Open kadmos36 opened 1 week ago

Using $env:COMPUTERNAME should not be causing a problem. The reason is that we are inside a ScriptBlock that will execute on the $Server variable. So, the $env:ComputerName is the remote server.
But if we are having issues with running that cmdlet in locked down environments, we will need to attempt to add in a catch for this as well. This would be similar to issue #2110 where the other cmdlet is also failing in some environments.
Thank you for your quick response, David.
Okay, I hadn't thought of the ScriptBlock behaviour. Sorry. Looks like it must be wrong.
I would suggest checking whether it might be possible to modify it for hardened environments:

```powershell
try {
    # Preferred path: direct principal membership lookup (fails where group membership search is restricted)
    $ADGroupMembership = Get-ADPrincipalGroupMembership (Get-ADComputer $env:COMPUTERNAME).DistinguishedName -ErrorAction Stop
}
catch {
    # Fallback for hardened ADs: read the computer's memberOf attribute and resolve each group DN
    $ADGroupMembership = Get-ADComputer $env:COMPUTERNAME -Properties MemberOf |
        Select-Object -ExpandProperty MemberOf |
        Get-ADObject
}
```
This might fix it. The only Group missing in $ADGroupMembership would be Domain Computers if the catch block is hit.
That is interesting that Domain Computers doesn't show up in the other cmdlet. We are going to need to do a little more than just what you provided, as we need to be able to get the SID and should really try to make sure we get all the same properties that we would have gotten from Get-ADPrincipalGroupMembership. I will have to look at this some more when I am back in the office.
The thing with Domain Computers could be because of AD hardening.
I compared the output of the Get-ADPrincipalGroupMembership variants. The output of Get-ADComputer has the properties GroupCategory and GroupScope missing. If replaced with Get-ADGroup, the output properties are the same.
Provide Version Number 24.06.24.2018
Describe the issue New Group Membership check uses $env:computername instead of $server, and suggestion for hardened ADs
Expected behavior Get Membership of wanted server
Script Output Membership of computer executing the script to check remote server
Additional context Look at code starting in line 13480. I would suggest to replace $env:computername with $server. In addition, in our hardened Active Directory the cmdlet Get-ADPrincipalGroupMembership does not work. I would suggest using Get-ADComputer $server -Properties memberof | select -ExpandProperty memberof which works if global group membership search is prohibited in the Active Directory
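As an added example (not the project's code and not posted by either participant), the following function ties the thread's points together: it runs the lookup inside a ScriptBlock on the target server, so $env:COMPUTERNAME is the remote machine; it falls back to the memberOf attribute when Get-ADPrincipalGroupMembership is blocked; it resolves the DNs with Get-ADGroup so SID, GroupCategory and GroupScope are present; and it goes one step beyond the thread by also returning the primary group (normally Domain Computers), which memberOf never lists because it is referenced only through primaryGroupID. The function name, the $Server parameter and the host name in the usage line are assumptions for illustration.

```powershell
# Added example, not the project's own code. Names below are assumptions.
function Get-RemoteComputerGroupMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Server
    )

    Invoke-Command -ComputerName $Server -ScriptBlock {
        Import-Module ActiveDirectory -ErrorAction Stop

        # Inside the ScriptBlock, $env:COMPUTERNAME is the remote server, not the caller.
        $computer = Get-ADComputer $env:COMPUTERNAME -Properties MemberOf, PrimaryGroupID

        try {
            # Preferred path: works unless global group membership search is prohibited.
            Get-ADPrincipalGroupMembership $computer.DistinguishedName -ErrorAction Stop
        }
        catch {
            # Fallback for hardened ADs: memberOf holds every direct group except the primary group.
            # Get-ADGroup (rather than Get-ADObject) returns SID, GroupCategory and GroupScope,
            # so the output properties match those of Get-ADPrincipalGroupMembership.
            $groups = @($computer.MemberOf | Get-ADGroup -ErrorAction Stop)

            # The primary group is referenced only by primaryGroupID (a RID), so rebuild its SID
            # from the computer's own domain SID and look it up explicitly.
            $primarySid = '{0}-{1}' -f $computer.SID.AccountDomainSid.Value, $computer.PrimaryGroupID
            try {
                $groups += Get-ADGroup -Identity $primarySid -ErrorAction Stop
            }
            catch {
                Write-Warning "Could not resolve primary group $primarySid on ${env:COMPUTERNAME}: $_"
            }
            $groups
        }
    } |
        Select-Object Name, SamAccountName, DistinguishedName, SID, GroupCategory, GroupScope, ObjectClass
}

# Usage (host name is a placeholder):
# Get-RemoteComputerGroupMembership -Server 'srv01.example.com'
```

Both branches are projected onto the same property set, so callers such as the membership check at line 13480 see identical object shapes regardless of which path ran. The primary-group lookup is wrapped separately so that a hardened domain which also restricts SID lookups still returns the memberOf groups rather than failing the whole check.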