Check If a SharePoint User is a Member of an AD Group using PowerShell
Requirement: Check If SharePoint User is a Member of an Active Directory Group using PowerShell
Solution: The Active Directory PowerShell cmdlets, such as Get-ADGroupMember, can tell you whether a user account belongs to an AD security group, but the first method below uses SharePoint's own object model (SPUtility) to find out whether a specific user account is a member of a given Active Directory group.
PowerShell to check if a SharePoint User is a Member of an Active Directory Group:
There are times when you may need to know if a particular SharePoint user is a member of an Active Directory group, as the Active Directory group is used as the security boundary for SharePoint in many organizations. This blog post will show you how to use PowerShell to check if a user is a member of an Active Directory group.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Variables
$SiteURL = "https://intranet.crescent.com"
$SearchUserAccount = "Crescent\salaudeen"

#Custom Function to Check if a User is a member of an Active Directory Group
Function Check-UserIsMemberOfADGroup($web, $SearchUserAccount, $GroupName)
{
    Try {
        #Resolve the AD Group & User in SharePoint
        $ADGroup = $web.EnsureUser($GroupName)
        $User = $web.EnsureUser($SearchUserAccount)

        #Get All Users of the AD Group (GetPrincipalsInGroup expects the group's login name as a string)
        $ReachedMax = $false
        $Users = [Microsoft.SharePoint.Utilities.SPUtility]::GetPrincipalsInGroup($web, $ADGroup.LoginName, ([Int]::MaxValue - 1), [ref]$ReachedMax)

        #Check if the user is found in the members list
        $SearchUser = $Users | Where { $_.PrincipalType -eq "User" -and $_.LoginName -eq $User.UserLogin }
        If ($SearchUser -ne $Null) { Return $True } Else { Return $False }
    }
    Catch {
        Write-Host -f Red "Error Checking User Membership!" $_.Exception.Message
        Return $False
    }
}

#Get the Web
$Web = Get-SPWeb $SiteURL

#Get All AD Groups which have permissions on the object, such as Web, List, etc.
$RoleAssignments = $Web.RoleAssignments | Where { $_.Member.IsDomainGroup }

#Iterate through the permissions of the web
Foreach ($RoleAssignment in $RoleAssignments)
{
    #Pass the group's login name so EnsureUser can resolve it
    $IsMember = Check-UserIsMemberOfADGroup $Web $SearchUserAccount $RoleAssignment.Member.LoginName
    If ($IsMember)
    {
        Write-Host -f Green "$SearchUserAccount is a member of the AD Group $($RoleAssignment.Member.Name)"
    }
    Else
    {
        Write-Host -f Red "$SearchUserAccount is not a member of the AD Group $($RoleAssignment.Member.Name)"
    }
}
Please note that this script checks only immediate membership; it doesn't search nested groups!
Check If a User is Member of an AD Group recursively:
This time, let's use the Get-ADGroupMember cmdlet to check recursively whether a given user is a member of an AD group. Instead of going through SharePoint, this approach queries the group membership directly from the domain controller, so nested group members are included.
#Import the Active Directory module (RSAT / AD PowerShell)
Import-Module ActiveDirectory

#Variables
$UserID = "Crescent\salaudeen"
$ADGroup = "Crescent\Palo Alto RAS"

#Extract SamAccountName and AD Group Name from the "DOMAIN\name" format
$SamAccountName = $UserID.Substring($UserID.IndexOf("\") + 1)
$ADGroupName = $ADGroup.Substring($ADGroup.IndexOf("\") + 1)

#Get All Members of the AD Group, including members of nested groups
$GroupMembers = Get-ADGroupMember -Identity $ADGroupName -Recursive | Select -ExpandProperty SamAccountName

If ($GroupMembers -contains $SamAccountName)
{
    Write-Host -f Green "User '$UserID' is a Member of the AD Group: $ADGroupName"
}
Else
{
    Write-Host -f Red "User '$UserID' is Not a Member of the AD Group: $ADGroupName"
}
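As an added example (not part of the original post), here is a variant of the recursive check that lets the domain controller evaluate nesting with the LDAP_MATCHING_RULE_IN_CHAIN operator (OID 1.2.840.113556.1.4.1941): it follows nested groups and group cycles server-side, avoids the Get-ADGroupMember -Recursive expansion that fails on groups larger than the ADWS MaxGroupOrMemberEntries limit (5000 by default), escapes the values embedded in the filter, and also covers the user's primary group, which never appears in memberOf. The ActiveDirectory module, a reachable domain controller, and the function names Test-ADGroupMemberRecursive and ConvertTo-LdapFilterValue are assumptions of this example.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) and a reachable domain controller; Test-ADGroupMemberRecursive and
# ConvertTo-LdapFilterValue are names chosen for this example.
Import-Module ActiveDirectory -ErrorAction Stop

# Escape the characters that are special inside an LDAP filter (RFC 4515),
# so a DN or account name containing ( ) * \ cannot change the query's meaning.
# The backslash is replaced first, because the later replacements introduce backslashes.
Function ConvertTo-LdapFilterValue([string]$Value)
{
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Returns $True if $UserID ("DOMAIN\sAMAccountName") is a direct or nested member
# of $ADGroup ("DOMAIN\group name"), with the nesting evaluated by the domain controller
Function Test-ADGroupMemberRecursive([string]$UserID, [string]$ADGroup)
{
    #Strip the "DOMAIN\" prefix, as in the original script
    $SamAccountName = $UserID.Substring($UserID.IndexOf("\") + 1)
    $ADGroupName    = $ADGroup.Substring($ADGroup.IndexOf("\") + 1)

    #The matching-rule filter needs the group's distinguishedName
    $Group = Get-ADGroup -Identity $ADGroupName -ErrorAction Stop

    #LDAP_MATCHING_RULE_IN_CHAIN walks the memberOf chain on the server, so nested
    #groups (and group cycles) are handled without expanding members client-side
    $Filter = "(&(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName))" +
              "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $Group.DistinguishedName)))"
    If (Get-ADUser -LDAPFilter $Filter) { Return $True }

    #memberOf never lists a user's primary group (e.g. Domain Users), so check it separately
    $User = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup -ErrorAction Stop
    Return ($User.PrimaryGroup -eq $Group.DistinguishedName)
}

#Example run with the same identities as the post
If (Test-ADGroupMemberRecursive "Crescent\salaudeen" "Crescent\Palo Alto RAS") {
    Write-Host -f Green "Member (directly or via a nested group)"
} Else {
    Write-Host -f Red "Not a member"
}
```

Because the evaluation happens on the domain controller, the result reflects the full nesting chain without the client ever enumerating the group's members.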