Managing a new app means documenting who has access. Let’s start with Active Directory groups, assuming the previous SysAdmin(s) consistently named AD groups for applications.
Get-ADGroup -filter {name -like "*foo*"}
This PowerShell command returns every AD group whose name contains the string “foo” (with the cmdlet’s default set of properties). Replace foo with your app name.
Let’s break down the command:
Get-ADGroup
This is the cmdlet (from the ActiveDirectory module) that queries the current user’s domain controller for groups.
-filter
Only return results matching the expression inside the braces that follow the flag.
{name -like "*foo*"}
Return only AD groups whose name property matches the wildcard pattern “*foo*” (note that -like uses wildcards, where * matches any run of characters, not a regular expression).
Assuming your security team (or your SysAdmin predecessor) has applied some level of common sense to naming their AD groups and is following RBAC standards, you should find some preliminary results to dig into further.
You’ll probably find more than one result with almost identical members. Maybe one is a retired group; maybe it’s for a different environment. These sorts of questions lead to helpful discussions with security and business SMEs in your organization.
Use the results to begin creating documentation on your application’s security. Auditors will love you for this. And the boss always wants to know about the security of your app at the worst possible moment. Having these groups documented will make you the hero of your team at one point or another. I’ve included a sample table to get started.
| Group | Description | Members | Last Certified |
|---|---|---|---|
| app_x_admins | Administrators for app “X” | domain\larry, domain\curly, domain\moe | 2020-01-02 |
| app_x_group_a_users | Users for feature “A” | domain\tom, domain\dick, domain\harry | Never |
| app_x_group_b_users | Users for feature “B” | domain\jane, domain\john | 2020-01-02 |
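The script below is an added example, not code from the original post: it runs the group search above for one application, expands each group’s effective membership, flags groups with identical members (the “retired or other-environment duplicate?” case), and writes the starter inventory table as CSV. It assumes the RSAT ActiveDirectory module is installed and the caller can read group membership; $AppName and $OutFile are placeholders you supply.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post). Builds an access inventory for
# one application from AD groups whose name contains the app name.
# Assumes: ActiveDirectory module present, read access to group membership.
param(
    [Parameter(Mandatory)][string]$AppName,                    # placeholder, e.g. "foo"
    [string]$OutFile = ".\$AppName-access-inventory.csv"       # placeholder output path
)
Import-Module ActiveDirectory

$netbios = (Get-ADDomain).NetBIOSName
# -like takes a wildcard pattern, not a regex: * matches any run of characters
$filter  = "Name -like '*$AppName*'"

$rows = Get-ADGroup -Filter $filter -Properties Description, whenChanged |
    ForEach-Object {
        $group = $_
        # -Recursive expands nested groups so the table lists effective members
        $members = @(Get-ADGroupMember -Identity $group -Recursive |
            Sort-Object SamAccountName |
            ForEach-Object { "$netbios\$($_.SamAccountName)" })
        [pscustomobject]@{
            Group         = $group.Name
            Description   = $group.Description
            Members       = $members -join ', '
            MemberCount   = $members.Count
            LastModified  = $group.whenChanged
            LastCertified = 'Never'   # set by a human once the list is reviewed
        }
    }

# Groups with identical membership are the first ones to ask the SMEs about:
# a retired copy, or the same role in a different environment.
$rows | Group-Object Members | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("Identical membership: " + ($_.Group.Group -join ', '))
}

$rows | Sort-Object Group | Format-Table Group, MemberCount, LastCertified -AutoSize
$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

The CSV has the same columns as the sample table plus MemberCount and LastModified, so it can be pasted into your documentation and re-run at each certification.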
Find more details on using this PowerShell module in Microsoft’s official documentation.