Report a user’s nested group membership

‘Sup PSHomies,

“The old RBAC…” Role Based Access Control. When done right, pretty awesome! Am I right??? Get it wrong and you’re in a world of pain!

With RBAC, a user is given access to multiple resources using group nesting. It also helps when revoking said access (just remove user from group). I’ve seen many RBAC implementations that started off good, only to be derailed by exceptions. RBAC is an all-or-nothing kinda deal.

There’s a catch to RBAC: while it is awesome, you won’t be able to derive how a user gained access to a resource just by looking at the user’s memberOf AD property. Luckily for us there are ways to find out! 😉

Use the -LDAPFilter parameter, specifically with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941):


<#
Author: I.C.A. Strachan
Version:
Version History:
Purpose: Get User nested group membership report
#>
[CmdletBinding()]
param(
    [string]
    $Identity
)
Get-ADUser -Identity $Identity |
    ForEach-Object {
        # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) evaluates the member
        # attribute transitively, so groups reached through nesting are returned too
        $ldapFilter = '(member:1.2.840.113556.1.4.1941:={0})' -f $_.DistinguishedName
        Get-ADGroup -LDAPFilter $ldapFilter |
            Select-Object SamAccountName, DistinguishedName
    }

If you need to do a quick assessment of all the resources a user has access to, either direct or nested, then this will get the job done! Another advantage, or disadvantage depending on your perspective, is that this approach doesn’t suffer from circular group nesting, but it doesn’t report it either…
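Two things a practitioner will want on top of the one-liner above: the DN has to be escaped before it goes into the filter (a CN containing parentheses or an asterisk would otherwise break or widen the filter), and the flat result can at least be split into direct memberships and nested-only ones by comparing it with the user’s own memberOf. The following is an added example, not code from the original post; Get-ADUser, Get-ADGroup and the OID are real, the function names are my own.

```powershell
# Added example: escape the DN per RFC 4515 before building the
# LDAP_MATCHING_RULE_IN_CHAIN filter, then mark each returned group as
# Direct (present in the user's memberOf) or Nested (reached via other groups).
# Requires the ActiveDirectory module; function names are assumptions.

function ConvertTo-LdapFilterValue {
    # RFC 4515: these characters are filter syntax and must be escaped as \xx.
    param([Parameter(Mandatory)][string]$Value)
    $escaped = $Value.Replace('\', '\5c')        # backslash first, so later escapes are not re-escaped
    $escaped = $escaped.Replace('*', '\2a')
    $escaped = $escaped.Replace('(', '\28')
    $escaped = $escaped.Replace(')', '\29')
    $escaped = $escaped.Replace([string][char]0, '\00')
    return $escaped
}

function Get-ADUserGroupChain {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties MemberOf

    # Direct memberships, for the Direct/Nested flag below
    $direct = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($dn in $user.MemberOf) { [void]$direct.Add($dn) }

    $ldapFilter = '(member:1.2.840.113556.1.4.1941:={0})' -f (ConvertTo-LdapFilterValue $user.DistinguishedName)

    Get-ADGroup -LDAPFilter $ldapFilter |
        ForEach-Object {
            [PSCustomObject]@{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                # Nested means: not in memberOf, so only reachable through another group
                Membership        = if ($direct.Contains($_.DistinguishedName)) { 'Direct' } else { 'Nested' }
            }
        }
}

# Usage (replace the sAMAccountName with a real one):
# Get-ADUserGroupChain -Identity 'jdoe' | Sort-Object Membership, SamAccountName | Format-Table
```

This still gives no path for the Nested rows; that is what the recursive script further down is for. Note also that the user’s primary group (Domain Users by default) is not listed in memberOf and is not matched through the member attribute, so it does not appear in either result.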

I did notice however that I couldn’t derive the relationship between the groups. Was the group directly linked, or is it nested in another group? The LDAPFilter technique gets you all the unique groups the user is a member of, direct or nested, but nothing about how.

This could lead to misinterpretations:

  • Was the group a direct member?
  • Was the group nested via another group?
  • Was the group nested via multiple groups?

I decided to give it another try!


<#
Author: I.C.A. Strachan
Version:
Version History:
Purpose: Get User nested group membership report
#>
[CmdletBinding()]
param(
    [string]
    $Identity
)
function Get-ADUserGroups {
    # Recursively walks the memberOf attribute of $Group, emitting one object per
    # group reached; $Parent is the path (separated by '/') taken to get here.
    param ($Group, $indent, $Parent)
    Get-ADGroup -Identity $Group -Properties MemberOf |
        Select-Object -ExpandProperty MemberOf |
        ForEach-Object {
            # CN part of the distinguished name
            $GroupName = ($_).Split(',')[0].Split('=')[1]
            # Compare whole path elements, not substrings: a substring test would
            # flag 'APL' as circular when the path contains 'APL-FTP'
            if (!(($Parent -split '/') -contains $GroupName)) {
                $Newparent = "$Parent/$GroupName"
                [PSCustomObject]@{
                    Group         = $GroupName.PadLeft($GroupName.Length + ($indent * 5), '_')
                    Name          = $GroupName
                    NestedLevel   = $indent
                    InheritedFrom = $Parent
                }
                Get-ADUserGroups -Group $_ -indent ($indent + 1) -Parent $Newparent
            }
            else {
                # Group already appears in the path: circular nesting, stop recursing here
                [PSCustomObject]@{
                    Group         = $GroupName.PadLeft($GroupName.Length + ($indent * 5), '_')
                    Name          = $GroupName
                    NestedLevel   = $indent
                    InheritedFrom = "$GroupName/Circular. Please review"
                }
            }
        }
}
#region Main
Get-ADUser -Identity $Identity -Properties MemberOf |
    Select-Object -ExpandProperty MemberOf |
    ForEach-Object {
        $GroupName = ($_).Split(',')[0].Split('=')[1]
        # Direct membership: level 0, no parent
        [PSCustomObject]@{
            Group         = $GroupName
            Name          = $GroupName
            NestedLevel   = 0
            InheritedFrom = $null
        }
        Get-ADUserGroups -Group $_ -indent 1 -Parent $GroupName
    } |
    Out-GridView
#endregion

This will get you all the groups, direct and nested, with no filter, so a group that is reachable via more than one path shows up once per path!

[Screenshot: UserGroups report shown in Out-GridView]

The user has access to APL-FTP-Client twice! The user will still have access even if APL-FTP-Client is removed from ROL-Technisch Consultant. APL-FTP-Client is also nested via APL-Total-Commander.

Aha! So that’s why a user still has access…

Now you can do fun stuff like figuring out the multiple entry points through which a user has access…
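One way to do that with the objects the recursive script emits (Name, NestedLevel, InheritedFrom): group them by Name and keep every group that appears more than once, listing each path. This is an added example, not part of the original post; the function name is mine and the sample rows are constructed to mirror the APL-FTP-Client scenario above.

```powershell
# Added example: find groups a user reaches through more than one path, using
# the report objects produced by the recursive script (Name, NestedLevel,
# InheritedFrom). Function name and sample data are constructed for this example.

function Get-MultipleEntryPoints {
    param([Parameter(Mandatory)][object[]]$Report)

    $Report |
        Group-Object -Property Name |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [PSCustomObject]@{
                Group       = $_.Name
                EntryPoints = $_.Count
                # One full path per occurrence; a level-0 row is a direct membership
                Paths       = @($_.Group | ForEach-Object {
                    if ($_.NestedLevel -eq 0) { '(direct)' } else { "$($_.InheritedFrom)/$($_.Name)" }
                })
            }
        }
}

# Constructed sample: two direct memberships, and APL-FTP-Client reachable via both
$sample = @(
    [PSCustomObject]@{ Name = 'ROL-Technisch Consultant'; NestedLevel = 0; InheritedFrom = $null }
    [PSCustomObject]@{ Name = 'APL-FTP-Client';           NestedLevel = 1; InheritedFrom = 'ROL-Technisch Consultant' }
    [PSCustomObject]@{ Name = 'APL-Total-Commander';      NestedLevel = 0; InheritedFrom = $null }
    [PSCustomObject]@{ Name = 'APL-FTP-Client';           NestedLevel = 1; InheritedFrom = 'APL-Total-Commander' }
)

Get-MultipleEntryPoints -Report $sample | Format-List
```

To run it against live data, replace the Out-GridView at the end of the recursive script with a pipe into Get-MultipleEntryPoints; removing a user from one role group only closes one of the listed paths, which is exactly the situation the screenshot above shows.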

This is my take on how to get a report on a user’s nested group membership.

I don’t think I need to point out that the script does nothing for reporting where the user is granted access directly, eh? 😉 This is why you always manage resources using groups even for just one user…

Hope it’s worth something to you…

Ttyl,

Urv
