Check ad group membership without RSAT

Time:10-14

So this script is supposed to check the user's membership and configure the ODBC connection if they are part of the group. This runs flawlessly on my Azure device, but I have AD tools installed. I want to push this down using Intune to Azure laptops. But it gives me an error on the device:

  Get-ADGroupMember : The term 'Get-ADGroupMember' is not recognized as the name of a cmdlet, 
  function, script file, or operable program. Check the spelling of the name, 
  or if a path was included, verify that the path is correct and try again.
  At line:16 char:20
             $members = Get-ADGroupMember -server pitt-drdc-01.univ.pitt.e ...
                       ~~~~~~~~~~~~~~~~~
  CategoryInfo          : ObjectNotFound: (Get-ADGroupMember:String) [], 
 CommandNotFoundException
  FullyQualifiedErrorId : CommandNotFoundException

PS: I suck at this, and these will run on Azure enrolled devices if that helps.

###########################################################################################
# Creating ODBC Connection to FMTMA-BE02 for Jobs
###########################################################################################
$ChkFile = "C:\Windows\System32\msodbcsql17.dll"
$FileExists = Test-Path $ChkFile

If ($FileExists -eq $True) {
    # Configure ODBC connection for FMTMA-BE02
    $user = "$env:UserName"
    $groups = 'CN=FM-TMASQLUserAccess'

    # Verify group membership
    foreach ($group in $groups) {

        # Get-ADGroupMember comes from the ActiveDirectory (RSAT) module, which must be present on the device
        $members = Get-ADGroupMember -Server fsc-server-place.com -Identity $group -Recursive |
            Select-Object -ExpandProperty SamAccountName

        # If the user is in the AD group, create the ODBC connection
        If ($members -contains $user) {
            Write-Host "Adding ODBC Connection FMTMA-BE02"
            Add-OdbcDsn -DriverName "ODBC Driver 17 for SQL Server" -DsnType User -Name fmTMA-BE02 `
                -AsJob -SetPropertyValue ("Server=FSC-TMA-BE02.edu", "Trusted_Connection=Yes", "Database=FM")
        }
        Else {
            Write-Host "$user is not a member of $group"
        }
    }
}
else {
    # The driver check failed; $group is not defined in this branch, so report the missing driver instead
    Write-Host "ODBC Driver 17 for SQL Server not found at $ChkFile"
}

CodePudding user response:

Quick and dirty:

$Group = [ADSI]"LDAP://CN=ODBCGroup,OU=Admin Groups,DC=Domain,DC=com"
# member holds distinguishedNames, so resolve the current user's DN (via the SID in the logon token) before matching
$userSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$userDistinguishedName = ([ADSI]"LDAP://<SID=$userSid>").distinguishedName.Value
if ($Group.Member -match [regex]::Escape($userDistinguishedName)) {
    # do stuff
}

You can do a partial match of the group members, but remember they're distinguishedNames - in my environment, if we tried to match $env:username, it'd fail.

Alternatively, if your groups are huge and/or you have a lot of network latency, another way of doing this is to actually check the user's group memberships on the local machine, rather than parsing through all group members that you're dragging down from AD.

You can crack open the user's Kerberos token to list their AD group memberships with [System.Security.Principal.WindowsIdentity]::GetCurrent()

Then, you can embed your group's SID into your script to match with the token's group list or you could futureproof it by checking the group SID in ADSI.

$krbToken = [System.Security.Principal.WindowsIdentity]::GetCurrent()
# get group SID - you can use [adsisearcher] with an LDAP query if
# you don't want to embed the group DN (e.g. for use in multiple domains)
$odbcSID = ([ADSI]("LDAP://CN=ODBCGroup,OU=Admin Groups,DC=Domain,DC=com")).objectSid.Value
# convert the binary objectSid to its string form for matching
$strOdbcSID = (New-Object System.Security.Principal.SecurityIdentifier($odbcSID, 0)).Value
# $krbToken.Groups is a collection of SecurityIdentifier objects (lots of domain and group SIDs);
# compare whole SID strings with -contains so one SID cannot match as a prefix of another
If ($krbToken.Groups.Value -contains $strOdbcSID) {
    # Do stuff
}

This is an excellent article that demonstrates this method to check group SIDs via the Kerberos token - since we have a known group, the scenario is a bit simpler: https://activedirectoryfaq.com/2016/08/read-kerberos-token-powershell/

It's worth trying both options with a Measure-Command to see which might be more efficient in your scenario.
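As an added example (not code from the question or from this answer), here is the poster's script rewritten to run without RSAT along the lines of the second option above: the group SID is looked up once with [adsisearcher] by sAMAccountName instead of a hard-coded DN, and membership is read from the caller's logon token rather than by enumerating the group. The group name, driver path, DSN name and server values are taken from the question; the query assumes the device can reach a domain controller over LDAP in the default naming context.

```powershell
# Added example: RSAT-free version of the ODBC DSN script. Values below come from the question.
$GroupName = 'FM-TMASQLUserAccess'
$DriverDll = 'C:\Windows\System32\msodbcsql17.dll'
$DsnName   = 'fmTMA-BE02'

if (-not (Test-Path -Path $DriverDll)) {
    Write-Host "ODBC Driver 17 for SQL Server not found at $DriverDll; nothing to do"
    return
}

# Resolve the group's objectSid with a plain LDAP query; [adsisearcher] wraps
# System.DirectoryServices.DirectorySearcher and needs no ActiveDirectory module.
$searcher = [adsisearcher]"(&(objectCategory=group)(sAMAccountName=$GroupName))"
$searcher.PropertiesToLoad.Add('objectSid') | Out-Null
$result = $searcher.FindOne()
if (-not $result) {
    Write-Host "Group $GroupName not found in the default naming context"
    return
}
$groupSid = New-Object System.Security.Principal.SecurityIdentifier($result.Properties['objectsid'][0], 0)

# The logon token already lists every group (nested ones included) the user belonged to at logon,
# so no member enumeration is needed. Compare whole SID strings with -contains, not -match,
# so that a SID ending in 1234 is not matched by one ending in 12345.
$tokenGroupSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Value }

if ($tokenGroupSids -contains $groupSid.Value) {
    Write-Host "Adding ODBC connection $DsnName"
    Add-OdbcDsn -DriverName 'ODBC Driver 17 for SQL Server' -DsnType User -Name $DsnName `
        -SetPropertyValue @('Server=FSC-TMA-BE02.edu', 'Trusted_Connection=Yes', 'Database=FM')
} else {
    Write-Host "$env:UserName is not a member of $GroupName"
}
```

Two caveats when deploying this: the token reflects membership at logon time, so a user added to the group sees the DSN only after the next logon; and it presumes a domain (or hybrid) logon, since on a device that is only Azure AD joined the token does not carry on-premises group SIDs and the LDAP lookup has no domain controller to reach.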

CodePudding user response:

The question is what you really need. Using the PS module is probably the easiest. You could use a remote session for this as well (depending on what those notebooks can do and what access they got).

As far as I can see from your code, you're really only interested in whether a person is a member of a specific group. Depending on what you do, you could use an LDAP query for the user itself rather than grabbing every user of those groups to do this.

There are other tools that can help you out as well, for instance whoami /groups. Another option might be to use net user username /DOMAIN. Using whoami is pretty easy from PS.

$lookupGroups = @("FM-TMASQLUserAccess")
# whoami reports group names as DOMAIN\Name, so strip the domain prefix before comparing
$groups = whoami /groups /fo csv | ConvertFrom-Csv
$groups | Where-Object { ($_.'Group Name' -split '\\')[-1] -in $lookupGroups } | ForEach-Object {
    # the poster's DSN creation step goes here
    Add-OdbcDsn -DriverName "ODBC Driver 17 for SQL Server" -DsnType User -Name fmTMA-BE02 -SetPropertyValue ("Server=FSC-TMA-BE02.edu", "Trusted_Connection=Yes", "Database=FM")
}
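As an added example (not part of this answer), the same whoami-based check can key on the SID column of whoami /groups /fo csv rather than on the display name: names are reported as DOMAIN\Name and can be renamed, while the SID is stable. It also skips entries whose Attributes column says the group is used for deny only, since such an entry grants nothing. The SID value is a constructed placeholder and must be replaced with the real objectSid of FM-TMASQLUserAccess; the DSN values are taken from the question.

```powershell
# Added example: match the token group list printed by whoami on SID instead of name.
$LookupGroupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1234'   # constructed placeholder

# Columns produced by whoami /groups /fo csv: Group Name, Type, SID, Attributes
$tokenGroups = whoami /groups /fo csv | ConvertFrom-Csv

$granted = $tokenGroups | Where-Object {
    $_.SID -eq $LookupGroupSid -and $_.Attributes -notmatch 'deny only'
}

if ($granted) {
    Write-Host "Adding ODBC connection fmTMA-BE02"
    Add-OdbcDsn -DriverName 'ODBC Driver 17 for SQL Server' -DsnType User -Name fmTMA-BE02 `
        -SetPropertyValue @('Server=FSC-TMA-BE02.edu', 'Trusted_Connection=Yes', 'Database=FM')
} else {
    Write-Host "$env:UserName does not hold group $LookupGroupSid in the current token"
}
```

Like the token approach in the other answer, this reads the logon token, so a membership change takes effect at the next logon rather than immediately.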