Looking up permissions with PowerShell

Most IT Support positions will require you to be able to assign and remove user permissions. Using PowerShell to do it can make your life easier.

Pictures of PowerShell are boring, so here’s a picture of my cat Chompers instead.

As an IT Support Specialist, a part of your daily work will most likely involve setting up users with the right permissions. If you’re not familiar with permissioning (or why it’s useful,) here’s a quick example:

Jack has been hired as a salesperson. To do his job, he’ll need access to various resources: the printer, email, a file server (but perhaps only certain folders on that server), and things of that nature. Permissions will control the kind of access Jack is able to get. This is usually done by using “groups.” The way this would work in this case would be that rather than adding Jack’s account individually to each resource, you add the “sales” group to those resources. Then, add Jack to that group to instantly give him access to everything he needs.

A nice thing about doing it this way is that every time someone gets hired as a salesperson, you simply add their account to that group and they automagically get access to all the relevant resources. Voila!

Windows uses something called “Active Directory” (frequently abbreviated to “AD” by IT professionals.) At some point in your first two or three years, you’ll want to read an Active Directory book to do a deep dive on this important topic. I like Active Directory in a Month of Lunches, (affiliate link) which is the one that I’m currently reading.

By the way, while important to learn, I don’t recommend starting with Active Directory first. That’s because the tasks you’ll likely be asked to complete in the beginning will be trivially easy to learn on the fly. That’s why, if you’re absolutely just starting off, I’d recommend that you first focus on PowerShell (affiliate link) because that will help you with a majority of systems out there (not just Microsoft products!)

Not surprisingly, there’s a PowerShell module for Active Directory. (They’re both Microsoft products, after all.) To install it, you’ll need to install RSAT tools. Once that’s installed, launch PowerShell by pressing start and typing “PowerShell ISE”. I like using the ISE instead of the command interface because the ISE allows you to type up scripts, but for this example, it doesn’t really matter which one you use.

Once you’ve got PowerShell launched, type: import-module ActiveDirectory in the blue screen portion and hit enter.

Now you’re all set to use PowerShell for all you AD needs!

I won’t delve too deep into how PowerShell works here (I suggest reading this book to get a strong background in PowerShell,) but basically PowerShell works with a verb-noun structure. If you want to get something, you’ll use the verb “get”. (No surprises there!) You’ll then provide the noun that you’d like to interact with. Here’s the example we’re working with today:


The uppercases don’t matter to PowerShell, but I’ve included them to make the words stand out. This PowerShell command in plain English would be: “Get me the Active Directory group membership of…”

Now, by itself, this would not be a very helpful command because we haven’t told PowerShell whose membership we want to look at. Try this instead:

Get-ADPrincipalGroupMembership JSmith

This will get you the groups that Jack Smith belongs to. You use the person’s username here, not their full name, which is why I used JSmith instead of Jack Smith.

This will bring up the groups that Jack Smith belongs to along with some other information that PowerShell thinks may be of interest to you. But really, we just want the group names, so let’s use this command:

Get-ADPrincipalGroupMembership JSmith | select name | sort-object name

In plain English, this would read: “Get me the Active Directory group membership of Jack Smith, only give me the names, and then sort the list alphabetically.”

This is really useful in cases where you don’t exactly know what groups someone should be in. Your boss might come to you and say something like: “We’ve got a new Finance person starting next week. Create their account and give them the same permissions that Mathilda has.” You can use the PowerShell command above to see exactly what permissions Mathilda has so you can assign groups to the incoming employee appropriately.

Another helpful use of this command is to determine what group membership you need. For example, if you’re asked to take over administration of the companies printers and print server, you may not know which group (or groups) control that. However, if you know that Jane is the current administrator, you can use the command above to list out her groups and see if there’s a likely candidate. If you see one called “PrinterAdministrator”, that’s probably the group you want to get added to.

You can do a lot more with PowerShell – to say that this is only scratching the surface is a huge understatement! I encourage you to learn as much as possible as soon as you can about this amazing tool, as it will pay dividends throughout your IT career!

With each post, I cover a new topic to help you get your start (or keep progressing) in your IT career. If it’s your first time visiting this blog, start here. Or, see all my posts about interview questions you should definitely be prepared for.

Author: Silicon Wanderer

I'm a merry wanderer on the path to financial independence through IT. I'm doing it, and I want to show you how you can to!

One thought on “Looking up permissions with PowerShell”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s