Public/Verify-UserGroupMembership.ps1

<#
.SYNOPSIS
    Checks if a user or users from a specified file are members of a specified Active Directory group.
 
.DESCRIPTION
    The Verify-UserGroupMembership function retrieves the local site's domain controller,
    discovers the target global catalog, and checks if a single user or users listed in a provided
    text or CSV file are members of a specified group.
 
.PARAMETER GroupName
    The name of the Active Directory group to check membership against.
 
.PARAMETER UserInput
    A single username (sAMAccountName) or a path to a file containing usernames. If a file, specify
    the type with UserInputType.
 
.PARAMETER UserInputType
    Specifies the type of UserInput: 'Single' for a single username, 'TextFile' for a plain text file,
    or 'CSV' for a CSV file. Default is 'Single'.
 
.EXAMPLE
    PS> Verify-UserGroupMembership -GroupName "ctx_xd7_win10_prod" -UserInput "jdoe"
 
    Checks if the user 'jdoe' is a member of the 'ctx_xd7_win10_prod' group.
 
.EXAMPLE
    PS> Verify-UserGroupMembership -GroupName "ctx_xd7_win10_prod" -UserInput "C:\Users\list.txt" -UserInputType "TextFile"
 
    Checks each user in 'list.txt' to see if they are a member of the 'ctx_xd7_win10_prod' group.
 
.EXAMPLE
    PS> Verify-UserGroupMembership -GroupName "ctx_xd7_win10_prod" -UserInput "C:\Users\list.csv" -UserInputType "CSV"
 
    Checks each user in 'list.csv' to see if they are a member of the 'ctx_xd7_win10_prod' group. Assumes usernames are listed under a column named 'Username'.
 
.NOTES
    Requires Active Directory module for PowerShell and appropriate permissions to query AD objects.
#>


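Function Verify-UserGroupMembership {
    # Membership check for one user, or a list of users, against a single AD group.
    # The group is resolved once (Begin) through a global catalog so it may live in any
    # domain of the forest. Each user is then located through the same catalog to find
    # its home domain, and MemberOf is read from that domain, because the catalog does
    # not carry a complete MemberOf for objects outside its own domain.
    # Output: one string per resolvable user, "True" or "False", in input order. Only
    # direct membership is tested (nested groups are not expanded). Users that cannot
    # be resolved, or match more than one account, produce a warning and no output line.
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory = $true)]
        [string]$GroupName,

        [Parameter(Mandatory = $true)]
        [string]$UserInput,

        [Parameter(Mandatory = $false)]
        [ValidateSet("Single", "TextFile", "CSV")]
        [string]$UserInputType = "Single"
    )

    Begin {
        try {
            # Prefer a global catalog in the local site, falling back to the next closest site.
            # The services are named instead of given as a number so the requirement (a GC that
            # also exposes ADWS, which the AD cmdlets need) is explicit. Discovery in a site that
            # has no matching DC may throw rather than return $null, so both cases fall through.
            $localSite = (Get-ADDomainController -Discover).Site
            $targetGC = $null
            try {
                $targetGC = Get-ADDomainController -Discover -Service GlobalCatalog, ADWS -SiteName $localSite -ErrorAction Stop
            } catch {
                $targetGC = $null
            }
            if (-not $targetGC) {
                $targetGC = Get-ADDomainController -Discover -Service GlobalCatalog, ADWS -NextClosestSite
            }
            # 3268 is the LDAP global-catalog port; it lets the group lookup span the forest.
            $GlobalCatalog = "$($targetGC.HostName):3268"

            # Script-block filter: $GroupName is bound as a value rather than spliced into
            # filter text, so a name containing a quote cannot alter the query.
            $groups = @(Get-ADGroup -Filter { Name -eq $GroupName } -Server $GlobalCatalog)
            if ($groups.Count -eq 0) {
                # Without this check a missing group yields $null and every user reports "False".
                throw "Group '$GroupName' was not found in the forest."
            }
            if ($groups.Count -gt 1) {
                # Same CN in several domains: refuse to guess which one the caller meant.
                throw "Group name '$GroupName' is ambiguous; matches: $($groups.DistinguishedName -join '; ')"
            }
            $GroupNameDN = $groups[0].DistinguishedName
        } catch {
            # 'return' inside Begin would not stop Process from running with an unset
            # catalog, so the failure has to be a terminating error.
            throw "Failed to connect to the global catalog or retrieve group information: $_"
        }
    }

    Process {
        # Collect candidate names, trimming whitespace and dropping blank entries (blank lines
        # in a text file, CSV rows without a 'Username' value) so they are never sent to AD.
        $rawNames = switch ($UserInputType) {
            'Single'   { $UserInput }
            'TextFile' { Get-Content -Path $UserInput }
            'CSV'      { Import-Csv -Path $UserInput | ForEach-Object { $_.Username } }
        }
        $usernames = @($rawNames | ForEach-Object { ([string]$_).Trim() } | Where-Object { $_ })

        foreach ($username in $usernames) {
            try {
                # sAMAccountName is unique per domain, not per forest, so the catalog query can
                # return several accounts; and with -Filter a miss is $null, not an exception.
                $candidates = @(Get-ADUser -Filter { SamAccountName -eq $username } -Server $GlobalCatalog)
                if ($candidates.Count -eq 0) {
                    Write-Warning "User '$username' not found in any domain within the forest."
                    continue
                }
                if ($candidates.Count -gt 1) {
                    Write-Warning "User '$username' matches $($candidates.Count) accounts in the forest; skipping."
                    continue
                }

                # The user's home domain (DNS name) is the DC= components of its DN; MemberOf is
                # read from that domain and the object is addressed by DN, which is unambiguous there.
                $userDn = $candidates[0].DistinguishedName
                $userDomainDns = ($userDn -split ',' | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }) -join '.'

                $user = Get-ADUser -Identity $userDn -Properties MemberOf -Server $userDomainDns
                $isMember = $user.MemberOf -contains $GroupNameDN
                # Emitted as the strings "True"/"False" to keep the existing output contract.
                Write-Output "$isMember"
            } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
                Write-Warning "User '$username' not found in any domain within the forest."
            } catch {
                Write-Error "An unexpected error occurred while checking membership for '$username': $_"
            }
        }
    }
}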