Public/Get-ADSITokenGroup.ps1

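function Get-ADSITokenGroup
{
    <#
 .SYNOPSIS
  Retrieve the list of groups present in the tokenGroups attribute of a user or computer object.

 .DESCRIPTION
  Retrieve the list of groups present in the tokenGroups attribute of a user or computer object.

  tokenGroups is a constructed attribute, so it is requested explicitly (GetInfoEx) on the
  DirectoryEntry of each account found. Every SID in the attribute is translated to an
  NTAccount name; a SID that cannot be translated (deleted group, SID history from an
  unreachable domain) is returned as the SecurityIdentifier itself instead of aborting the
  whole enumeration.

  TokenGroups attribute
  https://msdn.microsoft.com/en-us/library/ms680275%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

 .PARAMETER SamAccountName
  Specifies the SamAccountName to retrieve. The value is escaped before being placed in the
  LDAP filter, so it is matched literally (wildcards and filter syntax are not interpreted).

 .PARAMETER Credential
  Specifies Credential to use when binding to the directory. When supplied, the bind is done
  with this credential against DomainDistinguishedName.

 .PARAMETER DomainDistinguishedName
  Specify the Domain or Domain DN path to use. Defaults to the search root of the current
  domain; an "LDAP://" prefix is added when missing.

 .PARAMETER SizeLimit
  Specify the maximum number of accounts to retrieve.

 .EXAMPLE
  Get-ADSITokenGroup -SamAccountName 'jdoe'

  Returns one object per group in the tokenGroups of the account jdoe, with the properties
  SamAccountName and GroupName.

 .OUTPUTS
  PSObject with the properties SamAccountName (string) and GroupName
  (System.Security.Principal.IdentityReference: NTAccount when translated, SecurityIdentifier otherwise).

 .NOTES
  Francois-Xavier Cat
  www.lazywinadmin.com
  @lazywinadm

  Version History
  1.0 2015/04/02 Initial Version
 #>

    [CmdletBinding()]
    param
    (
        [Parameter(ValueFromPipeline = $true)]
        [Alias('UserName', 'Identity')]
        [String]$SamAccountName,

        [Alias("RunAs")]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]
        $Credential = [System.Management.Automation.PSCredential]::Empty,

        [Alias('DomainDN', 'Domain')]
        [String]$DomainDistinguishedName = $(([adsisearcher]"").Searchroot.path),

        [Alias('ResultLimit', 'Limit')]
        [int]$SizeLimit = 100
    )

    BEGIN
    {
        # Escape the characters that carry meaning inside an LDAP filter (RFC 4515) so the
        # caller-supplied value is matched literally and cannot change the filter structure.
        function ConvertTo-LdapFilterValue
        {
            param ([string]$Value)

            # Backslash is replaced first so the escape sequences added afterwards are not re-escaped.
            $Escaped = $Value.Replace('\', '\5c')
            $Escaped = $Escaped.Replace('*', '\2a')
            $Escaped = $Escaped.Replace('(', '\28')
            $Escaped = $Escaped.Replace(')', '\29')
            $Escaped = $Escaped.Replace("`0", '\00')
            return $Escaped
        }
    }

    PROCESS
    {
        IF ([string]::IsNullOrWhiteSpace($SamAccountName))
        {
            # An empty name would produce the filter "(samaccountname=)", which is invalid.
            Write-Warning -Message "[PROCESS] No SamAccountName specified, nothing to search."
            return
        }

        $Search = $null
        $Results = $null

        TRY
        {
            # Normalise the domain path first: both the credential bind and the plain bind use it.
            IF ($DomainDistinguishedName -and $DomainDistinguishedName -notlike "LDAP://*")
            {
                $DomainDistinguishedName = "LDAP://$DomainDistinguishedName"
            }

            # Building the basic search object with some parameters
            $Search = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ErrorAction 'Stop'
            $Search.SizeLimit = $SizeLimit

            # The filter is a flat AND of two equality matches; the name is escaped above.
            $EscapedName = ConvertTo-LdapFilterValue -Value $SamAccountName
            $Search.Filter = "(&(objectclass=user)(samaccountname=$EscapedName))"

            IF ($PSBoundParameters['Credential'])
            {
                # The credential bind must be the last SearchRoot assignment: a later plain-path
                # assignment would silently replace it and the query would run as the caller.
                Write-Verbose -Message "[PROCESS] Binding to $DomainDistinguishedName as $($Credential.UserName)"
                $Search.SearchRoot = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $DomainDistinguishedName, $($Credential.UserName), $($Credential.GetNetworkCredential().password)
            }
            ELSEIF ($DomainDistinguishedName)
            {
                # Different Domain
                Write-Verbose -Message "[PROCESS] Different Domain specified: $DomainDistinguishedName"
                $Search.SearchRoot = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $DomainDistinguishedName
            }

            $Results = $Search.FindAll()

            FOREACH ($Account in $Results)
            {
                $AccountGetDirectory = $Account.GetDirectoryEntry()

                TRY
                {
                    # tokenGroups is a constructed attribute: it has to be requested explicitly.
                    $AccountGetDirectory.GetInfoEx(@("tokenGroups"), 0)
                    $AccountSamAccountName = $Account.properties.samaccountname -as [string]

                    FOREACH ($Token in $($AccountGetDirectory.Get("tokenGroups")))
                    {
                        # Create SecurityIdentifier to translate into group name
                        $Principal = New-Object System.Security.Principal.SecurityIdentifier($Token, 0)

                        TRY
                        {
                            $GroupName = $Principal.Translate([System.Security.Principal.NTAccount])
                        }
                        CATCH
                        {
                            # Keep the SID rather than losing the remaining groups of this account.
                            Write-Warning -Message "[PROCESS] Could not translate SID $($Principal.Value): $($_.Exception.Message)"
                            $GroupName = $Principal
                        }

                        # Output Information
                        New-Object -TypeName PSObject -Property @{
                            SamAccountName = $AccountSamAccountName
                            GroupName = $GroupName
                        }
                    }
                }
                FINALLY
                {
                    $AccountGetDirectory.Dispose()
                }
            }
        }
        CATCH
        {
            Write-Warning -Message "[PROCESS] Something wrong happened!"
            # $_ is the exception of this CATCH; $error[0] may refer to an unrelated earlier error.
            Write-Warning -Message $_.Exception.Message
        }
        FINALLY
        {
            # SearchResultCollection holds unmanaged handles until disposed.
            IF ($Results) { $Results.Dispose() }
            IF ($Search) { $Search.Dispose() }
        }
    }#PROCESS
    END { Write-Verbose -Message "[END] Function Get-ADSITokenGroup End." }
}#Function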