发表新帖
发表新帖

How to get all groups that a user is a member of?

后端 未结
关注
30 1639
攒了一身酷
攒了一身酷 2020-12-04 05:56

PowerShell\'s Get-ADGroupMember cmdlet returns members of a specific group. Is there a cmdlet or property to get all the groups that a particular user is a member of?

相关标签:
30条回答
  • 一向
    2020-12-04 06:32

    Use:

    Get-ADPrincipalGroupMembership username | select name | export-CSV username.csv

    This pipes output of the command into a CSV file.

    0 讨论(0)
  • 你的背包
    2020-12-04 06:34

    When you do not have privileges to consult other member groups but you do have the privilege to consult group members, you can do the following to build a map of which user has access to which groups.

    $groups = get-adgroup -Filter * | sort name | select Name
$users = @{}
foreach($group in $groups) {
    $groupUsers = @()
    $groupUsers = Get-ADGroupMember -Identity $group.Name | Select-Object SamAccountName
    $groupUsers | % {
        if(!$users.ContainsKey($_.SamAccountName)){
            $users[$_.SamAccountName] = @()
        }
        ($users[$_.SamAccountName]) += ($group.Name)
    }
}
    0 讨论(0)
  • 情话喂你
    2020-12-04 06:34

    Almost all above solutions used the ActiveDirecotry module which might not be available by default in most cases.

    I used below method. A bit indirect, but served my purpose.

    List all available groups

    Get-WmiObject -Class Win32_Group

    And then list the groups the user belongs to

    [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups

    Comparison can then be done via checking through the SIDs. This works for the logged in user. Please correct me if I am wrong. Completely new to PowerShell, but had to get this done for a work commitment.

    0 讨论(0)
  • 北荒
    2020-12-04 06:34

    Studying all comments presented gave me a starting point (thanks for such) but left me with several unresolved issues. As result here is my answer. The code snippet provided does a little more than what is asked for but it provides helpful debugging info.

    [array] $script:groupsdns = @()
function Get-ADPrincipalGroupMembershipRecursive() 
{
  Param( [string] $dn, [int] $level = 0, [array] $groups = @() )

  #if(($groupsdns | where { $_.DistinguishedName -eq $dn }).Count -ne 0 ) { return $groups } # dependency on next statement
  #$groupsdns += (Get-ADObject $dn -Properties MemberOf) # Get-ADObject cannot find an object with identity
  if ($script:groupsdns.Contains($dn)) { return $groups }
  $script:groupsdns += $dn
  $mo = $Null
  $mo = Get-ADObject $dn -Properties MemberOf # Get-ADObject cannot find an object with identity
  $group = ($dn + " (" + $level.ToString())
  if ($mo -eq $Null) { $group += "!" }
  $group += ")"
  $groups += $group
  foreach( $groupdn in $mo.MemberOf )
  {
    $groups = Get-ADPrincipalGroupMembershipRecursive -dn $groupdn -level ($level+1) -groups $groups
  }
  if ($level -le 0) 
  { 
    $primarygroupdn = (Get-ADUser -Identity $dn -Properties PrimaryGroup).PrimaryGroup 
    $groups = Get-ADPrincipalGroupMembershipRecursive -dn $primarygroupdn -level ($level+1) -groups $groups
  }
  return $groups
}
$adusergroups = Get-ADPrincipalGroupMembershipRecursive -dn $aduser.DistinguishedName
$adusergroups | ft -AutoSize | `
              Out-File -Width 512 Get-ADPrincipalGroupMembershipRecursive.txt #-Append #-Wrap # | Sort-Object -Property Name
    0 讨论(0)
  • 难免孤独
    2020-12-04 06:35

    I couldn't get the following to work for a particular user:

    Get-ADPrincipalGroupMembership username

    It threw an error that I was not willing to troubleshoot.

    I did however come up with a different solution using Get-ADUser. I like it a bit better because if you don't know the account name then you can get it based off of a wildcard on the user's actual name. Just fill in PartOfUsersName and away it goes.

    #Get the groups that list of users are the member of using a wildcard search

[string]$UserNameLike = "*PartOfUsersName*" #Use * for wildcards here
[array]$AccountNames = $(Get-ADUser -Filter {Name -like $UserNameLike}).SamAccountName

ForEach ($AccountName In $AccountNames) {
Write-Host "`nGETTING GROUPS FOR" $AccountName.ToUpper() ":"
(Get-ADUser -Identity $AccountName -Properties MemberOf|select MemberOf).MemberOf|
    Get-ADGroup|select Name|sort name
    }

    Huge props to schmeckendeugler and 8DH for getting me to this solution. +1 to both of you.

    0 讨论(0)
  • 我寻月下人不归
    2020-12-04 06:35

    With user input and fancy output formatting:

    [CmdletBinding(SupportsShouldProcess=$True)] 
Param( 
    [Parameter(Mandatory = $True)] 
    [String]$UserName 
) 
Import-Module ActiveDirectory 
If ($UserName) { 
    $UserName = $UserName.ToUpper().Trim() 
    $Res = (Get-ADPrincipalGroupMembership $UserName | Measure-Object).Count 
    If ($Res -GT 0) { 
        Write-Output "`n" 
        Write-Output "$UserName AD Group Membership:" 
        Write-Output "===========================================================" 
        Get-ADPrincipalGroupMembership $UserName | Select-Object -Property Name, GroupScope, GroupCategory | Sort-Object -Property Name | FT -A 
    } 
}
    0 讨论(0)
 看不清?
提交回复
热议问题