Confirming AD group membership using Powershell

    Question

  • Hello

    I have a list of AD objects (groups/users).

    User1
    User2
    User3
    Group1
    Group2

    I need to check that each object is a member of a correct group. This group membership is not the same per object. So, back to the example:

    User1 should be a member of DomainAdmins, Enterprise Admins
    User2 should be a member of SchemaAdmin
    User3 should be a member of FinanceAdmins

    and so on.

    I would like to run a script that checks that each object is a member of the correct groups. If it is a member of extra groups or missing a group, then the script would highlight it.

    Any idea how I can do this via Quest or Powershell v2? Doesn't have to be fancy, just works :-)

    Thursday, July 21, 2011 4:39 PM

Answers

  • I have an example PowerShell script demonstrating a function to check security group membership linked here:

    http://gallery.technet.microsoft.com/scriptcenter/5adf9ad0-1abf-4557-85cd-657da1cc7df4

    The function uses the tokenGroups attribute of the objects. The function will not check membership in distribution groups, but it reveals membership in all other groups, including direct membership, membership due to group nesting, and the "primary" group. The function can handle as many AD objects as desired, and only retrieves the memberships for each object being checked once.

     


    Richard Mueller - MVP Directory Services
    • Marked as answer by Tiger Li Friday, July 29, 2011 2:41 AM
    Thursday, July 21, 2011 5:06 PM
  • function Check-IsGroupMember{

    Param($user,$grp)

    # LDAP filter for a group object with the given name.
    # Note: $grp is inserted into the filter as-is, so only pass trusted group names
    # (LDAP metacharacters such as * ( ) \ would change the query).
    $strFilter = "(&(objectClass=Group)(name=" + $grp +"))"

    # Bind to the default naming context of the current domain.
    $objDomain = New-Object System.DirectoryServices.DirectoryEntry

    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot = $objDomain
    $objSearcher.PageSize = 1000
    $objSearcher.Filter = $strFilter
    $objSearcher.SearchScope = "Subtree"

    $colResults = $objSearcher.FindOne()

    # No group with that name: return $false instead of failing on a null result.
    if ($colResults -eq $null) { return $false }

    # 'member' holds the distinguished names of the group's direct members. Join them
    # into one string and do a case-insensitive substring match (AD names are not
    # case-sensitive). Nested and primary-group memberships are not visible here.
    $objItem = $colResults.Properties
    ([string]$objItem.member).IndexOf([string]$user, [StringComparison]::OrdinalIgnoreCase) -ge 0

    }

    Usage:

    Check-IsGroupMember "name of user" "DomainAdmins"

    This function uses ADSI to check whether the member property of the group contains the name of the user. It returns true if the user is a member.

    It can be used for any groups, not just security groups.
    • Marked as answer by Tiger Li Friday, July 29, 2011 2:41 AM
    Friday, July 22, 2011 6:45 AM

All replies

  • You are making it much more complicated than it needs to be.

    Import-Module ActiveDirectory

    $user = "something"

    # memberOf holds the DNs of the groups the user is a direct member of; resolve each DN to its group name.
    [array]$grps = Get-ADUser $user -Properties memberOf | Select-Object -ExpandProperty memberOf | Get-ADGroup | Select-Object Name

    # -match is a regex substring match ("Admins" also matches "FinanceAdmins"); use -eq for an exact name.
    foreach ($grp in $grps) {
        if ($grp.Name -match "GroupName") {
            # Do stuff here
        }
    }

    Probably want to add try/catch for error checking.


    • Edited by EFD7887 Tuesday, August 20, 2013 12:57 PM
    Tuesday, August 20, 2013 12:55 PM
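The original question asks for a script that compares each object's actual groups against the groups it should be in and flags anything missing or extra. The following is an added example building on the Get-ADUser/memberOf approach from the last reply; it is not code from this thread or from Microsoft. The $expected table is constructed from the question's sample list (the names must match the real AD group Name values, for instance the built-in group is 'Domain Admins'), and the function names Get-DirectGroupNames and Compare-GroupMembership are this example's own. It uses Get-ADPrincipalGroupMembership so that users and groups are handled alike; only direct memberships are compared, so access granted through nesting is not credited (the tokenGroups approach in the accepted answer is the way to see nested memberships).

```powershell
Import-Module ActiveDirectory

# Constructed sample: object sAMAccountName -> names of the groups it must belong to.
$expected = @{
    'User1'  = @('Domain Admins', 'Enterprise Admins')
    'User2'  = @('Schema Admins')
    'User3'  = @('FinanceAdmins')
    'Group1' = @('FinanceAdmins')
}

function Get-DirectGroupNames {
    # Returns the Name of every group the principal is a direct member of.
    # Get-ADPrincipalGroupMembership accepts a sAMAccountName and works for users,
    # groups and computers, so no LDAP filter is built from the input.
    Param([string]$Identity)
    @(Get-ADPrincipalGroupMembership -Identity $Identity | ForEach-Object { $_.Name })
}

function Compare-GroupMembership {
    # Compares expected and actual group names (case-insensitive, as in AD)
    # and reports which expected groups are missing and which actual ones are extra.
    Param([string]$Name, [string[]]$Expected, [string[]]$Actual)
    $missing = @($Expected | Where-Object { $Actual   -notcontains $_ })
    $extra   = @($Actual   | Where-Object { $Expected -notcontains $_ })
    New-Object PSObject -Property @{
        Object  = $Name
        Missing = $missing
        Extra   = $extra
        OK      = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

# Build one result row per object; a failed lookup is reported rather than aborting the run.
$report = foreach ($name in $expected.Keys) {
    try {
        $actual = Get-DirectGroupNames -Identity $name
        Compare-GroupMembership -Name $name -Expected $expected[$name] -Actual $actual
    } catch {
        New-Object PSObject -Property @{
            Object  = $name
            Missing = @("<lookup failed: $($_.Exception.Message)>")
            Extra   = @()
            OK      = $false
        }
    }
}

# Highlight only the objects whose membership deviates from the expected table.
$report | Where-Object { -not $_.OK } | ForEach-Object {
    Write-Host ("{0}: missing [{1}] extra [{2}]" -f $_.Object,
        ($_.Missing -join ', '), ($_.Extra -join ', ')) -ForegroundColor Yellow
}

# Non-zero exit code when any deviation was found, so the script can run from a scheduled task.
if (@($report | Where-Object { -not $_.OK }).Count -gt 0) { exit 1 }
```

Every object's Extra list will include its primary group (normally Domain Users) unless that group is listed in $expected, so either add it to each expected list or filter it out before comparing, depending on whether primary-group drift is something the report should catch.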