How to Check If SharePoint User is Member of a Active Directory Group using PowerShell?

Requirement: Check If SharePoint User is Member of a Active Directory Group using PowerShell

Solution: Although we can check if a particular user account is member of a AD security group using AD PowerShell cmdlets such as Get-ADGroupMember Here is the native method to find if a particular user account is a member of a given Active directory group.

PowerShell to Check if SharePoint User is Member of a Active Directory Group:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
 
#Variables
$SiteURL="https://intranet.crescent.com/"
$SearchUserAccount = "Crescent\salaudeen"
  
#Custom Function to Check if User is member of a Active Directory Group
Function Check-UserIsMemberOfADGroup($web,$SearchUserAccount,$GroupName)
{
    Try {
        #Resolve the AD Group & User in SharePoint
        $ADGroup = $web.EnsureUser($GroupName)
        $User =  $web.EnsureUser($SearchUserAccount)

        #Get All Users of the AD Group
        $ReachedMax = $false
        $Users = [Microsoft.SharePoint.Utilities.SPUtility]::GetPrincipalsInGroup($web, $ADGroup,  ([Int]::MaxValue)-1, [ref]$ReachedMax) 
 
        #Check if user found in the members list
        $SearchUser = $Users | Where {$_.PrincipalType -eq "User" -and $_.LoginName -eq $User.UserLogin}
        If($SearchUser -ne $Null) { Return $True } else { Return $False }
    }
    Catch {
        write-host -f Red "Error Checking User Membership!" $_.Exception.Message
    }
}
 
#Get the Web
$Web = Get-SPWeb $SiteURL
 
#Get All AD Groups which has permission to the object such as Web, List, etc
$RoleAssignments = $Web.RoleAssignments | Where { $_.Member.IsDomainGroup}
     
#Iterate Through permissions of the web
Foreach($RoleAssignment in $RoleAssignments)
{
    $IsMember = Check-UserIsMemberOfADGroup $Web $SearchUserAccount $RoleAssignment.Member.Name
    If($IsMember)
    {
        Write-host -f Green $SearchUserAccount is member of the AD Group $RoleAssignment.Member.Name
    }
    Else
    {
        Write-host -f Red $SearchUserAccount is not a member of the AD Group $RoleAssignment.Member.Name
    }
}

Please note this script checks only the immediate membership - Doesn't do search on nested groups!

Check If Users is Member of a AD Group recursively:

#Variables
$UserID = "Crescent\salaudeen"
$ADGroup = "Crescent\Palo Alto RAS"

#Extract SamAccountName and AD Group Name
$SamAccountName = $UserID.Substring($UserID.IndexOf("\") + 1)
$ADGroupName = $ADGroup.Substring($ADGroup.IndexOf("\") + 1)

#Get All Members of the AD Group
$GroupMembers = Get-ADGroupMember -identity $ADGroupName -Recursive | Select -ExpandProperty SamAccountName

If($GroupMembers -contains $SamAccountName)
{
    Write-host -f Green "User '$UserID' is Member of the AD Group: $ADGroupName"
}
else
{
    Write-host -f Red "User '$UserID' is Not a Member of the AD Group: $ADGroupName"
}