Powershell - AD permissions all users



  • Team Good Afternoon from London :),

    I have been tasked with an AD issue, which needs a powershell written.

    the script needs to output all users from our AD and their membership access. BUT the catch is that the CSV will need to match against the line above, so for example, a user who has access to HR Folders, and the user below has access to it, they need to fall in the same row for easy filtering. If the group does not match, a blank space can be added.

    Not sure if the above makes sense sorry.

    again thanks in advance.



  • this is the code I have got so far, but the output for all the groups is mixed up, can the CSV be tweaked a bit? does anyone know?

    # Loads the Active Directory module
    Import-Module ActiveDirectory
    # Prompts for user credentials (default user is "   "); enter an administrator account in the form of "domain-name\administrator-account"
    $credentials = Get-Credential
    Get-ADUser -Credential $credentials -Filter * -Properties DisplayName,EmailAddress,memberof,DistinguishedName,Enabled | ForEach-Object {
        New-Object PSObject -Property @{
            UserName          = $_.DisplayName
            EmailAddress      = $_.EmailAddress
            DistinguishedName = $_.DistinguishedName
            Enabled           = $_.Enabled
            # Group names are joined with ";" as the delimiter, which is incredibly useful for copy & paste of group memberships to new hire employees.
            # The same credentials are passed to Get-ADGroup so the group lookups run as the same account as the user query.
            Groups            = ($_.memberof | Get-ADGroup -Credential $credentials | Select-Object -ExpandProperty Name) -join ";"
        }
    # OU is taken from the second RDN of the distinguished name, i.e. the container directly holding the user.
    # The export path is variable; change it to the desired location on the domain controller or end user computer.
    } | Select-Object UserName,EmailAddress,@{l='OU';e={$_.DistinguishedName.split(',')[1].split('=')[1]}},Groups,Enabled |
        Sort-Object UserName |
        Export-Csv C:\users\Desktop\AD1.csv -NoTypeInformation
    

    any help would be really appreciated 🙂



  • Do you just need the Folder-Level permissions or do you have to get permissions on each file?



  • only folder level, but the extract of the permissions needs to match up. does that make sense when I say "Match up"? not really sure how to explain it. all the same permissions need to be in the same column; AD seems to just throw groups all over the show when extracted. I need them to all sync up in the CSV so it's easy to filter for certain access and who has it. hope that makes sense 🙂 thanks for the reply @dafyre



  • I'm going to take the two scripts you've posted and see if I can make them into one working script. It may take me a bit.

    Have you looked at Netwrix Effective Permissions Reporting Tool (http://www.netwrix.com/netwrix_effective_permissions_reporting_tool.html) ?



  • really appreciate the help @dafyre. unfortunately 3rd party tools are a no no, already asked that question and been shot down :(.

    This is a single script and I just need help cleaning the CSV output into a more easily filtered search. For example, the below is how it comes out,

    TEST.USER1 HR TRUE Blank Space Group 1 Group 2 Group 3
    TEST.USER HR TRUE Group 1 Group 2 Group 4 Group 2

    I would like it to appear like below, all matching the above row where possible; if it does not match, put a blank space and move to the next cell

    TEST.USER1 HR TRUE Blank Space Group 2 Group 4 Group 3
    TEST.USER HR TRUE Group 1 Group 2 Group 4 Blank space



  • @pally I am assuming that HR is the name of the share... what is the TRUE column? True or False if they have access to it or not?



  • @pally said:

    really appreciate the help @dafyre. unfortunately 3rd party tools are a no no, already asked that question and been shot down :(.

    Why, because of costs?
    There are several tools out there that are free or shareware.



  • @pally -- The tool I linked to above is free if cost is the concern.



  • Not really cost related, think they want me to go through all these issues cus they hate me lol.

    think I may have explained it incorrectly ...sorry

    this script needs to only show what permissions every user has, but the permissions need to be outputted in an easy-to-filter way, having all the same Group memberships in the same column like the example. when someone filters for Group1, all Group1 appears in one column.

    sorry I explained it wrong. hope this makes better sense.



  • @pally said:

    Not really cost related, think they want me to go through all these issues cus they hate me lol.

    think I may have explained it incorrectly ...sorry

    this script needs to only show what permissions every user has, but the permissions need to be outputted in an easy-to-filter way, having all the same Group memberships in the same column like the example. when someone filters for Group1, all Group1 appears in one column.

    sorry I explained it wrong. hope this makes better sense.

    OK Pally.

    Let me stop you there.

    Use the "Text To Columns" function in Excel; my script here generates the data so you can sort it out into individual columns. You filter for all users who are in File Group 1.
    No reason to try and come up with a way to do this via PowerShell. Excel is perfectly suited for this.



  • @DustinB3403 the script works fine, I have separated using Excel, but the groups do not match up. I have Group 1 in cell 5 and I have the same Group in cell 23, so the filter does not see that. it's very hard to explain; some people have more groups and some have less, the output cannot match them to be in the same column.



  • OK So you want the Groups sorted alphabetically?



  • Or you need a header with each group name, and who's in that group under it?



  • alphabetically would be ideal, but group headers would work too.



  • So rather than the 5 header columns that are in the existing report of Username, Email Address, DistinguishedName, Enabled and Groups.

    You want as many columns as you have permission groups, and the member users under each.

    Is that correct?



  • correct, the user, and all the groups they are a member of in alphabetical order, so they line up with the same groups for the next user if this is the case; if not it would leave a blank space so we can filter only with the same group.

    I swear there must be an easier way to explain this lol 🙂

    again thank you



  • @pally said:

    correct, the user, and all the groups they are a member of in alphabetical order, so they line up with the same groups for the next user if this is the case; if not it would leave a blank space so we can filter only with the same group.

    I swear there must be an easier way to explain this lol 🙂

    again thank you

    You could actually write an example up in Excel of what you want the report to look like.



  • He's attempting to sort it so all group members are in the same column of excel.

    This isn't possible since not every member has the same permissions.

    IE

    User1 might have Share_Bananas_RW and Share_Beans_RW
    
    But User2 only has Share_Bananas_RW
    
    And User3 has Share_Beans_RW and Share_Apples_RO
    

    Well in the Excel document, that's trying to sort by data that isn't there. It can't be done, to have all of the Share_Bananas_RW groups in column E for example.

    Well Share_Apples_RO will always be in Column E (or whatever is open first) and everything else will be further down the sheet.



  • Below you'll find a hand crafted version of what he's looking for.

    UserName        OU          Enabled    Groups                      Groups                    Groups
    ELAS Support    ELAS        TRUE       AnyConnect Remote Access    Remote Desktop Users
    QTS Support     QTS         TRUE       AnyConnect Remote Access    Remote Desktop Users
    Roshan Azeez    NetCrowd    TRUE       AnyConnect Remote Access    Remote Desktop Users

    The above is an example of a hand crafted version.

    But if ELAS Support has Administrators in it, AnyConnect Remote Access wouldn't be the first group.

    it would instead be

    UserName        OU          Enabled    Groups            Groups                      Groups
    ELAS Support    ELAS        TRUE       Administrators    AnyConnect Remote Access    Remote Desktop Users
    QTS Support     QTS         TRUE                         AnyConnect Remote Access    Remote Desktop Users
    Roshan Azeez    NetCrowd    TRUE                         AnyConnect Remote Access    Remote Desktop Users


  • Sounds like something like this would suit him

    [image: snip.PNG]

    This would be very involved though. You'd need to enumerate every group for each user, creating an x or o based upon if they are or are not a member.

    then you could sort this by username and see what they are and aren't members of.

    Good luck.



  • Thanks @DustinB3403 that is exactly what I am trying to do, if anyone @DustinB3403 has tried and said it cannot be done, if it can be done and someone can shed some light I would be very grateful.

    Thanks



  • Is this what you want?

    [image: snip.PNG]



  • @Dashrender that is exactly what I need. is it possible to do?



  • Adding the Administrator group to a new user would change it to look like this
    [image: snip.PNG]



  • that would be ideal, if this is possible please let me know how 🙂 @Dashrender



  • @pally said:

    @Dashrender that is exactly what I need. is it possible to do?

    Sure, it's possible, don't ask me how I'm not a scripter, but I do understand the basic logic now.

    you create a loop that reads in the first user, then looks at a list of known groups and sees if it's a member or not; if not, you leave a blank (for the cell) and the close marker for that cell, then check against the next group.

    So you end up with two nested loops, the outer loop is going through all users, the inner loop goes through all groups.
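    One way to build the one-column-per-group layout described above (outer loop over users, inner loop over a sorted list of known groups, blank cell where the user is not a member), written as an added example and not code from anyone in this thread. The sample users are constructed inline so it runs without an AD connection; the function name and the export path are assumptions, and the optional 'X' cell style produces the x/o matrix DustinB3403 suggested.

```powershell
# Added example: one column per group, alphabetical, blank where the user is not a member.
# The users below are constructed sample data; with AD access, build the same objects from
#   Get-ADUser -Filter * -Properties DisplayName,memberof
# with Groups = ($_.memberof | Get-ADGroup | Select-Object -ExpandProperty Name)

function ConvertTo-GroupMatrix {
    param(
        # Objects carrying UserName, OU, Enabled and Groups (an array of group names)
        [Parameter(Mandatory)] [object[]] $Users,
        # 'Name' writes the group name into the cell, 'X' writes an x (the x/o matrix idea)
        [ValidateSet('Name', 'X')] [string] $CellStyle = 'Name'
    )
    # Union of every group seen across all users, sorted once so every row
    # gets the same column order (outer loop = users, inner loop = groups)
    $allGroups = $Users | ForEach-Object { $_.Groups } | Where-Object { $_ } | Sort-Object -Unique

    foreach ($user in $Users) {
        # Ordered hashtable: fixed columns first, then the group columns in alphabetical order
        $row = [ordered]@{ UserName = $user.UserName; OU = $user.OU; Enabled = $user.Enabled }
        $memberOf = @($user.Groups)
        foreach ($group in $allGroups) {
            if ($memberOf -contains $group) {
                $row[$group] = if ($CellStyle -eq 'X') { 'x' } else { $group }
            } else {
                $row[$group] = ''   # not a member: blank cell, column position unchanged
            }
        }
        [PSCustomObject]$row
    }
}

# Constructed sample data standing in for Get-ADUser output (names taken from the thread's mock-up)
$sample = @(
    [PSCustomObject]@{ UserName = 'ELAS Support'; OU = 'ELAS';     Enabled = $true; Groups = @('AnyConnect Remote Access', 'Remote Desktop Users', 'Administrators') }
    [PSCustomObject]@{ UserName = 'QTS Support';  OU = 'QTS';      Enabled = $true; Groups = @('AnyConnect Remote Access', 'Remote Desktop Users') }
    [PSCustomObject]@{ UserName = 'Roshan Azeez'; OU = 'NetCrowd'; Enabled = $true; Groups = @('Remote Desktop Users') }
)

$matrix = ConvertTo-GroupMatrix -Users $sample
$matrix | Format-Table -AutoSize
# Output path is an assumption; point it wherever the report should land
$matrix | Export-Csv -Path "$env:USERPROFILE\Desktop\AD-GroupMatrix.csv" -NoTypeInformation
```

    Because every row carries the same ordered set of keys, the CSV header is the fixed columns followed by one column per group, so an Excel filter on any group column selects exactly its members.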



  • if anyone thanks to @Dashrender and of course @DustinB3403 can make this happen, you will make me a happy guy :).



  • Here is a very rudimentary pseudo code
    [image: snip.PNG]



  • Pally, if you understand the scripts you have in front of you, you might be able to change them yourself to follow the logic I wrote up.


 
