Active Directory | Alex Ø. T. Hansen

Alex Ø. T. Hansen

20/11/2018

PowerShell – Get all nested groups for a user in Active Directory

Ever needed to get all nested groups a user belongs in Active Directory?

#Get all recursive groups a user belongs.
Function Get-ADUserNestedGroups
{
    Param
    (
        [string]$DistinguishedName,
        [array]$Groups = @()
    )

    #Get the AD object, and get group membership.
    $ADObject = Get-ADObject -Filter "DistinguishedName -eq '$DistinguishedName'" -Properties memberOf, DistinguishedName;
    
    #If object exists.
    If($ADObject)
    {
        #Enummurate through each of the groups.
        Foreach($GroupDistinguishedName in $ADObject.memberOf)
        {
            #Get member of groups from the enummerated group.
            $CurrentGroup = Get-ADObject -Filter "DistinguishedName -eq '$GroupDistinguishedName'" -Properties memberOf, DistinguishedName;
       
            #Check if the group is already in the array.
            If(($Groups | Where-Object {$_.DistinguishedName -eq $GroupDistinguishedName}).Count -eq 0)
            {
                #Add group to array.
                $Groups +=  $CurrentGroup;

                #Get recursive groups.      
                $Groups = Get-ADUserNestedGroups -DistinguishedName $GroupDistinguishedName -Groups $Groups;
            }
        }
    }

    #Return groups.
    Return $Groups;
}
 
#The user to check.
$User = "<SamAccountName/DN/UserPrincipal>";

#Get all groups.
$Groups = Get-ADUserNestedGroups -DistinguishedName (Get-ADUser -Identity $User).DistinguishedName;

#Output all groups.
$Groups | Select-Object Name | Sort-Object -Property Name;

#Get all recursive groups a user belongs.

Function Get-ADUserNestedGroups

{

Param

(

[string]$DistinguishedName,

[array]$Groups = @()

)

#Get the AD object, and get group membership.

$ADObject = Get-ADObject -Filter "DistinguishedName -eq '$DistinguishedName'" -Properties memberOf, DistinguishedName;

#If object exists.

If($ADObject)

{

#Enummurate through each of the groups.

Foreach($GroupDistinguishedName in $ADObject.memberOf)

{

#Get member of groups from the enummerated group.

$CurrentGroup = Get-ADObject -Filter "DistinguishedName -eq '$GroupDistinguishedName'" -Properties memberOf, DistinguishedName;

#Check if the group is already in the array.

If(($Groups | Where-Object {$_.DistinguishedName -eq $GroupDistinguishedName}).Count -eq 0)

{

#Add group to array.

$Groups += $CurrentGroup;

#Get recursive groups.

$Groups = Get-ADUserNestedGroups -DistinguishedName $GroupDistinguishedName -Groups $Groups;

}

#Return groups.

Return $Groups;

}

#The user to check.

$User = "<SamAccountName/DN/UserPrincipal>";

#Get all groups.

$Groups = Get-ADUserNestedGroups -DistinguishedName (Get-ADUser -Identity $User).DistinguishedName;

#Output all groups.

$Groups | Select-Object Name | Sort-Object -Property Name;

Alex Ø. T. Hansen

19/09/2018

Exchange – Add nested group recipients to parent resources

Do you have nested groups within Exchange resources such as distribution groups, shared mailboxes, rooms or equipment?

If you have, you have come to the right place. I have created a script that extracts all nested group members of a resource, and add it directly to the resource instead.

The script works in both on-premise and Exchange Online.

Before you can run the script, you need to have access to the following:

Access to on-premise and/or Office 365 environment as a administrator.
Have the AzureAD and Active Directory PowerShell module installed.

Alex Ø. T. Hansen

16/09/2018

Tutorial – Deploy Always On VPN

Always On VPN provides a single, cohesive solution for remote access and supports domain-joined, non-domain-joined (workgroup), or Azure AD–joined devices, even personally owned devices. With Always On VPN, the connection type does not have to be exclusively user or device but can be a combination of both. For example, you could enable device authentication for remote device management, and then enable user authentication for connectivity to internal company sites and services.

