I have a custom Operating System deployment solution (OSD Upgrade) which as part of the process has to first modify a few associated AD group memberships using the user account of the person who triggers the OSD.

I need to programmatically check (preferably using VBScript, or even PowerShell) if that user has the necessary permissions to modify the group first. If not, I would like to display a message and terminate the OSD process.

Could you please help?

Steve


1 Answer

I can't comment yet, but I agree with Ryan Boldger. I did find someone who wrote a module to do just this, but it's quite old. Here's the link if you want to look: https://stackoverflow.com/questions/27069043/how-to-get-effective-permissions-with-powershell-for-an-attribute-on-the-ad-user

It would be far easier to use something like:

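Import-Module ActiveDirectory
$group = '<Group Name>'   # group the OSD process has to modify
$dummy = '<Dummy User>'   # throwaway account used only for this test
try {
  # Adding and then removing a member exercises the write access the OSD needs
  Add-ADGroupMember -Identity $group -Members $dummy -ErrorAction Stop
  # -Confirm:$false stops Remove-ADGroupMember from prompting in an unattended run
  Remove-ADGroupMember -Identity $group -Members $dummy -Confirm:$false -ErrorAction Stop
  Write-Host "User has permissions to group $group"
}
catch {
  throw "User does not have the required access to group $group"
}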
Scott Heath
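
A read-only variant of the check, shown as an added example that is not part of the question or the answer above: it asks the domain controller which attributes the calling account may write on the group, so no test membership change is made. The function name `Test-GroupMemberWriteAccess` and the group name are hypothetical; the script is assumed to run as the user who triggers the OSD, with the ActiveDirectory module available.

```powershell
# Added example: function name and group name are hypothetical placeholders.
Import-Module ActiveDirectory

function Test-GroupMemberWriteAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$GroupIdentity
    )
    try {
        # allowedAttributesEffective is a constructed attribute: the domain
        # controller computes it for the account that performs the query,
        # so this must run in the security context being checked.
        $group = Get-ADGroup -Identity $GroupIdentity `
                             -Properties allowedAttributesEffective `
                             -ErrorAction Stop
    }
    catch {
        # Group missing or unreadable: treat as "no access" and report why.
        Write-Warning "Could not read group '$GroupIdentity': $($_.Exception.Message)"
        return $false
    }
    # The property is empty when the caller can write no attributes at all.
    $writable = @($group.allowedAttributesEffective)
    return ($writable -contains 'member')
}

# Check every group the deployment needs before any change is attempted.
$requiredGroups = @('OSD-Upgrade-Group')   # placeholder group name
$denied = @($requiredGroups | Where-Object {
    -not (Test-GroupMemberWriteAccess -GroupIdentity $_)
})

if ($denied.Count -gt 0) {
    Write-Host "You do not have permission to modify: $($denied -join ', ')"
    exit 1   # non-zero exit code lets the calling OSD step stop the process
}
Write-Host 'Membership write access confirmed for all required groups.'
```

Because nothing is written to the directory, this check leaves no group-change events in the audit log and cannot strand a dummy account in a group if the run is interrupted between the add and the remove.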