Get-Acl: Show Users Who Are Member Of (Nested) Groups, #PowerShell

From time to time, customers ask me to report on file access rights from the user account perspective, meaning a summary of the allowed and the denied file system accesses per user. Typically, administrators implement role-based access control (RBAC) using nested groups. Nested groups simplify the management of file system access and security audits: individual user accounts acquire access only through group memberships that correspond with their business role (see also AGDLP). So much for theory! Over time, more and more exceptions prove the rule, and user accounts acquire access to file system resources outside the RBAC concept. A few lines of PowerShell can help to distinguish between the good and the bad apples.

The function below, Get-ResolvedAcl, leverages the Get-Acl cmdlet (to list explicit allow/deny access entries) together with the ActiveDirectory module's cmdlets Get-ADObject (to identify the objectClass of the principal named in an Access Control Entry) and Get-ADGroupMember (to list the members of a group). Furthermore, a sub function called Get-ADNestedGroupMember calls Get-ADGroupMember recursively in order to identify user accounts in nested groups.
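The following is an added example written for this page, not the post's own Get-ResolvedAcl. It implements the same idea with the cmdlets named above: a recursive Get-ADNestedGroupMember that also records the group chain each user was reached through and guards against circular nesting, and a Get-ResolvedAcl that emits one row per user and ACE, so that direct user entries and deny entries (the usual RBAC exceptions) can be filtered out. It assumes the ActiveDirectory module is loaded and the caller can read the target path's ACL; the function names, the `Via` column and the sample path are this example's own choices.

```powershell
# Added example (not the post's code). Assumes: Import-Module ActiveDirectory has
# been run and the caller can read the ACL of the path under review.

function Get-ADNestedGroupMember {
    # Returns the non-group members of a group, following nested groups recursively.
    # $Via records the chain of groups through which each member was reached.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$Via = '',
        [System.Collections.Generic.HashSet[string]]$Visited = (New-Object 'System.Collections.Generic.HashSet[string]')
    )
    $group = Get-ADGroup -Identity $Identity
    # HashSet.Add returns $false if the DN was already seen: stops circular nesting (A in B, B in A).
    if (-not $Visited.Add($group.DistinguishedName)) { return }
    $chain = if ($Via) { "$Via > $($group.Name)" } else { $group.Name }

    foreach ($member in Get-ADGroupMember -Identity $group.DistinguishedName) {
        if ($member.objectClass -eq 'group') {
            Get-ADNestedGroupMember -Identity $member.DistinguishedName -Via $chain -Visited $Visited
        } else {
            [pscustomobject]@{
                SamAccountName = $member.SamAccountName
                ObjectClass    = $member.objectClass
                Via            = $chain
            }
        }
    }
}

function Get-ResolvedAcl {
    # One row per (user, ACE): who effectively holds each allow/deny entry on $Path and via which group.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Resolve the ACE principal to its SID and look it up in AD by objectSid; this avoids
        # quoting problems with account names and skips local/well-known principals cleanly.
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        $adObject = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties sAMAccountName
        if (-not $adObject) { continue }

        $principals = if ($adObject.ObjectClass -eq 'group') {
            Get-ADNestedGroupMember -Identity $adObject.DistinguishedName
        } else {
            # A user (or computer) named directly in the ACL: the RBAC exception we are hunting for.
            [pscustomobject]@{ SamAccountName = $adObject.sAMAccountName; ObjectClass = $adObject.ObjectClass; Via = '(direct)' }
        }

        foreach ($p in ($principals | Where-Object { $_.ObjectClass -eq 'user' })) {
            [pscustomobject]@{
                Path      = $Path
                User      = $p.SamAccountName
                Via       = $p.Via
                Type      = $ace.AccessControlType   # Allow or Deny
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (sample path is constructed): list deny entries and users granted access outside any group.
Get-ResolvedAcl -Path 'D:\Shares\Finance' |
    Where-Object { $_.Type -eq 'Deny' -or $_.Via -eq '(direct)' } |
    Format-Table User, Via, Type, Rights, Inherited -AutoSize
```

Get-ADGroupMember also has a -Recursive switch, but flattening in your own loop is what lets you keep the `Via` chain, which is the column auditors actually ask about when an unexpected user turns up. Get-ADGroupMember cannot expand foreign security principals from trusted forests, so those members appear with objectClass `foreignSecurityPrincipal` and are filtered out of the user rows above; inherited entries are reported with `Inherited = True` rather than dropped, so the report can be restricted to explicit entries with one more Where-Object.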

Disclaimer: I hope that the information in this post is valuable to you. Your use of the information contained in this post, however, is at your sole risk. All information on this post is provided “as is”, without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by me. Further, I shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.

Active Directory Login Script Template #VBScript

The login script template provided in this article maps network drives and printers based on the user's membership in so-called "map groups". Since a map group's description carries the information about which resource should be mapped for its members, you hardly ever need to modify this script when the drive or printer mappings change.

For each drive and printer mapping you need to create a corresponding AD group that follows a naming convention. By default, a map group for a network drive begins with "MAP-DRV-", and the prefix for a network printer map group is "MAP-PRN-". (Both prefixes can be customized by changing the constants MAP_DRIVE_GROUP_PREFIX and MAP_PRINTER_GROUP_PREFIX in this script.)

In addition to following the naming convention, you have to specify the network resource that should be mapped in the description field of the map group. For a network drive map group you must specify the drive letter followed by the UNC path (separated by a space character). For a printer map group you must specify the network printer's UNC path.

Since the script recognizes indirect or nested group memberships, you are able to add users as well as groups to the map groups. The LoadGroups function contains slightly modified code that I found on Richard L. Mueller's website. Thanks.
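The map-group convention described above, as an added PowerShell example; it is not the VBScript template from the post. The parser enforces the convention strictly (a drive description must be `X: \\server\share`, a printer description a bare UNC path) and skips anything else, so a typo in a group description results in a missing mapping rather than a mapping to an unintended location. Nested membership is read from the logon token, which already contains transitive group SIDs, so no recursion is needed; the ActiveDirectory module is assumed for reading group descriptions, and the function names and the `-DryRun` switch are this example's own.

```powershell
# Added example (not the post's VBScript). Assumes the ActiveDirectory module is available
# and the script runs in the context of the logging-on user.

$MAP_DRIVE_GROUP_PREFIX   = 'MAP-DRV-'
$MAP_PRINTER_GROUP_PREFIX = 'MAP-PRN-'

function ConvertFrom-MapGroup {
    # Turns a map group's name and description into a mapping action, or $null if the
    # description does not follow the convention (malformed entries are skipped, never mapped).
    param([Parameter(Mandatory)][string]$Name, [string]$Description)
    $desc = "$Description".Trim()
    $unc  = '^\\\\[^\\/:*?"<>|]+\\[^\\/:*?"<>|]+'      # \\server\share, no further path components

    if ($Name -like "$MAP_DRIVE_GROUP_PREFIX*") {
        $parts = $desc -split '\s+', 2                   # "H: \\fs01\home"
        if ($parts.Count -eq 2 -and $parts[0] -match '^[A-Za-z]:$' -and $parts[1] -match ($unc + '$')) {
            return [pscustomobject]@{ Kind = 'Drive'; Letter = $parts[0].ToUpper(); Path = $parts[1]; Group = $Name }
        }
    } elseif ($Name -like "$MAP_PRINTER_GROUP_PREFIX*") {
        if ($desc -match ($unc + '$')) {                  # "\\print01\Floor2-Laser"
            return [pscustomobject]@{ Kind = 'Printer'; Letter = $null; Path = $desc; Group = $Name }
        }
    }
    return $null
}

function Invoke-MapGroupLogon {
    param([switch]$DryRun)
    $net = New-Object -ComObject WScript.Network
    # The logon token lists every group the user is in, including nested ones, as SIDs.
    foreach ($sid in [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups) {
        $group = Get-ADGroup -Identity $sid.Value -Properties Description -ErrorAction SilentlyContinue
        if (-not $group) { continue }                    # BUILTIN and well-known SIDs are not AD groups
        $action = ConvertFrom-MapGroup -Name $group.Name -Description $group.Description
        if (-not $action) { continue }                   # not a map group, or description malformed
        if ($DryRun) {
            Write-Output "Would map $($action.Kind) $($action.Letter) $($action.Path) (via $($action.Group))"
            continue
        }
        switch ($action.Kind) {
            'Drive'   { $net.MapNetworkDrive($action.Letter, $action.Path, $true) }
            'Printer' { $net.AddWindowsPrinterConnection($action.Path) }
        }
    }
}

# Usage: run with -DryRun first to see what the user's memberships would map.
Invoke-MapGroupLogon -DryRun
```

Because whoever can edit a map group's description controls where a drive letter points for every member, restrict write access to these groups' description attribute to the administrators who own the mapping convention, and treat a failed regex match as a sign that the description needs fixing rather than loosening the check.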

How To Determine an AD User’s GUID? #VBScript

The VBScript file below, ShowGUID.vbs, shows the current user’s GUID.

ShowGUID.vbs shows how to use ADSI's NameTranslate object.

More info on NameTranslate: NameTranslate FAQ

How To Map Drives Based On an Active Directory Site? #VBScript

You can use the ADSystemInfo object to determine the site name of the local computer: