public/Get-ADGroupMembership.ps1
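#Requires -Module ActiveDirectory
<#
.SYNOPSIS
Module for performing recursive lookup of the groups to which an AD object belongs.
.DESCRIPTION
Use this module to perform a lookup of all global groups to which an object belongs, both direct and recursive.
This requires the ActiveDirectory module.
Identities are resolved through an RFC 4515-escaped LDAP filter, so a SAMAccountName or DN containing
'(', ')', '*' or '\' cannot alter the query.
.EXAMPLE
Get-ADGroupMembership -Identity someName -Recursive
.PARAMETER Identity
This parameter is required and must be in the form of a valid SAMAccountName.
If you wish to search a computer account, you must use the SAMAccountName with the trailing '$'
$Identity = 'someName'
.PARAMETER PageSize
This parameter is optional and sets the size of the search set and must be in the form of a valid integer.
The default is 1000.
$PageSize = 1000
.PARAMETER Recursive
This parameter is optional. It is a switch that will perform a recursive search of all global groups
(LDAP_MATCHING_RULE_IN_CHAIN). The default returns only direct membership.
.OUTPUTS
PSCustomObject with Name, DN and SID properties, one per group, sorted by Name.
Results for every pipeline input are collected and emitted together in End.
Lookup failures are written to the error stream; an identity that is not found is a non-terminating error.
.NOTES
Project: https://github.com/tmknight/TMK-CoreModules
#>
Function Get-ADGroupMembership {
    [CmdletBinding()]
    Param(
        ## Identity, required.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)]
        [string]$Identity,
        [Parameter(Mandatory = $false, Position = 1)]
        [int]$PageSize = 1000,
        ## Perform recursive search
        [Parameter(Mandatory = $false, Position = 2)]
        [switch]$Recursive
    )
    Begin {
        ## Escape a value for use inside an LDAP filter (RFC 4515). A DN or account name can
        ## legally contain '(', ')', '*' or '\', which would otherwise change the filter's meaning.
        ## The backslash is replaced first so the escapes inserted afterwards are not re-escaped.
        function ConvertTo-LdapFilterValue {
            param([string]$Value)
            return $Value -replace '\\', '\5c' `
                          -replace '\*', '\2a' `
                          -replace '\(', '\28' `
                          -replace '\)', '\29' `
                          -replace "`0", '\00'
        }

        ## DirectorySearcher bound to the default naming context of the current domain.
        ## Built once here; Process only swaps the filter.
        $objDomain = New-Object System.DirectoryServices.DirectoryEntry
        $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
        $objSearcher.SearchRoot = $objDomain
        $objSearcher.PageSize = $PageSize
        $objSearcher.SearchScope = 'Subtree'
        ## Loading objectsid with the group avoids a Get-ADGroup round trip per result.
        foreach ($prop in 'name', 'objectsid') {
            [void]$objSearcher.PropertiesToLoad.Add($prop)
        }

        ## Accumulated across all pipeline inputs (a per-Process array would be
        ## reset on every item, so End would only see the last identity's groups).
        $results = New-Object System.Collections.Generic.List[object]
    }
    Process {
        try {
            ## Resolve the object's DN; a trailing '$' in the SAMAccountName denotes a computer account.
            $accountFilter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $Identity))"
            if ($Identity -match '\$$') {
                $account = Get-ADComputer -LDAPFilter $accountFilter
            } else {
                $account = Get-ADUser -LDAPFilter $accountFilter
            }
            if (-not $account) {
                ## Previously this fell through to a misleading "not a member of any AD groups" warning.
                Write-Error "No user or computer with SAMAccountName '$Identity' was found"
                return
            }
            $usr = ConvertTo-LdapFilterValue ([string]$account.DistinguishedName)

            ## Direct membership, or the whole chain via LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941).
            if ($Recursive.IsPresent) {
                $objSearcher.Filter = "(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=$usr))"
            } else {
                $objSearcher.Filter = "(&(objectCategory=group)(member=$usr))"
            }

            $found = 0
            $colResultsGrp = $objSearcher.FindAll()
            try {
                foreach ($objResultGrp in $colResultsGrp) {
                    $found++
                    $props = $objResultGrp.Properties
                    $grpDN = $objResultGrp.Path -replace '^LDAP://'
                    $name = [string]$props['name'][0]
                    if ($grpDN -match 'OU=Mail') {
                        ## Preserved special case: groups under OU=Mail are labelled rather than resolved.
                        $sid = 'Mail Group'
                    } elseif ($props['objectsid'].Count -gt 0) {
                        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $props['objectsid'][0], 0
                    } else {
                        $sid = 'unknown'
                    }
                    $results.Add([PSCustomObject] @{
                        Name = $name
                        DN   = $grpDN
                        SID  = $sid
                    })
                }
            } finally {
                ## SearchResultCollection holds unmanaged resources.
                $colResultsGrp.Dispose()
            }
            if ($found -eq 0) {
                Write-Warning "$Identity is not a member of any AD groups"
            }
        } catch {
            ## Surface failures on the error stream rather than returning the ErrorRecord as output,
            ## so callers can distinguish results from errors with -ErrorAction / try-catch.
            Write-Error -ErrorRecord $_
        }
    }
    End {
        $objSearcher.Dispose()
        $results | Sort-Object Name
    }
}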