Finding a user's group membership

Continuing our look at users – do we know what groups they are in?

# Load the Microsoft AD module if it is not already in the session
if (-not (Get-Module ActiveDirectory)){
  Import-Module ActiveDirectory
}

"`nMicrosoft"
# Request only the attribute we need rather than every property
Get-ADUser -Identity Richard -Properties memberOf |
select -ExpandProperty memberOf


"`nAD provider"
# Read memberof through the AD: drive using the user's distinguished name
$dn = "CN=Richard,CN=Users,DC=Manticore,DC=org"
Get-ItemProperty -Path AD:\$dn -Name memberof |
select -ExpandProperty memberof

"`nQuest"
Get-QADUser -Identity Richard |
Get-QADMemberOf |
select name, Description

"`nScript"
# Bind to the current domain and search for the user with ADSI
$root = [ADSI]""
$search = [adsisearcher]$root
$search.Filter = "(&(objectclass=user)(objectcategory=user)(cn=Richard))"
$search.SizeLimit = 3000
$results = $search.FindOne()

foreach ($result in $results){
    $result.Properties.memberof
}


The Microsoft cmdlet, AD provider and script are similar in that we get an object representing the user and read the memberOf property. This is a backlink property that maintains a list of the distinguished names of the groups in which the user has membership. Every time you add a user to a group or remove a user from one, this property is updated automatically.



The Quest cmdlets give us the option of working like the Microsoft cmdlet, or we can pipe into Get-QADMemberOf, which gives a few options for a better display.
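For an access review, note that the memberOf backlink lists direct memberships only: it omits the user's primary group and any groups reached through nesting. The following added example (not code from the original post) goes beyond the post's direct lookup and reports all three sources for the same account. It assumes the Microsoft ActiveDirectory module and PowerShell 3 or later; the function names are hypothetical.

```powershell
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters that RFC 4515 reserves inside a filter value
    param([Parameter(Mandatory)][string]$Value)
    $Value = $Value.Replace('\', '\5c')
    $Value = $Value.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $Value.Replace([string][char]0, '\00')
}

function Get-EffectiveGroupMembership {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties memberOf, primaryGroupID
    $seen = @{}   # group DN -> how the membership arises

    # 1. Direct memberships: exactly what the memberOf backlink reports
    foreach ($dn in $user.memberOf) {
        $seen[$dn] = 'Direct'
    }

    # 2. Primary group: stored as a RID in primaryGroupID, never in memberOf
    $primarySid = '{0}-{1}' -f $user.SID.AccountDomainSid, $user.primaryGroupID
    $primary = Get-ADGroup -Identity $primarySid
    $seen[$primary.DistinguishedName] = 'Primary'

    # 3. Nested memberships: the in-chain matching rule makes the domain
    #    controller follow member links transitively. Start from the user and
    #    from the primary group. Only groups in the queried domain are returned.
    foreach ($start in @($user.DistinguishedName, $primary.DistinguishedName)) {
        $value  = ConvertTo-LdapFilterValue -Value $start
        $filter = "(member:1.2.840.113556.1.4.1941:=$value)"
        foreach ($group in Get-ADGroup -LDAPFilter $filter) {
            if (-not $seen.ContainsKey($group.DistinguishedName)) {
                $seen[$group.DistinguishedName] = 'Nested'
            }
        }
    }

    foreach ($dn in $seen.Keys | Sort-Object) {
        [pscustomobject]@{ Source = $seen[$dn]; Group = $dn }
    }
}

# "Richard" is the sample account used in the post
Get-EffectiveGroupMembership -Identity Richard | Format-Table -AutoSize
```

Rows marked Nested or Primary are the memberships that reading memberOf alone would miss.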
