0

I have been tasked with making sure all admins have the correct permissions. We have a few admin groups, so what I thought I would do is use PowerShell and dsquery to pull all the users from these groups and put them into an array. The user might be in more than one admin group, so I only want one of each user. I would then use dsget to get more info on all users and output this to a css. I'm stuck on the fact that I can't get -contains to work right. After I have this list of users the rest should be straightforward.

$admingroups = @("Group 1","Group 2","Group 3","Group 4")
$adminnames = @()

foreach ($adming in $admingroups) { 
  $admin = (&dsquery group -samid $adming -limit 0 | dsget group -members -expand)
  if ($adminnames -contains $admin) {
    write-host "Dupes"
  }Else{
    $adminnames += $admin
  }
}
r5d
Tombomb

2 Answers

0

I keep looking at your logic and can't put my finger on what I think is exactly wrong. It mostly was the name of your variable $admin. -contains is supposed to check if an element is part of an array. From about_Comparison_Operators:

Description: Containment operator. Tells whether a collection of reference values includes a single test value

However, you could have both $adminnames and $admin be arrays. First, your dsquery would return an array of DistinguishedNames. For your logic to work you would have to loop through each one in order for -contains to do what you expect it to.

Do you have to use dsquery for this information? Some of the built in cmdlets would handle this easily.

$groups = @("group 1","group 2")
$groups | ForEach-Object{Get-ADGroupMember -Identity $_} | Sort-Object -Unique | Select -ExpandProperty DistinguishedName

If you want to use dsquery still I would still use Sort-Object.

foreach ($adming in $admingroups) { 
     $adminnames += (&dsquery group -samid $adming -limit 0 | dsget group -members -expand)
}
$adminnames | Sort-Object -Unique 

If you cared to know about duplicates similar to what you already have you could just compare the counts.

$uniqueAdminNames = $adminnames | Sort-Object -Unique
Write-Host "Ignored $($adminnames.Count - $uniqueAdminNames.Count) duplicate(s)"
Matt
0

So, you want to see, for each admin user, what admin groups are they in?

But, your primary question is (correct me if I'm wrong):
Given that you're retrieving your overall list of admin users by querying each admin group, you may have duplicates, so how do you remove the duplicates?

In that case the issue is that you're missing a ForEach loop:

$AdminGroups = @("Group 1","Group 2","Group 3","Group 4")
$AdminNames = @()

ForEach ($Group in $AdminGroups) {
    $AdminsInGroup = @( dsquery group -samid $Group -limit 0 | dsget group -members -expand )

    ForEach( $Admin in $AdminsInGroup ) {
        if( $AdminNames -contains $Admin ) {
            Write-Host "Dupes"
        } else {
            $AdminNames += $Admin
        }
    }
}

Alternatively, Select-Object has a "-unique" parameter:

$AdminGroups = @("Group 1","Group 2","Group 3","Group 4")
$AdminNames = @()

ForEach ($Group in $AdminGroups) {
    $AdminsInGroup = @( dsquery group -samid $Group -limit 0 | dsget group -members -expand )

    $AdminNames += $AdminsInGroup
}

$AdminNames = @( $AdminNames | Select -Unique )
Sam Porch
  • Also, consider installing the Remote Server Admin Tools, then you can import the ActiveDirectory module and really start getting things done. I'm also an IT guy and I use it every day. Links: [Download Link](http://www.microsoft.com/en-us/download/details.aspx?id=7887) [Info Link](http://technet.microsoft.com/en-us/library/ee449475%28v=WS.10%29.aspx) – Sam Porch Oct 09 '14 at 22:01
  • @Matt, my PowerShell 2.0 doesn't show any such requirement `Get-Help Select -Full`, nor is it in the 3.0 documentation here: [Technet](http://technet.microsoft.com/en-us/library/hh849895(v=wps.620).aspx). – Sam Porch Oct 12 '14 at 02:31
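
The following is an added example, not code from the question or from either answer. It goes one step beyond plain de-duplication and records which admin groups each user belongs to, which is what a permissions review needs. The group names and DNs are constructed sample data standing in for the dsquery/dsget output, and `Get-AdminGroupMap` is a hypothetical helper name.

```powershell
# Constructed sample data standing in for the output of
#   dsquery group -samid <group> -limit 0 | dsget group -members -expand
# Group names and DNs are made up for illustration.
$sampleMembers = @{
    'Group 1' = @('"CN=Alice Admin,OU=Admins,DC=example,DC=com"',
                  '"CN=Bob Backup,OU=Admins,DC=example,DC=com"')
    'Group 2' = @('"CN=alice admin,OU=Admins,DC=example,DC=com"',  # same user, different case
                  '"CN=Carol Ops,OU=Admins,DC=example,DC=com"')
    'Group 3' = @()                                                  # empty group
}

# -contains tests ONE value for membership. With a whole array on the
# right-hand side no element matches, so the "Dupes" branch in the question
# is never taken; each member has to be tested individually.
$seen  = @('a', 'b')
$batch = @('a', 'b')
$seen -contains $batch       # array on the right: the question's situation
$seen -contains $batch[0]    # single value on the right: the intended test

# Hypothetical helper: builds a map of member DN -> list of groups.
function Get-AdminGroupMap {
    param([hashtable]$MembersByGroup)
    $map = @{}   # @{} literals match string keys case-insensitively
    foreach ($group in ($MembersByGroup.Keys | Sort-Object)) {
        foreach ($raw in @($MembersByGroup[$group])) {
            $dn = "$raw".Trim().Trim('"')     # drop surrounding quotes, if any
            if (-not $dn) { continue }        # skip blank lines
            if (-not $map.ContainsKey($dn)) {
                $map[$dn] = New-Object System.Collections.ArrayList
            }
            [void]$map[$dn].Add($group)
        }
    }
    return $map
}

$map = Get-AdminGroupMap -MembersByGroup $sampleMembers
$report = foreach ($dn in ($map.Keys | Sort-Object)) {
    New-Object PSObject -Property @{
        DistinguishedName = $dn
        GroupCount        = $map[$dn].Count
        Groups            = ($map[$dn] -join '; ')
    }
}
# Hashtable-built objects have no fixed property order, so pick the columns explicitly.
$report | Select-Object DistinguishedName, GroupCount, Groups |
    ConvertTo-Csv -NoTypeInformation
```

To run it against a real directory, fill the hashtable from the dsquery/dsget pipeline for each group instead of the sample values, and swap `ConvertTo-Csv` for `Export-Csv -Path <file> -NoTypeInformation`.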