Merged Active-Directory repo into Active-Directory folder.
Showing
51 changed files
with
10,561 additions
and
0 deletions.
@@ -0,0 +1,48 @@ | ||
# ============================================================ | ||
# Script Information | ||
# | ||
# Title: Obsolete AD Group Archiver | ||
# Author: Sam Erde | ||
# | ||
# Created: 11/04/2014 | ||
# Description: Read a list of obsolete groups from a text file, export the members to a separate text file for each group, | ||
# and then empty the obsolete groups. They can be deleted after a week or two to prove they are no longer used. | ||
# The empty groups are also moved to the "Obsolete Groups" OU. | ||
# | ||
# DO NOT RUN TWICE ON THE SAME FILE OR THE ARCHIVE WILL BE OVERWRITTEN! | ||
# | ||
# To Do: | ||
# Add error handling | ||
# Prompt for a job name at each run so their is a separate archive folder for each job to help prevent an archive from being overwritten. | ||
# Add handling of group names to it can discover DNs if needed. This may require a specific format within the input file, such as group DNs there. | ||
# | ||
# ============================================================ | ||
|
||
#Import the Active Directory module so we can work with AD groups. | ||
Import-Module ActiveDirectory | ||
|
||
#Set the Active Directory server name that will be used. Using a serverless domain name here may also work. | ||
$Domain = "" | ||
|
||
#Read in the CSV or text file of group names. | ||
$File = Get-Content -Path C:\Scripts\ObsoleteGroups\ObsoleteGroups.csv | ||
|
||
#Loop through each line of the text file and run the following commands for each line: | ||
Foreach ($Group in $File) | ||
{ | ||
#Get the members of each group (recursively in case groups are nested) in the specified domain or domain controller. | ||
#Select the name of each member within the group and then write each name to a CSV file. Each CSV file is named with the name of each security group. | ||
Get-ADGroupMember -Server $Domain -Identity $Group -Recursive | Export-Csv -Path "C:\Scripts\ObsoleteGroups\Archive\$group.csv" -NoTypeInformation | ||
|
||
<# * * * * * * * * * * | ||
This section will require special customization until we further develop the script to pull the full group DN. | ||
In the interest of time today, I have hard coded some of the information. | ||
* * * * * * * * * * | ||
/#> | ||
.\Remove-AllGroupMembers.ps1 -group "CN=$Group" -ou "OU=" -domain "DC=" | ||
Move-ADObject -Server $Domain -Identity "CN=ps,DC=" -TargetPath "" | ||
} | ||
|
||
#Copy and rename the CSV file with a timestamp to keep as a record of run history. | ||
$timeStamp = Get-Date -Format 'yyyy-MM-dd hh-m-ss' | ||
Copy-Item -Path C:\Scripts\ObsoleteGroups\ObsoleteGroups.csv -Destination "C:\Scripts\ObsoleteGroups\Run History\ObsoleteGroups $timeStamp.csv" |
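Review bot: The group is emptied by the `.\Remove-AllGroupMembers.ps1` call regardless of whether the membership export on the `Get-ADGroupMember ... | Export-Csv` line succeeded, so a failed read (for example while `$Domain` is still `""`, or a name the cmdlet cannot resolve) leaves no archive and a group that has already lost its members. Read the members into a variable first and skip the group on error: `try { $Members = Get-ADGroupMember -Server $Domain -Identity $Group -Recursive -ErrorAction Stop } catch { Write-Warning "Skipping $Group, members could not be read: $_"; continue }`, then pipe `$Members` to `Export-Csv` and only afterwards run the removal. The `Move-ADObject` line moves the fixed object `"CN=ps,DC="` to an empty `-TargetPath` on every iteration rather than the current `$Group`, so that line needs the same DN handling the To Do list already mentions. The timestamp format `'yyyy-MM-dd hh-m-ss'` uses a 12-hour clock with no AM/PM marker, so two runs twelve hours apart produce the same Run History filename and the second overwrites the first; `'yyyy-MM-dd HH-mm-ss'` avoids that.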
@@ -0,0 +1,3 @@ | ||
# This is ancient. I need to rewrite this, wherever it came from! | ||
Import-Module ActiveDirectory | ||
Get-AdGroupMember "SourceGroupA-sAMAccountName" | %{Add-ADGroupMember -Identity "DestinationGroupB-sAMAccountName" -Members $_} |
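Review bot: The `%{ ... }` on the last line issues one `Add-ADGroupMember` call per member, each a separate directory write; passing the whole collection once is faster and shows up as a single membership change in the audit log: `Add-ADGroupMember -Identity "DestinationGroupB-sAMAccountName" -Members (Get-ADGroupMember "SourceGroupA-sAMAccountName")`. As written (no `-Recursive`), nested groups are added to the destination as group objects rather than expanded, which is worth stating in the comment if that is the intent.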
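--- a/Active Directory/AD Groups/Get Foreign Security Principals in Groups.ps1
+++ b/Active Directory/AD Groups/Get Foreign Security Principals in Groups.ps1
@@ -0,0 +1,6 @@
+# List all foreign security principals in Active Directory that are a member of any group
+$FSPContainer = $Domain.ForeignSecurityPrincipalsContainer
+Get-ADObject -Filter 'ObjectClass -eq "foreignSecurityPrincipal"' -Properties 'msds-principalname','memberof' -SearchBase $FSPContainer -Server $GlobalCatalog |
+Where-Object { $_.memberof -ne $null } | ForEach-Object {
+$AllForeignSecurityPrincipalMembers.Add($_)
+}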
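Review bot: `$Domain`, `$GlobalCatalog` and `$AllForeignSecurityPrincipalMembers` are read on the `$FSPContainer`, `Get-ADObject` and `.Add()` lines but nothing in the file assigns them, so run on its own the script passes a null `-SearchBase` and `-Server` and then fails calling `.Add()` on a null variable. Either state in the header comment that these are supplied by a calling script, or initialise them at the top, e.g. `$Domain = Get-ADDomain` and `$AllForeignSecurityPrincipalMembers = New-Object System.Collections.Generic.List[System.Object]`, as the sibling Get-GroupFspMembers function in this commit does. The filter `$_.memberof -ne $null` works only because `-ne` applied to a collection returns the non-null elements (an empty result is falsy); `$_.memberof.Count -gt 0` states the intent directly.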
@@ -0,0 +1,2 @@ | ||
Import-Module ActiveDirectory | ||
Get-ADGroup -Filter {GroupCategory -eq 'Security'} | Where-Object {@(Get-ADGroupMember $_).Length -eq 0} |
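Review bot: `Get-ADGroupMember $_` inside the `Where-Object` block is a separate directory query for every security group, and that cmdlet is known to throw rather than return members once a group exceeds the web-service member limit, so the scan can abort part way through on a large domain. Reading the `member` attribute in the same query avoids both the per-group round trip and the failure: `Get-ADGroup -Filter {GroupCategory -eq 'Security'} -Properties Members | Where-Object { $_.Members.Count -eq 0 }`. The caveat, worth a comment either way, is that `member` does not reflect users whose primaryGroupID points at the group (Domain Users, Domain Computers), which `Get-ADGroupMember` does report, so those built-ins would appear empty and need to be excluded explicitly.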
@@ -0,0 +1,31 @@ | ||
function Get-GroupFspMembers { | ||
<# | ||
.SYNOPSIS | ||
Check Active Directory groups for members that are foreign security principals from other domains or forests. | ||
#> | ||
#Requires -Modules 'ActiveDirectory' | ||
|
||
Import-Module ActiveDirectory | ||
$Domain = Get-ADDomain -Current LocalComputer | ||
$DomainSID = $Domain.DomainSID.Value | ||
# Using a global catalog may be required for some queries to be comprehensive, but need to update to | ||
# handle child domains that do not have a global catalog. | ||
# [string]$DomainController = (Get-ADDomainController -DomainName $Domain.DnsRoot -Discover).HostName | ||
|
||
# Get all groups that are capable of containing foreign security principals. Ignore empty groups and global groups, which cannot contain members from other domains or forests. | ||
$Groups = Get-ADGroup -Properties members, Description -Filter 'GroupCategory -eq "Security" -and (GroupScope -eq "Universal" -or GroupScope -eq "DomainLocal") -and Members -like "*"' | ||
|
||
$GroupsWithForeignMembers = New-Object System.Collections.Generic.List[System.Object] | ||
|
||
foreach ($group in $Groups) { | ||
$FspMembers = $group.members | Where-Object { $_ -like "CN=S-1-*" -and $_ -notlike "$DomainSID*" } | ||
if ($FspMembers.count -ne 0) { | ||
$tempgroup = New-Object -TypeName PSObject | ||
$tempgroup | Add-Member -MemberType NoteProperty -Name 'GroupDN' -Value $group.distinguishedName | ||
$tempgroup | Add-Member -MemberType NoteProperty -Name 'Description' -Value $group.Description | ||
$tempgroup | Add-Member -MemberType NoteProperty -Name 'FspMembers' -Value ($FspMembers -join (', ')) | ||
$GroupsWithForeignMembers.Add($tempgroup) | ||
} | ||
} | ||
$GroupsWithForeignMembers | ||
} |
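Review bot: The exclusion `$_ -notlike "$DomainSID*"` on the `$FspMembers` line can never match: the same clause requires each DN to begin with `CN=S-1-`, while `$DomainSID` begins with `S-1-`, so members carrying the local domain's SID are never filtered out as intended. Use `$_ -notlike "CN=$DomainSID-*"` (the trailing `-` keeps a longer SID that merely shares the prefix from being excluded). Separately, `#Requires -Modules 'ActiveDirectory'` sits inside the function body, where PowerShell treats it as an ordinary comment; it only takes effect as a top-level line of the script file, so move it above `function Get-GroupFspMembers {` or rely on the `Import-Module` call that follows.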