How to get all groups that a user is a member of?

攒了一身酷 2020-12-04 05:56

PowerShell's Get-ADGroupMember cmdlet returns members of a specific group. Is there a cmdlet or property to get all the groups that a particular user is a member of?

30 answers
  • 2020-12-04 06:41

    I wrote a PowerShell function called Get-ADPrincipalGroupMembershipRecursive. It accepts the DSN of a user, computer, group, or service account. It retrieves an initial list of groups from the account's memberOf attribute, then recursively checks those groups' memberships. Abbreviated code is below. Full source code with comments can be found here.

    function Get-ADPrincipalGroupMembershipRecursive {

        Param(
            [string] $dsn,
            [array] $groups = @()
        )

        # Read the direct group memberships of the object
        $obj = Get-ADObject $dsn -Properties memberOf

        foreach( $groupDsn in $obj.memberOf ) {

            $tmpGrp = Get-ADObject $groupDsn -Properties memberOf

            # Recurse only into groups not collected yet, so circular nesting terminates
            if( @($groups | Where-Object { $_.DistinguishedName -eq $groupDsn }).Count -eq 0 ) {
                $groups += $tmpGrp
                $groups = Get-ADPrincipalGroupMembershipRecursive $groupDsn $groups
            }
        }

        return $groups
    }
    
    # Simple Example of how to use the function
    $username = Read-Host -Prompt "Enter a username"
    $groups   = Get-ADPrincipalGroupMembershipRecursive (Get-ADUser $username).DistinguishedName
    $groups | Sort-Object -Property name | Format-Table
    
  • 2020-12-04 06:41
    Import-Module ActiveDirectory
    Get-ADUser -SearchBase "OU=Users,DC=domain,DC=local" -Filter * | foreach-object {
        write-host "User:" $_.Name -foreground green
        Get-ADPrincipalGroupMembership $_.SamAccountName | foreach-object {
            write-host "Member Of:" $_.name
        }
    }
    

    Change the value of -SearchBase to reflect the OU you need to list the users from :)

    This will list all of the users in that OU and show you which groups they are a member of.

  • 2020-12-04 06:42

    No need for long scripts when it is a simple one liner..

    QUEST Command

    (Get-QADUser -Identity john -IncludedProperties MemberOf | Select-Object MemberOf).MemberOf
    

    MS AD Command

    (Get-ADUser -Identity john -Properties MemberOf | Select-Object MemberOf).MemberOf
    

    I find the MS AD cmd is faster but some people like the Quest ones better..

    Steve

  • 2020-12-04 06:43

    It is just one line:

    (get-aduser joe.bloggs -properties *).memberof
    

    end of :)

  • 2020-12-04 06:44

    I use this simple one-liner to recursively search all the groups a user is a member of:

    Get-ADPrincipalGroupMembership $UserName | foreach-object { Get-ADPrincipalGroupMembership $_.SamAccountName | select SamAccountName }
    

    To filter the groups to find out if a user is a member of a specific group, I use this:

    if ( Get-ADPrincipalGroupMembership $UserName | foreach-object { Get-ADPrincipalGroupMembership $_.SamAccountName | select SamAccountName } | where-object {$_.SamAccountName -like "*$Groupname*"} ) { write-host "Found" } else { write-host "not a member of group $Groupname" }
    
  • 2020-12-04 06:47

    A more concise alternative to the one posted by Canoas, to get group membership for the currently-logged-on user.

    I came across this method in this blog post: http://www.travisrunyard.com/2013/03/26/auto-create-outlook-mapi-user-profiles/

    ([ADSISEARCHER]"samaccountname=$($env:USERNAME)").Findone().Properties.memberof
    

    An even better version which uses a regex to strip the LDAP guff and leaves the group names only:

    ([ADSISEARCHER]"samaccountname=$($env:USERNAME)").Findone().Properties.memberof -replace '^CN=([^,]+).+$','$1'
    

    More details about using the [ADSISEARCHER] type accelerator can be found on the scripting guy blog: http://blogs.technet.com/b/heyscriptingguy/archive/2010/08/24/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory.aspx

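Added example, not taken from any answer in the thread: the memberOf attribute lists only direct memberships and leaves out the primary group, so for an access review the function below asks the domain controller for the transitive set with the LDAP_MATCHING_RULE_IN_CHAIN matching rule and labels each group as primary, direct or nested. It assumes the ActiveDirectory module and a reachable domain controller; the function names `ConvertTo-LdapFilterValue` and `Get-ADUserEffectiveGroup` are illustrative, and `john` is the sample account used in the answers above.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and a reachable domain controller; function names are illustrative.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape RFC 4515 special characters so a DN like "CN=Smith\, John (Ops),..."
    # can be embedded in an LDAP filter without altering the filter.
    param([Parameter(Mandatory)] [string] $Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-ADUserEffectiveGroup {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Identity)

    $user   = Get-ADUser -Identity $Identity -Properties memberOf, primaryGroupID
    $direct = @($user.memberOf)

    # The primary group (usually Domain Users) is stored as a RID in primaryGroupID,
    # not in memberOf, so resolve it from the domain SID plus that RID.
    $primary = Get-ADGroup -Identity "$($user.SID.AccountDomainSid)-$($user.primaryGroupID)"
    $groups  = @($primary)

    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941): the domain controller
    # walks the member chain itself, so deep or circular nesting needs no client-side
    # recursion. Query once for the user and once for the primary group.
    foreach ($dn in @($user.DistinguishedName, $primary.DistinguishedName)) {
        $filter  = "(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $dn))"
        $groups += @(Get-ADGroup -LDAPFilter $filter)
    }

    $groups | Sort-Object -Property DistinguishedName -Unique | ForEach-Object {
        $via = 'Nested'
        if ($direct -contains $_.DistinguishedName) { $via = 'Direct' }
        if ($_.DistinguishedName -eq $primary.DistinguishedName) { $via = 'Primary' }
        [pscustomobject]@{
            Name              = $_.Name
            Via               = $via
            GroupScope        = $_.GroupScope
            DistinguishedName = $_.DistinguishedName
        }
    }
}

# Usage: every group the account is effectively in, and how it got there
Get-ADUserEffectiveGroup -Identity 'john' | Sort-Object Via, Name | Format-Table -AutoSize
```

The query covers the domain that the cmdlets connect to; memberships held in other domains of the forest need the same query run against those domains.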