In my last post I shared a PowerShell function which provides a full list of an Active Directory user’s group memberships, including all of those inherited from other groups.
Having a massive list of groups in an array is useful on its own, but you can also reshape that data into all sorts of formats to simplify IT administration. In my case, I use the list to help me implement Role-Based Access Control.
I’ve been working on transitioning to Role-Based Access Control as described in the book Windows Administration Resource Kit: Productivity Solutions for IT Professionals. Without getting into too many details, the goal of RBAC is to provide single points of management for business roles and IT resources. I’ve been working on restructuring our Active Directory to implement RBAC by modifying group memberships and naming groups that have similar functions using common prefixes. For example:
- Groups that control access to a resource have the format ACL_Resource Name_Permission
- Groups that control access to a VDI pool have the format VDI_VDI Pool Name
- Groups that control deployment of a group policy have the format GPO_Policy Name
- Groups that control deployment of an application have the format APP_Application Name
- Groups that represent a Role or business logic responsibility have no prefix (such as “Administrative Director”)
As long as I stick to these standards, finding groups and using them to manage capabilities is simple.
Using a little PowerShell magic, I can generate pretty reports on-the-fly that show me the full story behind a user’s group memberships. My script separates types of groups based on their prefix and displays different information for different types of groups. Here’s an example report that I generated for my user account.
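The prefix-based classification described above, as an added example (this is not the author's script or module): it takes a list of group names, sorts each into a category from its prefix, and prints a grouped report. The membership list is a constructed sample so the block runs offline; the call to the author's Get-AdPrincipalGroupMembershipRecursive module is assumed to produce such a list and is not invoked here. The function and parameter names are my own.

```powershell
function Get-GroupCategory {
    # Classify one or more AD group names by the naming convention
    # ACL_<Resource>_<Permission>, VDI_<Pool>, GPO_<Policy>, APP_<Application>;
    # anything without a recognised prefix is treated as a business role.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$GroupName
    )
    process {
        foreach ($name in $GroupName) {
            if ($name -match '^ACL_(?<target>.+)_(?<perm>[^_]+)$') {
                # The last underscore-separated token is the permission; the
                # resource name itself may contain underscores, so match greedily.
                $category   = 'Resource ACL'
                $target     = $Matches['target']
                $permission = $Matches['perm']
            }
            elseif ($name -match '^(?<prefix>VDI|GPO|APP)_(?<target>.+)$') {
                $category   = @{ VDI = 'VDI pool'; GPO = 'Group Policy'; APP = 'Application' }[$Matches['prefix']]
                $target     = $Matches['target']
                $permission = $null
            }
            else {
                # No recognised prefix: by convention this is a role group.
                $category   = 'Role'
                $target     = $name
                $permission = $null
            }
            [pscustomobject]@{
                Category   = $category
                Group      = $name
                Target     = $target
                Permission = $permission
            }
        }
    }
}

function Get-GroupReport {
    # Print one section per category, in a fixed order, with a count per section.
    param([Parameter(Mandatory)][string[]]$GroupName)
    $classified = $GroupName | Get-GroupCategory
    foreach ($cat in 'Role', 'Resource ACL', 'VDI pool', 'Group Policy', 'Application') {
        $items = @($classified | Where-Object Category -eq $cat)
        if ($items.Count -eq 0) { continue }
        "== $cat ($($items.Count)) =="
        foreach ($item in ($items | Sort-Object Group)) {
            if ($item.Permission) { "  $($item.Target)  [$($item.Permission)]" }
            else                  { "  $($item.Target)" }
        }
    }
}

# Constructed sample membership list (assumption: in real use this array would
# come from the author's Get-AdPrincipalGroupMembershipRecursive module).
$sampleGroups = @(
    'Administrative Director',
    'ACL_Finance Share_Modify',
    'ACL_HR_Archive_Read',
    'VDI_Finance Pool',
    'GPO_Drive Mappings',
    'APP_Adobe Reader',
    'Domain Users'
)

Get-GroupReport -GroupName $sampleGroups
```

Because the convention says "no prefix means role", every non-conforming name (including built-in groups such as Domain Users in the sample) lands in the Role section. That is the weak spot of any prefix-driven report: a group that grants access but was created outside the naming standard is shown as a role rather than as a capability, so the Role section is the place to review for names that are not real business roles, and a periodic check of groups whose names match none of the prefixes is a cheap way to keep the reports honest.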
You might not find my script very useful as-is, unless of course you use the same naming scheme that I do. However, it should serve as an example of how you can use Active Directory and PowerShell together to generate informative reports about the capabilities of your users.
Note: If you plan to use this script, you’ll also have to download my Get-AdPrincipalGroupMembershipRecursive module and put it in a folder on PowerShell’s module path (one of the directories listed in $env:PSModulePath) so that it can be imported.