This post shows a way to list all the groups that a specific user manages.
If you look at the properties of an Active Directory group object, the "Managed By" tab shows the name of the user or group that manages the group and, if "Manager can update membership list" is checked, can also update its members.
Group object properties / Managed By tab
This is nice for one group... but what if the user manages tons of them?
Using the Active Directory Module and some LDAP Filtering
Using the PowerShell cmdlet Get-ADGroup (from the Active Directory module), I use an LDAP filter to find the groups whose ManagedBy attribute contains the user's DistinguishedName.
# Retrieve the groups managed by the current user
Get-ADGroup -LDAPFilter "(ManagedBy=$((Get-ADuser -Identity $env:username).distinguishedname))"
For better performance, and depending on the size of your Active Directory, I would also recommend using -SearchBase to scope the search range of your query, and possibly -ResultSetSize if you expect a long list of groups.
Example:
# Retrieve the groups managed by the current user
# and only search from "OU=Groups,DC=FX,DC=Lab"
Get-ADGroup -LDAPFilter "(ManagedBy=$((Get-ADuser -Identity $env:username).distinguishedname))" -SearchBase "OU=Groups,DC=FX,DC=Lab" -ResultSetSize 50
Using ADSI/LDAP
If you don't want to rely on the Active Directory module, you can also use ADSI. Using the same LDAP filter as above, we can query Active Directory this way:
# Distinguished Name of the user
$DN = "CN=TestUser,OU=User,DC=FX,DC=Lab"
# Retrieve the groups managed by this user
([ADSISearcher]"(&(objectCategory=group)(ManagedBy=$DN))").findall()
You will then need to select the properties that you want to output.
For example:
([ADSISearcher]"(&(objectCategory=group)(ManagedBy=$DN))").findall().properties |
    ForEach-Object -Process {
        # Output the current object with only Name, DN and ManagedBy properties
        [pscustomobject][ordered]@{
            GroupName              = $PSItem.name -as [string]
            GroupDistinguishedName = $PSItem.distinguishedname -as [string]
            GroupManagedby         = $PSItem.managedby -as [string]
        }
    }
Extra: Get all the groups that have a manager
# Retrieve all the groups that have the ManagedBy attribute set
Get-ADGroup -LDAPFilter "(ManagedBy=*)" -SearchBase "OU=Groups,DC=FX,DC=Lab" -Properties ManagedBy
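The "Manager can update membership list" checkbox described at the top is stored as an access control entry on the group, not in the ManagedBy attribute, so a review of delegated group control has to read both. The following is an added example, not code from the original post: the function names ConvertTo-LdapFilterValue and Get-ManagedGroupAudit are hypothetical, and it assumes the Active Directory module and read access to the group ACLs. It also escapes the DN before placing it in the LDAP filter, since a DN such as "CN=Doe\, Jane (Admin),..." would otherwise break the query.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to group ACLs.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape \ * ( ) per RFC 4515; the backslash must be replaced first
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-ManagedGroupAudit {
    param(
        [Parameter(Mandatory)][string]$Identity,   # sAMAccountName, DN, SID or GUID of the manager
        [string]$SearchBase                        # optional OU to scope the search
    )
    # schemaIDGUID of the 'member' attribute
    $memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $writeProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $sidType    = [System.Security.Principal.SecurityIdentifier]

    $user  = Get-ADUser -Identity $Identity
    $query = @{
        LDAPFilter = "(ManagedBy=$(ConvertTo-LdapFilterValue $user.DistinguishedName))"
        Properties = 'ManagedBy', 'adminCount'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    foreach ($group in Get-ADGroup @query) {
        # Read the DACL through the AD: drive, with identities returned as SIDs
        $acl  = Get-Acl -Path "AD:\$($group.DistinguishedName)"
        $aces = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $user.SID.Value -and
            (($_.ActiveDirectoryRights -band $writeProp) -eq $writeProp) -and
            ($_.ObjectType -eq $memberGuid -or $_.ObjectType -eq [guid]::Empty)
        }
        [pscustomobject]@{
            GroupName               = $group.Name
            GroupDistinguishedName  = $group.DistinguishedName
            ManagerCanUpdateMembers = [bool]$aces   # direct ACEs only, not rights via nested groups
            AdminCount              = $group.adminCount  # 1 = protected by AdminSDHolder
        }
    }
}

# Constructed usage: TestUser and the OU are the sample values used on this page
Get-ManagedGroupAudit -Identity 'TestUser' -SearchBase 'OU=Groups,DC=FX,DC=Lab'
```

Groups where ManagerCanUpdateMembers is True and AdminCount is 1 deserve the closest review, because the listed manager can change the membership of a protected group.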
Other Resources
- about_ActiveDirectory_Filter: describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell.
Thanks for reading! If you have any questions, leave a comment or send me an email at fxcat@lazywinadmin.com. I invite you to follow me on Twitter @lazywinadm / Google+ / LinkedIn. You can also follow the LazyWinAdmin Blog on Facebook Page and Google+ Page.
This is a fucking awesome tuto! Thanks Bro!! It's very useful
Thanks for your comment Diego, appreciated!
Is it possible, after creating the pool, to transform one of the disks into a spare disk? Regards!
Never tried, but I believe you have to remove the disk from the Pool to convert it to a spare disk.
From what I see online, if you can't remove the disk, this means you have simple virtual disk(s) that use the storage pool; then you cannot remove the physical disk from the storage pool until the virtual disk has been deleted. A simple virtual disk is a striped virtual disk that does not use parity for redundancy.
Hum... but when you mount the pool by GUI (graphical interface) you have the possibility to choose one of them as spare disk. I'm trying to figure this out and I'll keep you in touch.
Regards
Very informative. I am experiencing an issue. I have run Sydi-wrapper and created xml files for multiple computers. Now I am trying to write the multiple xml files to word, by using your script.
cscript ss-xml2word.vbs -xc:\sydi-server-2.4\Outputfiles\%1.xml -lC:\sydi-server-2.4\language\lang_english.xml -sC:\sydi-server-2.4\Worddocs\Server1_docs.xml -oC:\sydi-server-2.4\Worddocs\Server-%1.doc -d
But I get an error that %1.xml cannot be found. "c:\sydi-server-2.4\Outputfiles" is where all my xml files are.
Any suggestions?
Great script Francois
I found a few bugs
when importing-csv - there is no parameter -Encoding, when Exported file is hard coded to Unicode (in History Added users have national characters but in "removed" section none) lines 606 and 616 - when I added Encoding, the problem with users Removed/Added disappeared
also several times the date format is not used from the variable (I had to change it to be consistent with my locale settings)
Hi Michal, Thanks for your comment!
Please give a try to the last version on github
https://github.com/lazywinadmin/PowerShell/blob/master/AD-GROUP-Monitor_MemberShip/AD-GROUP-Monitor_MemberShip.ps1
It contains a -EmailEncoding parameter.
Let me know what you think
I had done just that - when csv was imported/exported there was a difference in local characters, so the script reported at first run that all users were removed and at the same time were added. I had added parameter -Encoding in lines 606 and 616 and that fixed the issue - for English/US users it should be fine - the problem occurs with national characters in usernames