PoshTokenBloat: Difference between revisions

Line 99: Line 99:




#http://blogs.msdn.com/b/adpowershell/archive/2009/09/05/token-bloat-troubleshooting-by-analyzing-group-nesting-in-ad.aspx
#1. PS GC:\> Get-ADGroupNesting.ps1 CarAnnounce
#
#2. PS GC:\> Get-ADGroupNesting.ps1 CarAnnounce –ShowTree
#
#3. PS GC:\> Get-ADPrincipalGroupMembership "de swaef.l" | % {Get-ADGroupNestingTOP $_} | FT Name,GroupCategory,NestedGroupMembershipCount,MaxNestingLevel –A
#
#4. PS GC:\> Get-ADPrincipalGroupMembership "deswaef.l" | Where {$_.GroupCategory -eq "Security"} | % {Get-ADGroupNestingTOP $_ -ShowTree | FT Name,GroupCategory,NestedGroupMembershipCount,MaxNestingLevel -A}
#
#5. PS GC:\> (Get-ADUser DonFu -Properties MemberOf).MemberOf | % {Get-ADGroupNesting.ps1 $_ -ShowTree} | FL DistinguishedName,NestedGroupMembershipCount,MaxNestingLevel


</syntaxhighlight>
</syntaxhighlight>
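Review bot: Examples 1, 2 and 5 in the added comment block invoke `Get-ADGroupNesting.ps1`, the standalone script name from the linked MSDN post, while examples 3 and 4 call `get-ADGroupNestingTOP`, which is the function this page's revision actually declares. A reader loading this page's functions and pasting example 1 gets a command-not-found error. Either change those three to `get-ADGroupNestingTOP CarAnnounce` / `get-ADGroupNestingTOP $_ -ShowTree`, or prefix them with a comment such as `# examples 1, 2 and 5 use the blog's Get-ADGroupNesting.ps1 script, not the function defined here`. The enclosing syntaxhighlight block begins before this hunk.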

Revision as of 11:33, 19 January 2016

http://blogs.msdn.com/b/adpowershell/archive/2009/09/05/token-bloat-troubleshooting-by-analyzing-group-nesting-in-ad.aspx


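function Get-GroupNesting ([string] $identity, [int] $level, [hashtable] $groupsVisitedBeforeThisOne, [bool] $lastGroupOfTheLevel)
{
    <#
    .SYNOPSIS
    Recursive worker for get-ADGroupNestingTOP: walks a group's memberOf chain upwards.

    .DESCRIPTION
    Looks up $identity with Get-ADGroup, records its DN in $groupsVisitedBeforeThisOne, increments
    the shared counter $global:numberOfRecursiveGroupMemberships and recurses into every parent
    group listed in memberOf that has not been visited yet. Returns the deepest nesting level
    reached under this group. When $showTree is set in a calling scope, each group is printed with
    Write-Host as a box-drawing tree.

    This function reads two variables it does not declare, resolved through PowerShell dynamic
    scoping from get-ADGroupNestingTOP: $showTree (its -ShowTree switch) and
    $lastGroupAtALevelFlags (per-level "last sibling" markers for the tree prefix). Calling it
    outside that function will not behave as intended.

    .PARAMETER identity
    Identity accepted by Get-ADGroup -Identity (memberOf entries passed down are DNs).
    .PARAMETER level
    Nesting depth of $identity relative to the root group (0 = root).
    .PARAMETER groupsVisitedBeforeThisOne
    Hashtable keyed by DN of groups already visited; used to stop cycles.
    .PARAMETER lastGroupOfTheLevel
    $true when $identity is the last parent of its child; only affects the tree connector drawn.

    .OUTPUTS
    [int] Deepest level reached under this group. Nothing when Get-ADGroup returns $null.

    .NOTES
    Change from the original: a group whose parents had all been visited already returned 0
    instead of its own depth, because the running maximum started at 0. It now starts at $level.
    The visited set still prunes re-traversal, so a depth reached only via a longer second path is
    not discovered; the reported value is a lower bound on the true maximum nesting.
    #>
    $group = Get-ADGroup -Identity $identity -Properties "memberOf"
    # Grow the per-level marker array so index $level exists.
    # NOTE(review): this assignment creates a function-local copy on the call paths where it runs,
    # while the later index write ($lastGroupAtALevelFlags[$level] = 1) mutates whatever array the
    # scope lookup finds. The tree prefixes depend on that interplay, so it is left unchanged here.
    if($lastGroupAtALevelFlags.Count -le $level)
    {
        $lastGroupAtALevelFlags = $lastGroupAtALevelFlags + 0
    }
    if($null -ne $group)
    {
        if($showTree)
        {
            # Vertical guide lines for every ancestor level except the immediate parent:
            # blank when that ancestor was the last sibling at its level, "│" otherwise.
            for($i = 0; $i -lt $level - 1; $i++)
            {
                if($lastGroupAtALevelFlags[$i] -ne 0)
                {
                    Write-Host -ForegroundColor Yellow -NoNewline "  "
                }
                else
                {
                    Write-Host -ForegroundColor Yellow -NoNewline "│ "
                }
            }
            # Branch connector for this node; the root (level 0) has none.
            if($level -ne 0)
            {
                if($lastGroupOfTheLevel)
                {
                    Write-Host -ForegroundColor Yellow -NoNewline "└─"
                }
                else
                {
                    Write-Host -ForegroundColor Yellow -NoNewline "├─"
                }
            }
            Write-Host -ForegroundColor Yellow $group.Name
        }
        # Mark as visited, keyed by DN (the form memberOf entries use), and count it.
        $groupsVisitedBeforeThisOne.Add($group.distinguishedName,$null)
        $global:numberOfRecursiveGroupMemberships ++
        $groupMemberShipCount = $group.memberOf.Count
        if ($groupMemberShipCount -gt 0)
        {
            # Start from this group's own depth so the result never drops below $level
            # when every parent has already been visited.
            $maxMemberGroupLevel = $level
            $count = 0
            foreach($groupDN in $group.memberOf)
            {
                $count++
                $lastGroupOfThisLevel = $false
                if($count -eq $groupMemberShipCount){$lastGroupOfThisLevel = $true; $lastGroupAtALevelFlags[$level] = 1}
                if(-not $groupsVisitedBeforeThisOne.Contains($groupDN)) #prevent cyclic dependencies
                {
                    $memberGroupLevel = Get-GroupNesting -Identity $groupDN -Level $($level+1) -GroupsVisitedBeforeThisOne $groupsVisitedBeforeThisOne -lastGroupOfTheLevel $lastGroupOfThisLevel
                    if ($memberGroupLevel -gt $maxMemberGroupLevel){$maxMemberGroupLevel = $memberGroupLevel}
                }
            }
            $level = $maxMemberGroupLevel
        }
        # No parents: $level is this group's own depth; otherwise the deepest level found above it.
        return $level
    }
}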

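function get-ADGroupNestingTOP {
<#
.SYNOPSIS
Reports how deeply an AD group is nested and how many groups its memberOf chain reaches.

.DESCRIPTION
Fetches the group with Get-ADGroup and, through Get-GroupNesting (defined in this file), walks
every parent group reachable via memberOf. The ADGroup object is returned with two NoteProperties
added:
  MaxNestingLevel            - deepest memberOf level reached (0 when the group has no parents)
  NestedGroupMembershipCount - number of distinct groups reached, not counting the group itself
This is the group-nesting analysis the linked MSDN post uses for token-bloat troubleshooting.
With -ShowTree the chain is also printed to the host as a box-drawing tree.

NOTE(review): memberOf is a back-link attribute and does not represent membership held through
primaryGroupID; confirm that is acceptable before treating these numbers as a token-size estimate.

.PARAMETER groupIdentity
Identity accepted by Get-ADGroup -Identity. Accepts pipeline input.
.PARAMETER showTree
Print the nesting chain with Write-Host.

.OUTPUTS
The ADGroup object with MaxNestingLevel and NestedGroupMembershipCount attached; nothing when
Get-ADGroup returns nothing.

.NOTES
Change from the original: the body now runs in a process block, so piping several identities
processes each of them; previously only the last pipeline item was handled because the body ran
once in the end block. Invocation with a positional or named argument is unchanged.
State shared with Get-GroupNesting: $global:numberOfRecursiveGroupMemberships (reset here per
group, so the function is not re-entrant), and $lastGroupAtALevelFlags / $showTree, which
Get-GroupNesting reads through dynamic scoping.
#>
[CmdletBinding()]
Param (
    [Parameter(Mandatory=$true,
        Position=0,
        ValueFromPipeline=$true,
        HelpMessage="DN or ObjectGUID of the AD Group."
    )]
    [string]$groupIdentity,
    [switch]$showTree
    )

process {
    # Reset per group: the counter and the tree markers must not carry over between pipeline items.
    $global:numberOfRecursiveGroupMemberships = 0
    $lastGroupAtALevelFlags = @()

    $groupObj = Get-ADGroup -Identity $groupIdentity
    if($groupObj)
    {
        [int]$maxNestingLevel = Get-GroupNesting -Identity $groupIdentity -Level 0 -GroupsVisitedBeforeThisOne @{} -lastGroupOfTheLevel $false
        Add-Member -InputObject $groupObj -MemberType NoteProperty  -Name MaxNestingLevel -Value $maxNestingLevel -Force
        # The counter includes the root group itself; subtract it to report only the groups above it.
        Add-Member -InputObject $groupObj -MemberType NoteProperty  -Name NestedGroupMembershipCount -Value $($global:numberOfRecursiveGroupMemberships - 1) -Force
        $groupObj
    }
}
}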



#http://blogs.msdn.com/b/adpowershell/archive/2009/09/05/token-bloat-troubleshooting-by-analyzing-group-nesting-in-ad.aspx
#Usage examples. Note: examples 1, 2 and 5 call a script named Get-ADGroupNesting.ps1 that is not
#defined in this page; the equivalent function defined here is get-ADGroupNestingTOP, as used in
#examples 3 and 4.
#1. PS GC:\> Get-ADGroupNesting.ps1 CarAnnounce
#
#2. PS GC:\> Get-ADGroupNesting.ps1 CarAnnounce –ShowTree
#
#3. PS GC:\> Get-ADPrincipalGroupMembership "de swaef.l" | % {Get-ADGroupNestingTOP $_} | FT Name,GroupCategory,NestedGroupMembershipCount,MaxNestingLevel –A
#
#4. PS GC:\> Get-ADPrincipalGroupMembership "deswaef.l" | Where {$_.GroupCategory -eq "Security"} | % {Get-ADGroupNestingTOP $_ -ShowTree | FT Name,GroupCategory,NestedGroupMembershipCount,MaxNestingLevel -A}
#
#5. PS GC:\> (Get-ADUser DonFu -Properties MemberOf).MemberOf | % {Get-ADGroupNesting.ps1 $_ -ShowTree} | FL DistinguishedName,NestedGroupMembershipCount,MaxNestingLevel