Find out if a Security Account Manager (SAM) name is a user or a group

Question 1

You can use a variavle using :

$sam = "My Users"
Get-ADObject -Filter {(SamAccountName -eq $sam)}

But I agree that using vars in -Filter sometimes results in strange behaviours with vars (see this question), so I prefer to use -LDAPFilter.

Get-ADObject -LDAPFilter "(SamAccountName =$user)"

Be careful the -LDAPFilter use polish notation for the filter, it's a bit disconcerting at the begining, but here, it's the natural way of filtering using the underlaying protocol LDAP.

You can get more information about this syntax in Search Filter Syntax, you can also get corresponding filters in About_ActiveDirectory_Filter.

Question 2

I am guessing you are getting an array of trustees. (i.e User,Group,user,user,Group). So if you get a group then you want to pull the members from it too?

So I would look to see if it is a group, like how you are doing first and then pulling those members out of it. Add it to an another array which will contain every single user for your NTFS permissions.

$arraytrustees

#Create a blank Array

$NTFSUsers =@()
for each ($object in $arraytrustees){

$ObjectClass = (Get-ADObject -filter {SamAccountName -eq $object}).ObjectClass

  If ($ObjectClass -eq "group"){
  $AdGroupUsers = (Get-ADGroupMember -identity $object).SamAccountName
  $NTFSUsers = $NTFSUsers + $AdGroupUsers
   }else{
    $NTFSUsers = $NTFSUsers + $ojbect
  }
}

Question 3

I was asked to list all members of the groups, along with their ID, Name, and Description as well, so I added a couple of lines.

cls
$Users = @()
$Groups = @()
$list = Get-Content z:\pcm2.txt
Foreach ($o in $list)
{
$ObjectClass = (Get-ADObject -Filter {SamAccountName -eq $o}).ObjectClass
  If ($ObjectClass -eq "User")
  {
  $U = Get-ADUser -Properties * -Identity $o
  $User = "" | Select FullUserName, LoginID, Description
  $User.FullUserName = $U.DisplayName
  $User.LoginID = $U.SamAccountName
  $User.Description = $U.description
  $Users += $User
  }
 Else
 {
 If ($ObjectClass -eq "Group")
 {
 $G = Get-ADGroup -Properties * -Identity $o
 $GM = Get-ADGroupMember -Identity $G.name -Recursive | Get-ADUser -Properties *
 Foreach ($gmember in $GM)
 {
 $Group = "" | Select GroupName, GroupDescription, GroupMemberName, GroupMemberLoginID, GroupMemberDesc
 $Group.GroupName = $G.Name
 $Group.GroupDescription = $G.Description
 $Group.GroupMemberName = $gmember.Name
 $Group.GroupMemberLoginID = $gmember.SamAccountName
 $Group.GroupMemberDesc = $gmember.Description
 $Groups += $Group
 }
}
}
}
$Users | Export-Csv z:\PCMUsers.csv -NoTypeInformation
$Groups | Export-Csv z:\PCMGroups.csv -NoTypeInformation

Question 4

I received a list and was asked to determine whether the objects were users or group, and I came up with this. It worked!

cls
$Users = @()
$Groups = @()
$list = Get-Content z:\pcm.txt
Foreach ($o in $list)
{
$ObjectClass = (Get-ADObject -Filter {SamAccountName -eq $o}).ObjectClass
  If ($ObjectClass -eq "User")
  {
  $U = Get-ADUser -Properties * -Identity $o
  $User = "" | Select FullUserName, LoginID, Description
  $User.FullUserName = $U.DisplayName
  $User.LoginID = $U.SamAccountName
  $User.Description = $U.description
  $Users += $User
  }
 Else
 {
 If ($ObjectClass -eq "Group")
 {
 $G = Get-ADGroup -Properties * -Identity $o
 $Group = "" | Select GroupName, Description
 $Group.GroupName = $G.Name
 $Group.Description = $G.Description
 $Groups += $Group
 }
}
}
$Users | Export-Csv z:\Users.csv -NoTypeInformation
$Groups | Export-Csv z:\Groups.csv -NoTypeInformation