The purpose for this guide is to demonstrate how to deploy the Always On feature easily. In this guide we will deploy the following platforms primarily using PowerShell where possible:

Active Directory (AD DS)
DNS
Certificate Authority (AD CS)
DHCP
Routing and Remote Access Service (RRAS)
Network Policy Server (RADIUS)

It will not be demonstrated how to install Windows Server or Windows 10 operating system.

Do not attempt to deploy Remote Access on a virtual machine (VM) in Microsoft Azure. Using Remote Access in Microsoft Azure is not supported, including both Remote Access VPN and DirectAccess.

Alex Ø. T. Hansen

05/07/2018

SCCM – Create Device Collections Based On Security Groups

I’m back again, with a quick how-to on SCCM.

Have you ever needed to create device collections based on security groups (user accounts) in Active Directory? -Well look no further!
You can use the following WQL in a collection.
Only thing you need to change is the SMS_R_User.UserGroupName=”CONTOSO\\mysecuritygroup”.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
from SMS_R_System
JOIN SMS_UserMachineRelationship ON  SMS_R_System.Name=SMS_UserMachineRelationship.ResourceName
JOIN SMS_R_User ON  SMS_UserMachineRelationship.UniqueUserName = SMS_R_User.UniqueUserName
WHERE   SMS_UserMachineRelationship.Types=1  AND   SMS_R_User.UserGroupName="CONTOSO\\mysecuritygroup"

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client

from SMS_R_System

JOIN SMS_UserMachineRelationship ON SMS_R_System.Name=SMS_UserMachineRelationship.ResourceName

JOIN SMS_R_User ON SMS_UserMachineRelationship.UniqueUserName = SMS_R_User.UniqueUserName

WHERE SMS_UserMachineRelationship.Types=1 AND SMS_R_User.UserGroupName="CONTOSO\\mysecuritygroup"

Alex Ø. T. Hansen

08/06/2017

PowerShell – Find nested Active Directory members of a group

Lately I found out that the following doesn’t always work, I had problem with returning all users in a group.

Get-ADGroupMember -Recursive

1	Get-ADGroupMember -Recursive

So I have created a small PowerShell function that basically does the same thing. Use it free of charge!

Function Get-ADNestedGroups
{
    [cmdletbinding()]

    Param
    (
        [Parameter(Mandatory=$true, HelpMessage="Please provide a valid identity.")]$Identity
    )

    #Get all groups/users of the root group.
    $Members = Get-ADGroupMember -Identity $Identity;

    #Foreach member in the group.
    Foreach($Member in $Members)
    {
        #If the member is a group.
        If($Member.ObjectClass -eq "group")
        {
            #Run the function again against the group.
            $Users += Get-ADNestedGroups -Identity $Member.distinguishedName;
        }
        Else
        {
            #Add the user to the object array.
            $Users += @($Member);
        }
    }

    #Return the users
    Return ,$Users;
}

$Users = Get-ADNestedGroups -Identity "Domain Users";

Function Get-ADNestedGroups

{

[cmdletbinding()]

Param

(

[Parameter(Mandatory=$true, HelpMessage="Please provide a valid identity.")]$Identity

)

#Get all groups/users of the root group.

$Members = Get-ADGroupMember -Identity $Identity;

#Foreach member in the group.

Foreach($Member in $Members)

{

#If the member is a group.

If($Member.ObjectClass -eq "group")

{

#Run the function again against the group.

$Users += Get-ADNestedGroups -Identity $Member.distinguishedName;

}

Else

{

#Add the user to the object array.

$Users += @($Member);

}

#Return the users

Return ,$Users;

}

$Users = Get-ADNestedGroups -Identity "Domain Users";

Alex Ø. T. Hansen

11/01/2016

“Network Path Not Found” while joining server to the domain

Recently I had a problem, where I couldn’t join a Windows Server to the domain. It displayed the following error.

Network Path Not Found

1	Network Path Not Found

There can be various reasons why this errors shows.

Mistype DNS configuration.
Firewall issues.
Wrong domain typed.

Even though I had all above correct, I still had the problem.

So I used the following commands in a cmd.exe to resolve the issue.