Finding a user's group membership
Continuing our look at users – do we know what groups they are in?
# Load the Microsoft AD module if it is not already in the session
if (-not (Get-Module ActiveDirectory)){
    Import-Module ActiveDirectory
}

"`nMicrosoft"
# Only memberOf is read, so request just that property rather than *
Get-ADUser -Identity Richard -Properties memberOf |
    select -ExpandProperty memberOf

"`nAD provider"
$dn = "CN=Richard,CN=Users,DC=Manticore,DC=org"
Get-ItemProperty -Path AD:\$dn -Name memberof |
    select -ExpandProperty memberof

"`nQuest"
Get-QADUser -Identity Richard |
    Get-QADMemberOf |
    select name, Description

"`nScript"
# Bind to the current domain root and search for the user object
$root = [ADSI]""
$search = [adsisearcher]$root
$search.Filter = "(&(objectclass=user)(objectcategory=user)(cn=Richard))"
$search.SizeLimit = 3000
$results = $search.FindOne()
foreach ($result in $results){
    $result.Properties.memberof
}
The Microsoft cmdlet, AD provider and script are similar in that we get an object representing the user and read the memberOf property. This is a backlink property that maintains a list of the distinguished names of the groups in which the user has membership. Every time you add a user to a group, or remove a user from one, this property is updated automatically.
The Quest cmdlets give us the option of working like the Microsoft cmdlet, or we can pipe into Get-QADMemberOf, which gives a few options for a better display.
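When reviewing what access an account really has, memberOf alone is incomplete: it lists direct memberships only, and it omits the primary group (held in primaryGroupID) and any groups reached through nesting. The following is an added example, not code from the original post; it goes beyond the post by resolving nested groups with the LDAP_MATCHING_RULE_IN_CHAIN matching rule. The function names are hypothetical, and it assumes the ActiveDirectory module and that all relevant groups are in the domain being queried.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and a single domain; 'Richard' is the sample user from the post.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape RFC 4515 special characters so a DN is safe inside an LDAP filter.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-GroupsInChain {
    # Groups that contain $MemberDn directly or through nesting, resolved on the DC
    # by the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941).
    param([Parameter(Mandatory)][string]$MemberDn)
    $value = ConvertTo-LdapFilterValue $MemberDn
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$value)" -Properties Description
}

function Get-EffectiveGroupMembership {
    param([Parameter(Mandatory)][string]$Identity)

    $user   = Get-ADUser -Identity $Identity -Properties memberOf, PrimaryGroup
    $direct = @($user.memberOf)   # the list the post's approaches read
    $seen   = @{}                 # DN -> $true, used to drop duplicates

    # The primary group is not listed in memberOf, so add it and the groups
    # it is nested in separately.
    $primary = Get-ADGroup -Identity $user.PrimaryGroup -Properties Description
    $groups  = @($primary) +
               @(Get-GroupsInChain $primary.DistinguishedName) +
               @(Get-GroupsInChain $user.DistinguishedName)

    foreach ($g in $groups) {
        $dn = $g.DistinguishedName
        if ($seen.ContainsKey($dn)) { continue }
        $seen[$dn] = $true

        $via = 'Nested'
        if ($direct -contains $dn) { $via = 'Direct' }
        if ($dn -eq $primary.DistinguishedName) { $via = 'Primary' }

        [pscustomobject]@{
            Name = $g.Name; Via = $via; Scope = $g.GroupScope; Description = $g.Description
        }
    }
}

Get-EffectiveGroupMembership -Identity Richard | Sort-Object Via, Name | Format-Table -AutoSize
```

Rows marked Nested are the ones a plain memberOf read does not show, which is where unexpected privileged access usually turns up in a review.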