Comments on My blog about Active Directory and everything else: Find Nested Group Members
Feed author: mkline (http://www.blogger.com/profile/03770498033295580147)
Last updated: 2024-03-08T00:28:08-08:00
12 comments

Anonymous, 2014-06-24T06:36:49-07:00
Command won't work, not recognized, is there a specific module to import first?????

Anonymous, 2012-12-14T09:05:33-08:00
Or, for shortness, and assuming the current user (for use in login scripts or other):

    Add-Type -AssemblyName System.DirectoryServices.AccountManagement  # load the assembly first
    [System.DirectoryServices.AccountManagement.UserPrincipal]::Current.GetAuthorizationGroups()

Anonymous, 2012-05-10T11:53:05-07:00
Did anyone ever resolve the issue with multi domains??

mkline (https://www.blogger.com/profile/03770498033295580147), 2012-03-22T10:40:00-07:00
Awesome tip Andy!! Thanks for posting.

Andy, 2012-03-22T10:31:59-07:00
If you don't want to use Quest, ADFind or other tools, but just "plain" PowerShell, try this (our .NET Geek showed me how to do it):

    $name = "arosen" # SamAccountName
    # Load the AccountManagement assembly
    $assembly = [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.AccountManagement")
    # Bind to the current domain
    $context = New-Object -TypeName "System.DirectoryServices.AccountManagement.PrincipalContext" -ArgumentList $([System.DirectoryServices.AccountManagement.ContextType]::Domain)
    # Look up the user by SamAccountName
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($context, $([System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName), $name)
    # List the user's security groups, nested memberships included
    $user.GetAuthorizationGroups() | select SamAccountName

Anonymous, 2012-02-06T08:07:52-08:00
If you are looking for one time export just download AD Admin & Reporting Tool by ldapsoft - Reporting from this tool is as easy as it can be, after connection click Audit Export and export all the reports in nice pdf format. Please note that the version is unrestricted for 14 days.

http://www.ldapsoft.com/activedirectoryreports/adreports.html

Sanjay Tandon (http://www.sanjaytandon.com), 2009-09-11T16:20:26-07:00
Mike,

Last week, we shipped a FREE and 100% SUPPORTED edition of the Gold Finger, that features over 50 useful Active Directory security reports including -

1. List of all privileged domain user accounts
2. List of all currently locked domain accounts
3. List of all domain accounts about to expire
4. List of all nested security groups
5. List of all Active Directory objects where a user has permissions
etc.

Over the next few weeks, you can expect us to double the number of reports, and perhaps even offer a FREE AD auditing solution :-)

BTW, the list of reports can be found at http://www.paramountdefenses.com/goldfinger_reports.php and you can download your free version http://www.paramountdefenses.com/goldfinger_download.php

You're welcome to give it a shot - why waste your time writing scripts and using free unsupported tools, when you can use a free, supported and Microsoft endorsed tool?

Oh, and this too installs in under 2 minutes, requires 0 config changes to your AD, and needs absolutely no administrative privilege :-)

You see, having made what is considered largely impossible as easy as touching a button, making something as easy as generating basic security reports FREE is the least we can do for the AD ecosystem!

Cheers,
Sanjay

mkline (https://www.blogger.com/profile/03770498033295580147), 2009-07-06T16:02:14-07:00
@yacoob -- I'll try and test this weekend, have to build out another domain in my lab first.

yacoob, 2009-07-06T05:51:40-07:00
I think it should be added that - as far as I know, but correct me if I'm wrong - none of these methods will work this way in a multidomain environment, when we ask for the membership of the group from domain A, and members come from domain B through the membership in the group from domain B (GR_DOM_A has GR_DOM_B has USERS_DOM_B).
At least - in the adfind method it didn't work for me, but I think it wouldn't work in the other two either.
There are of course exceptions (we direct the query to GC and all the groups have Universal scope), but I tested it only using adfind. I should probably do some more tests, but maybe you've already tested it.
Regards
yacoob

mkline (https://www.blogger.com/profile/03770498033295580147), 2009-06-26T09:07:18-07:00
@Sanjay

Thanks, looking forward to seeing what Gold Finger can do.

One question that comes up a lot on the boards is "how do I know if a security group is being used"

To me that is tough because to truly know you have to go through not only AD but every file share and folder across the entire network. There are other places that need to be checked but I don't want to write a blog entry in the comments here :) If that is part of the 99.9% that you are talking about then it will be impressive.

I'd also add that this post doesn't even begin to scratch the surface of the power of the Joeware tools or all the things that can be done using PowerShell.

Sanjay Tandon (http://www.sanjaytandon.com), 2009-06-25T18:44:43-07:00
Hmm... interesting.

This is about 0.1% of what Gold Finger's "patent-pending" capabilities do during the course of accurately determining who really has what access on an Active Directory object.

Sanjay Tandon
Former Microsoft Active Directory Security Program Manager

tigermatt (http://tigermatt.wordpress.com), 2009-06-25T11:29:49-07:00
Nice Visio diagrams :-)