Check If a SharePoint User is a Member of an AD Group using PowerShell

Requirement: Check If SharePoint User is a Member of an Active Directory Group using PowerShell

Solution: The membership of an AD security group can be checked with the Active Directory module cmdlets such as Get-ADGroupMember, but those need the RSAT module installed. The first method below is SharePoint-native: it resolves the group through the SharePoint object model, so it runs in the SharePoint Management Shell on a farm server without the AD module. The second method uses Get-ADGroupMember and also covers nested groups.

PowerShell to check if a SharePoint User is a Member of an Active Directory Group:

There are times when you may need to know if a particular SharePoint user is a member of an Active Directory group, as the Active Directory group is used as the security boundary for SharePoint in many organizations. This blog post will show you how to use PowerShell to check if a user is a member of an Active Directory group.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
 
#Variables
$SiteURL="https://intranet.crescent.com"
$SearchUserAccount = "Crescent\salaudeen"
  
#Custom Function to Check if a User is a direct member of an Active Directory Group
Function Check-UserIsMemberOfADGroup($web,$SearchUserAccount,$GroupName)
{
    Try {
        #Resolve the AD Group & User in SharePoint
        $ADGroup = $web.EnsureUser($GroupName)
        $User =  $web.EnsureUser($SearchUserAccount)

        #Get All Users of the AD Group
        $ReachedMax = $false
        $Users = [Microsoft.SharePoint.Utilities.SPUtility]::GetPrincipalsInGroup($web, $ADGroup,  ([Int]::MaxValue)-1, [ref]$ReachedMax) 
 
        #Check if user found in the members list
        $SearchUser = $Users | Where {$_.PrincipalType -eq "User" -and $_.LoginName -eq $User.UserLogin}
        If($SearchUser -ne $Null) { Return $True } else { Return $False }
    }
    Catch {
        write-host -f Red "Error Checking User Membership!" $_.Exception.Message
        Return $False
    }
}
 
#Get the Web
$Web = Get-SPWeb $SiteURL
 
#Get All AD Groups which have a direct permission on the object (Web, List, etc.) - AD groups nested inside SharePoint groups are not included
$RoleAssignments = $Web.RoleAssignments | Where { $_.Member.IsDomainGroup}
     
#Iterate Through permissions of the web
Foreach($RoleAssignment in $RoleAssignments)
{
    $IsMember = Check-UserIsMemberOfADGroup $Web $SearchUserAccount $RoleAssignment.Member.Name
    If($IsMember)
    {
        Write-host -f Green "$SearchUserAccount is a member of the AD Group $($RoleAssignment.Member.Name)"
    }
    Else
    {
        Write-host -f Red "$SearchUserAccount is not a member of the AD Group $($RoleAssignment.Member.Name)"
    }
}

Please note, this script checks only direct membership: SPUtility.GetPrincipalsInGroup does not expand nested AD groups, and the script only looks at AD groups assigned directly to the web, not at AD groups that are members of a SharePoint group.
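As an added example (not part of the original post), the script below extends the SharePoint-native approach so that AD groups nested inside SharePoint groups are covered too, and it reports which permission levels each group grants. It assumes the SharePoint Management Shell on a farm server; $SiteURL and $SearchUserAccount are placeholder values.

```powershell
# Added example: list every AD group that grants access to a web, either
# through a direct role assignment or as a member of a SharePoint group,
# and report whether the given user is a direct member of each one.
# Assumes the SharePoint Management Shell on a farm server;
# $SiteURL and $SearchUserAccount are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteURL = "https://intranet.crescent.com"
$SearchUserAccount = "Crescent\salaudeen"

Function Get-ADGroupsWithAccess($Web)
{
    # Emits one object per AD group with a role on the web, plus the path
    # through which it received that role and the permission levels bound to it
    Foreach ($RoleAssignment in $Web.RoleAssignments)
    {
        $Member = $RoleAssignment.Member
        $Roles  = ($RoleAssignment.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        If ($Member -is [Microsoft.SharePoint.SPGroup])
        {
            # AD groups added as members of a SharePoint group
            Foreach ($GroupMember in $Member.Users)
            {
                If ($GroupMember.IsDomainGroup)
                {
                    New-Object PSObject -Property @{ ADGroup = $GroupMember; Via = "SharePoint group '$($Member.Name)'"; Roles = $Roles }
                }
            }
        }
        ElseIf ($Member.IsDomainGroup)
        {
            New-Object PSObject -Property @{ ADGroup = $Member; Via = "direct assignment"; Roles = $Roles }
        }
    }
}

Function Test-SPUserInADGroup($Web, $ADGroup, $User)
{
    # Direct membership only: GetPrincipalsInGroup does not expand nested AD groups.
    # The group is passed by login name so claims-encoded names resolve correctly.
    $ReachedMax = $false
    $Members = [Microsoft.SharePoint.Utilities.SPUtility]::GetPrincipalsInGroup($Web, $ADGroup.LoginName, ([Int]::MaxValue) - 1, [ref]$ReachedMax)
    If ($ReachedMax) { Write-Warning "Member list for '$($ADGroup.Name)' was truncated" }
    $Hit = $Members | Where-Object { $_.PrincipalType -eq "User" -and $_.LoginName -eq $User.LoginName }
    Return ($Hit -ne $null)
}

$Web  = Get-SPWeb $SiteURL
$User = $Web.EnsureUser($SearchUserAccount)

Foreach ($Entry in Get-ADGroupsWithAccess $Web)
{
    $IsMember = Test-SPUserInADGroup $Web $Entry.ADGroup $User
    $Colour   = If ($IsMember) { "Green" } Else { "Red" }
    $Verdict  = If ($IsMember) { "IS" } Else { "is NOT" }
    Write-Host -f $Colour ("{0} {1} a direct member of '{2}' (via {3}; roles: {4})" -f $SearchUserAccount, $Verdict, $Entry.ADGroup.Name, $Entry.Via, $Entry.Roles)
}
$Web.Dispose()
```

Run it as a user with Shell Admin rights on the farm. The membership test is still not recursive; for nested AD groups, use the Active Directory module method in the next section.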

Check If a User is Member of an AD Group recursively:

This time, let's use the Get-ADGroupMember cmdlet with the -Recursive switch, which expands nested groups and returns the leaf members, so the check covers indirect membership. This queries the domain controller directly and needs the Active Directory PowerShell module (part of RSAT), so it does not have to run on a SharePoint server.

#Load the Active Directory module (RSAT)
Import-Module ActiveDirectory

#Variables
$UserID = "Crescent\salaudeen"
$ADGroup = "Crescent\Palo Alto RAS"

#Extract SamAccountName and AD Group Name
$SamAccountName = $UserID.Substring($UserID.IndexOf("\") + 1)
$ADGroupName = $ADGroup.Substring($ADGroup.IndexOf("\") + 1)

#Get All Members of the AD Group, including members of nested groups
#Note: Get-ADGroupMember fails with a size-limit error on groups with more than 5000 members (the ADWS default)
$GroupMembers = Get-ADGroupMember -identity $ADGroupName -Recursive | Select -ExpandProperty SamAccountName

If($GroupMembers -contains $SamAccountName)
{
    Write-host -f Green "User '$UserID' is Member of the AD Group: $ADGroupName"
}
else
{
    Write-host -f Red "User '$UserID' is Not a Member of the AD Group: $ADGroupName"
}
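As an added example (not part of the original post), here is a recursive check that asks the domain controller to walk the nested-group chain itself with the LDAP_MATCHING_RULE_IN_CHAIN operator, so it does not hit the 5000-member limit of Get-ADGroupMember and also works for claims-encoded SharePoint login names such as i:0#.w|crescent\salaudeen. It assumes the Active Directory module (RSAT); the function and parameter names, $UserID and $ADGroup are placeholders.

```powershell
# Added example: recursive AD membership check via an LDAP filter.
# The matching-rule OID 1.2.840.113556.1.4.1941 makes the DC resolve
# nested groups in one query, so large groups are not a problem.
# Assumes the RSAT ActiveDirectory module; names below are placeholders.
Import-Module ActiveDirectory

Function ConvertTo-LdapFilterValue([string]$Value)
{
    # Escape the characters RFC 4515 reserves inside a filter value
    # (backslash first, so the escapes themselves are not re-escaped)
    $Escaped = $Value   -replace '\\', '\5c'
    $Escaped = $Escaped -replace '\*', '\2a'
    $Escaped = $Escaped -replace '\(', '\28'
    $Escaped = $Escaped -replace '\)', '\29'
    Return ($Escaped -replace "`0", '\00')
}

Function Test-ADUserInGroupRecursive
{
    Param(
        [Parameter(Mandatory=$true)][string]$UserID,   # "Crescent\salaudeen" or "i:0#.w|crescent\salaudeen"
        [Parameter(Mandatory=$true)][string]$ADGroup,  # "Crescent\Palo Alto RAS"
        [string]$Server                                # optional DC or domain of the group (cross-domain lookups)
    )
    # Take the text after the last backslash so claims-encoded logins work too
    $SamAccountName = $UserID.Substring($UserID.LastIndexOf("\") + 1)
    $ADGroupName    = $ADGroup.Substring($ADGroup.LastIndexOf("\") + 1)

    $AdParams = @{}
    If ($Server) { $AdParams["Server"] = $Server }

    # memberOf is matched against distinguished names, not group names
    $GroupDN = (Get-ADGroup -Identity $ADGroupName @AdParams).DistinguishedName

    $Filter = "(&(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName))" +
              "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $GroupDN)))"

    # A single result means the user is in the group directly or through nesting
    $Match = Get-ADUser -LDAPFilter $Filter @AdParams
    Return ($Match -ne $null)
}

$UserID  = "Crescent\salaudeen"
$ADGroup = "Crescent\Palo Alto RAS"

If (Test-ADUserInGroupRecursive -UserID $UserID -ADGroup $ADGroup)
{
    Write-Host -f Green "User '$UserID' is a member (directly or via nested groups) of the AD Group: $ADGroup"
}
Else
{
    Write-Host -f Red "User '$UserID' is not a member of the AD Group: $ADGroup"
}
```

Two caveats: the memberOf attribute never lists a user's primary group (usually Domain Users), so primary-group membership is not detected by this filter, and when the group lives in a different domain from the one you are logged on to, pass that domain (or one of its DCs) as -Server.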

Salaudeen Rajack

Salaudeen Rajack - Information Technology Expert with two decades of hands-on experience, specializing in SharePoint, PowerShell, Microsoft 365, and related products. He has held various positions including SharePoint Architect, Administrator, Developer and Consultant, and has helped many organizations implement and optimize SharePoint solutions. Known for his deep technical expertise, he is passionate about sharing knowledge and insights to help others through real-world articles.
