Continuing our look at users – do we know what groups they are in?
```powershell
if (-not (Get-Module ActiveDirectory)){
    Import-Module ActiveDirectory
}

# Microsoft cmdlet: read memberOf from the user object
"`nMicrosoft"
Get-ADUser -Identity Richard -Properties * | select -ExpandProperty memberOf

# AD provider: read the same attribute through the AD: drive
"`nAD provider"
$dn = "CN=Richard,CN=Users,DC=Manticore,DC=org"
Get-ItemProperty -Path AD:\$dn -Name memberof | select -ExpandProperty memberof

# Quest cmdlets: pipe the user into Get-QADMemberOf
"`nQuest"
Get-QADUser -Identity Richard | Get-QADMemberOf | select name, Description

# Script: ADSI searcher, then read memberof from the result
"`nScript"
$root = [ADSI]""
$search = [adsisearcher]$root
$search.Filter = "(&(objectclass=user)(objectcategory=user)(cn=Richard))"
$search.SizeLimit = 3000
$results = $search.FindOne()
foreach ($result in $results){
    $result.Properties.memberof
}
```
The Microsoft cmdlet, AD provider and script are similar in that we get an object representing the user and read the memberof property. This is a backlink property that maintains a list of the distinguished names of the groups in which the user has membership. Every time you add a user to a group or remove a user from one, this property is updated automatically.
The Quest cmdlets give us the option of working like the Microsoft cmdlet, or we can pipe into Get-QADMemberOf, which gives a few options for a better display.
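The memberof backlink only lists groups the user was added to directly; it omits the primary group (usually Domain Users) and anything reached through group nesting, which matters when reviewing what access an account really has. The following is an added example, not code from the original post: it goes beyond the post to report effective membership, assumes the ActiveDirectory module and the post's sample user Richard, and the function names are hypothetical.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper: escape characters that are special in an LDAP filter value
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
}

# Hypothetical helper: every group that contains $MemberDn, directly or via nesting.
# 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN, evaluated by the DC.
function Get-GroupChain {
    param([Parameter(Mandatory)][string]$MemberDn)
    $dn = ConvertTo-LdapFilterValue -Value $MemberDn
    @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)")
}

function Get-EffectiveGroup {
    param([Parameter(Mandatory)][string]$Identity)

    $user   = Get-ADUser -Identity $Identity -Properties memberOf, PrimaryGroup
    $direct = @($user.memberOf)                      # what the post's examples return
    $groups = Get-GroupChain -MemberDn $user.DistinguishedName

    # The primary group is not stored in memberOf, so add it and its parent groups
    if ($user.PrimaryGroup) {
        $groups += Get-ADGroup -Identity $user.PrimaryGroup
        $groups += Get-GroupChain -MemberDn $user.PrimaryGroup
    }

    $groups | Sort-Object DistinguishedName -Unique | ForEach-Object {
        $via = if ($direct -contains $_.DistinguishedName) { 'Direct' }
               elseif ($_.DistinguishedName -eq $user.PrimaryGroup) { 'Primary' }
               else { 'Nested' }
        [pscustomobject]@{
            Name              = $_.Name
            Via               = $via
            DistinguishedName = $_.DistinguishedName
        }
    }
}

Get-EffectiveGroup -Identity Richard | Format-Table -AutoSize
```

The search runs against the domain the cmdlets are connected to, so rows marked Nested or Primary are the memberships the memberof-based examples do not show for that domain.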