Get user group memberships from SID

Time:08-24

I'm querying AD groups outside our local domain. When searching for the groups in PS, I get all the members displayed with their SID and not with their user ID.

What I basically want is to enter the user ID and get all the group memberships the user's SID is linked with.

Below is what I've already tried, but with no result...

Write-Host "enter user id" 
$user = Read-Host

# Forest where the groups are nested 
$LDAPServer = 'wwg00m.rootdom.net'

# Get the SID of the user 
$adUsr = Get-ADUser $user -Properties SID | Select-Object SID

# Get all groups matching the query in AD 
$Groups = Get-ADObject -server $LDAPServer -LDAPFilter '(&(objectCategory=group)(name=*_EN))' | Select Name

# Get all members of each group, stripping the DN parts so only the bare SID is left, comparable to $adUsr
$Members = (Get-ADGroup -Identity $Groups -Server $LDAPServer -Properties Members).Members -Replace ("CN=", "") -Replace (",ForeignSecurityPrincipals,DC=wwg00m,DC=rootdom,DC=net", "") 

foreach ($adUsr in $members) {
    [pscustomobject]@{
        GroupName = $Members.Name
    }
}

CodePudding user response:

Based on the conversation in the comments, this might work. Basically, we first get the SID of the user in the current domain; once we have it, we can get the user's DistinguishedName in the trusted domain, and finally with this information we can perform an LDAP query searching for all groups this DN is a member of.

try {
    # Get user input
    $user = Read-Host "Enter User ID"
    # Forest where the groups are nested 
    $LDAPServer = 'wwg00m.rootdom.net'
    # Get the user object (including its SID) from the current domain
    $sid = Get-ADUser $user
    # Get the DistinguishedName of the user in the other domain
    $dn = (Get-ADUser $sid.SID -Server $LDAPServer).DistinguishedName
    # Search for all groups where this DN is a member
    Get-ADGroup -LDAPFilter "(member=$dn)" -Server $LDAPServer | ForEach-Object {
        # here we can combine the user's data from the current and trusted domain;
        # change the output as needed
        [pscustomobject]@{
            GroupName             = $_.Name
            UserName              = $sid.Name
            UserDistinguishedName = $dn
        }
    }
}
catch {
    # Error handling here...
    Write-Error $_
}
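An added example (not code from the question or the answer) of the same lookup, assuming the ActiveDirectory module and a trust to the forest behind the server from the question: the user is matched in the trusted domain by its SID via the foreignSecurityPrincipal object that the member DNs in the question point at, the DN is escaped before it is embedded in the filter, and an optional switch uses the LDAP_MATCHING_RULE_IN_CHAIN rule so that nested groups are returned as well. The function names are mine.

```powershell
# Added example; assumes the ActiveDirectory module and read rights on the trusted forest.
function ConvertTo-LdapFilterValue {
    # Escape a value per RFC 4515 so a DN containing \ * ( ) or NUL cannot
    # break out of, or widen, the LDAP filter it is embedded in.
    param([Parameter(Mandatory)][string]$Value)
    $out = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$out.Append('\5c') }
            '*'  { [void]$out.Append('\2a') }
            '('  { [void]$out.Append('\28') }
            ')'  { [void]$out.Append('\29') }
            "`0" { [void]$out.Append('\00') }
            default { [void]$out.Append($ch) }
        }
    }
    $out.ToString()
}

function Get-TrustedDomainGroupMembership {
    param(
        [Parameter(Mandatory)][string]$Identity,       # sAMAccountName in the local domain
        [Parameter(Mandatory)][string]$TrustedServer,  # e.g. 'wwg00m.rootdom.net'
        [switch]$Recursive                             # include groups reached through nesting
    )
    # 1. Resolve the user locally; the SID is the only thing the other forest knows about it.
    $user = Get-ADUser -Identity $Identity
    $sid  = $user.SID.Value
    # 2. In the trusted forest the user exists only as a foreignSecurityPrincipal whose
    #    objectSid is that SID, so look it up by SID rather than by name.
    $fsp = Get-ADObject -Server $TrustedServer `
        -LDAPFilter "(&(objectClass=foreignSecurityPrincipal)(objectSid=$sid))"
    if (-not $fsp) { throw "No foreignSecurityPrincipal for $sid on $TrustedServer" }
    # 3. Groups whose member attribute holds the FSP's DN. With -Recursive the matching rule
    #    1.2.840.113556.1.4.1941 makes the DC expand nested membership server-side.
    $dn   = ConvertTo-LdapFilterValue $fsp.DistinguishedName
    $attr = if ($Recursive) { 'member:1.2.840.113556.1.4.1941:' } else { 'member' }
    Get-ADGroup -Server $TrustedServer -LDAPFilter "($attr=$dn)" | ForEach-Object {
        [pscustomobject]@{
            GroupName = $_.Name
            GroupDN   = $_.DistinguishedName
            UserName  = $user.SamAccountName
            UserSID   = $sid
        }
    }
}

# Get-TrustedDomainGroupMembership -Identity 'jdoe' -TrustedServer 'wwg00m.rootdom.net' -Recursive
```

Without -Recursive the query returns only direct memberships, which is what the answer's `(member=$dn)` filter does too; the in-chain rule is the usual way to get the nested ones in a single server-side query.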