Once in a while someone at your company asks you whether you can deliver a list of users who are members of administration groups within your Active Directory environment. We want to restrict admin access to a minimum, so it's good to know who the lucky ones are and who have slipped through. 😉
All our admin accounts have a number set as prefix, so they are relatively easy to search for. With this script we use the SamAccountName attribute to search for user logon names that start or end with a number/letter; then, for every user found, it processes the group membership and outputs this to a CSV file with some extra attributes you might need. See the Quest documentation for all possibilities.
This script is a combination of PowerShell and the Quest ActiveRoles Management Shell for Active Directory. The ActiveRoles add-on is used to query Active Directory; PowerShell is used to combine the user and group search, add the attributes and export it to a CSV.
Here is the link to the Quest admin guide and here is the link for the freeware PowerShell commands for Active Directory.
```powershell
# Load the Quest ActiveRoles snap-in if it is not loaded yet
if (! (Get-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement
}

$objects  = @()
$datetime = Get-Date -UFormat "%m-%d-%Y-%H_%M"

# Find the admin accounts by their logon-name prefix/suffix, e.g. *1000
$Admin_Users = Get-QADUser -Service your_domain_name -SamAccountName "prefix, eg *1000" -SizeLimit 0

foreach ($user in $Admin_Users) {
    $groups = $user.memberof                 # distinguished names of the user's groups
    foreach ($group in $groups) {
        $obj = New-Object PSObject
        $obj | Add-Member NoteProperty "username"           "$($user.SamAccountName)"
        $obj | Add-Member NoteProperty "AccountIsDisabled"  "$($user.AccountIsDisabled)"
        $obj | Add-Member NoteProperty "AccountIsLockedOut" "$($user.AccountIsLockedOut)"
        $obj | Add-Member NoteProperty "AccountIsExpired"   "$($user.AccountIsExpired)"
        # Resolve the group DN to get its name and description
        $group = Get-QADObject "$group" -Service your_domain_name -SizeLimit 0
        $obj | Add-Member NoteProperty "group"       "$($group.name)"
        $obj | Add-Member NoteProperty "description" "$($group.description)"
        $obj | Add-Member NoteProperty "Afdeling"    "$($user.department)"
        $obj | Add-Member NoteProperty "Office"      "$($user.physicalDeliveryOfficeName)"
        $objects += $obj
        $obj                                 # echo the row to the console as progress
        $obj   = ""
        $group = ""
    }
}

# The backslashes in the output path were lost when the post was published; adjust the folder to your own
$objects | Export-Csv -Delimiter ";" -NoTypeInformation "C:\Export\$datetime.csv"
```
Note that a user with an empty memberof produces no row at all, and that the memberof attribute does not include the primary group (normally Domain Users).
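The script above trusts the naming convention, so an admin account that was created without the prefix never shows up in the export. As an added example that is not part of the original post, here is the check from the other direction: enumerate the privileged groups themselves (nested membership included) and flag every member that does not follow the convention. It uses the Microsoft ActiveDirectory module (RSAT) instead of the Quest snap-in; the pattern '*1000', the group list and the folder C:\Export are assumptions to adapt to your environment.

```powershell
# Reverse check: who is actually in the admin groups, and do they follow the naming rule?
# Assumptions: RSAT ActiveDirectory module installed, admin accounts match '*1000', C:\Export exists.
Import-Module ActiveDirectory

$adminPattern = '*1000'                                   # placeholder naming convention
$privGroups   = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                'Administrators', 'Account Operators'     # adjust to the groups you care about
$datetime     = Get-Date -UFormat '%m-%d-%Y-%H_%M'
$outFile      = "C:\Export\PrivilegedMembers-$datetime.csv"

$rows = foreach ($groupName in $privGroups) {
    $group = Get-ADGroup -Identity $groupName -Properties Description
    # -Recursive expands nested groups, so indirect members are listed as well
    foreach ($m in (Get-ADGroupMember -Identity $group -Recursive)) {
        if ($m.objectClass -ne 'user') {
            # a computer or other principal in an admin group deserves a row too
            [pscustomobject]@{
                username = $m.SamAccountName; objectClass = $m.objectClass
                group = $group.Name; description = $group.Description
                AccountIsDisabled = $null; AccountIsLockedOut = $null; AccountIsExpired = $null
                Afdeling = $null; Office = $null; FollowsNamingConvention = $false
            }
            continue
        }
        $u = Get-ADUser -Identity $m.DistinguishedName `
             -Properties Enabled, LockedOut, AccountExpirationDate, Department, Office
        [pscustomobject]@{
            username           = $u.SamAccountName
            objectClass        = 'user'
            group              = $group.Name
            description        = $group.Description
            AccountIsDisabled  = -not $u.Enabled
            AccountIsLockedOut = $u.LockedOut
            AccountIsExpired   = ($null -ne $u.AccountExpirationDate) -and ($u.AccountExpirationDate -lt (Get-Date))
            Afdeling           = $u.Department
            Office             = $u.Office
            # admin rights without the prefix: these are the ones that slipped through
            FollowsNamingConvention = $u.SamAccountName -like $adminPattern
        }
    }
}

$rows | Export-Csv -Path $outFile -Delimiter ';' -NoTypeInformation -Encoding UTF8
# Quick console view of the exceptions
$rows | Where-Object { -not $_.FollowsNamingConvention } |
    Format-Table username, objectClass, group -AutoSize
```

Running both scripts gives you the two halves of the picture: which groups your known admin accounts sit in, and which accounts sit in the admin groups without being known.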
If you have any questions, feel free to post a comment!