Archive for November 19th, 2008

Mapping AD Group Relationships with PowerShell

Scripting November 19th, 2008

A while back, I had restructured my AD groups to match the AGUDLP (Accounts go into Global Groups go into Universal Groups go into DomainLocal Groups where they are applied as Permission) best practice. 

Now, I’m working to align my domain groups with the permissions structure in other applications, so I can create some scripts to automate people changing roles, gaining new responsibilities, and other functions.

I used the Show-NetMap script from Doug Finke, which uses a Microsoft Research project called NetMap, to map out the nested groups in my Active Directory. 

I’d love any feedback or suggestions for using this script.

```powershell
# Author: Steven Murawski http://www.mindofroot.com
# This script requires the Show-NetMap script from Doug Finke and the NetMap files
# These can be found at http://dougfinke.com/blog/?p=465
#
# Also required are the Quest AD Cmdlets.
#requires -pssnapin Quest.ActiveRoles.ADManagement
param([string]$SearchRoot = 'yourdomain.local/usersOU')

# Build one edge object: source = nested group, target = the group containing it
Function New-SourceTarget ($s, $t) {
    New-Object PSObject |
        Add-Member -pass noteproperty source $s |
        Add-Member -pass noteproperty target $t
}

# All security groups under the search root, plus their names for lookups
$groups = Get-QADGroup -GroupType Security -SearchRoot $SearchRoot
[string[]]$GroupNames = $groups | foreach {$_.name}

$sources = @()
foreach ($group in $groups)
{
    $name = $group.name
    foreach ($member in $group.members)
    {
        # Reduce the member DN to its CN (matches DNs whose parent container is an OU)
        $SubGroupName = $member -replace '^CN=(.+?),OU=.*', '$1'
        # Keep the member only if it is itself one of the groups (a nested group)
        if ($GroupNames -contains $SubGroupName)
        {
            $sources += New-SourceTarget $SubGroupName $name
        }
    }
}

# Dot-source Show-NetMap, then graph the edges
. c:\scripts\powershell\Show-NetMap
$sources | Show-NetMap
```
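Nested groups grant permissions indirectly, so the same source/target pairs can also be walked to list every group a nested group ends up in and to flag circular nesting. This is an added example, not part of Steven Murawski's script. The group names are constructed sample data, and `Get-EffectiveParent` is a hypothetical helper.

```powershell
# Same edge shape as the script above: source = nested group, target = containing group
function New-SourceTarget ($s, $t) {
    New-Object PSObject |
        Add-Member -PassThru NoteProperty source $s |
        Add-Member -PassThru NoteProperty target $t
}

# Constructed sample edges (in real use, reuse the $sources array built above)
$edges = @(
    New-SourceTarget 'GG-Contractors' 'GG-Helpdesk'
    New-SourceTarget 'GG-Helpdesk'    'UG-Support'
    New-SourceTarget 'UG-Support'     'DL-FileShare-Modify'
    New-SourceTarget 'GG-Loop-A'      'GG-Loop-B'
    New-SourceTarget 'GG-Loop-B'      'GG-Loop-A'
)

# Adjacency map: group name -> names of the groups it is directly nested in
$parentMap = @{}
foreach ($e in $edges) {
    if (-not $parentMap.ContainsKey($e.source)) { $parentMap[$e.source] = @() }
    $parentMap[$e.source] += $e.target
}

# Breadth-first walk up the nesting chain; $seen also stops endless loops on cycles
function Get-EffectiveParent ([string]$Group, [hashtable]$Map) {
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($Group)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        foreach ($p in @($Map[$current])) {
            if ($p -and -not $seen.ContainsKey($p)) {
                $seen[$p] = $true
                $queue.Enqueue($p)
            }
        }
    }
    $seen.Keys | Sort-Object
}

# One row per nested group: everything it is effectively a member of,
# and whether it reaches itself (circular nesting)
$report = foreach ($g in ($parentMap.Keys | Sort-Object)) {
    $effective = @(Get-EffectiveParent $g $parentMap)
    New-Object PSObject -Property @{
        Group             = $g
        Circular          = ($effective -contains $g)
        EffectiveMemberOf = ($effective -join ', ')
    }
}
$report | Format-Table Group, Circular, EffectiveMemberOf -AutoSize
```

In the sample data, `GG-Contractors` reports `DL-FileShare-Modify` as an effective membership even though no direct edge exists, which is the kind of indirect grant a role-change script needs to account for.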
