Forum Discussion
Get Privileged User Accounts and then associate those names to their AD Groups.... ???
Hi, Scott.
Using "adminCount = 1" is unreliable since the SDProp process sets this value when someone is added to a privileged group (directly or indirectly) but it does not clear it again if the person is later removed.
Using adminCount will only result in your audit becoming less trustworthy over time.
The only way to accurately perform this kind of audit is to enumerate the transitive memberships of the groups you're interested in, and after that do other follow-on tasks such as looking up the users and their group memberships.
Cheers,
Lain
- Scott_AZ, Sep 02, 2023, Copper Contributor
Hi Lain,
I actually don't have the Group Names. I need to know elevated privilege accounts and then associate those users to groups.... I'm not a PowerShell expert so I am not sure what the string would look like. Would you be so kind as to let me know? I much appreciated your previous answer.
Scott
- LainRobertson, Sep 03, 2023, Silver Contributor
Hi, Scott.
The privileged groups can be found listed here:
Have you started writing your script, or are you looking for someone in here to write it for you?
Cheers,
Lain
- Scott_AZ, Sep 03, 2023, Copper Contributor
Hello Lain,
First, thank you for your reply. Although I do know a fairly easy way to find the groups a user belongs to, shown in the script below (though there is a slight hiccup with two-word service accounts), and it does suit my needs. However..... if I could pull everything together in a script (Privileged Accounts and the accounts' group memberships in CSV format....) that would be perfect.
So that is where I am lost right now and yes, I could use help with writing the script.
Scott
PS -- I found the following script that gives me the memberships of a given user:

# Load the .NET AccountManagement API (no RSAT module required)
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$username = Read-Host -Prompt "Enter a username"
# Resolve the user against the current domain
$ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ct, $username)
# GetGroups() returns only the user's direct group memberships
$groups = $user.GetGroups()
foreach ($i in $groups) { $i.SamAccountName }
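Putting Lain's approach (enumerate the transitive members of each privileged group, then look up each user's memberships) together with the CSV output Scott asks for, as an added example that is not code from either poster. It assumes the RSAT ActiveDirectory module and a domain-joined session; the group list and the output path are constructed placeholders to adjust for your environment.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and a
# domain-joined session. $PrivilegedGroups and $OutputPath are constructed
# placeholders; extend the list with the groups you care about.
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
)
$OutputPath = 'C:\Temp\PrivilegedAccounts.csv'   # assumed output location

$results = foreach ($groupName in $PrivilegedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $group) { Write-Warning "Group not found: $groupName"; continue }

    # -Recursive walks nested groups, so indirectly privileged users are
    # included. This is the transitive enumeration adminCount cannot replace.
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($member in $members) {
        $user = Get-ADUser -Identity $member.distinguishedName -Properties Enabled, adminCount

        # Follow-on lookup: every group this user is a direct member of,
        # joined with ';' so the CSV stays one row per user/privileged-group pair.
        $allGroups = (Get-ADPrincipalGroupMembership -Identity $user |
            Sort-Object Name | Select-Object -ExpandProperty Name) -join ';'

        [pscustomobject]@{
            PrivilegedGroup = $group.Name
            SamAccountName  = $user.SamAccountName
            Name            = $user.Name
            Enabled         = $user.Enabled
            # Reported for comparison only: SDProp sets it but never clears it,
            # so it may be 1 for users no longer in any privileged group.
            AdminCount      = $user.adminCount
            AllGroups       = $allGroups
        }
    }
}

$results | Sort-Object SamAccountName, PrivilegedGroup |
    Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $(@($results).Count) rows to $OutputPath"
```

Get-ADGroupMember goes through AD Web Services, whose default MaxGroupOrMemberEntries limit of 5000 makes it fail on very large groups, so for those fall back to reading the group's member attribute directly.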