public/Get-ADGroupMembership.ps1
|
#Requires -Module ActiveDirectory <# .SYNOPSIS Module for performing recursive lookup of the groups to which an AD object belongs. .DESCRIPTION Use this module to perform a lookup of all global groups to which an object belongs, both direct and recursive. This requires the AtiveDirectory module .EXAMPLE Get-ADGroupMembership -Identity someName -Recursive .PARAMETER Identity This parameter is required and must be in the form of valid SAMAccountName. If you wish to search a computer account, use must use the SAMAccountName with the trailing '$' $Identity = 'someName' .PARAMETER PageSize This parameter is optional and sets the size of the search set and must be in the form of valid integer. The defualt is 1000. $PageSize = 1000 .PARAMETER Recursive This parameter is optional. It is a switch that will perform a recursive search of all global groups. The default returns only direct membership. .NOTES Project: https://github.com/tmknight/TMK-CoreModules #> Function Get-ADGroupMembership { [CmdletBinding()] Param( ## Identity, required. [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)] [string]$Identity, [Parameter(Mandatory = $false, Position = 1)] [int]$PageSize = 1000, ## Perform recursive search [Parameter(Mandatory = $false, Position = 2)] [switch]$Recursive ) Begin { ## Setup LDAP search $strDN = { SAMAccountName -like $Identity } $objDomain = New-Object System.DirectoryServices.DirectoryEntry $objSearcher = New-Object System.DirectoryServices.DirectorySearcher $objSearcher.SearchRoot = $objDomain $objSearcher.PageSize = $PageSize $objSearcher.SearchScope = "Subtree" $objSearcher.Filter = $strDN $colProplistUsr = "name" } Process { try { ## User or computer switch -RegEx ($Identity) { '\$$' { $usr = (Get-ADComputer -Filter $strDN).DistinguishedName } Default { $usr = (Get-ADUser -Filter $strDN).DistinguishedName } } ## Direct or recursive membership if ($Recursive.IsPresent) { $strGroup = "(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=$usr))" } else { $strGroup = "(&(objectCategory=group)(member=$usr))" } ForEach ($u in $colProplistUsr) { $objSearcher.PropertiesToLoad.Add($u) | Out-Null } $objSearcher.Filter = $strGroup $colProplistGrp = "name" ForEach ($g in $colProplistGrp) { $objSearcher.PropertiesToLoad.Add($g) | Out-Null } $obj = @() $colResultsGrp = $objSearcher.FindAll() ForEach ($objResultGrp in $colResultsGrp) { $vars = "objItemGrp", "grpDN", "name", "sid" Remove-Variable $vars -ErrorAction SilentlyContinue $objItemGrp = $objResultGrp.Properties $grpDN = $objItemGrp.adspath -replace "LDAP://" $name = $($objItemGrp.name) if ($grpDN -match "OU=Mail") { $sid = "Mail Group" } else { try { $sid = (Get-ADGroup "$name" -ErrorAction SilentlyContinue).SID if ($sid -notmatch "S-1-5") { $sid = "unknown" } } catch { $sid = "unknown" } } $obj += [PSCustomObject] @{ Name = "$name" DN = "$grpDN" SID = $sid } } if (-not $obj) { Write-Warning "$Identity is not a member of any AD groups" } } catch { Return $_ } } End { Return $obj | Sort-Object Name } } |