How to Check If a SharePoint User is a Member of an Active Directory Group using PowerShell?
Requirement: Check if a SharePoint user is a member of an Active Directory group using PowerShell.
Solution: Although we can check whether a particular user account is a member of an AD security group using the AD PowerShell cmdlets such as Get-ADGroupMember, here is the native SharePoint method (SPUtility.GetPrincipalsInGroup) to find out whether a particular user account is a member of a given Active Directory group.
PowerShell to Check if a SharePoint User is a Member of an Active Directory Group:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Variables
$SiteURL = "https://intranet.crescent.com/"
$SearchUserAccount = "Crescent\salaudeen"

#Custom Function to Check if User is a member of an Active Directory Group
Function Check-UserIsMemberOfADGroup($web, $SearchUserAccount, $GroupName)
{
    Try {
        #Resolve the AD Group & User in SharePoint
        $ADGroup = $web.EnsureUser($GroupName)
        $User = $web.EnsureUser($SearchUserAccount)

        #Get All Users of the AD Group (immediate members only; nested groups are not expanded)
        $ReachedMax = $false
        $Users = [Microsoft.SharePoint.Utilities.SPUtility]::GetPrincipalsInGroup($web, $ADGroup, ([Int]::MaxValue) - 1, [ref]$ReachedMax)

        #Check if the user is found in the members list (-eq is case-insensitive, so login-name casing does not matter)
        $SearchUser = $Users | Where { $_.PrincipalType -eq "User" -and $_.LoginName -eq $User.UserLogin }
        If ($SearchUser -ne $Null) {
            Return $True
        }
        else {
            Return $False
        }
    }
    Catch {
        Write-Host -f Red "Error Checking User Membership!" $_.Exception.Message
    }
}

#Get the Web
$Web = Get-SPWeb $SiteURL

#Get All AD Groups which have permission on the object, such as a Web, List, etc.
$RoleAssignments = $Web.RoleAssignments | Where { $_.Member.IsDomainGroup }

#Iterate Through the permissions of the web
Foreach ($RoleAssignment in $RoleAssignments)
{
    $IsMember = Check-UserIsMemberOfADGroup $Web $SearchUserAccount $RoleAssignment.Member.Name
    If ($IsMember) {
        Write-Host -f Green "$SearchUserAccount is a member of the AD Group $($RoleAssignment.Member.Name)"
    }
    Else {
        Write-Host -f Red "$SearchUserAccount is not a member of the AD Group $($RoleAssignment.Member.Name)"
    }
}

#Release the SPWeb object
$Web.Dispose()

Please note this script checks only the immediate membership - it doesn't search nested groups!
Check If a User is a Member of an AD Group recursively:

#Import the Active Directory module (RSAT / AD PowerShell)
Import-Module ActiveDirectory

#Variables
$UserID = "Crescent\salaudeen"
$ADGroup = "Crescent\Palo Alto RAS"

#Extract SamAccountName and AD Group Name (the part after "DOMAIN\")
$SamAccountName = $UserID.Substring($UserID.IndexOf("\") + 1)
$ADGroupName = $ADGroup.Substring($ADGroup.IndexOf("\") + 1)

#Get All Members of the AD Group, expanding nested groups
$GroupMembers = Get-ADGroupMember -Identity $ADGroupName -Recursive | Select -ExpandProperty SamAccountName

If ($GroupMembers -contains $SamAccountName) {
    Write-Host -f Green "User '$UserID' is a Member of the AD Group: $ADGroupName"
}
else {
    Write-Host -f Red "User '$UserID' is Not a Member of the AD Group: $ADGroupName"
}
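The following is an added example, not code from the original post, that joins the two scripts above into one effective-access review: SharePoint supplies the AD groups that hold a role assignment on the web and the role each carries, and Active Directory answers whether the user is in each group directly or through nesting. Nesting is resolved server-side with the LDAP_MATCHING_RULE_IN_CHAIN filter (OID 1.2.840.113556.1.4.1941) instead of Get-ADGroupMember -Recursive, which on very large groups runs into the Active Directory Web Services per-call member limit. The site URL and account are the placeholder values from the post; the function names (Get-WindowsAccountName, Get-AccountNamePart, ConvertTo-LdapFilterValue, Test-NestedGroupMembership) are this example's own; it assumes the SharePoint snap-in and the ActiveDirectory module are installed, that the user and the groups live in the AD module's default domain, and, as the post's scripts do, that the group's SamAccountName equals the name SharePoint shows after "DOMAIN\".

```powershell
# Added example (not from the original post): effective-access review for one user.
# Assumptions: placeholder site URL and account from the post; SharePoint snap-in and
# ActiveDirectory module installed; single-domain lookups; group SamAccountName equals the
# name after "DOMAIN\".
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$SiteURL = "https://intranet.crescent.com/"   # placeholder from the post
$UserID  = "Crescent\salaudeen"                # placeholder from the post

# Strip a SharePoint claims prefix such as "i:0#.w|crescent\salaudeen" down to "crescent\salaudeen".
Function Get-WindowsAccountName([string]$LoginName) {
    If ($LoginName.Contains('|')) {
        Return $LoginName.Substring($LoginName.LastIndexOf('|') + 1)
    }
    Return $LoginName
}

# Return the part after "DOMAIN\"; throw if the value is not in DOMAIN\name form.
Function Get-AccountNamePart([string]$Account) {
    $Parts = (Get-WindowsAccountName $Account) -split '\\', 2
    If ($Parts.Count -ne 2 -or $Parts[1] -eq '') { Throw "Expected DOMAIN\name, got '$Account'" }
    Return $Parts[1]
}

# RFC 4515 escaping so a DN containing \ ( ) * or NUL cannot change the filter's structure.
Function ConvertTo-LdapFilterValue([string]$Value) {
    # Backslash first, so the escape sequences produced afterwards are not re-escaped.
    Return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# $true when $UserDN is a direct or nested member of the AD group $GroupSam (SamAccountName).
Function Test-NestedGroupMembership([string]$UserDN, [string]$GroupSam) {
    $Group = Get-ADGroup -Identity $GroupSam
    $GroupDN = ConvertTo-LdapFilterValue $Group.DistinguishedName
    $MemberDN = ConvertTo-LdapFilterValue $UserDN
    # One LDAP query: "this group, AND its member chain contains the user"; the DC walks the nesting.
    $Hit = Get-ADGroup -LDAPFilter "(&(distinguishedName=$GroupDN)(member:1.2.840.113556.1.4.1941:=$MemberDN))"
    Return ($null -ne $Hit)
}

$ADUser = Get-ADUser -Identity (Get-AccountNamePart $UserID)   # assumes the module's default domain is the user's domain
$Web = Get-SPWeb $SiteURL
Try {
    # Role assignments held by domain (AD) groups rather than individual users or SharePoint groups
    $GroupAssignments = $Web.RoleAssignments | Where { $_.Member.IsDomainGroup }
    Foreach ($RA in $GroupAssignments) {
        $Roles = ($RA.RoleDefinitionBindings | Select -ExpandProperty Name) -join ", "
        Try {
            $GroupSam = Get-AccountNamePart $RA.Member.Name
            If (Test-NestedGroupMembership $ADUser.DistinguishedName $GroupSam) {
                Write-Host -f Green "$UserID holds '$Roles' on $SiteURL via AD group '$($RA.Member.Name)' (direct or nested)"
            }
            Else {
                Write-Host -f Gray "$UserID is not in AD group '$($RA.Member.Name)' ($Roles)"
            }
        }
        Catch {
            # e.g. a group name SharePoint shows in a form the AD module cannot resolve
            Write-Warning "Skipping '$($RA.Member.Name)': $($_.Exception.Message)"
        }
    }
}
Finally {
    $Web.Dispose()
}
```

The matching-rule-in-chain filter is evaluated by the domain controller, so the cost of deep nesting stays on the server and the script never has to page through member lists. The filter values are escaped before being interpolated because a distinguished name can legitimately contain parentheses or backslashes (an escaped comma in a CN, for example), and an unescaped value would otherwise alter the query rather than just its operand. This is a single-domain check: the user and the groups are resolved in the AD module's default domain.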