Question

I am trying to implement Taskpads (MMCs) for remote admins. Since I don't want to keep them on their workstations, I am keeping them on a file server and sharing them there. On the client side (i.e. on the remote admin's workstation), what I have is a PowerShell script (exe) which accepts the user's credentials, checks/verifies them, and after that opens the remote MMC which resides on the file server (on which the client only has read permission).

My question is: since I don't want to make a separate script for every admin, is there a way I could give them access to their taskpads on the fly, depending on the credentials they provided, with a single script? For example, if "admin_atlanta" logs in, then he will be provided access to "Taskpad_atlanta" and so on. All the admins belong to their respective groups, such as admin_atlanta belongs to "admins_atlanta".

Sorry if the question is redundant and long but please feel free to shoot any questions/clarifications regarding my problem.


Solution

You could do something like that (if you have verified the user credentials already):

$user = get-adobject -ldapfilter "(samaccountname=$username)" -properties memberof

Now you can use $user.memberof to iterate through all group memberships.

$user.memberof | % { if ($_ -match "admins_" ) { write-host "Found Admin Group"; <# DO MORE STUFF #> } }

For the user input we use this:

# Input - Read User Credentials
$cred = Get-Credential

# Split username & password
$username = $cred.username
$password = $cred.GetNetworkCredential().password

# Get your Domain
$Root = "LDAP://" + ([ADSI]"").distinguishedName
# Binding with the supplied credentials; the name property is only populated if the bind succeeds
$domain = New-Object System.DirectoryServices.DirectoryEntry($Root,$UserName,$Password)

if ($null -ne $domain.name)
{
    write-host "Authenticated"
}else{
    write-host "Not authenticated"
}

Hope that helps
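The group-to-taskpad mapping discussed in the answer above, as an added example that is not part of the original answers: it matches only the group's leading CN with an anchored pattern and builds the path from an allow-list of sites, so a stray group name or crafted value cannot steer the path. The share path `\\fileserver\Taskpads`, the function name `Resolve-TaskpadPath`, the site list and the sample DNs are assumptions made for illustration.

```powershell
# Added example: map AD group membership to a taskpad file.
# Assumptions: groups are named admins_<site>, taskpads Taskpad_<site>.msc,
# and \\fileserver\Taskpads is a placeholder share path.
function Resolve-TaskpadPath {
    param(
        [string[]]$MemberOf,                              # DNs from $user.memberof
        [string]$ShareRoot = '\\fileserver\Taskpads',     # placeholder
        [string[]]$KnownSites = @('atlanta', 'boston')    # allow-list of sites
    )
    foreach ($dn in $MemberOf) {
        # Anchor on the leading CN so "CN=old_admins_boston" or an OU whose
        # name merely contains "admins_" is not treated as an admin group.
        if ($dn -match '^CN=admins_(?<site>[A-Za-z0-9]+),') {
            $site = $Matches['site'].ToLowerInvariant()
            # Only allow-listed sites ever reach the file path.
            if ($KnownSites -contains $site) {
                return Join-Path $ShareRoot "Taskpad_$site.msc"
            }
        }
    }
    return $null   # no matching group: open nothing
}

# Constructed sample data (not real directory output)
$sampleMemberOf = @(
    'CN=VPN Users,OU=Groups,DC=example,DC=com',
    'CN=old_admins_boston,OU=Groups,DC=example,DC=com',
    'CN=admins_atlanta,OU=Groups,DC=example,DC=com'
)

$path = Resolve-TaskpadPath -MemberOf $sampleMemberOf
if ($path) { Write-Host "Would launch: mmc.exe `"$path`"" }
else       { Write-Host "No taskpad assigned" }
```

A client-side script only selects which file to open; the read permission on each .msc should be granted on the file server to the matching admins_<site> group so the mapping is enforced there as well.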

Other tips

Not sure what you want exactly. If all your users are in the same format, you can extract part of their name using split, for example:

Say $c is your Get-Credential result, you can do:

$name = ($c.UserName -split "admin_")[1] # outputs atlanta for the user admin_atlanta

Then do whatever you want, like "mmc Taskpad_$name.msc"

The PowerShell Community Extensions module has a command to help with this called Test-UserGroupMembership, e.g.:

C:\PS> Test-UserGroupMembership -GroupName Administrators -Identity joe
False
License: CC-BY-SA with attribution
Not affiliated with StackOverflow