How to use Get-NTFSACCESS and GET-ADGROUPMEMBER in the same script

Problem - Trying to create a script that searches multiple shares, and pulls access levels for users and group AND expands the first level group. Exporting to a file. For quarterly audits and the like

Using Get-NTFSACCESS, which gets the info I’m looking for. But also trying to output the membership of the group itself.

The first part works great, and I get a stored variable with the groups to look up, but then when i try to transfer that into the get-adgroup or get-adgroupmember command its unrecongized. The name and samaccountname are the same for the groups I’m testing with. It behaves the same if i define a variable directly as below or if i pipe it to a file then recall the file.

What am I missing to make that simple statement work? If i manually type get-adgroup “server administrators” it works as expected, but if i run it in a foreach loop from a variable or from a file it fails.

$groupnames = “Server Administrators”, “Domain Admins”
foreach ($group in $Groupnames){
Get-ADGroup “$groupname” | Select -ExpandProperty $_.SamAccountName}

PS C:\temp> $groupnames
Server Administrators
Domain Admins

I continue to get this error

Get-ADGroup : Cannot find an object with identity: ‘Server Administrators Domain Admins’ under: ‘DC=Domain,DC=com’.
At line:3 char:1

• Get-ADGroup “$groupname” | Select -ExpandProperty $_.SamAccountName}

•   + CategoryInfo          : ObjectNotFound: (Server Administrators Domain Admins:ADGroup) [Get-ADGroup], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup
  
  

Get-ADGroup : Cannot find an object with identity: ‘Server Administrators Domain Admins’ under: ‘DC=DOmain,DC=com’.
At line:3 char:1

• Get-ADGroup “$groupname” | Select -ExpandProperty $_.SamAccountName}

•   + CategoryInfo          : ObjectNotFound: (Server Administrators Domain Admins:ADGroup) [Get-ADGroup], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup

$groupnames = "Server Administrators", "Domain Admins"
foreach ($group in $Groupnames){
Get-ADGroup "$groupname" | Select -ExpandProperty $_.SamAccountName}

Your query is using $groupname, which you’ve not defined. I feel it should be $group, because that’s your enumerator in the ForEach, no?

$groupnames = “Server Administrators”, “Domain Admins”
foreach ($group in $Groupnames){
Get-ADGroup “$groupname” | Select -ExpandProperty $_.SamAccountName}

you use $groupnames for the list of groups; $group as the foreach variable but $groupname in get-adgroup

Also if you look at the help file for Get-ADGroup you’ll see a limited number of choices for identifying the group (the -Identity parameter which you are trying to access positionally)

Distinguished Name
Example: CN=saradavisreports,OU=europe,CN=users,DC=corp,DC=contoso,DC=com
GUID (objectGUID)
Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
Security Identifier (objectSid)
Example: S-1-5-21-3165297888-301567370-576410423-1103
Security Accounts Manager (SAM) Account Name (sAMAccountName)
Example: saradavisreports

You’ll have to rethink how you’re doing this

Sorry that was a typo obviously. That bit of code works fine. Though it doesnt output exactly as I would like, as It combines the data instead of separating it based on group name, but that i can deal with later. That same “logic” doesn’t when I combine with my Get-ntfsaccess code.

$ADgroups = “Server Administrators”, “Domain Admins”
foreach ($group in $ADgroups){
Get-ADGroupmember “$group”}

That works

This doesn’t

$ADgroups = Get-ntfsaccess |select * | where {$.AccountType -eq “Group” -and $.Account -like “Atricure*”} |select @{N=“Groups”; E={$_.Account -replace “Atricure\”,“”}} #| export-csv C:\temp\groups.csv -NoTypeInformation

foreach ($group in $ADgroups){
Get-ADGroupmember “$group”}

Results of the stored variable are

PS C:\temp> $ADgroups
Server Administrators
Domain Admins

The 1st that works

The one that doesn’t

Groups

Domain Admins
Server Administrators

What am I NOT calling for? lol Thanks!

That’s because of this:

select @{N=“Groups”; E={$_.Account -replace “Atricure\”,“”}}

You’re creating an object with a Groups property. Get-ADGroupMember has no interest in that. If you changed:

Get-ADGroupmember “$group”

To:

Get-ADGroupmember “$($group.Groups)”

E.g., so you’re passing a string to Get instead of an object having a Groups property, then it’ll work better, if I’m imagining the code correctly.

Thank you, I actually had tried $group.groups before but I did not include $( ) only $group.groups

Just tried that and it parsed through and I got the results I was expecting. Now I just have to separate them so everything outputs appropriately, but at least I have the data I was looking for now.

Thanks Again!