Authorization and Getting User Group Memberships
It’s a pretty common occurrence where I have to help determine why a particular user or users are getting an access denied to a resource I know little about. One side of that equation is seeing the object permissions.
The other side of the equation for determining access for a user to a resource is determining what the user would have in their access token. If you are logged on as the user this is easily done by using “Whoami.exe”. If you are not logged on as that user or if the user is a service account this can be difficult and require changing user rights or overcoming other hurdles.
Viewing the authorization blocker is something which is made much easier with the advent of the Windows Server 2012 and later feature called Access Denied Assistance (ADA). ADA makes the failure easy to discover for people who don’t necessarily know the ins and outs of how permissions are assessed and compared to allow or disallow access, and it’s a graphical user interface plugged into the object properties (file or folder). It’s also well documented on TechNet at this link and this link.
But what if you are not using Windows Server 2012 or later, or if the access denied or authorization failure you are looking into is not on a file or folder object? In those cases you need to compare the identity that is requesting access against the permissions on an Active Directory, service control manager or other object.
For the user group membership side of the concern I’ve written a script to make life easier for those scenarios. You can download it from the TechNet Script Gallery here: https://gallery.technet.microsoft.com/Get-User-Group-Memberships-b5930288 . The script can be run against any user in your domain and gives you a result file which contains their group memberships and any SIDHistory memberships they have.
More info about this script:
- The script does not require the Active Directory PowerShell module
- The script can be run as a non-Domain Admin
- The script is specific to the domain where you run it. This is significant because group scopes do not traverse all boundaries.
- The script will place results in a text file at the location of the prompt. The text file will be named after the username.
- This script will simply obtain all of the Windows token related items which can be used for authorization decisions. This includes groups as well as SIDHistory entries on the user in AD or on the groups the user is a member of.
- This script is not a substitute for the Server 2012 Access Denied Assistance feature. If you have it use that instead! It's awesome.
- Note: there is a known bug where local Administrators membership may appear with an incorrect group scope (shown below). The SID will still be the well-known local identifier, however.
Here’s a sample command line result of running it:
Getting group membership details for user tspring...
User group collection complete. Results are at C:\test\tspringGroupList.txt.
Here’s a sample result from that text file:
Friday, May 8, 2015 10:46:55 AM
Groups for user tspring
Domain\Name: NA\tspring
User SID: S-1-5-21-2255868-8675309-8675309-995152
Domain Name: northamerica.contoso.com
Forest Name: contoso.com
***************
Domain Users (Domain Global Group) : S-1-5-21-2255868-8675309-8675309-513
Administrators (Domain Local Group) : S-1-5-32-544
Read-OnlyNADFSGroup (Domain Global Group) : S-1-5-21-2255868-8675309-8675309-5555671
NA-BBGHT-445 (Domain Global Group) : S-1-5-21-2255868-8675309-8675309-5555671
Northamerica_PastaLovers (Domain Global Group) : S-1-5-21-2255868-8675309-8675309-5555671
SIDHistory Group Details
***************
[NONE FOUND]
User SIDHistory Details
***************
[NONE FOUND]
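As an added example (not the TechNet script linked above), the following PowerShell produces the same kind of listing using only System.DirectoryServices, so the Active Directory module is not required. It assumes it is run as a domain user who can read the domain it is joined to; the Find-ByFilter and Format-Sid helpers are my own names.

```powershell
# Added example, not the TechNet script from the post. Lists the group SIDs
# (tokenGroups) and SIDHistory values that would go into a user's access token,
# using only System.DirectoryServices. Results are relative to the domain the
# script is run in, just like the script the post describes.
param([Parameter(Mandatory)][string]$SamAccountName)

$domainDn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext

function Find-ByFilter([string]$Filter, [string[]]$Props) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn", $Filter)
    $null = $s.PropertiesToLoad.AddRange($Props)
    return $s.FindOne()
}

function Format-Sid([System.Security.Principal.SecurityIdentifier]$Sid) {
    # Resolve a SID to "Name (Scope Group) : SID". Builtin/well-known SIDs such as
    # S-1-5-32-544 that have no matching AD object fall back to NT account translation.
    $hit = Find-ByFilter "(objectSid=$($Sid.Value))" @('sAMAccountName', 'groupType')
    if ($hit) {
        $gt = [int]$hit.Properties['grouptype'][0]   # 0x2 global, 0x4 domain local, 0x8 universal
        $scope = if ($gt -band 0x2) { 'Global' } elseif ($gt -band 0x4) { 'Domain Local' } elseif ($gt -band 0x8) { 'Universal' } else { 'Unknown' }
        return '{0} ({1} Group) : {2}' -f $hit.Properties['samaccountname'][0], $scope, $Sid.Value
    }
    try { $name = $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $name = '<unresolved>' }
    return '{0} (well-known) : {1}' -f $name, $Sid.Value
}

$user = Find-ByFilter "(&(objectCategory=person)(sAMAccountName=$SamAccountName))" @('objectSid', 'sidHistory')
if (-not $user) { throw "User '$SamAccountName' not found under $domainDn" }
$userSid = New-Object System.Security.Principal.SecurityIdentifier($user.Properties['objectsid'][0], 0)

# tokenGroups is a constructed attribute: the DC performs the transitive (nested)
# group expansion that logon uses, so group SIDHistory values surface here too.
$entry = $user.GetDirectoryEntry()
$entry.RefreshCache([string[]]@('tokenGroups'))

"Groups for user $SamAccountName"
"Domain\Name: $($userSid.Translate([System.Security.Principal.NTAccount]).Value)"
"User SID: $($userSid.Value)"
'***************'
foreach ($raw in $entry.Properties['tokenGroups']) {
    Format-Sid (New-Object System.Security.Principal.SecurityIdentifier($raw, 0))
}
'User SIDHistory Details'
'***************'
$hist = @($user.Properties['sidhistory'] | Where-Object { $null -ne $_ })
if ($hist.Count -eq 0) { '[NONE FOUND]' }
foreach ($raw in $hist) {
    Format-Sid (New-Object System.Security.Principal.SecurityIdentifier($raw, 0))
}
```

Redirect the output to a file named after the user (for example `.\Get-TokenGroups.ps1 tspring > .\tspringGroupList.txt`) to get a result file like the one shown above.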