08 Nov 2013 @ 9:27 AM 

AGDLP… it’s an old principle. Almost as old as Active Directory itself.
You put a User (A) in a Global group (G), the Global group in a Domain Local group (DL) and you grant Permissions (P) on a resource to that Domain Local group.
This gives you flexibility and manageability: role membership is managed in the Global group, resource access in the Domain Local group, and the ACL on the resource never has to change.

But… every once in a while someone violates the rules and you’ll get a mess in your AD.
So, here’s a PowerShell function that reports the users that are direct members of a Domain Local group:
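As an added illustration (not code from the original post), here is one AGDLP chain built end to end with the ActiveDirectory module: the user into a Global role group, that group into a Domain Local resource group, and the NTFS permission granted to the Domain Local group only. The OU, group names, account and share path are assumptions for the example.

```powershell
#Requires -Modules ActiveDirectory
# Added example: build one AGDLP chain. Every name below is an assumption.

$TargetOU   = 'OU=Groups,DC=contoso,DC=com'   # assumed OU for the new groups
$Account    = 'jdoe'                          # assumed user sAMAccountName
$GlobalName = 'Finance-Staff'                 # role group (Global scope)
$LocalName  = 'FinanceShare-Modify'           # resource group (Domain Local scope)
$SharePath  = '\\fileserver\Finance'          # assumed resource
$NetbiosDom = (Get-ADDomain).NetBIOSName

# A -> G: the account goes into a Global group that describes a role.
$Global = New-ADGroup -Name $GlobalName -GroupScope Global -GroupCategory Security `
                      -Path $TargetOU -PassThru
Add-ADGroupMember -Identity $Global -Members $Account

# G -> DL: the Global group (never the user) goes into the Domain Local group.
$Local = New-ADGroup -Name $LocalName -GroupScope DomainLocal -GroupCategory Security `
                     -Path $TargetOU -PassThru
Add-ADGroupMember -Identity $Local -Members $Global

# DL -> P: the permission on the resource is granted to the Domain Local group only.
$Acl  = Get-Acl -Path $SharePath
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$NetbiosDom\$LocalName",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$Acl.AddAccessRule($Rule)
Set-Acl -Path $SharePath -AclObject $Acl
```

From here on, giving someone Modify on the share means adding them to Finance-Staff; the Domain Local group and the ACL stay untouched. If the file server resolves the new group name before it has replicated to the domain controller the server talks to, Set-Acl will fail with an identity lookup error; simply rerun the last step once replication has caught up.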

#Requires -Modules ActiveDirectory
function Get-UsersInDomainLocalGroups {
    # Every Domain Local group in the domain.
    $Groups = Get-ADGroup -Filter 'GroupScope -eq "DomainLocal"'
    foreach ($Group in $Groups) {
        # Direct members only (no -Recursive): users reached through a nested
        # Global group are the intended AGDLP path and must not be reported.
        $Users = $Group | Get-ADGroupMember | Where-Object {$_.ObjectClass -eq 'User'}
        # $null on the left so the comparison is not applied element-wise when $Users is an array.
        if ($null -ne $Users) {
            foreach ($User in $Users) {
                $Object = New-Object -TypeName PSObject
                $Object | Add-Member -MemberType NoteProperty -Name 'Group' -Value $Group.Name
                $Object | Add-Member -MemberType NoteProperty -Name 'UserName' -Value $User.SamAccountName
                $Object
            }
        }
    }
}
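The function above reports every Domain Local group, including the ones in the Builtin container (Administrators, Remote Desktop Users and friends), which hold users directly by design and tend to drown the real findings. As an added example that is not part of the original post, here is a variant of the same audit that scopes the search to one OU, skips the Builtin container, tags each finding with the group's DN for follow-up, and summarizes the worst offenders first. The OU and CSV path in the usage line are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example: scoped AGDLP audit with summary and optional CSV detail.

function Get-AgdlpViolation {
    [CmdletBinding()]
    param (
        # Where to look; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # Optional path for the per-user detail.
        [string]$ReportPath
    )

    $DomainDN  = (Get-ADDomain).DistinguishedName
    $BuiltinDN = "CN=Builtin,$DomainDN"

    # Domain Local groups in scope, minus the Builtin container.
    $Groups = Get-ADGroup -Filter 'GroupScope -eq "DomainLocal"' -SearchBase $SearchBase |
        Where-Object { $_.DistinguishedName -notlike "*,$BuiltinDN" }

    $Violations = foreach ($Group in $Groups) {
        # Direct members only: a user nested through a Global group is the
        # intended AGDLP path and is not a violation.
        Get-ADGroupMember -Identity $Group |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                [PSCustomObject]@{
                    Group    = $Group.Name
                    GroupDN  = $Group.DistinguishedName
                    UserName = $_.SamAccountName
                }
            }
    }

    if ($ReportPath -and $Violations) {
        $Violations | Export-Csv -Path $ReportPath -NoTypeInformation
        Write-Verbose "Detail written to $ReportPath"
    }

    # Summary: one row per offending group, most direct users first.
    $Violations |
        Group-Object -Property Group |
        Sort-Object -Property Count -Descending |
        Select-Object @{ Name = 'Group';       Expression = { $_.Name } },
                      @{ Name = 'DirectUsers'; Expression = { $_.Count } }
}

# Usage (OU and path are assumptions):
# Get-AgdlpViolation -SearchBase 'OU=Groups,DC=contoso,DC=com' `
#                    -ReportPath "$env:TEMP\agdlp-violations.csv" -Verbose
```

Two caveats when running this at scale: `[PSCustomObject]@{}` needs PowerShell 3.0 or later (swap in the New-Object/Add-Member pattern from the function above on 2.0), and Get-ADGroupMember refuses very large groups because Active Directory Web Services caps the members it returns per call (5000 by default); for those, read the group's Member attribute with Get-ADGroup -Properties Member and resolve the DNs yourself.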
Posted By: Jeff Wouters
Last Edit: 11 Nov 2013 @ 07:35 AM
