Membership Has Its Privileges
It's getting harder and harder to track who belongs to what group. Mr. Roboto's Group Auditor can help make membership management easier.
- By Jeffery Hicks
Keeping track of group membership wasn't especially difficult in the old days.
Groups were relatively simple. Windows NT didn't even allow for nested groups.
These days, we have a greater task with group management in Active Directory.
Knowing who belongs to a particular group is extremely important, especially
when it's a security-sensitive group like Domain Administrators or the local
Administrators group on a critical server.
I've come up with a simple graphical tool that will help you get a handle on
the reach of any group's membership. Like most of Mr. Roboto's tricks, the Group
Auditor is an HTML Application (HTA). It uses ADSI to query local computer groups
and AD groups, including nested groups.
After you launch the HTA, select either Local Computer or Active Directory
from the drop-down list. If you select Local Computer, the selection field will
be automatically populated with the local computer name. However, you can always
enter the name of any computer for which you have administrative credentials.
Click the Get Groups button and the Group Auditor will query the computer and
return a list of all local groups. Select a group and click Get Members. After
a moment, you'll see a list of all members. The list uses the ADSI path of each
member so you can easily differentiate between a local user account or group
and a domain user account or group.
Getting group information for an AD group is just as easy. Select Active Directory
from the drop-down list. The distinguished name of your AD domain will be pre-populated
in the list. Assuming you have adequate credentials, you can then edit this
field to find groups in a specific organizational unit, container or another
By default, the Group Auditor will only search for groups in the root of the
specified AD container. However, you can check the Recurse box if you want to
search for groups in all child containers as well. Use this feature with caution
if you have a large number of groups or child containers to search. By default,
it will return all selected groups, but you can opt to return only security-enabled
groups or distribution groups.
The query will populate the selection drop-down of discovered groups. You'll
have several options with AD groups. First, you can return a simple list of
all immediate group members. If you use nested groups, you can also instruct
the Group Auditor to expand group membership to cover any nested groups. This
will give you a more accurate representation of who belongs to a group.
The last option is to force user expansion by the primary group. Here's where
this may be important. If you select Domain Users, you probably won't get any
members. When you choose the Force Expansion option, the Group Auditor searches
for every user account whose primary group ID matches the primary group token
of the selected group. Use this one with caution as well.
Roboto's Group Auditor at: www.jdhitsolutions.com/scripts.
Extract the .ZIP file to any directory you want and add a
shortcut to the HTA to your desktop or start menu.
What Windows admin task would you like Mr. Roboto to automate
next? Send your suggestions to email@example.com.
Unless you've modified a user's primary group, you shouldn't need to worry about
this. If you check Domain Users and actually do see someone listed, you'll know
that user account has been modified. If you check the account's primary group,
however, you won't see the user listed when you query that group.
The group membership query will also return additional information about the
group, such as the group description, its manager, its e-mail address, when
it was created and when it was last modified. Once you've queried for a list
of group members, you can print a report that will include the group name, details
and membership. You can also query another group.
Now you have a tool to easily check group membership. If this is something
you're trying to bring under control, I'd recommend you start with mission-critical
and sensitive groups to ensure that they're appropriately populated. As those
American Express ads say, "Membership has its privileges."
Jeffery Hicks is a Microsoft MVP in Windows PowerShell, Microsoft Certified Trainer and an IT veteran with over 20 years of experience, much of it spent as an IT consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He works today as an independent author, trainer and consultant. Jeff writes the popular Prof. PowerShell column for MPCMag.com and is a regular contributor to the Petri IT Knowledgebase and 4SysOps. If he isn't writing, then he's most likely recording training videos for companies like TrainSignal or hanging out in the forums at PowerShell.org.
Jeff's latest books are Learn PowerShell 3 in a Month of Lunches, Learn PowerShell Toolmaking in a Month of Lunches and PowerShell in Depth: An Administrators Guide.
You can keep up with Jeff at his blog http://jdhitsolutions.com/blog, on Twitter at twitter.com/jeffhicks and on Google Plus (http:/gplus.to/JeffHicks)