powershell ldap sid group-membership

Get user group memberships from SID


I'm querying AD groups outside our local domain. When searching for the groups in PS, all the members are displayed with their SID and not with their user ID.

What I basically want is to enter the user ID and get all the group memberships the user's SID is linked with.

Below is what I've already tried but with no result...

Write-Host "enter user id" 
$user = Read-Host

# Forest where the groups are nested
$LDAPServer = 'wwg00m.rootdom.net'

# Get SID from user 
$adUsr = Get-ADUser $user -Properties SID | Select-Object SID

# Get all groups from Query in AD 
$Groups = Get-ADObject -server $LDAPServer -LDAPFilter '(&(objectCategory=group)(name=*_EN))' | Select Name

# Get all members from each group, stripping the DN prefix/suffix to get a bare SID like $adUsr
$Members = (Get-ADGroup -Identity $Groups -Server $LDAPServer -Properties Members).Members -Replace ("CN=", "") -Replace (",ForeignSecurityPrincipals,DC=wwg00m,DC=rootdom,DC=net", "")

foreach ($adUsr in $members) {
    [pscustomobject]@{
        GroupName = $Members.Name
    }
}

Solution

  • Based on the conversation in the comments this might work. Basically, first we get the SID of the user in the Current Domain; once we have it we can get the user's DistinguishedName on the Trusted Domain, and finally with this information we can perform an LDAP query searching for all groups this DN is a member of.

    try {
        # Get user input
        $user = Read-Host "Enter User ID"
        # Forest where the groups are nested
        $LDAPServer = 'wwg00m.rootdom.net'
        # Get the SID of the user in the Current Domain
        $sid = Get-ADUser $user
        # Get the DistinguishedName of the user in the other Domain
        $dn = (Get-ADUser $sid.SID -Server $LDAPServer).DistinguishedName
        # Search for all groups where this DN is a member
        Get-ADGroup -LDAPFilter "(member=$dn)" -Server $LDAPServer | ForEach-Object {
            # here we can combine the user's data in the Current and Trusted Domain
            # change the output as needed
            [pscustomobject]@{
                GroupName             = $_.Name
                UserName              = $sid.Name
                UserDistinguishedName = $dn
            }
        }
    }
    catch {
        # Error handling here...
        Write-Error $_
    }
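
For readers auditing cross-forest access, the following is an added example (not code from the question or the answer) that extends the answer's approach in two ways: it resolves the local SID to whatever object carries that SID on the trusted side (across a trust the local user is typically represented by a foreignSecurityPrincipal, which is why the question saw SIDs in the member lists), and it optionally asks the DC to walk nested memberships with LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941). It assumes the ActiveDirectory module, read access to the trusted domain controller, and reuses the server name wwg00m.rootdom.net from the question; the function names ConvertTo-LdapFilterValue and Get-TrustedDomainGroupMembership are this example's own. The DN is escaped per RFC 4515 before it is spliced into the filter, so a DN containing "(", ")", "*" or "\" cannot malform or widen the query.

```powershell
# Added example: local SID -> object in trusted domain -> direct or nested group memberships.
# Assumes the ActiveDirectory module and read access to the trusted DC named below.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves in an LDAP filter assertion value.
    # Backslash must be replaced first so the escapes it produces are not re-escaped.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-TrustedDomainGroupMembership {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$TrustedServer = 'wwg00m.rootdom.net',   # server name taken from the question
        [switch]$IncludeNested                            # also return groups reached through nesting
    )

    # 1. SID of the account in the current (local) domain.
    $localUser = Get-ADUser -Identity $SamAccountName -Properties SID
    $sidString = $localUser.SID.Value

    # 2. Object that represents this SID on the trusted side. AD accepts the SDDL string
    #    form of a SID in an objectSid filter; this matches a foreignSecurityPrincipal
    #    as well as a real user object with the same SID.
    $remote = Get-ADObject -Server $TrustedServer -LDAPFilter "(objectSid=$sidString)"
    if (-not $remote) {
        throw "No object with SID $sidString found on $TrustedServer (no FSP created yet, or access denied)."
    }
    $dn = ConvertTo-LdapFilterValue -Value $remote.DistinguishedName

    # 3. Groups that list this DN as a member. With the matching-rule-in-chain OID the DC
    #    expands nested memberships server-side, so no client-side recursion is needed.
    $filter = if ($IncludeNested) {
        "(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=$dn))"
    } else {
        "(&(objectCategory=group)(member=$dn))"
    }

    Get-ADGroup -Server $TrustedServer -LDAPFilter $filter | ForEach-Object {
        [pscustomobject]@{
            UserName       = $localUser.SamAccountName
            UserSid        = $sidString
            RemoteObjectDN = $remote.DistinguishedName
            RemoteClass    = $remote.ObjectClass      # 'foreignSecurityPrincipal' or 'user'
            GroupName      = $_.Name
            GroupDN        = $_.DistinguishedName
            GroupScope     = $_.GroupScope
            Nested         = [bool]$IncludeNested
        }
    }
}

# Usage: prompt for the user ID as in the original script and list nested memberships too.
Get-TrustedDomainGroupMembership -SamAccountName (Read-Host 'Enter user ID') -IncludeNested |
    Format-Table -AutoSize
```

Run it without -IncludeNested to reproduce the answer's direct-membership query; run it with the switch when the question is "what can this account reach", since rights are usually granted to a group several nesting levels above the one the account is placed in. If the SID lookup throws, the user has simply never been added to anything in the trusted domain (no foreignSecurityPrincipal exists yet) or the querying account lacks read access to that container.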