AGDLP… it’s an old principle. Almost as old as Active Directory itself.
You put a User in a Global group, the Global group in a Domain Local group and you provide Permissions on a resource to that Domain Local group.
This gives you flexibility and manageability.
But… every once in a while someone violates the rules and you’ll get a mess in your AD.
So, here’s a PowerShell function that reports the users that are direct members of a Domain Local group:
```powershell
function Get-UsersInDomainLocalGroups {
    # Every Domain Local group in the domain (requires the ActiveDirectory module)
    $Groups = Get-ADGroup -Filter 'GroupScope -eq "DomainLocal"'
    foreach ($Group in $Groups) {
        # Direct members only (no -Recursive): users reached through a nested
        # Global group are exactly what AGDLP wants, so they are not reported
        $Users = $Group | Get-ADGroupMember | Where-Object { $_.ObjectClass -eq 'user' }
        if ($null -ne $Users) {
            foreach ($User in $Users) {
                # One output object per (group, user) pair
                $Object = New-Object -TypeName PSObject
                $Object | Add-Member -MemberType NoteProperty -Name 'Group' -Value $Group.Name
                $Object | Add-Member -MemberType NoteProperty -Name 'UserName' -Value $User.SamAccountName
                $Object
            }
        }
    }
}
```
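As an added example (not the original post’s code), here is a broader AGDLP audit that flags every Domain Local group member which is not a Global or Universal group, including computers and Domain Local groups nested inside other Domain Local groups. It reads the `member` attribute directly instead of calling Get-ADGroupMember, so a group holding foreign security principals from a trusted domain does not abort the scan. The function name `Get-AgdlpFindings` and its optional `SearchBase` parameter are assumptions; it requires the ActiveDirectory module on a domain-joined session.

```powershell
# Added example, not part of the original post. Function name and the
# -SearchBase parameter are hypothetical; needs the ActiveDirectory module.
function Get-AgdlpFindings {
    [CmdletBinding()]
    param(
        # Optional: restrict the scan to one OU (distinguished name)
        [string]$SearchBase
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $Query = @{ Filter = 'GroupScope -eq "DomainLocal"'; Properties = 'member' }
    if ($SearchBase) { $Query['SearchBase'] = $SearchBase }

    foreach ($Group in Get-ADGroup @Query) {
        foreach ($MemberDN in $Group.member) {
            try {
                $Member = Get-ADObject -Identity $MemberDN -Properties objectClass, groupType -ErrorAction Stop
            } catch {
                Write-Warning "Cannot resolve member $MemberDN of $($Group.Name): $_"
                continue
            }

            $Finding = $null
            switch ($Member.objectClass) {
                'group' {
                    # groupType bit 0x4 marks a Domain Local group; AD allows nesting
                    # DL in DL, but it breaks the AGDLP layering
                    if ($Member.groupType -band 0x4) { $Finding = 'Domain Local group nested in Domain Local group' }
                }
                'user'     { $Finding = 'User is a direct member' }
                'computer' { $Finding = 'Computer is a direct member' }
                'foreignSecurityPrincipal' {
                    # Cross-domain AGDLP is legitimate when the FSP is a Global group
                    # in the trusted domain, so report it for review rather than as a violation
                    $Finding = 'Foreign security principal: verify it is a Global/Universal group'
                }
                default    { $Finding = "Unexpected member class '$($Member.objectClass)'" }
            }

            if ($Finding) {
                [PSCustomObject]@{
                    Group   = $Group.Name
                    Member  = $Member.Name
                    Class   = $Member.objectClass
                    Finding = $Finding
                }
            }
        }
    }
}

# Usage: Get-AgdlpFindings | Sort-Object Group, Member | Format-Table -AutoSize
```

Run it from an account that can read group membership; it only reads AD and changes nothing.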