Powershell exit "if not member" of a domain security group - possible?

Hi guys,

We have a domain with 250 users.

I have written a very simple PS script. The script runs at login (as a Group Policy login script, but it's only aimed at two departments). The script checks for the existence of a "flag file" in a user share; if it doesn't exist, then it copies some files and folders from an "application" share down to the user's local drive, and then creates a flag file in the user's network share.

It all works fine, but the only snag is, it runs for everyone, and if the person doesn't have permission to the network share (not in the right security group), it still runs the script and creates the flag file, but can't copy the files.

Now, although it's not a massive problem, it would be great if the script could do a check as it launches, checking the user's security group membership, to dictate if the script runs or not, something like: IF NOT MEMBER OF "domain\tax" then QUIT else proceed…

Is this easily achievable?

Many thanks for reading.

Not terribly easily, no, but not impossible. You need a command that’s going to be readily accessible on every client computer (which lets out the AD cmdlets, so probably the [ADSI] provider), query the group members, and see if the user is a member of the group or not. Frankly, it’d probably be easier to modify the permissions on the GPO so that only the correct people receive that GPO in the first place.

Either that, or implement some error handling. Catch the DENIED error and quietly move on. See “The Big Book of PowerShell Error Handling” on our ebooks menu.

Could shift this to server side if it’s just for two departments (Depending on how big they are I guess)? Why does it need to be via a logon script each time they logon? If it’s just two departments why not just schedule a script to get a list of all users in the AD group and copy it to their share without the need for a logon event to trigger it?

Don's suggestions will work (and there's plenty of info on the web for more details), but to expand on his suggestion regarding Group Policy, the Group Policy Preferences File Item would be a perfect solution for this. It offers "item level targeting" which you can use to specify filters (e.g. your group membership requirement) for each item. I do this in my environment (files, registry entries, printers, drive mappings, etc.) and GPP has 100% replaced my login scripts.

# Bind to the group with the built-in [ADSI] type accelerator (no AD module needed on the client)
$da = [ADSI]"LDAP://CN=Domain Admins,OU=...,DC=somewhere,DC=com"

# Look up the current user's distinguished name with DirectorySearcher
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]'')
$searcher.Filter = "(&(objectClass=User)(samAccountName=$env:username))"
$result = $searcher.FindOne()
$userdn = [string]$result.GetDirectoryEntry().DistinguishedName

# Three ways to test direct membership; note that 'member' lists direct members only,
# nested group membership is not expanded here
if ($da.member -match $userdn) { }      # regex match: the DN is treated as a pattern
if ($da.member -contains $userdn) { }   # exact string comparison
if ($userdn -in $da.member) { }         # same as -contains, PowerShell 3.0 and later
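As an added example (not code from the thread), here is the "if not member then quit" gate the original question asks for, built from the logon token via WindowsPrincipal.IsInRole instead of an LDAP query, so it needs nothing beyond what every domain-joined client already has and also covers nested groups because the token is already expanded at logon. The group name, share paths and flag-file name are placeholders for the poster's environment; the flag is written only after the copy succeeds, which also addresses the stray flag file described in the question.

```powershell
# Added example, not from the thread. Placeholders: adjust to your environment.
$RequiredGroup = 'DOMAIN\tax'                          # placeholder department group
$UserShare     = "\\fileserver\users\$env:USERNAME"    # placeholder user share
$AppShare      = '\\fileserver\apps\taxtools'          # placeholder application share
$LocalTarget   = 'C:\TaxTools'                         # placeholder local destination
$FlagFile      = Join-Path $UserShare 'taxtools.flag'
$LogFile       = Join-Path $env:TEMP 'taxtools-logon.log'

# Membership check from the logon token: no AD module or LDAP query required,
# and nested groups are already expanded in the token.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole($RequiredGroup)) {
    # Not in the group: quit before touching any share, so no flag file is created.
    exit 0
}

# Already provisioned for this user: nothing to do.
if (Test-Path -LiteralPath $FlagFile) { exit 0 }

try {
    # Copy first; the flag is written only after the copy succeeds, so an
    # access-denied error on the share does not leave a flag file behind.
    Copy-Item -LiteralPath $AppShare -Destination $LocalTarget -Recurse -Force -ErrorAction Stop
    New-Item -ItemType File -Path $FlagFile -Force -ErrorAction Stop | Out-Null
}
catch {
    # A GP logon script has no console to report to, so record the failure in a log file.
    $msg = "$(Get-Date -Format s) $($env:USERNAME): $($_.Exception.Message)"
    Add-Content -LiteralPath $LogFile -Value $msg
    exit 1
}
```

Because the token is built at logon, a user added to the group sees the change at their next logon, which is exactly when this script runs.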