SID translation of FSPs from group memberships

My apologies if this is a bit convoluted for my first post here but I’m at my wit’s end on this. I have a script which audits certain groups within a trusted domain for membership changes, adds, removes and the dates associated. For some group members who are cross-domain I’m obviously getting the SID in place of the account name. I’m needing a way to translate these SIDs and keep the formatting provided in the script as this is for non-technical auditing types. My code is below, followed by the report formatting:

Support Services

S-1-5-21-1565465683-344022488-928725530-11781,03/05/2018 17:44:55 - needs translation

User Numberone ,11/03/2017 09:12:44

Enterprise Admins

$AZSYNC,11/30/2017 12:39:35

Operations-Admins

S-1-5-21-1565465683-344022488-928725530-339742,06/11/2018 16:47:29 - needs translation

S-1-5-21-1565465683-344022488-928725530-402282,06/01/2018 15:27:08 - " "

S-1-5-21-1565465683-344022488-928725530-84525,04/23/2018 10:17:04 - " "

$admin,03/23/2018 14:41:51

S-1-5-21-1565465683-344022488-928725530-347271,01/08/2018 13:32:46

S-1-5-21-1565465683-344022488-928725530-353447,01/05/2018 10:01:07

Not exactly sure what you’re after, but have you tried to do e.g.

get-aduser -filter "SID -eq 'S-1-5-21-1565465683-344022488-928725530-353447'" -server 'dc in other domain'

If that works for you then it should be simple to add an IF statement if you have a SID for the account name and then make a separate call to the other domain.

But again not sure if that is what you’re looking for.

This does seem to work, but I’m curious as to how the if statement would format the output. It’s going to auditors so this needs to remain in the same format/place. I could probably make my life easier by just outputting the group memberships after the initial report but I’d like to work through this first. Seems not many have come across this issue or have no need for it :confused:

Well I would refactor lines 21-24 to something like this:

foreach ($member in (Get-ADGroup -server $domain -Filter {Name -eq $group} -Properties Members).Members)
{
    # one call per member: Name (the SID string for a foreign security principal) plus whenCreated
    $memberData = Get-ADObject $member -Properties whenCreated
    $name = ""

    if($memberData.Name -like "S-1-5-*")
    {
        # $(...) is required inside the double-quoted filter: '$memberData.Name' alone would expand
        # only $memberData and append the literal text ".Name", so the filter would never match
        $name = (Get-ADuser -filter "SID -eq '$($memberData.Name)'" -Server 'dc in other domain').Name
        if (-not $name) { $name = $memberData.Name }   # keep the SID if the other domain has no match
    }
    else
    {
        $name = $memberData.Name
    }

    "`t`t$($name),$($memberData.whenCreated)" | Out-File -FilePath $outputfile -Append
}

So first $memberData collects the necessary information in one call instead of two separate calls.
Next the if-statement evaluates the name value, if it looks like a SID then check against the other domain.
If it doesn’t look like a SID, just grab the name as in your current code.
Last step, create the string you want using the $name variable and the whencreated from the $memberData variable.

So I hate that I wasted your time. It turns out I can accomplish this by querying the principal name instead of just name. So for instance:

"`t`t$((Get-ADObject $member).Name),$((Get-ADObject $member -Properties whenCreated).whenCreated)" | Out-File -FilePath $outputfile -Append

vs

"`t`t$((Get-ADObject $member -Properties "msDS-PrincipalName")."msDS-PrincipalName")),$((Get-ADObject $me

No problem, whatever works :slight_smile:

But you should probably look at the number of times you query the DCs.
At least if there are a lot of users you look up.
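Putting the refactored loop above and the remark about repeated DC queries together, here is an added example (not code from either poster) that resolves FSP SIDs through the trusted domain once per SID and caches the result; the DC hostname `dc01.trusted.example`, the `$domain`, `$group` and `$outputfile` variables, and the `(unresolved)` marker are assumptions.

```powershell
# Added example: translate foreign security principal SIDs in a group's
# membership to account names, querying the trusted domain once per SID.
# Assumes the ActiveDirectory module is loaded and the trusted domain's DC
# is reachable under the (assumed) hostname below.
$TrustedDC = 'dc01.trusted.example'
$sidCache  = @{}     # SID string -> resolved name, avoids repeat DC round trips

function Resolve-MemberName {
    param(
        [Parameter(Mandatory)] $MemberData,   # object returned by Get-ADObject
        [Parameter(Mandatory)] [string] $Server
    )
    $name = $MemberData.Name
    # an FSP object's Name is the SID string; anything else is already a name
    if ($name -notlike 'S-1-5-*') { return $name }
    if ($sidCache.ContainsKey($name)) { return $sidCache[$name] }

    $resolved = $null
    try {
        # objectSid matches users, groups and computers alike; msDS-PrincipalName
        # is the constructed DOMAIN\sAMAccountName attribute
        $obj = Get-ADObject -Server $Server -Filter "objectSid -eq '$name'" `
                            -Properties 'msDS-PrincipalName'
        if ($obj) { $resolved = $obj.'msDS-PrincipalName' }
    } catch { }

    if (-not $resolved) {
        # fallback: let the local LSA translate via the trust (also covers well-known SIDs)
        try {
            $sid = [System.Security.Principal.SecurityIdentifier]$name
            $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
    }

    # keep the SID visible in the report rather than emitting an empty name
    if (-not $resolved) { $resolved = "$name (unresolved)" }
    $sidCache[$name] = $resolved
    return $resolved
}

foreach ($member in (Get-ADGroup -Server $domain -Filter {Name -eq $group} -Properties Members).Members) {
    $memberData = Get-ADObject $member -Properties whenCreated
    $name = Resolve-MemberName -MemberData $memberData -Server $TrustedDC
    "`t`t$name,$($memberData.whenCreated)" | Out-File -FilePath $outputfile -Append
}
```

The output line keeps the original `name,whenCreated` layout, so unresolved SIDs stay in place for the auditors instead of disappearing from the report.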

Haven’t thought about this in the past but the domain it’s querying isn’t large at all. I really appreciate your help however.