
Get-ACL and nested groups

I've seen some code here related to formatting Get-Acl output, and since by the look of it it's not recommended to answer with a question, I'm starting a new thread. I have a couple of AD groups nested in some local security groups whose names include tom and dom. I'd like to expand the locals to show me their member groups. I'm not concerned with users within the groups. Can someone suggest a way of doing this? I thought of using Get-CimInstance, but this seems to filter only by a specific group name, whereas in my case I'd rather use what comes back from what I've got so far:

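# Collect every folder under c:\drv
$folders = dir c:\drv -recurse | where {$_.psiscontainer -eq $true}
$folders |
foreach-object {
  # Keep the current folder in a variable; $_ is rebound inside the nested script blocks
  $folder = $_
  # Read the ACL of this folder and keep only ACEs whose principal matches tom or dom
  Get-Acl -Path $folder.FullName | Select-Object -ExpandProperty Access | where {$_.identityreference -match "tom|dom"} |
  Select-Object @{n="object";e={ $folder.fullname }},
    @{n="security_principal";e={ $_.identityreference }},
    @{n="type";e={ $_.accesscontroltype }},
    @{n="rights";e={ $_.filesystemrights }}
} | ft -AutoSize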

So ideally, what comes out as security_principal would be split into the members of my groups, and even better if it displayed only member groups that contain certain wildcards. It'll probably be easier to get the 2 groups and list their members before the rest of the code runs, which is fine, but again I'm having trouble getting that to work using Get-CimInstance and don't know another way.

You could view local group membership as follows using PowerShell and ADSI.

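$Server = 'server1'
$LocalGroup = 'Administrators'
# Bind to the local group through the WinNT ADSI provider
$Group= [ADSI]"WinNT://$Server/$LocalGroup,group"
# Members() returns COM objects, so properties are read through reflection
$Members = @($Group.psbase.Invoke("Members"))
Foreach($Member in $Members){
    # Output the name of each direct member (users and groups alike)
    $Member.GetType().InvokeMember("Name", 'GetProperty', $null, $Member, $null)
}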
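
The following added example (not code from either poster) combines the ACL scan from the question with the ADSI lookup from the answer, so each matching ACE is listed together with the groups nested inside the local group that holds the permission. It assumes the scan runs on the machine that hosts the local groups; the function name Get-LocalGroupMemberGroup and the $MemberLike wildcard are hypothetical names chosen for illustration.

```powershell
# Added example. Assumptions: run on the server that owns the local groups;
# $MemberLike and Get-LocalGroupMemberGroup are illustrative names.
$Root       = 'C:\drv'           # folder tree from the question
$NameFilter = 'tom|dom'          # regex from the question
$MemberLike = '*'                # wildcard applied to nested group names
$Server     = $env:COMPUTERNAME

function Get-LocalGroupMemberGroup {
    param([string]$Server, [string]$LocalGroup, [string]$Like = '*')
    try {
        $group = [ADSI]"WinNT://$Server/$LocalGroup,group"
        foreach ($m in @($group.psbase.Invoke('Members'))) {
            $t     = $m.GetType()
            $class = $t.InvokeMember('Class', 'GetProperty', $null, $m, $null)
            $name  = $t.InvokeMember('Name',  'GetProperty', $null, $m, $null)
            # Skip users; keep only nested groups whose name fits the wildcard
            if ($class -eq 'Group' -and $name -like $Like) { $name }
        }
    } catch {
        # Principal is not a local group on $Server (or cannot be read): no members
    }
}

$cache = @{}   # expand each local group once, however many folders reference it
Get-ChildItem -Path $Root -Recurse -Directory | ForEach-Object {
    $folder = $_
    (Get-Acl -Path $folder.FullName).Access |
        Where-Object { $_.IdentityReference -match $NameFilter } |
        ForEach-Object {
            $ace = $_
            # IdentityReference looks like SERVER1\groupname; keep the group part
            $local = ($ace.IdentityReference.Value -split '\\')[-1]
            if (-not $cache.ContainsKey($local)) {
                $cache[$local] = @(Get-LocalGroupMemberGroup -Server $Server `
                    -LocalGroup $local -Like $MemberLike)
            }
            [pscustomobject]@{
                object             = $folder.FullName
                security_principal = $ace.IdentityReference
                member_groups      = $cache[$local] -join ', '
                type               = $ace.AccessControlType
                rights             = $ace.FileSystemRights
            }
        }
} | Format-Table -AutoSize
```

Only direct member groups are listed; a group nested more than one level deep would need a further lookup against the directory that holds it.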
