Jeff Wouters's Blog

PowerShell function to list users in Authoritative Groups in Active Directory

on Nov. 12, 2013, under Active Directory, DuPSUG, Microsoft, PowerShell

Thanks to Shay Levy for pointing out that you can filter on the GroupType to get the authoritative groups in Active Directory.
Here’s a function you can use to list the users that are members of such a group:

function Get-ElevatedUsers {
    # groupType -2147483643 (0x80000005) = security-enabled, domain-local, system-created: the built-in groups
    $GroupType = '-2147483643'
    $ElevatedGroups = Get-ADGroup -Filter {grouptype -eq $GroupType} -Properties members
    # Guests and Users are built-in groups too, but membership in them is not elevated
    $ElevatedGroups = $ElevatedGroups | Where-Object {($_.Name -ne 'Guests') -and ($_.Name -ne 'Users')}
    foreach ($ElevatedGroup in $ElevatedGroups) {
        $Members = $ElevatedGroup | Select-Object -ExpandProperty members
        foreach ($Member in $Members) {
            $Status = $true
            try {
                # -ErrorAction Stop makes a failed lookup reach the catch block,
                # so a member that is not a user is handled as a group below
                $MemberIsUser = Get-ADUser $Member -ErrorAction Stop
            } catch { $Status = $false }
            if ($Status -eq $true) {
                # Direct user member of the built-in group
                $Object = New-Object -TypeName PSObject
                $Object | Add-Member -MemberType NoteProperty -Name 'Group' -Value $ElevatedGroup.Name
                $Object | Add-Member -MemberType NoteProperty -Name 'User' -Value $MemberIsUser.Name
                $Object
            } else {
                $Status = $true
                try {
                    # Nested group: expand it recursively to its leaf members
                    $GroupMembers = Get-ADGroup $Member -ErrorAction Stop | Get-ADGroupMember -Recursive -ErrorAction Stop
                } catch { $Status = $false }
                if ($Status -eq $true) {
                    foreach ($GroupMember in $GroupMembers) {
                        $Object = New-Object -TypeName PSObject
                        $Object | Add-Member -MemberType NoteProperty -Name 'Group' -Value $ElevatedGroup.Name
                        $Object | Add-Member -MemberType NoteProperty -Name 'User' -Value $GroupMember.Name
                        $Object
                    }
                }
            }
        }
    }
}
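
The GroupType value used in the filter is a bitmask, and decoding it shows which groups an exact match on -2147483643 selects and which it skips. The following is an added example, not code from the original post: the function name ConvertFrom-ADGroupType is hypothetical, the flag values are the documented groupType bits, and the sample inputs are constructed.

```powershell
function ConvertFrom-ADGroupType {
    # Hypothetical helper (added example): decode an AD groupType integer into its flags.
    param([Parameter(Mandatory, ValueFromPipeline)][int]$GroupType)
    begin {
        # Documented groupType bits. PowerShell reads the literal 0x80000000 as a
        # negative Int32, which matches how AD returns the attribute (signed).
        $Flags = [ordered]@{
            SystemCreated   = 0x00000001   # built-in group created by the system
            Global          = 0x00000002
            DomainLocal     = 0x00000004
            Universal       = 0x00000008
            SecurityEnabled = 0x80000000   # absent on distribution groups
        }
    }
    process {
        $Set = foreach ($Flag in $Flags.GetEnumerator()) {
            if (($GroupType -band $Flag.Value) -ne 0) { $Flag.Key }
        }
        [PSCustomObject]@{
            GroupType = $GroupType
            Hex       = '0x{0:X8}' -f $GroupType
            Flags     = $Set -join ', '
            IsBuiltIn = ($GroupType -band $Flags.SystemCreated) -ne 0
        }
    }
}

# Constructed sample input: the value from the function above, followed by the
# standard values for domain-local, global and universal security groups and
# for a global distribution group.
-2147483643, -2147483644, -2147483646, -2147483640, 2 |
    ConvertFrom-ADGroupType | Format-Table -AutoSize

# Only the first value has SystemCreated set. Global security groups such as
# Domain Admins carry -2147483646, so the GroupType filter does not return them.

# Matching on the SystemCreated bit alone instead of the exact value
# (requires the ActiveDirectory module and a reachable domain):
# Get-ADGroup -LDAPFilter '(groupType:1.2.840.113556.1.4.803:=1)'
```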

2 Comments for this entry

  • Bjorn Houben

    Would you mind explaining a bit about what is considered an authoritative group in AD and what they are used for? I’m only familiar with authoritative restores and Google also points me in that direction.

  • Jeff Wouters

    I mean the built-in groups, thanks for asking. I’ll try to find a few minutes to update the post and title accordingly 🙂
