Finding a user's group membership

January 25, 2012

Continuing our look at users – do we know what groups they are in?

if (-not (Get-Module ActiveDirectory)){
  Import-Module ActiveDirectory
}

# Microsoft cmdlet
Get-ADUser -Identity Richard -Properties * |
select -ExpandProperty memberOf

# AD provider
"`nAD provider"
$dn = "CN=Richard,CN=Users,DC=Manticore,DC=org"
Get-ItemProperty -Path AD:\$dn -Name memberof |
select -ExpandProperty memberof

# Quest cmdlets
Get-QADUser -Identity Richard |
Get-QADMemberOf |
select name, Description

# Script
$root = [ADSI]""
$search = [adsisearcher]$root
$search.Filter = "(&(objectclass=user)(objectcategory=user)(cn=Richard))"
$search.SizeLimit = 3000
$results = $search.FindOne()
foreach ($result in $results){
  # read the memberof property from the search result
  $result.Properties.memberof
}

The Microsoft cmdlet, AD provider and script are similar in that we get an object representing the user and read the memberof property. This is a backlink property that maintains a list of the distinguished names of the groups in which the user has membership. Every time you add or remove a user from a group this property will be automatically updated.

The Quest cmdlets give us the option of working like the Microsoft cmdlet, or we can pipe into Get-QADMemberOf, which gives a few options for a better display.
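The memberof property lists only the groups the user is a direct member of; it does not include groups reached through nesting or the user's primary group, which matters when reviewing what access an account really has. The following is an added example, not code from the original post, that goes beyond the script above to report direct, nested and primary groups. The function names are hypothetical, and it assumes PowerShell 3.0 or later in a domain-joined session.

```powershell
# Added example; function names are hypothetical, not from the original post.
function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape LDAP filter metacharacters (RFC 4515) so a name or DN cannot change the filter
    $Value -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
}

function Get-EffectiveGroupMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $name = ConvertTo-LdapFilterValue $SamAccountName
    $us = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$name))"
    [void]$us.PropertiesToLoad.AddRange(
        [string[]]('distinguishedName','memberOf','primaryGroupID','objectSid'))
    $user = $us.FindOne()
    if (-not $user) { throw "User '$SamAccountName' not found" }

    $userDn = [string]$user.Properties['distinguishedname'][0]
    $direct = @($user.Properties['memberof'])   # direct memberships only (the backlink)

    # Transitive search: the LDAP_MATCHING_RULE_IN_CHAIN OID makes the DC walk nested groups
    $dnValue = ConvertTo-LdapFilterValue $userDn
    $gs = [adsisearcher]"(member:1.2.840.113556.1.4.1941:=$dnValue)"
    $gs.PageSize = 1000
    [void]$gs.PropertiesToLoad.Add('distinguishedName')
    $found = $gs.FindAll()
    try {
        foreach ($g in $found) {
            $dn = [string]$g.Properties['distinguishedname'][0]
            [pscustomobject]@{
                Group  = $dn
                Source = if ($direct -contains $dn) { 'Direct' } else { 'Nested' }
            }
        }
    } finally { $found.Dispose() }

    # Primary group is stored as a RID in primaryGroupID, not in memberOf:
    # rebuild its SID from the domain part of the user's SID and look it up.
    $sidBytes = [byte[]]$user.Properties['objectsid'][0]
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    $primarySid = '{0}-{1}' -f $sid.AccountDomainSid.Value, $user.Properties['primarygroupid'][0]
    $primary = ([adsisearcher]"(objectSid=$primarySid)").FindOne()
    if ($primary) {
        [pscustomobject]@{
            Group  = [string]$primary.Properties['distinguishedname'][0]
            Source = 'Primary'
        }
    }
}
# Usage: Get-EffectiveGroupMembership -SamAccountName Richard | Sort-Object Source, Group
```

Groups that the primary group is itself nested in are not resolved here, because primary group membership is not recorded in the member attribute that the transitive search follows.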

