How to Check If a SharePoint User is a Member of an Active Directory Group using PowerShell?

Requirement: Check If SharePoint User is Member of an Active Directory Group using PowerShell

Solution: You can check whether a user account is a member of an AD security group with the AD PowerShell cmdlets such as Get-ADGroupMember, but here is a native SharePoint method to find out if a specific user account is a member of a given Active Directory group, without needing the ActiveDirectory module on the SharePoint server.

PowerShell to check if a SharePoint User is a Member of an Active Directory Group:

There are times when you may need to know if a particular SharePoint user is a member of an Active Directory group, as the Active Directory group is used as the security boundary for SharePoint in many organizations. This blog post will show you how to use PowerShell to check if a user is a member of an Active Directory group.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Variables
$SiteURL="https://intranet.crescent.com/"
$SearchUserAccount = "Crescent\salaudeen"

#Custom Function to Check if User is member of an Active Directory Group
Function Check-UserIsMemberOfADGroup($web,$SearchUserAccount,$GroupName)
{
    Try {
        #Resolve the AD Group & User in SharePoint (returns claims-encoded SPUser objects)
        $ADGroup = $web.EnsureUser($GroupName)
        $User = $web.EnsureUser($SearchUserAccount)

        #Get All Users of the AD Group - GetPrincipalsInGroup expects the group's login name as a string
        $ReachedMax = $false
        $Users = [Microsoft.SharePoint.Utilities.SPUtility]::GetPrincipalsInGroup($web, $ADGroup.LoginName, ([Int]::MaxValue)-1, [ref]$ReachedMax)

        #Check if user found in the members list by comparing login names
        $SearchUser = $Users | Where {$_.PrincipalType -eq "User" -and $_.LoginName -eq $User.LoginName}
        If($SearchUser -ne $Null) { Return $True } else { Return $False }
    }
    Catch {
        write-host -f Red "Error Checking User Membership!" $_.Exception.Message
        Return $False
    }
}

#Get the Web
$Web = Get-SPWeb $SiteURL

#Get All AD Groups which have permission to the object such as Web, List, etc
$RoleAssignments = $Web.RoleAssignments | Where { $_.Member.IsDomainGroup }

#Iterate Through permissions of the web
Foreach($RoleAssignment in $RoleAssignments)
{
    $IsMember = Check-UserIsMemberOfADGroup $Web $SearchUserAccount $RoleAssignment.Member.Name
    If($IsMember)
    {
        Write-host -f Green "$SearchUserAccount is a member of the AD Group $($RoleAssignment.Member.Name)"
    }
    Else
    {
        Write-host -f Red "$SearchUserAccount is not a member of the AD Group $($RoleAssignment.Member.Name)"
    }
}

Please note, this script checks only the immediate membership; it doesn't search for nested groups!

Check if a User is a Member of an AD Group recursively:

This time, let’s use the Get-ADGroupMember cmdlet to check if a given user is a member of an AD group recursively.

#Requires the Active Directory module (RSAT) on the machine running the script
Import-Module ActiveDirectory

#Variables
$UserID = "Crescent\salaudeen"
$ADGroup = "Crescent\Palo Alto RAS"

#Extract SamAccountName and AD Group Name from the DOMAIN\Name format
$SamAccountName = $UserID.Substring($UserID.IndexOf("\") + 1)
$ADGroupName = $ADGroup.Substring($ADGroup.IndexOf("\") + 1)

#Get All Members of the AD Group, including members of nested groups
$GroupMembers = Get-ADGroupMember -Identity $ADGroupName -Recursive | Select -ExpandProperty SamAccountName

If($GroupMembers -contains $SamAccountName)
{
    Write-host -f Green "User '$UserID' is Member of the AD Group: $ADGroupName"
}
else
{
    Write-host -f Red "User '$UserID' is Not a Member of the AD Group: $ADGroupName"
}
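The two scripts above can be combined into one access review: walk the web's role assignments as the first script does, but resolve each AD group through nested membership as the second one does. This is an added example, not code from the original post; it assumes the same $SiteURL and $SearchUserAccount values, that both the SharePoint snap-in and the ActiveDirectory module are available, and that Windows group claims carry the group SID after the pipe ("c:0+.w|S-1-5-...") while user claims look like "i:0#.w|domain\user".

```powershell
# Added example (not from the original post): list every AD group that grants
# permissions on the web and whether the user reaches it via nested membership.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$SiteURL = "https://intranet.crescent.com/"
$SearchUserAccount = "Crescent\salaudeen"

Function Get-SamAccountName([string]$LoginName)
{
    # Strip a claims prefix such as "i:0#.w|crescent\salaudeen" and the domain part
    $Account = $LoginName.Substring($LoginName.LastIndexOf("|") + 1)
    Return $Account.Substring($Account.IndexOf("\") + 1)
}

Function Test-NestedADGroupMembership([string]$SamAccountName, $GroupMember)
{
    # Assumption: Windows security groups in claims mode carry the SID after the
    # pipe ("c:0+.w|S-1-5-21-..."); otherwise fall back to the DOMAIN\Name display name
    $Identity = If ($GroupMember.LoginName -like "c:0+.w|*") {
        $GroupMember.LoginName.Split("|")[-1]
    } Else {
        $GroupMember.Name.Substring($GroupMember.Name.IndexOf("\") + 1)
    }
    Try {
        # -Recursive expands nested groups and returns only leaf principals
        $Members = Get-ADGroupMember -Identity $Identity -Recursive -ErrorAction Stop |
                   Where-Object { $_.objectClass -eq "user" } |
                   Select-Object -ExpandProperty SamAccountName
        Return ($Members -contains $SamAccountName)
    }
    Catch {
        Write-Warning "Could not expand group '$($GroupMember.Name)': $($_.Exception.Message)"
        Return $False
    }
}

$Web = Get-SPWeb $SiteURL
$Sam = Get-SamAccountName $SearchUserAccount

# One row per AD group with permissions on the web: group, permission levels, membership
$Web.RoleAssignments | Where-Object { $_.Member.IsDomainGroup } | ForEach-Object {
    $Roles = ($_.RoleDefinitionBindings | Select-Object -ExpandProperty Name) -join ", "
    $Found = Test-NestedADGroupMembership $Sam $_.Member
    [PSCustomObject]@{ Group = $_.Member.Name; Roles = $Roles; IsMember = $Found }
} | Format-Table -AutoSize
```

Get-ADGroupMember fails for groups larger than the AD Web Services MaxGroupOrMemberEntries limit (5000 by default), and members from trusted domains appear as foreign security principals rather than users, so such groups are reported with a warning instead of a membership result.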

Salaudeen Rajack
