How to Check If SharePoint User is Member of a Active Directory Group using PowerShell?
Requirement: Check If SharePoint User is Member of a Active Directory Group using PowerShell
Solution: Although we can check if a particular user account is member of a AD security group using AD PowerShell cmdlets such as Get-ADGroupMember Here is the native method to find if a particular user account is a member of a given Active directory group.
PowerShell to Check if SharePoint User is Member of a Active Directory Group:
Check If Users is Member of a AD Group recursively:
Solution: Although we can check if a particular user account is member of a AD security group using AD PowerShell cmdlets such as Get-ADGroupMember Here is the native method to find if a particular user account is a member of a given Active directory group.
PowerShell to Check if SharePoint User is Member of a Active Directory Group:
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
#Variables
$SiteURL="https://intranet.crescent.com/"
$SearchUserAccount = "Crescent\salaudeen"
#Custom Function to Check if User is member of a Active Directory Group
Function Check-UserIsMemberOfADGroup($web,$SearchUserAccount,$GroupName)
{
Try {
#Resolve the AD Group & User in SharePoint
$ADGroup = $web.EnsureUser($GroupName)
$User = $web.EnsureUser($SearchUserAccount)
#Get All Users of the AD Group
$ReachedMax = $false
$Users = [Microsoft.SharePoint.Utilities.SPUtility]::GetPrincipalsInGroup($web, $ADGroup, ([Int]::MaxValue)-1, [ref]$ReachedMax)
#Check if user found in the members list
$SearchUser = $Users | Where {$_.PrincipalType -eq "User" -and $_.LoginName -eq $User.UserLogin}
If($SearchUser -ne $Null) { Return $True } else { Return $False }
}
Catch {
write-host -f Red "Error Checking User Membership!" $_.Exception.Message
}
}
#Get the Web
$Web = Get-SPWeb $SiteURL
#Get All AD Groups which has permission to the object such as Web, List, etc
$RoleAssignments = $Web.RoleAssignments | Where { $_.Member.IsDomainGroup}
#Iterate Through permissions of the web
Foreach($RoleAssignment in $RoleAssignments)
{
$IsMember = Check-UserIsMemberOfADGroup $Web $SearchUserAccount $RoleAssignment.Member.Name
If($IsMember)
{
Write-host -f Green $SearchUserAccount is member of the AD Group $RoleAssignment.Member.Name
}
Else
{
Write-host -f Red $SearchUserAccount is not a member of the AD Group $RoleAssignment.Member.Name
}
}
Please note this script checks only the immediate membership - Doesn't do search on nested groups!Check If Users is Member of a AD Group recursively:
#Variables
$UserID = "Crescent\salaudeen"
$ADGroup = "Crescent\Palo Alto RAS"
#Extract SamAccountName and AD Group Name
$SamAccountName = $UserID.Substring($UserID.IndexOf("\") + 1)
$ADGroupName = $ADGroup.Substring($ADGroup.IndexOf("\") + 1)
#Get All Members of the AD Group
$GroupMembers = Get-ADGroupMember -identity $ADGroupName -Recursive | Select -ExpandProperty SamAccountName
If($GroupMembers -contains $SamAccountName)
{
Write-host -f Green "User '$UserID' is Member of the AD Group: $ADGroupName"
}
else
{
Write-host -f Red "User '$UserID' is Not a Member of the AD Group: $ADGroupName"
}
No comments:
Please Login and comment to get your questions answered!