I’m currently working at a customer where group membership in AD is organized and maintained by another team (silo).
Naturally, they tend not to communicate very well, as is the case at most companies where silos exist.
So, I needed a way to figure out if they had done their job correctly, without having access to the remote admin tooling from AD.
I also didn’t have PowerShell Remoting permissions to a domain controller.
I could think of two ways to accomplish this: write an LDAP query, or use the native .NET classes.
So, here’s the .NET stuff:
([System.Security.Principal.WindowsIdentity]::GetCurrent()).Groups | Foreach-Object { $_.Translate([System.Security.Principal.NTAccount]) }
…and if you don’t want duplicates in there, just do it the PowerShell way:
([System.Security.Principal.WindowsIdentity]::GetCurrent()).Groups | Foreach-Object { $_.Translate([System.Security.Principal.NTAccount]) } | Sort-Object -Unique
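Two things bite you in practice with the one-liner above: `Translate()` throws an `IdentityNotMappedException` for a SID that no longer resolves (a group deleted since you logged on), which aborts the whole pipeline, and the token only reflects membership as it was when the logon token was issued, so a change made by the other team shows up only after you log off and on again (or obtain a fresh token). The example below is added here and is not from the original post; it wraps the same .NET calls in a function that keeps unresolvable SIDs visible instead of failing, and adds a membership check for a named group. The group name `CONTOSO\App-Admins` is a placeholder, not a real group.

```powershell
# Added example, not from the original post. Same .NET calls as the one-liner,
# but each SID is resolved on its own so one orphaned SID does not kill the run.
function Get-TokenGroup {
    [CmdletBinding()]
    param()

    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    foreach ($sid in $identity.Groups) {
        $name = $null
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch {
            # Typically System.Security.Principal.IdentityNotMappedException:
            # the SID is orphaned (group deleted or from an unreachable domain).
            # Keep the raw SID in the output rather than silently dropping it.
        }

        [pscustomobject]@{
            Sid  = $sid.Value
            Name = $name
        }
    }
}

function Test-TokenGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$GroupName   # DOMAIN\Group form, as returned by NTAccount
    )

    # -eq on strings is case-insensitive in PowerShell, matching how
    # Windows treats account names.
    $null -ne (Get-TokenGroup | Where-Object { $_.Name -eq $GroupName })
}

# Usage: list the token's groups without duplicates, then check one group.
Get-TokenGroup | Sort-Object Name -Unique | Format-Table -AutoSize
Test-TokenGroup -GroupName 'CONTOSO\App-Admins'   # placeholder group name
```

Note that `WindowsIdentity.Groups` is the token's group list, so it already contains the transitive expansion (nested groups, plus well-known SIDs such as `NT AUTHORITY\Authenticated Users`); that is more than an LDAP `memberOf` lookup on your own account would return, which is exactly why it is a useful check of what the other team's changes actually grant you.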