) -and ($me.IsSystem -eq $false) -and ($me.IsAnonymous -eq $false))
        {
            # valid token: bind to the user's own AD object by SID
            [System.DirectoryServices.DirectoryEntry]$aduser = New-Object System.DirectoryServices.DirectoryEntry([String]::Format("LDAP://<SID={0}>", $me.User.Value))
            if ($aduser -ne $null)
            {
                if ($aduser.Properties.Contains("memberof"))
                {
                    $grpfilter = @()
                    $grpMembership = @{} # hashtable so that ContainsKey can be used
                    # Per direct group DN: the group itself, plus every group that lists it as a member (one nesting level up).
                    # A DN containing ( ) * or \ must be escaped (RFC 4515) before it is placed in the filter.
                    @($aduser.Properties["memberof"]) | ForEach-Object { $grpfilter += ([String]::Format("(distinguishedName={0})(member={0})", $_)) }
                    $ldapFilter = [String]::Format("(&(objectclass=group)(|{0}))", ([String]::Join("", $grpfilter)))
                    # a DirectoryEntry without a path is the root of the current domain
                    [System.DirectoryServices.DirectorySearcher]$adSearch = New-Object System.DirectoryServices.DirectorySearcher(New-Object System.DirectoryServices.DirectoryEntry)
                    $adSearch.PageSize = 1000
                    $adSearch.PropertiesToLoad.AddRange(@("samAccountName", "cn"))
                    $adSearch.Filter = $ldapFilter
                    $adResult = $adSearch.FindAll()
                    if ($adResult -ne $null)
                    {
                        # key by sAMAccountName (unique per domain); indexer assignment does not throw on a repeat
                        $adResult | ForEach-Object { $grpMembership[[String]$_.Properties["samaccountname"]] = $_.Properties }
                        $adResult.Dispose()
                    }
                    # now all the info is there

                    Write-Output $ldapFilter
                    $grpMembership | Format-List
                    $grpMembership.ContainsKey("someGroupName")   # check whether he is a member
                    $grpMembership["someGroupName"]["cn"]         # get an attribute of that group
                }
            }
        }
    }
    catch [System.Exception]
    {
        $ErrorLog += $_.Exception.ToString()
    }
    finally
    {
        Write-Output ([String]::Join("`n", $ErrorLog))
    }
}

main
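For a logon script that only needs to answer "is this user effectively in group X", there is a cheaper route than filtering on member and memberOf: the user's tokenGroups attribute, which the domain controller computes as the complete transitive set of security-group SIDs, primary group included, which is exactly what memberOf leaves out. The following is an added example and not code from the reply above; the function name is this example's own, it assumes a domain-joined host, and by default it resolves the currently logged-on user (any other account can be passed as a SID string).

```powershell
# Added example (not code from the original reply). Reads tokenGroups, the
# DC-computed transitive set of security-group SIDs for a user, and resolves
# each SID back to its group object. Assumes a domain-joined host; the
# function name is this example's own.

function Get-EffectiveGroups {
    param(
        # SID of the account to inspect; default is the user running the script
        [string]$Sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    )

    $user = New-Object System.DirectoryServices.DirectoryEntry("LDAP://<SID=$Sid>")
    # tokenGroups is a constructed attribute: it is only returned when asked for explicitly.
    $user.RefreshCache([string[]]@('tokenGroups'))

    foreach ($raw in $user.Properties['tokenGroups']) {
        # each value is the binary form of a SID
        $groupSid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        $group = New-Object System.DirectoryServices.DirectoryEntry("LDAP://<SID=$($groupSid.Value)>")
        try {
            New-Object PSObject -Property @{
                Sid               = $groupSid.Value
                SamAccountName    = [string]$group.Properties['sAMAccountName'].Value
                DistinguishedName = [string]$group.Properties['distinguishedName'].Value
            }
        }
        catch [System.Runtime.InteropServices.COMException] {
            # groups from trusted domains, or deleted groups, may not bind through this domain's DC
            New-Object PSObject -Property @{ Sid = $groupSid.Value; SamAccountName = $null; DistinguishedName = $null }
        }
    }
}

# Usage ('admingroup' is the name from the poster's diagram):
$groups  = Get-EffectiveGroups
$isAdmin = [bool]($groups | Where-Object { $_.SamAccountName -eq 'admingroup' })
$groups | Sort-Object SamAccountName | Format-Table SamAccountName, Sid, DistinguishedName -AutoSize
```

Because tokenGroups is computed on the domain controller, there is no nesting depth to choose and no search root to tune, which removes the slow root-level searches the poster mentions. Its limits are the mirror image of memberOf: it covers security groups only, so distribution groups never appear. When the script runs as the logged-on user, the same SIDs are already in the logon token and can be read with no LDAP round-trip at all from [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups, each of which can be translated to a name with .Translate([System.Security.Principal.NTAccount]).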

Copyright 2012 PowerShell.com. All rights reserved.