@@ -3217,155 +3217,156 @@ function Get-NetGroup {
3217
3217
# otherwise try to connect to the DC for the target domain
3218
3218
$GroupSearcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI ]" LDAP://$dn " )
3219
3219
}
3220
- # samAccountType=805306368 indicates user objects
3221
- $GroupSearcher.filter = " (&(objectClass=group)(name=$GroupName ))"
3220
+
3221
+ if ($Recurse ) {
3222
+ $GroupDN = (Get-NetGroups - GroupName $GroupName - Domain $Domain - FullData).distinguishedname
3223
+ if ($GroupDN ) {
3224
+ $GroupSearcher.filter = " (&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=$GroupDN ))"
3225
+ $GroupSearcher.PropertiesToLoad.AddRange ((' distinguishedName' , ' samaccounttype' , ' lastlogon' , ' lastlogontimestamp' , ' dscorepropagationdata' , ' objectsid' , ' whencreated' , ' badpasswordtime' , ' accountexpires' , ' iscriticalsystemobject' , ' name' , ' usnchanged' , ' objectcategory' , ' description' , ' codepage' , ' instancetype' , ' countrycode' , ' distinguishedname' , ' cn' , ' admincount' , ' logonhours' , ' objectclass' , ' logoncount' , ' usncreated' , ' useraccountcontrol' , ' objectguid' , ' primarygroupid' , ' lastlogoff' , ' samaccountname' , ' badpwdcount' , ' whenchanged' , ' memberof' , ' pwdlastset' , ' adspath' ))
3226
+ } else {
3227
+ Write-Error " Unable to find GroupName"
3228
+ }
3229
+ } else {
3230
+ $GroupSearcher.filter = " (&(objectClass=group)(name=$GroupName ))"
3231
+ }
3222
3232
}
3223
3233
catch {
3224
3234
Write-Warning " The specified domain $Domain does not exist, could not be contacted, or there isn't an existing trust."
3225
3235
}
3226
- }
3227
- else {
3228
- $Domain = (Get-NetDomain ).Name
3236
+ } else {
3237
+ $Domain = (Get-NetDomain ).Name
3229
3238
3230
- # otherwise, use the current domain
3239
+ if ($Recurse ) {
3240
+ $GroupDN = (Get-NetGroups - GroupName $GroupName - Domain $Domain - FullData).distinguishedname
3241
+ if ($GroupDN ) {
3242
+ $GroupSearcher = [adsisearcher ]" (&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=$GroupDN ))"
3243
+ $GroupSearcher.PropertiesToLoad.AddRange ((' distinguishedName' , ' samaccounttype' , ' lastlogon' , ' lastlogontimestamp' , ' dscorepropagationdata' , ' objectsid' , ' whencreated' , ' badpasswordtime' , ' accountexpires' , ' iscriticalsystemobject' , ' name' , ' usnchanged' , ' objectcategory' , ' description' , ' codepage' , ' instancetype' , ' countrycode' , ' distinguishedname' , ' cn' , ' admincount' , ' logonhours' , ' objectclass' , ' logoncount' , ' usncreated' , ' useraccountcontrol' , ' objectguid' , ' primarygroupid' , ' lastlogoff' , ' samaccountname' , ' badpwdcount' , ' whenchanged' , ' memberof' , ' pwdlastset' , ' adspath' ))
3244
+ } else {
3245
+ Write-Error " Unable to find GroupName"
3246
+ }
3247
+ } else {
3231
3248
$GroupSearcher = [adsisearcher ]" (&(objectClass=group)(name=$GroupName ))"
3249
+ }
3232
3250
}
3251
+ if ($GroupSearcher ) {
3233
3252
3234
- if ($GroupSearcher ){
3235
- $GroupSearcher.PageSize = 200
3253
+ $GroupSearcher.PageSize = 200
3254
+
3255
+ if ($Recurse ) {
3256
+ $members = $GroupSearcher.FindAll ()
3257
+ $GroupFoundName = $GroupName
3258
+ } else {
3236
3259
$GroupSearcher.FindAll () | % {
3237
- try {
3238
- if (! ($_ ) -or ! ($_.properties ) -or ! ($_.properties.name )) { continue }
3239
-
3240
- $GroupFoundName = $_.properties.name [0 ]
3241
- $members = @ ()
3242
-
3243
- if ($_.properties.member.Count -eq 0 ) {
3244
- $finished = $false
3245
- $bottom = 0
3246
- $top = 0
3247
- while (! $finished ) {
3248
- $top = $bottom + 1499
3249
