
I'm using Powershell 5.1 in constrained language mode with no access to additional modules.

I've created a script to return information from "net user query (username) /domain" that includes an If statement to return results if the end user I'm checking isn't a member of certain groups.

The If statement doesn't appear to be working correctly and I'm not sure where I'm going wrong.

1.

```powershell
$enduser = read-host "please enter username"
Net user query $enduser /domain
$u = @{}; net user $enduser /domain | ConvertFrom-String -Delimiter '\s{2,}' -PropertyNames Name, Value | ForEach-Object { $u[$_.Name] = $_.Value }
$globalgroups = $u_.'global group memberships'

if ($globalgroups) -inotlike '$_.EXAMPLEGROUPNAME'
{
    write-output "user is not part of EXAMPLEGROUP"
}
```

I have also tried

2.

```powershell
if ($globalgroups) -inotlike '*EXAMPLEGROUPNAME*'
{
    write-output "user is not part of EXAMPLEGROUP"
}
```

3. as well as creating new variables

```powershell
$EXAMPLEGROUP1 = { $u[$_.'global group memberships'] = $_.'EXAMPLEGROUPNAME' }
$EXAMPLEGROUPtest = { $u[$_.'global group memberships'] = $_.'value' }
```

and changing the if statement to:

```powershell
if ($globalgroups) -inotlike '$examplegroup1'
{
    write-output "user is not part of EXAMPLEGROUP"
}
```

The #2 snippet of code appears to work for one specific group, which always appears as the first result in global group memberships; however, if a different group name is added which appears later in the list of global group memberships, it always returns that the user isn't part of the group, even though I can see it there.

What can I change to make this work?

Mofi
  • Can you add the raw output you're getting from ```net user $enduser /domain``` if you run it on the commandline (anonymised where appropriate). – mclayton Jul 20 '22 at 08:38
  • Also, your question says you're running ```net user query (username) /domain```, but you're actually invoking ```net user $enduser /domain``` (i.e. no ```query```) in your code - could you confirm which one is correct? – mclayton Jul 20 '22 at 08:40
  • Hey mclayton! Thanks for taking the time to reply, I'll post my raw output I get when I have access to my work computer tomorrow. I didn't actually realize it was missing the query from that invoking part, someone had supplied me with that line from my last question, perhaps that's where I might be going wrong – helpdeskrat96 Jul 20 '22 at 09:09
  • Hey, I remember that code snippet. :P Unfortunately it won't work for group memberships and *can't* work for group memberships because of the way `NET USER` formats its output: it uses two columns, each no more than 21 characters wide. Even if you could parse the groups from this (which is doable, but not with `ConvertFrom-String`), it wouldn't work for any groups with names longer than 21 characters, which is extremely unreliable. At least on my local domain we certainly do have groups like that. – Jeroen Mostert Jul 20 '22 at 10:18
  • You may wish to consider ADSI instead, which seems to be available in constrained mode. See, e.g., [this](https://stackoverflow.com/q/45351476/4137916). While ADSI is vastly less friendly than the AD cmdlets, it still beats parsing `NET USER` output. – Jeroen Mostert Jul 20 '22 at 10:26
  • Powershell would be like `if ($globalgroups -inotlike "*groupname*")`. – js2010 Jul 20 '22 at 15:17
  • Hey Jeroen and Js2010! Thanks for replying :) So I was in bed last night feeling frustrated thinking about this issue and suddenly sprung up when I thought of something which I tried today and worked really well! I doubt many people will have to do the same as I did but what I came up with was to write the output of the net user query command to a text file, then get-content and find the group names from that then return the result through an if statement if it was or wasn't in there. It's a bit messy but works :P – helpdeskrat96 Jul 21 '22 at 06:53
  • as well as the select-string command, then I have remove-item to delete the text file at the end of the script – helpdeskrat96 Jul 21 '22 at 07:10
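As an added example (not code from the question, the answer or any of the commenters), here is one way to read the group names out of the `net user` output directly in Windows PowerShell 5.1, using only string operators and methods that constrained language mode permits, without `ConvertFrom-String` or a temporary file. The sample output, the function names `Get-NetUserGroups` and `Test-NetUserGroupMember`, and the 21-character truncation width (taken from the comment above) are assumptions made for the illustration.

```powershell
# Added example, not from the question or the answer. Constructed sample of
# "net user <name> /domain" output; a real run replaces it (see the end).
$sampleNetUserOutput = @'
User name                    jdoe
Full Name                    Jane Doe
Account active               Yes
Local Group Memberships      *Domain Users
Global Group memberships     *Domain Users         *Helpdesk-Operators
                             *VPN-Users            *Security-Awareness-Tr
The command completed successfully.
'@ -split "`r?`n"

function Get-NetUserGroups {
    # Returns every group name listed in the Local/Global membership sections.
    param([string[]]$NetUserOutput)
    $groups = @()
    $inSection = $false
    foreach ($line in $NetUserOutput) {
        if ($line -match '^(Local|Global) Group [Mm]emberships\s*(.*)$') {
            # First line of a section: the names follow the label.
            $inSection = $true
            $rest = $Matches[2]
        } elseif ($inSection -and $line -match '^\s+(\*.*)$') {
            # Continuation line: indented, names only.
            $rest = $Matches[1]
        } else {
            # Any other line ends the section (e.g. "The command completed successfully.").
            $inSection = $false
            continue
        }
        # Names are introduced by '*' and padded to fixed-width columns,
        # so split on the marker rather than on runs of spaces.
        foreach ($token in ($rest -split '\*')) {
            $name = $token.Trim()
            if ($name -ne '') { $groups += $name }
        }
    }
    return $groups
}

function Test-NetUserGroupMember {
    # Exact, case-insensitive match. Assumption (from the comments above): net user
    # truncates names to 21 characters, so a parsed name of that length is treated
    # as a possible prefix of the full group name.
    param([string[]]$Groups, [string]$GroupName)
    $truncationWidth = 21
    foreach ($g in $Groups) {
        if ($g -ieq $GroupName) { return $true }
        if ($g.Length -ge $truncationWidth -and
            $GroupName.Length -gt $g.Length -and
            $GroupName.Substring(0, $g.Length) -ieq $g) { return $true }
    }
    return $false
}

$groups = Get-NetUserGroups -NetUserOutput $sampleNetUserOutput
foreach ($name in 'Helpdesk-Operators', 'VPN-Users', 'Helpdesk', 'Security-Awareness-Training') {
    if (Test-NetUserGroupMember -Groups $groups -GroupName $name) {
        Write-Output "user is part of $name"
    } else {
        Write-Output "user is not part of $name"
    }
}

# Against a real account (domain-joined machine, same syntax as the question):
# $enduser = Read-Host "please enter username"
# $groups  = Get-NetUserGroups -NetUserOutput (net user $enduser /domain)
```

Splitting on the `*` marker is what makes the second column and the indented continuation lines visible; the hashtable in the question stores only the second field of each line, which is why only the first group was ever found. Comparing names exactly rather than with `-like '*name*'` also avoids a short name such as `Helpdesk` matching `Helpdesk-Operators`. The prefix rule for 21-character names is a workaround, not a fix: as the comments say, names longer than that cannot be recovered from `net user` output at all.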

1 Answer


I am not sure why exactly you are using Net user query. But as far as I can see, you are trying to make an If statement to return results if the end user you are checking isn't a member of certain groups in Active Directory.

I would rather than using Net user query do something like this:

```powershell
$enduser = "TestUser"
$examplesgroupname = "Test-Group"
# Requires the ActiveDirectory (RSAT) module
$groupmembership = Get-ADPrincipalGroupMembership $enduser

## $true when the user is NOT a member of the example group
$membership_validated = $true
foreach ($membership in $groupmembership.Name) {
    if ($membership -eq $examplesgroupname) {
        ## user is a member of the example group
        $membership_validated = $false
        break
    }
}

Write-Host $membership_validated
```

If you need to use Net user query for a certain reason, then give a short feedback and I will try to fix your script with Net user query included.

LKo.exp
  • Hey LKo.exp, thanks for replying. Unfortunately it's the only thing I have access to use on the help desk I'm in. We're not allowed to use any Powershell modules. Other staff use CMD for the command. I'm the only one who uses Powershell so I thought I'd make the process easier. I'm new to stackoverflow, by feedback do you mean raw output? If so, I'll comment tomorrow when I have access to my work laptop. I appreciate you taking the time to answer! – helpdeskrat96 Jul 20 '22 at 09:07
  • Thank you for your reply. Okay, you are just able to use net user query. That's what I wanted to know. I will try to give you a solution with net user query. But it may take a while, I just have to get into net user query. Never used that before. I just thought PowerShell cmdlets would be a lot easier to use, faster and much better to handle within a script. – LKo.exp Jul 20 '22 at 09:11
  • Hi again LKo.exp! I ended up writing the output of the net user query command to a text file, then searching the file with get-content and creating if statements from those results :) It worked really well! – helpdeskrat96 Jul 21 '22 at 06:54
  • Glad to hear you found a solution that worked for you. However, you should consider using PowerShell for these cases. It is much easier and more reliable. Maybe your company could give the necessary permissions to do so – LKo.exp Jul 21 '22 at 07:20