Public/Get-MDSForestADGroupMember.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
Function Get-MDSForestADGroupMember {
    <#
    .SYNOPSIS
    Get AD Group Membership for any group you have read access to in the forest

    .DESCRIPTION
    Get AD Group Membership for any group you have read access to in the forest. Requires the PDC Emulator to be able to respond to PowerShell requests. Use the FQDN of the domain for best results.

    .EXAMPLE
    Get-MDSForestADGroupMember -Identity 'AD Group'

    Searches the domain you're in for 'AD Group'

    .EXAMPLE
    Get-MDSForestADGroupMember -Identity 'AD Group' -Domain contoso.com

    Searches the contoso.com domain for 'AD Group'
    .NOTES
    Written by Rick A, August 2017

    #>


    #Requires -Module ActiveDirectory

    [CmdletBinding(
        SupportsShouldProcess,
        DefaultParameterSetName="MDSCredential"
    )]
    param(
        # Pipeline variable
        [parameter(Mandatory=$True,ValueFromPipeline)]
        [ValidateNotNullOrEmpty()]
        [string]$Identity,

        [parameter()]
        [ValidateNotNullOrEmpty()]
        [string]$Domain
    )

    begin {}
    process    {
        Try {
            # Get domain information
            $getADDomainSplat = @{
                ErrorAction = 'Stop'
            }
            If ($null -ne $PSBoundParameters.Domain) {
                Write-Verbose "Querying for domain $Domain"
                $getADDomainSplat.Add('Identity',$Domain)
            }
            $ADDomain = Get-ADDomain @getADDomainSplat

            # Set the server to query
            $Server = $ADDomain.PDCEmulator
            Write-Verbose "Found server $Server in domain $($ADDomain.domain)"

            # Select the object type to query based on the identity provided
                <#
                Distinguished Name
                    Example: CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com
                GUID (objectGUID)
                    Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
                Security Identifier (objectSid)
                    Example: S-1-5-21-3165297888-301567370-576410423-1103
                Security Accounts Manager (SAM) Account Name (sAMAccountName)
                    Example: saradavisreports
                #>

            $FilterProperty = Switch -Regex ($Identity) {
                'CN=.*DC='  {'DistinguishedName'}
                'S-1-5-.*'  {'ObjectSID'}
                default {
                    $isGUID =   Try {[System.Guid]::Parse($Identity) | Out-Null;$True}
                                Catch {$False}
                    If ($isGUID -eq $True) {
                        'objectGUID'
                    }
                    Else {
                        'name'
                    }
                }
            }

            # Query AD for the group
            Write-Verbose "Get-ADUser: Querying server $($Server) where $($FilterProperty) equals $($Identity)"
            $getADGroupSplat = @{
                Filter      = {$FilterProperty -eq $Identity}
                Server      = $Server
                ErrorAction = 'Stop'
            }
            $ADGroup = Get-ADGroup @getADGroupSplat

            # If the group wasn't found throw an error
            If ($null -eq $ADGroup) {
                Throw "$Identity not found in $($ADDomain.distinguishedname)"
            }

            # Query the group for group members & return the group members
            $getADGroupMemberSplat = @{
                Identity    = $ADGroup.DistinguishedName
                Server      = $Server
                Recursive   = $true
                ErrorAction = 'Stop'
            }

            $ShouldProcessTarget = $ADGroup.DistinguishedName
            If ($PSCmdlet.ShouldProcess($ShouldProcessTarget,$MyInvocation.MyCommand)) {
                Get-ADGroupMember @getADGroupMemberSplat | Sort-Object Name
            }
        }
        Catch {
            Write-Error $PSItem
        }
    }
    end {}
}