Use PowerShell to generate token bloat report

Today you will find out how to create a token bloat report and send it to a specified email address. If you work in a large-scale environment, you may find this useful. Often a user complains that he is unable to access some corporate applications. After a short investigation you may find that one of the reasons is a large number of group memberships. …

Check when user was added to AD group

Today I will show you a script to check when a user was added to an AD group. The script uses the repadmin tool to check when users were modified inside the group. Showobjmeta displays the replication metadata for a specified object stored in Active Directory, so it can be used for more than checking group membership. You can find other functionalities of this tool on the TechNet site. Output from repadmin tool …

PowerShell one-liner: Get AD user groups

Starting today, we will add a new series of articles describing one-liner scripts. In this post I would like to show you how to get the names of the groups a user is a member of using just a one-liner script. Get-ADUser allows you to list all information for an Active Directory user account. This command is part of the ActiveDirectory module, where you can also see other commands. Check available modules on your PC: …

Get members from all groups starting/ending or contains with search phrase

In this article you will find a script for getting members from groups based on a keyword. If your environment contains thousands of groups, it might be difficult to quickly find specific groups and get their direct members. To do this you can use the function pasted below. To find group members we can just use the Get-ADGroup command: Apart from that, the script will also check member details like emailaddress and WhenChanged date: Usage: …

Get group membership details using PowerShell

As an administrator you often need to check user group membership. Today I want to show you a simple function which will help you get that information for a specific user. At the beginning of the function we can check if the Active Directory module is installed and validate the user name: For checking user group membership we can use the following Get-ADUser commands. Unfortunately they will return just group names: Our function helps …

Add AD group to local administrators of the server

Today’s post will help you understand how to add an AD group to local administrators. The script below first searches Active Directory for servers with a Windows Server OS (this can be filtered further by adjusting the LDAP filter). Once all computer objects are gathered, the script creates an AD group. The name of the AD group uses the pattern ADMComputerName. When the AD group is created, it’s added to the local administrators group of the server. …

How to copy groups membership from reference account?

Recently I received a task to copy group membership from a reference account. The function which I’ve prepared is not very complicated. To create it I used the Active Directory module. In the first step the function gathers the membership of the reference user and saves it in a groups array. Once the array is completed, the AD module function Add-ADGroupMember is used (for details check https://technet.microsoft.com/pl-pl/library/ee617210.aspx). Usage: Copy-GroupMemebrship -ReferenceAccount “SANofRefAccount” -ReferenceAccountServer “RefAccountServer” -AccountToChange “SANofAccToCahnge” -DomainAccountToChange “DomainofAccToChange” I hope it …

Get total number of group membership for specific user

This time I want to show you how to get the number of direct and indirect (nested) group memberships for a specific user. Please note that once a user is a member of about 1000 groups, some SIDs can’t be added to the token. This will cause an access failure when trying to use a resource that requires that token. As we all know, error handling is very important, so I added a Try/Catch block …