Check if specific user is member of specific group

  • Question

  • Hello everyone,

    I'm trying to find out if a specific user is a member of a specific group in the Active Directory. Google shows me a lot of examples for login scripts, Quest's tool and local groups. I don't need local groups but domain groups that are located in the Active Directory, and the Quest tool needs installation, which I can't do, unfortunately.

    I don't really have much to start with, although I know how to add a specific user to a specific group. I need this to know if he is already a member of that group or not.

    I'm hoping for a simple solution.

    This is what I have now:

    $Group = [ADSI]"LDAP://localhost:389/CN=ICT,OU=ICT,DC=oxl,DC=local"
    $Group.IsMember("LDAP://localhost:389/CN=Nathan,OU=ICT,DC=oxl,DC=local")
    But it keeps saying FALSE


    Tuesday, May 17, 2011 1:18 PM

Answers

  • function Get-GroupMembership($DN,$group){
        # Bind to the user object by its distinguished name and return every
        # memberOf value that matches $group. -match is a regex match, so a
        # partial name (or a substring elsewhere in the DN) also matches.
        $objEntry = [adsi]("LDAP://"+$DN)
        $objEntry.memberOf | where { $_ -match $group }
    }

    Get-GroupMembership "Cn=kazun,dc=contoso,dc=com" "Backup Operators"


    Tuesday, May 17, 2011 1:26 PM
  • Hey Kazun,

    Your script worked like a charm! Thank you for helping me again. I also found out that you need to use the CN, which was different from the login name in the Active Directory. When I replaced Nathan with the real CN, it worked.

    Thank you again for helping so fast!


    Tuesday, May 17, 2011 1:30 PM

All replies

  • I would only point out that the Common Name of the group (the value of the cn attribute) may not uniquely identify the group. The cn need only be unique in the OU or container. Also, the string $Group could match another group Common Name, or even another part of the Distinguished Name of another group. For example, if $Group is "West", it would match "cn=Western,ou=East,dc=domain,dc=com", as well as "cn=Sales,ou=West,dc=domain,dc=com", when neither is intended. However, these problems can be avoided by specifying the full Distinguished Name of the group, or at least enough of it to ensure uniqueness, like "cn=West,ou=Engr".

    Also, I get your original code to work if I bind to the user object and pass the ADsPath of the user to the group object. For example, the following returns either True or False:

    # Bind to both objects; IsMember expects the member's ADsPath
    # (the LDAP:// path), not a bare DN or a login name.
    $Group = [ADSI]"LDAP://cn=Sales,ou=West,dc=MyDomain,dc=com"
    $User = [ADSI]"LDAP://cn=Jim Smith,ou=East,dc=MyDomain,dc=com"

    $Group.IsMember($User.ADsPath)


    Richard Mueller - MVP Directory Services
    Wednesday, May 18, 2011 10:17 PM
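  • The two points above (IsMember wants an ADsPath, and a CN or a pattern does not identify a group uniquely) combined into one check, as an added example that is not part of this thread. It uses plain ADSI, so it needs neither RSAT nor the Quest tool; it looks the user up by sAMAccountName so the login name can be used even when it differs from the CN, and it compares the full group DN exactly instead of with -match. Assumptions: the machine is domain-joined and can reach a DC, the default naming context of that domain is the search base, and the user and group names in the usage line are placeholders.

```powershell
# Added example, not code from the thread: direct (non-nested) membership check with ADSI only.
function Test-ADGroupMemberDirect {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # login name, e.g. "jsmith" (placeholder)
        [Parameter(Mandatory)][string]$GroupDN,          # full DN, e.g. "cn=Sales,ou=West,dc=MyDomain,dc=com"
        [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext  # assumed: the current domain
    )

    # Escape the login name for use inside an LDAP filter (RFC 4515) so a value such as
    # "*" or "x)(objectClass=*" cannot widen the query. The backslash must be escaped first.
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'memberOf'))
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No user with sAMAccountName '$SamAccountName' under $SearchBase" }
    $userDN = [string]$result.Properties['distinguishedname'][0]

    # Bind to the group and take the DN as the server returns it, so case and spacing
    # in the caller's input cannot break the exact comparison below.
    $group = [ADSI]"LDAP://$GroupDN"
    $canonicalGroupDN = [string]$group.distinguishedName

    # Check 1: ask the group. IsMember() needs the member's ADsPath, not a bare DN;
    # passing a DN (or a login name) is why the original post always got FALSE.
    $byGroup = [bool]$group.IsMember("LDAP://$userDN")

    # Check 2: ask the user. Whole-DN -eq is case-insensitive and exact, so
    # "cn=West,..." never matches "cn=Western,..." or an OU that happens to be named West.
    $byUser = $false
    foreach ($dn in $result.Properties['memberof']) {
        if ([string]$dn -eq $canonicalGroupDN) { $byUser = $true; break }
    }

    [pscustomobject]@{
        User           = $userDN
        Group          = $canonicalGroupDN
        IsDirectMember = ($byGroup -or $byUser)
        ViaIsMember    = $byGroup
        ViaMemberOf    = $byUser
    }
}

# Usage (placeholder names):
# Test-ADGroupMemberDirect -SamAccountName 'jsmith' -GroupDN 'cn=Sales,ou=West,dc=MyDomain,dc=com'
```

    Both checks answer the same question from two sides and should agree; if they do not, the group's member attribute and the user's memberOf back-link are out of step and worth a look. Neither check follows nested groups or reports the user's primary group, because memberOf and IsMember only cover direct membership.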
  • Hey Richard,

    What you are saying is true, and as you can see in the code below, I already did that. But it's nice that you point this out, because this is good advice!

    Finished code:

    $Informatie = Import-Csv "Buser.csv"

    foreach ($GI in $Informatie)
    {
      # Each row carries column pairs Group1/GroupOU1, Group2/GroupOU2, ...;
      # walk them until the first pair that is missing or empty.
      $nummer = 1
      $cn = $GI.CN
      $ou = $GI.ou
      $Groep = $GI."Group$nummer"
      $GroepOU = $GI."GroupOU$nummer"

      while (-not [string]::IsNullOrEmpty($Groep))
      {
        $GroupPath = "LDAP://localhost:389/cn=$Groep,ou=$GroepOU,dc=oxl,dc=local"
        $UserPath  = "LDAP://localhost:389/CN=$cn,ou=$ou,dc=oxl,dc=local"
        $Group = [ADSI]$GroupPath

        # IsMember returns a [bool]; test it directly instead of comparing it
        # with the string "True". Only add the user when not already a member.
        if (-not $Group.IsMember($UserPath))
        {
          $Group.Add($UserPath)
        }

        # Move on to the next Group<n>/GroupOU<n> pair
        $nummer++
        $Groep = $GI."Group$nummer"
        $GroepOU = $GI."GroupOU$nummer"
      }
    }
    write-host "Groepen updated"


    I translated most of it to Dutch because I come from The Netherlands.

    I tested this part of my script and it worked great. I have a CSV file which has Group1 - GroupOU1 - Group2 - GroupOU2, and people can add 3, 4, 5 and more to it so that they can add as many groups as they want. This may look like a beginner made this, because I am a beginner.

    Hope that this can help others too.

    Thursday, May 19, 2011 8:02 AM
  • Kazun,

    I know this is an old thread and I'm going to prove my ignorance here... but how would I use this? I need to supply a single user name, and I just need to know if it's a member of a specific AD group.


    Andy

    Thursday, August 22, 2013 1:19 PM
  • Have a look at these PowerShell scripts...

    http://stackoverflow.com/questions/3026909/determine-if-a-user-belongs-to-a-particular-ad-group-using-net

    Moreover, as you said about the Quest tool: yes, installation takes time, but it would be easy for you, as the scripts indeed do not mention which server they are for.

    Thursday, August 22, 2013 2:02 PM
  • A simple function to check the requirement:

    Import-Module ActiveDirectory   # Get-ADGroupMember comes from the RSAT AD module

    function memberof($user,$group){
        # Direct members only; this compares the member's Name property,
        # so $user must be the object's name, which need not equal the login name.
        $member = (Get-ADGroupMember -Identity $group).name -contains "$user"
        if ($member) {"$user is member of the $group"} else {"$user is not the member of $group"}
    }

    Thanks, Azam

    Thursday, August 22, 2013 2:37 PM
  • Thank you, mohdazam! It's really simpler than I expected.

    Andy

    Thursday, August 22, 2013 3:24 PM
  • A simple function to check the requirement:

    function memberof($user,$group){
        $member = (Get-ADGroupMember -Identity $group).name -contains "$user"
        if ($member) {"$user is member of the $group"} else {"$user is not the member of $group"}
    }

    I couldn't get this to work. However, a little research turned up a simpler (and more recent) function from the Hey, Scripting Guy! Blog that does a recursive search through the account's group membership, so that if the user is a member of a downlevel nested group, a $True result is returned.

    My slightly rewritten, cleaned-up version:

    Function Test-ADGroupMember($User,$Group) {
        # Any failure (unknown user or group, no DC) returns the string "error".
        # Note that a non-empty string is truthy, so callers must compare against $true explicitly.
        Trap { Return "error" }
        # -RecursiveMatch emits the LDAP_MATCHING_RULE_IN_CHAIN rule, so nested membership is
        # expanded on the DC; the search base is the user's own DN, so any hit means the user
        # is a (transitive) member of the group.
        If (Get-ADUser -Filter "memberOf -RecursiveMatch '$((Get-ADGroup $Group).DistinguishedName)'" -SearchBase $((Get-ADUser $User).DistinguishedName)) { $true }
        Else { $false }
    }

    I haven't seen any false positives with this one, which I was getting occasionally with other methods if the Group names were similar.

    Wednesday, April 13, 2016 3:58 PM
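  • An added example, not code from this thread, that answers the nested-membership question above without the RSAT module: it reads the user's tokenGroups attribute, which the DC computes server-side and which lists every security group the account holds through any depth of nesting plus the primary group (the primary group never appears in memberOf), and compares SIDs rather than names, so look-alike group names cannot cause the false positives mentioned above. A second function asks the same question with the raw LDAP matching rule that the AD module's -RecursiveMatch emits, so the difference between the two can be seen. Assumptions: the machine is domain-joined and can reach a DC, and the DNs in the usage lines are placeholders.

```powershell
# Added example, not code from the thread: effective (nested) membership via tokenGroups.
function Test-ADGroupMemberRecursive {
    param(
        [Parameter(Mandatory)][string]$UserDN,    # e.g. "cn=Jim Smith,ou=East,dc=MyDomain,dc=com" (placeholder)
        [Parameter(Mandatory)][string]$GroupDN    # e.g. "cn=Sales,ou=West,dc=MyDomain,dc=com" (placeholder)
    )
    $user  = [ADSI]"LDAP://$UserDN"
    $group = [ADSI]"LDAP://$GroupDN"

    # objectSid is stored as a byte array. Comparing SIDs instead of names or DNs means a
    # renamed or moved group, or a group with a similar name, cannot confuse the check.
    $groupSid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$group.Properties['objectSid'].Value, 0)

    # tokenGroups is a constructed attribute and is not returned by default; ask the DC for it.
    # It holds the security-group SIDs of the user's access token: nested groups and the primary group.
    $user.RefreshCache([string[]]@('tokenGroups'))
    foreach ($sidBytes in $user.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$sidBytes, 0)
        if ($sid.Value -eq $groupSid.Value) { return $true }
    }
    return $false
}

# Same question with an LDAP filter. 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN,
# the rule behind the AD module's -RecursiveMatch: the DC walks memberOf transitively.
# Unlike tokenGroups it does not see the primary group, and it also matches distribution groups.
function Test-ADGroupMemberInChain {
    param(
        [Parameter(Mandatory)][string]$UserDN,
        [Parameter(Mandatory)][string]$GroupDN
    )
    # Escape the DN for use as a filter value (RFC 4515); the backslash must be escaped first.
    $escaped = $GroupDN -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$UserDN"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base   # only the user object itself
    $searcher.Filter      = "(memberOf:1.2.840.113556.1.4.1941:=$escaped)"
    return ($null -ne $searcher.FindOne())
}

# Usage (placeholder DNs):
# Test-ADGroupMemberRecursive -UserDN 'cn=Jim Smith,ou=East,dc=MyDomain,dc=com' -GroupDN 'cn=Sales,ou=West,dc=MyDomain,dc=com'
# Test-ADGroupMemberInChain   -UserDN 'cn=Jim Smith,ou=East,dc=MyDomain,dc=com' -GroupDN 'cn=Sales,ou=West,dc=MyDomain,dc=com'
```

    For an access decision (will this account actually get the rights the group grants?) tokenGroups is the attribute to trust, since it is what ends up in the logon token. The in-chain filter is the right tool when the question is about the directory's membership links themselves, for example when auditing a distribution group.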
  • Do you have a source for the original "Hey, Scripting Guy!" article?
    Friday, December 15, 2017 5:31 PM
  • For a simple check that is not a nested group search, this solution may be helpful:

    function Check-AccountGrpMember {
    Param(
    [Parameter(Mandatory=$true, Position = 0)]
    [String]$ADGroupName,
    [Parameter(Mandatory=$true, Position = 1)]
    [String]$UserAccountName
    )
    # Load the Active Directory module. -ErrorAction Stop turns a missing module
    # into a terminating error so that try/catch actually sees it.
    If (!(Get-Module -Name ActiveDirectory)) {
        try { Import-Module -Name ActiveDirectory -ErrorAction Stop }
        catch [System.IO.FileNotFoundException] {
            Throw "The ActiveDirectory module is not installed on this system. Install the module before proceeding."
        }
        catch {
            Throw "Failed while loading the ActiveDirectory module with an unexpected error: $($_.Exception.Message). Investigate the problem before proceeding."
        }
    }
    $UserADObject = Get-ADUser -Identity $UserAccountName
    # Compare SIDs of the direct members, not names. @() and -contains work for
    # zero, one or many members, where .Sid.Contains() fails on a single member.
    $MemberSids = @(Get-ADGroupMember -Identity $ADGroupName | ForEach-Object { $_.SID.Value })
    If ($MemberSids -contains $UserADObject.SID.Value) {
        Write-Output ("{0} is already a member of the {1} domain group" -f $UserAccountName, $ADGroupName)
    }
    else {
        Add-ADGroupMember -Identity $ADGroupName -Members $UserAccountName
        Write-Output ("{0} has been added to the {1} domain group" -f $UserAccountName, $ADGroupName)
    }
    }

    If the user account is not a member, it is automatically added.

    Usage: Check-AccountGrpMember -ADGroupName "SharePoint.Readers" -UserAccountName "Fred.Flinstone"

    As an afterthought, this could probably be extended to pipe accounts and/or groups.

    Have fun,

    Thursday, March 8, 2018 1:55 PM
  • This rewritten version is awesome!  Thank you!
    Friday, July 10, 2020 3:23 PM