ADSync Deny Group Comparison Powershell Script

in #adsync · 8 years ago

ADSync is used to sync Active Directory (AD) information from one domain to another; the transfer is asynchronous. From time to time clients have had issues with users not being able to sync their passwords to the remote AD. This script reads the deny (exclude) groups out of the ADSync config and lists the user's group memberships, so you can do a visual comparison to check whether the user is a member of a deny group.

Import-Module ActiveDirectory   # AD cmdlets used below (Get-ADGroup, Get-ADUser)

# Read the AD Sync config file from its default location
[xml]$xml = Get-Content "C:\Program Files\AD Sync\ADSync.exe.config"

# Pull the ExcludeGroups setting (a "|"-separated list of group distinguished names) out of the XML.
# -ExpandProperty returns the bare string, so there is no "@{value=...}" wrapper to trim away.
$excludeList = $xml.configuration.applicationSettings."EMS.Cortex.Sync.Service.My.MySettings".setting |
    Where-Object { $_.name -eq "ExcludeGroups" } |
    Select-Object -ExpandProperty value

# Get the user name
$userName = Read-Host 'What is the username in question?'

# Print the excluded (deny) groups configured for AD Sync, one per line
Write-Host "`n`nThe following are the Excluded Groups for AD Sync`n----------------------------------"
foreach ($i in $excludeList.Split("|")) {
    Get-ADGroup -Identity $i.Trim() | Select-Object DistinguishedName
}

# Print the user's group memberships (distinguished names) for comparison
Write-Host "`nThe following are the groups that '$userName' is part of`n----------------------------------"
(Get-ADUser $userName -Properties MemberOf).MemberOf
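An added example, not the original script, that does the comparison for you instead of leaving it to eyeballing: it reads the same config path and setting name as above, then reports which deny groups the user hits directly and, as an extra check the post does not cover (whether ADSync evaluates nested groups is not stated there), via nested membership. The function name and the nested-membership query are my additions.

```powershell
Import-Module ActiveDirectory

function Get-ADSyncDenyGroupMatches {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$ConfigPath = 'C:\Program Files\AD Sync\ADSync.exe.config'
    )

    # Same config path and setting name as the script above; -ExpandProperty returns the
    # bare "|"-separated string, so no "@{value=...}" wrapper needs trimming.
    [xml]$config = Get-Content -Path $ConfigPath -Raw
    $settings = $config.configuration.applicationSettings.'EMS.Cortex.Sync.Service.My.MySettings'.setting
    $raw = $settings | Where-Object { $_.name -eq 'ExcludeGroups' } | Select-Object -ExpandProperty value
    $denyGroups = @($raw -split '\|' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    $user   = Get-ADUser -Identity $UserName -Properties MemberOf
    $direct = @($user.MemberOf)

    # Nested membership (assumption: worth checking; the post does not say whether ADSync
    # evaluates it). LDAP_MATCHING_RULE_IN_CHAIN walks the group chain server-side; the user
    # DN is escaped so it is safe inside an LDAP filter.
    $dnEsc  = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    $nested = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dnEsc)" |
                Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $denyGroups) {
        $isDirect = $direct -contains $dn        # -contains is case-insensitive, fine for DNs
        [pscustomobject]@{
            DenyGroup = $dn
            Direct    = $isDirect
            Nested    = (-not $isDirect) -and ($nested -contains $dn)
        }
    }
}

# Usage: list only the deny groups the user actually matches, directly or through nesting.
Get-ADSyncDenyGroupMatches -UserName (Read-Host 'Username to check') |
    Where-Object { $_.Direct -or $_.Nested } |
    Format-Table -AutoSize
```

Drop the `Where-Object` filter to see every configured deny group with its Direct/Nested result, which is handy when the config lists a group DN that no longer exists.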