Public/Get-MDSForestADGroupMember.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
Function Get-MDSForestADGroupMember {
    <#
    .SYNOPSIS
    Get AD Group Membership for any group you have read access to in the forest

    .DESCRIPTION
    Get AD Group Membership for any group you have read access to in the forest. Requires the PDC Emulator to be able to respond to PowerShell requests. Use the FQDN of the domain for best results.

    .EXAMPLE
    Get-MDSForestADGroupMember -Identity 'AD Group'

    Searches the domain you're in for 'AD Group'

    .EXAMPLE
    Get-MDSForestADGroupMember -Identity 'AD Group' -Domain contoso.com

    Searches the contoso.com domain for 'AD Group'
    .NOTES
    Written by Rick A, August 2017

    #>


    #Requires -Module ActiveDirectory

    [CmdletBinding(
        SupportsShouldProcess,
        DefaultParameterSetName="MDSCredential"
    )]
    param(
        # Pipeline variable
        [parameter(Mandatory=$True,ValueFromPipeline)]
        [ValidateNotNullOrEmpty()]
        [string]$Identity,

        [parameter()]
        [ValidateNotNullOrEmpty()]
        [string]$Domain
    )

    begin {}
    process    {
        Try {
            # Get domain information
            If ($null -ne $PSBoundParameters.Domain) {

                $DomainType     = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
                $DomainContext  = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($DomainType, $Domain)
                $Server = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext).PdcRoleOwner.Name
            }
            Else {
                $Server = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
            }

            # Select the object type to query based on the identity provided
                <#
                    Distinguished Name
                        Example: CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com
                    GUID (objectGUID)
                        Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
                    Security Identifier (objectSid)
                        Example: S-1-5-21-3165297888-301567370-576410423-1103
                    Security Accounts Manager (SAM) Account Name (sAMAccountName)
                        Example: saradavisreports
                #>

            $FilterProperty = Switch -Regex ($Identity) {
                'CN=.*DC='  {'DistinguishedName'}
                'S-1-5-.*'  {'ObjectSID'}
                default {
                    $isGUID =   Try {[System.Guid]::Parse($Identity) | Out-Null;$True}
                                Catch {$False}
                    If ($isGUID -eq $True) {
                        'objectGUID'
                    }
                    Else {
                        'name'
                    }
                }
            }

            # Query AD for the group
            Write-Verbose "Get-ADGroup: Querying server $($Server) where $($FilterProperty) equals $($Identity)"
            #TODO: Replace Get-ADGroup
            $getADGroupSplat = @{
                Filter      = "$FilterProperty -eq '$Identity'"
                Server      = $Server
                ErrorAction = 'Stop'
            }
            $ADGroup = Get-ADGroup @getADGroupSplat

            # If the group wasn't found throw an error
            If ($null -eq $ADGroup) {
                Throw "$Identity not found in $($ADDomain.distinguishedname)"
            }

            # Query the group for group members & return the group members
            $getADGroupMemberSplat = @{
                Identity    = $ADGroup.DistinguishedName
                Server      = $Server
                Recursive   = $true
                ErrorAction = 'Stop'
            }

            $ShouldProcessTarget = $ADGroup.DistinguishedName
            If ($PSCmdlet.ShouldProcess($ShouldProcessTarget,$MyInvocation.MyCommand)) {
                #TODO: Replace Get-ADGroupMember
                Get-ADGroupMember @getADGroupMemberSplat | Sort-Object Name
            }
        }
        Catch {
            Write-Error $PSItem
        }
    }
    end {}
}