Ever needed to get all nested groups a user belongs in Active Directory?
```powershell
#Get all recursive groups a user belongs to.
Function Get-ADUserNestedGroups
{
    Param
    (
        [string]$DistinguishedName,
        [array]$Groups = @()
    )

    #Get the AD object, and get group membership.
    $ADObject = Get-ADObject -Filter "DistinguishedName -eq '$DistinguishedName'" -Properties memberOf, DistinguishedName;

    #If object exists.
    If($ADObject)
    {
        #Enumerate through each of the groups.
        Foreach($GroupDistinguishedName in $ADObject.memberOf)
        {
            #Get member of groups from the enumerated group.
            $CurrentGroup = Get-ADObject -Filter "DistinguishedName -eq '$GroupDistinguishedName'" -Properties memberOf, DistinguishedName;

            #Check if the group is already in the array.
            If(($Groups | Where-Object {$_.DistinguishedName -eq $GroupDistinguishedName}).Count -eq 0)
            {
                #Add group to array.
                $Groups += $CurrentGroup;

                #Get recursive groups.
                $Groups = Get-ADUserNestedGroups -DistinguishedName $GroupDistinguishedName -Groups $Groups;
            }
        }
    }

    #Return groups.
    Return $Groups;
}

#The user to check.
$User = "<SamAccountName/DN/UserPrincipal>";

#Get all groups.
$Groups = Get-ADUserNestedGroups -DistinguishedName (Get-ADUser -Identity $User).DistinguishedName;

#Output all groups.
$Groups | Select-Object Name | Sort-Object -Property Name;
```
Thank you very much. The script really helped me a lot.
Very nice presentation and good DFS implementation.
I encountered the need as well because of RBAC and external trusts.
I developed a PowerShell function as well, but based on a BFS, and set parameters to take into account the search scope: forest, domain, domain trusts, forest trusts or explicit domains. I used the .NET classes, so no need for the RSAT and ActiveDirectory module. I shared the function on my GitHub for anyone who might have some interest as well.
https://github.com/criffo/getADObjectMEmberOfCustom
Criffo, your script is wonderful, big thanks
What is the need for the line : If($ADObject) ?
Because if the value is $null the foreach loop does not iterate. That is okay.
You are forgetting the PrimaryGroup – it is not always Domain Users.
Hi Henrik,
What are you referring to?
What Henrik is referring to is that the memberOf attribute does not contain the Primary Group. Most often this is Domain Users, but it cannot be assumed. Compare the output from Get-ADPrincipalGroupMembership with the contents of the memberOf attribute and you can see the discrepancy.
This function doesn’t work for Irish people 🙂
If the DistinguishedName has a ‘ in the person’s name (like O’Reilly) then it will not work.
I had a similar problem to what Perica describes, but for the names of OUs. Some of our OUs have ‘single quote’ characters in their names. This script does not like them.
Great job otherwise. Thanks.
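The two gaps raised in the comments above (the primary group is absent from memberOf, and distinguished names containing a single quote break the interpolated -Filter) can both be closed by reading PrimaryGroup from the user object and looking groups up with -Identity instead of a filter string. The function below is an added example, not the original post's script; it assumes the RSAT ActiveDirectory module is available and uses a placeholder account name.

```powershell
# Added example, not part of the original post. Walks nested group membership
# breadth-first, includes the primary group, and never interpolates a DN into
# a -Filter string, so names like O'Reilly and OUs with quotes are handled.
Import-Module ActiveDirectory

function Get-ADUserNestedGroupsSafe {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory)]
        [string]$Identity   # SamAccountName, DN, UPN, SID or GUID
    )

    # PrimaryGroup is the DN of the group behind primaryGroupID. It is never
    # listed in memberOf, which is why the original script misses it.
    $User = Get-ADUser -Identity $Identity -Properties memberOf, PrimaryGroup

    $Seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $Queue = New-Object 'System.Collections.Generic.Queue[string]'

    foreach ($Dn in $User.memberOf) {
        if ($Seen.Add($Dn)) { $Queue.Enqueue($Dn) }
    }
    if ($User.PrimaryGroup -and $Seen.Add($User.PrimaryGroup)) {
        $Queue.Enqueue($User.PrimaryGroup)
    }

    # Breadth-first walk; $Seen also breaks cycles (A member of B member of A).
    while ($Queue.Count -gt 0) {
        $Dn = $Queue.Dequeue()
        # -Identity takes the DN as a value, so no quoting or escaping is needed.
        $Group = Get-ADGroup -Identity $Dn -Properties memberOf
        $Group
        foreach ($ParentDn in $Group.memberOf) {
            if ($Seen.Add($ParentDn)) { $Queue.Enqueue($ParentDn) }
        }
    }
}

# Usage with a placeholder account name.
Get-ADUserNestedGroupsSafe -Identity "<SamAccountName>" |
    Select-Object Name, GroupScope, DistinguishedName |
    Sort-Object -Property Name
```

Comparing this output with Get-ADPrincipalGroupMembership for the same account, as suggested in the thread, is a quick way to confirm the primary group is now included.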
Thank you for sharing your function, it helped me out!