Created
May 24, 2023 14:48
-
-
Save rileyz/bbdb4062372140031f9ea32a70a48140 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| Script to assist with querying a Active Directory group which contains Foreign Security | |
| Principals. | |
| .DESCRIPTION | |
| Intended Use | |
| This script was produced to assist with querying a Active Directory group which contains a | |
| Foreign Security Principal (FSP). The FSB causues a error when Get-ADGroupMember cmdlet. | |
| Error example: | |
| Get-Adgroupmember : An operations error occurred | |
| At line:1 char:1 | |
| Example | |
| Logon as the test user, launch an elevate PowerShell console and execute this script. The script | |
| will discover all logged on users, even switched users. The Execution Policy must allow scripts | |
| to run. | |
| Run the script from a PowerShell or PowerShell ISE console. The App-V packages should be in the | |
| current working directory of the console. | |
| * PowerShell ISE. | |
| Run script, or press F5 and use Get-AdGroupForeignMembers cmdlet in PowerShell ISE console. | |
| About | |
| I got disgruntled of using Get-ADGroupMember and having it error when extracting members when | |
| the group contained a Foreign Security Principal. | |
| With thanks to Luke Arntz, for the original code. | |
| Known Defects/Bugs | |
| * None known. | |
| Code Snippet Credits | |
| * https://blue42.net/code/use-powershell-to-get-ad-group-members-with-foreign-security-principals/post | |
| * https://stackoverflow.com/questions/59387982/how-to-get-down-level-logon-name-from-userprincipal-in-net? | |
| * https://virot.eu/get-the-sid-of-all-domains-in-a-forest | |
| Version History | |
| 1.00 24/05/2023 | |
| Initial release. | |
| Copyright & Intellectual Property | |
| Feel to copy, modify and redistribute, but please pay credit where it is due. | |
| Feedback is welcome, please contact me on LinkedIn. | |
| .LINK | |
| Author:.......http://www.linkedin.com/in/rileylim | |
| Source Code:..https://gist.github.com/rileyz/bbdb4062372140031f9ea32a70a48140 | |
| .EXAMPLE | |
| PowerShell ISE. | |
| Run script, or press F5 and use Get-AdGroupForeignMembers cmdlet in PowerShell ISE console. | |
| #> | |
| # Function List ################################################################################### | |
| function Get-AdGroupForeignMembers { | |
| param ( | |
| [string]$Group | |
| ) | |
| $translatedMembers = @() | |
| $members = (Get-ADGroup $group -Properties member).member | |
| $ADForestDomains = @() | |
| (Get-ADForest).Domains| ForEach-Object {Get-ADDomain -Server $_}|select name, domainsid | ForEach-Object { | |
| $ADForestDomains += [PSCustomObject] @{ | |
| Name = $_.name | |
| DomainSID = $_.domainsid.AccountDomainSid.Value | |
| } | |
| } | |
| Write-Debug "Discovered domains. $($ADForestDomains | Out-String)" | |
| foreach ($m in $members) { | |
| $orphan = $false | |
| $email = 'NA' | |
| $name = "" | |
| $dn = $([adsi]$("LDAP://$m")).DistinguishedName | |
| $ado = Get-ADObject -Identity $($dn) | |
| Write-Verbose "Function Get-AdGroupForeignMembers working on $ado." | |
| if($ado.Name -match "^S-\d-\d-\d\d") { | |
| Write-Debug 'Matched SID layout.' | |
| try { | |
| $name = ([System.Security.Principal.SecurityIdentifier] $ado.Name).Translate([System.Security.Principal.NTAccount]).Value | |
| Write-Debug 'Trying.' | |
| Write-Debug "`$name: $name" | |
| $DomainIndex = [array]::indexof($ADForestDomains.DomainSID,([System.Security.Principal.SecurityIdentifier] $ado.Name).AccountDomainSid.Value) | |
| $DisplayName = (Get-ADUser -Server $($ADForestDomains[$DomainIndex].Name) -Properties * -Identity $($name.split('\'))[1]).DisplayName | |
| $fsp = $true | |
| } catch { | |
| $name = $ado.Name | |
| Write-Debug 'Catching.' | |
| Write-Debug "`$name: $name" | |
| if ($name -match "^S-\d-\d-\d\d") { | |
| $DisplayName = 'NA' | |
| } else { | |
| $DomainIndex = [array]::indexof($ADForestDomains.DomainSID,([System.Security.Principal.SecurityIdentifier] $ado.Name).AccountDomainSid.Value) | |
| $DisplayName = (Get-ADUser -Server $($ADForestDomains[$DomainIndex].Name) -Properties * -Identity $($name.split('\'))[1]).DisplayName | |
| } | |
| $orphan = $true | |
| $fsp = $true | |
| } | |
| } else { | |
| $name = (Get-ADUser -Identity "$($ado.Name)" -Properties msDS-PrincipalName)."msDS-PrincipalName" | |
| Write-Debug 'Did not matched SID layout.' | |
| Write-Debug "`$name: $name" | |
| $DisplayName = (Get-ADUser -Properties * -Identity $($name.split('\'))[1]).DisplayName | |
| $orphan = 'NA' | |
| $fsp = $false | |
| } | |
| $translatedMembers += [PSCustomObject] @{ | |
| LogonName = $name | |
| DisplayName = $DisplayName | |
| Orphaned = $orphan | |
| FSP = $fsp | |
| } | |
| } | |
| $translatedMembers | Sort-Object -Property 'LogonName' | |
| } #End function Get-AdGroupForeignMembers | |
| #<<< End Of Function List >>> | |
| # Setting up housekeeping ######################################################################### | |
| $DebugPreference = 'SilentlyContinue' #SilentlyContinue|Continue | |
| $VerbosePreference = 'SilentlyContinue' #SilentlyContinue|Continue | |
| #<<< End of Setting up housekeeping >>> | |
| # Start of script work ############################################################################ | |
| Get-AdGroupForeignMembers -Group 'ActiveDirectoryGroupName' | |
| #<<< End of script work >>> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment