Private/Check-UserGroupMembershipByEmail.ps1
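function Check-UserGroupMembershipByEmail {
    <#
    .SYNOPSIS
        Checks if a user (by email) is a member of a specified group across multiple AD domains using ADSISearcher.
    .DESCRIPTION
        For each domain, binds to its Global Catalog naming context and searches for an enabled
        user object whose `mail` attribute equals -Email. The first user found
        (DirectorySearcher.FindOne) is examined: its `memberOf` values are compared against a
        group RDN of CN=<GroupCN>. If several accounts share the same mail value, the result
        reflects whichever object the directory returns first.
        `memberOf` lists direct memberships only; nested group membership and the user's primary
        group are not resolved here.
        An error while searching a domain is reported via Write-Warning and that domain is
        skipped; if no domain yields a match the function returns $false. Callers therefore
        cannot distinguish "not a member" from "lookup failed" — the check fails closed.
    .PARAMETER Email
        User email (matches `mail` attribute). LDAP filter metacharacters are escaped (RFC 4515).
    .PARAMETER GroupCN
        Common name (CN) of the group to check (e.g., "test-token"). Compared literally;
        wildcard characters in the name are not interpreted.
    .PARAMETER Domains
        Array of domain DNS names to search, e.g., @("lab.company.com", "test.company.com").
    .OUTPUTS
        System.Boolean. $true if user is in the group, $false otherwise (including when the
        user is not found in any domain or every domain lookup fails).
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string] $Email,
        [Parameter(Mandatory)][string] $GroupCN,
        [Parameter(Mandatory)][string[]] $Domains
    )

    # Escape email for the LDAP filter: \ * ( ) and NUL become \xx (RFC 4515).
    # A MatchEvaluator is used instead of the scriptblock form of -replace, which is only
    # honoured by PowerShell 6.1+; on Windows PowerShell 5.1 the scriptblock would be
    # stringified and its source text inserted into the filter.
    $safeMail = [regex]::Replace(
        $Email,
        '[\\*()\0]',
        [System.Text.RegularExpressions.MatchEvaluator] { param($m) '\{0:x2}' -f [int][char]$m.Value })

    # LDAP filter: user object with this mail whose ACCOUNTDISABLE bit (2) is not set.
    $ldapFilter = "(&(objectCategory=person)(objectClass=user)(mail=$safeMail)" +
                  "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

    # -like treats * ? [ as wildcards; escape GroupCN so the RDN comparison is literal.
    $groupPattern = "CN=$([WildcardPattern]::Escape($GroupCN)),*"

    foreach ($dnsDomain in $Domains) {
        # Convert DNS domain to DC= notation, ignoring empty labels (e.g. a trailing dot).
        $dcParts = $dnsDomain -split '\.' | Where-Object { $_ } | ForEach-Object { "DC=$_" }
        $nc = $dcParts -join ','

        $searchRoot = $null
        $searcher = $null
        try {
            $searchRoot = [ADSI]"GC://$nc"
            $searcher = New-Object DirectoryServices.DirectorySearcher
            $searcher.SearchRoot = $searchRoot
            $searcher.SearchScope = 'Subtree'
            $searcher.PageSize = 100
            $searcher.Filter = $ldapFilter
            $null = $searcher.PropertiesToLoad.Clear()
            $null = $searcher.PropertiesToLoad.AddRange(@("memberOf", "samAccountName", "distinguishedName"))

            $result = $searcher.FindOne()
            if ($result) {
                # The user exists in this domain; the answer is decided by this object's
                # direct memberships, so no further domains are consulted.
                $memberof = $result.Properties["memberOf"]
                if ($memberof) {
                    foreach ($groupDN in $memberof) {
                        if ($groupDN -like $groupPattern) {
                            return $true
                        }
                    }
                }
                return $false
            }
        }
        catch {
            # Fail closed: report the failure and continue with the next domain.
            Write-Warning "Error searching domain $dnsDomain : $_"
        }
        finally {
            # Release the directory handles on every exit path, including the returns above.
            if ($searcher) { $searcher.Dispose() }
            if ($searchRoot) { $searchRoot.Dispose() }
        }
    }

    Write-Verbose "User not found in any supplied domain."
    return $false
}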