- $memberRange = " member;range=$bottom -$top "
3250
- $bottom += 1500
3251
- $GroupSearcher.PropertiesToLoad.Clear ()
3252
- [void ]$GroupSearcher.PropertiesToLoad.Add (" $memberRange " )
3253
- try {
3254
- $result = $GroupSearcher.FindOne ()
3255
- if ($result ) {
3256
- $rangedProperty = $_.Properties.PropertyNames -like " member;range=*"
3257
- $results = $_.Properties.item ($rangedProperty )
3258
- if ($results.count -eq 0 ) {
3259
- $finished = $true
3260
- } else {
3261
- $results | % {
3262
- $members += $_
3263
- }
3264
- }
3265
- } else {
3260
+ try {
3261
+ if (! ($_ ) -or ! ($_.properties ) -or ! ($_.properties.name )) { continue }
3262
+
3263
+ $GroupFoundName = $_.properties.name [0 ]
3264
+ $members = @ ()
3265
+
3266
+ if ($_.properties.member.Count -eq 0 ) {
3267
+ $finished = $false
3268
+ $bottom = 0
3269
+ $top = 0
3270
+ while (! $finished ) {
3271
+ $top = $bottom + 1499
3272
+ $memberRange = " member;range=$bottom -$top "
3273
+ $bottom += 1500
3274
+ $GroupSearcher.PropertiesToLoad.Clear ()
3275
+ [void ]$GroupSearcher.PropertiesToLoad.Add (" $memberRange " )
3276
+ try {
3277
+ $result = $GroupSearcher.FindOne ()
3278
+ if ($result ) {
3279
+ $rangedProperty = $_.Properties.PropertyNames -like " member;range=*"
3280
+ $results = $_.Properties.item ($rangedProperty )
3281
+ if ($results.count -eq 0 ) {
3266
3282
$finished = $true
3283
+ } else {
3284
+ $results | % {
3285
+ $members += $_
3267
3286
}
3268
- } catch [System.Management.Automation.MethodInvocationException ] {
3269
- $finished = $true
3270
3287
}
3288
+ } else {
3289
+ $finished = $true
3271
3290
}
3272
- } else {
3273
- $members = $_ .properties.member
3291
+ } catch [ System.Management.Automation.MethodInvocationException ] {
3292
+ $finished = $true
3274
3293
}
3294
+ }
3295
+ } else {
3296
+ $members = $_.properties.member
3297
+ }
3298
+ } catch {
3299
+ write-verbose $_
3300
+ }
3301
+ }
3302
+ }
3275
3303
3276
- $members | ForEach-Object {
3277
- # for each user/member, do a quick adsi object grab
3278
- if ($PrimaryDC ){
3279
- $properties = ([adsi ]" LDAP://$PrimaryDC /$_ " ).Properties
3280
- }
3281
- else {
3282
- $properties = ([adsi ]" LDAP://$_ " ).Properties
3283
- }
3284
-
3285
- # check if the result is a user account- if not assume it's a group
3286
- if ($properties.samAccountType -ne " 805306368" ){
3287
- $isGroup = $True
3288
- }
3289
- else {
3290
- $isGroup = $False
3291
- }
3292
-
3293
- $out = New-Object psobject
3294
- $out | add-member Noteproperty ' GroupDomain' $Domain
3295
- $out | Add-Member Noteproperty ' GroupName' $GroupFoundName
3296
-
3297
- if ($FullData ){
3298
- $properties.PropertyNames | % {
3299
- # TODO: errors on cross-domain users?
3300
- if ($_ -eq " objectsid" ){
3301
- # convert the SID to a string
3302
- $out | Add-Member Noteproperty $_ ((New-Object System.Security.Principal.SecurityIdentifier($properties [$_ ][0 ], 0 )).Value)
3303
- }
3304
- elseif ($_ -eq " objectguid" ){
3305
- # convert the GUID to a string
3306
- $out | Add-Member Noteproperty $_ (New-Object Guid (, $properties [$_ ][0 ])).Guid
3307
- }
3308
- else {
3309
- if ($properties [$_ ].count -eq 1 ) {
3310
- $out | Add-Member Noteproperty $_ $properties [$_ ][0 ]
3311
- }
3312
- else {
3313
- $out | Add-Member Noteproperty $_ $properties [$_ ]
3314
- }
3315
- }
3316
- }
3317
- }
3318
- else {
3319
- $MemberDN = $properties.distinguishedName [0 ]
3320
- # extract the FQDN from the Distinguished Name
3321
- $MemberDomain = $MemberDN.subString ($MemberDN.IndexOf (" DC=" )) -replace ' DC=' , ' ' -replace ' ,' , ' .'
3322
-
3323
- if ($properties.samAccountType -ne " 805306368" ){
3324
- $isGroup = $True
3325
- }
3326
- else {
3327
- $isGroup = $False
3328
- }
3304
+ $members | ForEach-Object {
3305
+ # for each user/member, do a quick adsi object grab
3306
+ if ($Recurse ) {
3307
+ $properties = $_.Properties
3308
+ } else {
3309
+ if ($PrimaryDC ){
3310
+ $properties = ([adsi ]" LDAP://$PrimaryDC /$_ " ).Properties
3311
+ }
3312
+ else {
3313
+ $properties = ([adsi ]" LDAP://$_ " ).Properties
3314
+ }
3315
+ }
3329
3316
3330
- if ($properties.samAccountName ){
3331
- # forest users have the samAccountName set
3332
- $MemberName = $properties.samAccountName [0 ]
3333
- }
3334
- else {
3335
- # external trust users have a SID, so convert it
3336
- try {
3337
- $MemberName = Convert-SidToName $properties.cn [0 ]
3338
- }
3339
- catch {
3340
- # if there's a problem contacting the domain to resolve the SID
3341
- $MemberName = $properties.cn
3342
- }
3343
- }
3344
- $out | add-member Noteproperty ' MemberDomain' $MemberDomain
3345
- $out | add-member Noteproperty ' MemberName' $MemberName
3346
- $out | add-member Noteproperty ' IsGroup' $IsGroup
3347
- $out | add-member Noteproperty ' MemberDN' $MemberDN
3348
- }
3317
+ # check if the result is a user account- if not assume it's a group
3318
+ $isGroup = $properties.samaccounttype [0 ] -ne " 805306368"
3349
3319
3350
- $out
3320
+ $out = New-Object psobject
3321
+ $out | add-member Noteproperty ' GroupDomain' $Domain
3322
+ $out | Add-Member Noteproperty ' GroupName' $GroupFoundName
3351
3323
3352
- if ($Recurse ) {
3353
- # if we're recursiving and the returned value isn't a user account, assume it's a group
3354
- if ($IsGroup ){
3355
- if ($FullData ){
3356
- Get-NetGroup - Domain $Domain - PrimaryDC $PrimaryDC - FullData - Recurse - GroupName $properties.SamAccountName [0 ]
3357
- }
3358
- else {
3359
- Get-NetGroup - Domain $Domain - PrimaryDC $PrimaryDC - Recurse - GroupName $properties.SamAccountName [0 ]
3360
- }
3361
- }
3362
- }
3363
- }
3324
+ if ($FullData ){
3325
+ $properties.PropertyNames | % {
3326
+ # TODO: errors on cross-domain users?
3327
+ if ($_ -eq " objectsid" ){
3328
+ # convert the SID to a string
3329
+ $out | Add-Member Noteproperty $_ ((New-Object System.Security.Principal.SecurityIdentifier($properties [$_ ][0 ], 0 )).Value)
3330
+ }
3331
+ elseif ($_ -eq " objectguid" ){
3332
+ # convert the GUID to a string
3333
+ $out | Add-Member Noteproperty $_ (New-Object Guid (, $properties [$_ ][0 ])).Guid
3334
+ }
3335
+ else {
3336
+ if ($properties [$_ ].count -eq 1 ) {
3337
+ $out | Add-Member Noteproperty $_ $properties [$_ ][0 ]
3338
+ }
3339
+ else {
3340
+ $out | Add-Member Noteproperty $_ $properties [$_ ]
3341
+ }
3342
+ }
3343
+ }
3344
+ }
3345
+ else {
3346
+ $MemberDN = $properties.distinguishedname [0 ]
3347
+ # extract the FQDN from the Distinguished Name
3348
+ $MemberDomain = $MemberDN.subString ($MemberDN.IndexOf (" DC=" )) -replace ' DC=' , ' ' -replace ' ,' , ' .'
3349
+ if ($properties.samaccountname ) {
3350
+ # forest users have the samAccountName set
3351
+ $MemberName = $properties.samaccountname [0 ]
3352
+ } else {
3353
+ # external trust users have a SID, so convert it
3354
+ try {
3355
+ $MemberName = Convert-SidToName $properties.cn [0 ]
3364
3356
}
3365
3357
catch {
3366
- write-verbose $_
3358
+ # if there's a problem contacting the domain to resolve the SID
3359
+ $MemberName = $properties.cn
3367
3360
}
3361
+ }
3362
+ $out | add-member Noteproperty ' MemberDomain' $MemberDomain
3363
+ $out | add-member Noteproperty ' MemberName' $MemberName
3364
+ $out | add-member Noteproperty ' IsGroup' $IsGroup
3365
+ $out | add-member Noteproperty ' MemberDN' $MemberDN
3368
3366
}
3367
+
3368
+ $out
3369
+ }
3369
3370
}
3370
3371
}
3371
3372
}
0 commit comments