How to Use PowerShell to Display the FIM Security Groups
FIM ScriptBox Item
Summary
This script displays the security group assigned to each of the FIM Synchronization Service roles and whether that group is a domain group or a local group. It reads the group SIDs from the mms_server_configuration table of the Sync Service database and translates each one to an account name. By default these groups are local and are called FIMSyncAdmins, FIMSyncOperators, FIMSyncJoiners, FIMSyncBrowse and FIMSyncPasswordSet; however, the names can be changed during setup.
Script Code
```powershell
Function GroupLookup ($group_objSID)
{
    # The SID comes out of SQL as a byte array; build the SecurityIdentifier directly from it
    $group_SID = New-Object System.Security.Principal.SecurityIdentifier($group_objSID, 0)
    $group_GroupName = $group_SID.Translate([System.Security.Principal.NTAccount])
    $dName = $group_GroupName.Value.SubString(0, $group_GroupName.Value.IndexOf("\"))
    $cName = $group_GroupName.Value.SubString($group_GroupName.Value.IndexOf("\") + 1)

    if ((Get-WMIObject -Class Win32_ComputerSystem).Name -eq $dName)
    {
        # this is a local group
        "local group " + $dName + "\" + $cName
    }
    else
    {
        # this is a domain group
        $root = [ADSI]''
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter = "(&(objectClass=group)(CN=$cName))"
        $adfind = $searcher.FindOne()
        $DN = $adfind.Path
        "domain group " + $DN.SubString(7)   # strip the leading "LDAP://"
    }
}

# Read the Sync Service database location from the service's registry parameters
$regPath = "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\FIMSynchronizationService\Parameters"
$SQLServer   = (Get-ItemProperty -Path $regPath -Name Server).Server
$SQLDBName   = (Get-ItemProperty -Path $regPath -Name DBName).DBName
$SQLInstance = (Get-ItemProperty -Path $regPath -Name SQLInstance).SQLInstance

# Cast through [string] so a missing value becomes "" instead of failing on .Trim()
$SQLServer   = ([string]$SQLServer).Trim()
$SQLDBName   = ([string]$SQLDBName).Trim()
$SQLInstance = ([string]$SQLInstance).Trim()

if ($SQLServer -eq "") { $SQLServer = "localhost" }
if ($SQLInstance -ne "") { $SQLServer = "$SQLServer\$SQLInstance" }

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "server=$SQLServer;database=$SQLDBName;Integrated Security=sspi"
$conn.Open()

$sql = "SELECT * FROM [" + $SQLDBName + "].[dbo].[mms_server_configuration]"
$cmd = New-Object System.Data.SqlClient.SqlCommand($sql, $conn)
$rdr = $cmd.ExecuteReader()
while ($rdr.Read())
{
    $groupa_objSID = $rdr["administrators_sid"]
    $groupo_objSID = $rdr["operators_sid"]
    $groupj_objSID = $rdr["account_joiners_sid"]
    $groupb_objSID = $rdr["browse_sid"]
    $groupp_objSID = $rdr["passwordset_sid"]
}
$rdr.Close()
$conn.Close()

$FIMSyncAdmins      = GroupLookup $groupa_objSID
$FIMSyncOperators   = GroupLookup $groupo_objSID
$FIMSyncJoiners     = GroupLookup $groupj_objSID
$FIMSyncBrowse      = GroupLookup $groupb_objSID
$FIMSyncPasswordSet = GroupLookup $groupp_objSID

"FIMSyncAdmins group is " + $FIMSyncAdmins
"FIMSyncOperators group is " + $FIMSyncOperators
"FIMSyncJoiners group is " + $FIMSyncJoiners
"FIMSyncBrowse group is " + $FIMSyncBrowse
"FIMSyncPasswordSet group is " + $FIMSyncPasswordSet
```
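The script above stops with an exception if one of the stored SIDs no longer resolves (for example, a domain group that was deleted after setup), and it only tells you which group holds each role, not who is in it. The following is an added example, not part of the FIM ScriptBox script, that handles an unresolvable SID and lists the members of the resolved group so the role assignments can be reviewed. It assumes it runs on the FIM Synchronization Service host under Windows PowerShell 2.0 or later; the function names Resolve-FimGroupSid and Get-FimGroupMember are my own.

```powershell
# Added example (not the FIM ScriptBox script): resolve a FIM role SID to an
# account without crashing on a SID that no longer maps, then list the group's
# members. Assumes it runs on the Sync Service host (Windows PowerShell 2.0+).

function Resolve-FimGroupSid {
    param(
        # Binary SID as stored in mms_server_configuration, or an SDDL string ("S-1-5-...")
        [Parameter(Mandatory = $true)] $Sid
    )
    if ($Sid -is [byte[]]) {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid, 0)
    } else {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier([string]$Sid)
    }
    try {
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Group deleted or domain unreachable: report it rather than abort the whole run
        return New-Object PSObject -Property @{ Sid = $sidObj.Value; Account = $null; Scope = 'unresolved' }
    }
    $domainPart, $namePart = $account.Split('\', 2)
    # BUILTIN groups (e.g. BUILTIN\Administrators) are local even though the prefix is not the host name
    $isLocal = ($domainPart -ieq $env:COMPUTERNAME) -or ($domainPart -ieq 'BUILTIN')
    $scope = if ($isLocal) { 'local' } else { 'domain' }
    New-Object PSObject -Property @{ Sid = $sidObj.Value; Account = $account; Scope = $scope }
}

function ConvertTo-LdapFilterValue {
    # Escape the characters that are special in an LDAP filter (RFC 4515 hex form)
    param([string] $Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-FimGroupMember {
    param(
        # An object returned by Resolve-FimGroupSid
        [Parameter(Mandatory = $true)] $Resolved
    )
    if ($Resolved.Scope -eq 'unresolved') { return @() }
    $domainPart, $namePart = $Resolved.Account.Split('\', 2)

    if ($Resolved.Scope -eq 'local') {
        # WinNT provider: lists local group members without the ActiveDirectory module
        $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$namePart,group"
        @($grp.psbase.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
        }
    } else {
        # Domain group: search by sAMAccountName and return the member DNs
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.Filter = "(&(objectClass=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $namePart)))"
        $hit = $searcher.FindOne()
        if ($hit) { @($hit.Properties['member']) } else { @() }
    }
}

# Constructed sample input: the well-known SID of BUILTIN\Administrators, present on every host.
# On a FIM server you would pass the byte arrays read from mms_server_configuration instead.
$r = Resolve-FimGroupSid -Sid 'S-1-5-32-544'
"{0} group {1}" -f $r.Scope, $r.Account
Get-FimGroupMember -Resolved $r
```

The Scope value 'unresolved' is the case worth acting on: a FIM role whose SID no longer maps to a group means that role is either orphaned or was re-created under a new SID, so the assignment should be checked in the Synchronization Service configuration rather than assumed correct.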
Note
To provide feedback about this article, create a post on the FIM TechNet Forum.
For more FIM-related Windows PowerShell scripts, see the FIM ScriptBox.