Thanks to Shay Levy for pointing me to the possibility of filtering on the GroupType attribute to get the authoritative (built-in) groups in Active Directory.
Here's a function you can use to list the users that are a member of such a group:
```powershell
function Get-ElevatedUsers {
    # groupType -2147483643 = SecurityEnabled | DomainLocal | BuiltinLocal,
    # i.e. the built-in groups such as Administrators and Account Operators.
    $GroupType = '-2147483643'
    $ElevatedGroups = Get-ADGroup -Filter {groupType -eq $GroupType} -Properties members

    # Guests and Users are built-in as well, but not elevated, so drop them.
    $ElevatedGroups = $ElevatedGroups | Where-Object {($_.Name -ne 'Guests') -and ($_.Name -ne 'Users')}

    foreach ($ElevatedGroup in $ElevatedGroups) {
        $Members = $ElevatedGroup | Select-Object -ExpandProperty members
        foreach ($Member in $Members) {
            # Try the member as a user first. -ErrorAction Stop is required,
            # otherwise the error is non-terminating and catch never fires.
            $Status = $true
            try {
                $MemberIsUser = Get-ADUser $Member -ErrorAction Stop
            } catch {
                $Status = $false
            }
            if ($Status -eq $true) {
                $Object = New-Object -TypeName PSObject
                $Object | Add-Member -MemberType NoteProperty -Name 'Group' -Value $ElevatedGroup.Name
                $Object | Add-Member -MemberType NoteProperty -Name 'User' -Value $MemberIsUser.Name
                $Object
            } else {
                # Not a user: treat the member as a nested group and expand it recursively.
                $Status = $true
                try {
                    $GroupMembers = Get-ADGroup $Member -ErrorAction Stop |
                        Get-ADGroupMember -Recursive -ErrorAction Stop
                } catch {
                    $Status = $false
                }
                if ($Status -eq $true) {
                    foreach ($GroupMember in $GroupMembers) {
                        $Object = New-Object -TypeName PSObject
                        $Object | Add-Member -MemberType NoteProperty -Name 'Group' -Value $ElevatedGroup.Name
                        $Object | Add-Member -MemberType NoteProperty -Name 'User' -Value $GroupMember.Name
                        $Object
                    }
                }
            }
        }
    }
}
```
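The magic number in that filter deserves a closer look, because a wrong groupType value silently returns nothing and the audit looks clean. As an added example (my own code, not part of the original post), the two functions below decode a groupType value into its documented flag bits and compose one from a scope and flags; the flag values are the standard groupType bits, while the function and variable names are my own. They run without the ActiveDirectory module, so you can check the literal offline before you trust the group list it produces.

```powershell
# Added example, not from the original post: decode and compose the AD
# groupType attribute so the -2147483643 literal can be verified, not copied.
# Flag values are the documented groupType bits; the names below are mine.
$script:ADGroupTypeFlags = [ordered]@{
    BuiltinLocal    = [uint32]1           # 0x00000001, system-created group
    Global          = [uint32]2           # 0x00000002
    DomainLocal     = [uint32]4           # 0x00000004
    Universal       = [uint32]8           # 0x00000008
    AppBasic        = [uint32]16          # 0x00000010
    AppQuery        = [uint32]32          # 0x00000020
    SecurityEnabled = [uint32]2147483648  # 0x80000000, the sign bit: this is why
                                          # security groups show negative values
}

function ConvertFrom-ADGroupType {
    # Returns the names of the flags set in a signed groupType value (as AD stores it).
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][int]$GroupType)
    process {
        # Reinterpret the Int32 as UInt32 so the sign bit tests like any other bit.
        $unsigned = [BitConverter]::ToUInt32([BitConverter]::GetBytes($GroupType), 0)
        foreach ($name in $script:ADGroupTypeFlags.Keys) {
            if (($unsigned -band $script:ADGroupTypeFlags[$name]) -ne 0) { $name }
        }
    }
}

function New-ADGroupTypeValue {
    # Builds the signed groupType value that AD stores and that -Filter expects.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('Global', 'DomainLocal', 'Universal')][string]$Scope,
        [switch]$SecurityEnabled,
        [switch]$BuiltinLocal
    )
    [uint32]$acc = $script:ADGroupTypeFlags[$Scope]
    if ($SecurityEnabled) { $acc = $acc -bor $script:ADGroupTypeFlags.SecurityEnabled }
    if ($BuiltinLocal)    { $acc = $acc -bor $script:ADGroupTypeFlags.BuiltinLocal }
    # Back to the Int32 representation used by the attribute.
    [BitConverter]::ToInt32([BitConverter]::GetBytes($acc), 0)
}

# Offline check: the literal used in Get-ElevatedUsers decodes to the built-in
# security groups, and composing those flags reproduces it exactly.
ConvertFrom-ADGroupType -GroupType (-2147483643)    # BuiltinLocal, DomainLocal, SecurityEnabled
$builtin = New-ADGroupTypeValue -Scope DomainLocal -SecurityEnabled -BuiltinLocal
$builtin                                            # -2147483643

# The composed value can then feed the filter instead of a hard-coded string:
#   Get-ADGroup -Filter "groupType -eq $builtin" -Properties members
```

Decoding makes the intent of the filter explicit: it selects security-enabled, domain-local groups that the system created, which is exactly the Builtin container (Administrators, Account Operators, Backup Operators, and so on), and it explains why Guests and Users have to be excluded by name afterwards. For monitoring, saving the output of Get-ElevatedUsers and diffing it against the previous run is a cheap way to catch an unexpected addition to one of these groups between full reviews.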
Would you mind explaining a bit about what is considered an authoritative group in AD and what they are used for? I'm only familiar with authoritative restores and google also points me in that direction.
I mean the built-in groups, thanks for asking. I’ll try to find a few minutes to update the post and title accordingly 🙂