Forum Discussion
Get Privileged User Accounts and then associate those names to their AD Groups.... ???
Hello,
I have a Windows 2016 Domain and, for an audit, I need to display users who have elevated permissions and the group(s) they belong to. This includes service accounts.
This is getting close but doesn't enumerate the users' groups:
Get-ADObject -LDAPFilter "(adminCount=1)"
This works for finding a user's group memberships but will take me a LONG time of cut-n-paste of the group memberships, I'm afraid:
Get-ADPrincipalGroupMembership
If anyone could help me with a formula I would be really thankful...
Scott in AZ
- LainRobertson (Silver Contributor)
Hi, Scott.
Using "adminCount = 1" is unreliable since the SDProp process sets this value when someone is added to a privileged group (directly or indirectly) but it does not clear it again if the person is later removed.
Using adminCount will only result in your audit becoming less trustworthy over time.
The only way to accurately perform this kind of audit is to enumerate the transitive memberships of the groups you're interested in, and after that do other follow-on tasks such as looking up the users and their group memberships.
Cheers,
Lain
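As an added illustration of the approach Lain describes (not code from the thread or from either poster), the script below enumerates the transitive members of a set of privileged groups with Get-ADGroupMember -Recursive, records which privileged group each user or group managed service account reaches, looks up each account's direct memberships with Get-ADPrincipalGroupMembership, and finally cross-checks the result against adminCount=1 to surface stale flags. The group list, the objectClass filter and the output path are assumptions to adjust for your domain.

```powershell
# Added example: audit transitive members of privileged AD groups.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Assumed starting list of well-known privileged groups; extend it to match
# the groups you actually care about (delegated admin groups, tier-0 groups, etc.).
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
)

# Keyed by distinguishedName so an account reached through several groups appears once.
$Results = @{}

foreach ($GroupName in $PrivilegedGroups) {
    $Group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
    if (-not $Group) { Write-Warning "Group '$GroupName' not found; skipping."; continue }

    # -Recursive walks nested groups, so indirect members are included.
    # Only user objects and group managed service accounts are kept; computer
    # accounts and foreignSecurityPrincipal entries from trusted domains are dropped.
    $Members = Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -in @('user', 'msDS-GroupManagedServiceAccount') }

    foreach ($Member in $Members) {
        if (-not $Results.ContainsKey($Member.distinguishedName)) {
            $Results[$Member.distinguishedName] = [ordered]@{
                SamAccountName   = $Member.SamAccountName
                ObjectClass      = $Member.objectClass
                PrivilegedGroups = [System.Collections.Generic.List[string]]::new()
            }
        }
        $Results[$Member.distinguishedName].PrivilegedGroups.Add($GroupName)
    }
}

# One report row per account: the privileged groups it reaches (directly or via
# nesting) plus its direct group memberships for the auditor's reference.
$Report = foreach ($Dn in $Results.Keys) {
    $Entry  = $Results[$Dn]
    $Direct = (Get-ADPrincipalGroupMembership -Identity $Dn |
               Select-Object -ExpandProperty Name | Sort-Object) -join '; '
    [pscustomobject]@{
        SamAccountName    = $Entry.SamAccountName
        ObjectClass       = $Entry.ObjectClass
        PrivilegedGroups  = ($Entry.PrivilegedGroups | Sort-Object -Unique) -join '; '
        DirectGroups      = $Direct
        DistinguishedName = $Dn
    }
}

# Assumed output path.
$Report | Sort-Object SamAccountName | Export-Csv -Path .\PrivilegedAccounts.csv -NoTypeInformation
$Report | Format-Table SamAccountName, ObjectClass, PrivilegedGroups -AutoSize

# Cross-check: accounts still carrying adminCount=1 that no longer reach any of the
# groups above. SDProp sets the flag but never clears it, so these are candidates for
# review (stale flags, or membership in a privileged group missing from the list).
$Stale = Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectCategory=person)(objectClass=msDS-GroupManagedServiceAccount)))' |
    Where-Object { -not $Results.ContainsKey($_.DistinguishedName) }
if ($Stale) {
    Write-Host "Accounts with adminCount=1 but no current privileged group membership:"
    $Stale | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize
}
```

Two practical notes: Get-ADGroupMember -Recursive returns only objects the local domain can resolve, so members that are foreign security principals from a trusted domain show up as objectClass foreignSecurityPrincipal and are filtered out here; widen the filter if cross-domain admins matter for the audit. Also, the group names above are the default English names; if your domain was built with a localized OS, look the groups up by well-known RID (for example 512 for Domain Admins) instead of by name.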
- Scott_AZ (Copper Contributor)
Hi Lain,
I actually don't have the Group Names. I need to know elevated privilege accounts and then associate those users to groups.... I'm not a PowerShell expert so I am not sure what the string would look like. Would you be so kind as to let me know? I much appreciated your previous answer.
Scott
- LainRobertson (Silver Contributor)
Hi, Scott.
The privileged groups can be found listed here:
Have you started writing your script, or are you looking for someone in here to write it for you?
Cheers,
Lain