I want to discover the admincount attribute for all security groups that a user is a memberOf.
I have this so far:
Get-ADUser -Filter {displayName -LIKE "admin_User*"} -Credential $C -Properties * | % memberof
and I get the list of groups but how do I:
- get the admincount attribute from each of those groups?
- query across the domain from which these groups may be nested?
Thank you
Something similar to this ?
For User
Get-ADuser -LDAPFilter "(admincount=1)" | select name
For Group
Get-ADgroup -LDAPFilter "(admincount=1)" | select name
Here is a one liner that will get you all the groups assigned to a user.
I am not too sure how you would get nested groups in groups.
You would have to do a check on the members of the group to see if any are groups and then iterate through it (loops within loops)
get-aduser ainnes -Properties * | select -ExpandProperty memberof | %{Get-ADGroup $_ | select name }
You can remove the “select name” at the end and it will pull back the default info on the group and then add a -properties * on the get-adgroup to return more info
I hope this helps.
Alex: This works to some extent
get-aduser -filter {displayname -like "adminUser"} -credential $Cred -Properties * | select -ExpandProperty memberof | %{Get-ADGroup $_ -Properties * }
I don’t see the admincount attribute in the list.
I know it exists, as what Arie posted does work for querying admincount = 1 in general.
So I tried this one liner:
get-aduser -filter {displayname -like "adminUser"} -credential $Cred -Properties * | select -ExpandProperty memberof | %{Get-ADgroup -LDAPFilter "(admincount=1)" | select name }
…and I get local domain results for admincount=1 on some groups however, my queried adminUser is not a member of any of them.
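Added example, not part of any post in this thread: one way to list adminCount for every group the user belongs to, nested groups included, by letting the domain controller resolve the membership chain and querying each domain in turn. The function name Get-UserGroupAdminCount and the -Server domain list are assumptions for illustration; $Cred and the adminUser display name are taken from the posts above.

```powershell
Import-Module ActiveDirectory

function Get-UserGroupAdminCount {            # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $DisplayNameFilter,
        # Domains to search; assumption: the first entry is the user's own domain
        [string[]] $Server = @($env:USERDNSDOMAIN),
        [pscredential] $Credential
    )
    $auth = @{}
    if ($Credential) { $auth.Credential = $Credential }

    $users = Get-ADUser -Filter "displayName -like '$DisplayNameFilter'" -Server $Server[0] @auth
    foreach ($user in $users) {
        # Escape characters that are special inside an LDAP filter value
        $dn = $user.DistinguishedName.Replace('\', '\5c').Replace('*', '\2a')
        $dn = $dn.Replace('(', '\28').Replace(')', '\29')
        # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN: the DC resolves
        # nested membership itself, so no loops within loops are needed
        $filter = "(member:1.2.840.113556.1.4.1941:=$dn)"

        foreach ($domain in $Server) {
            # Ask for adminCount by name: an attribute with no value is not
            # listed by -Properties *, so it would otherwise be absent
            Get-ADGroup -LDAPFilter $filter -Server $domain -Properties adminCount @auth |
                Select-Object @{ n = 'User';   e = { $user.SamAccountName } },
                              @{ n = 'Domain'; e = { $domain } },
                              Name, GroupScope, adminCount
        }
    }
}

# adminCount = 1 marks groups stamped by AdminSDHolder protection;
# an empty value means the attribute is not set on that group
Get-UserGroupAdminCount -DisplayNameFilter 'adminUser*' -Credential $Cred |
    Sort-Object Domain, Name | Format-Table -AutoSize
```

The chain filter follows the member attribute, so the user's primary group (normally Domain Users) does not appear in the output.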