Monday, November 16, 2015

List recursive group memberships


This script prompts for a username and returns a recursive list of the user's group memberships, i.e. the groups the user is in directly plus every group those groups are nested in. It does this with a single LDAP query: the Object Identifier (OID) 1.2.840.113556.1.4.1941 invokes the extensible-match rule LDAP_MATCHING_RULE_IN_CHAIN, which makes the domain controller walk the member chain server-side, so no client-side recursion is needed. See the links below for further information on how this query operates.

http://ldapwiki.willeke.com/wiki/1.2.840.113556.1.4.1941

https://msdn.microsoft.com/en-us/library/aa746475%28v=vs.85%29.aspx


param (
    # Mandatory: PowerShell prompts for the value if it is not supplied.
    [Parameter (ValueFromPipeline=$true, Mandatory=$true)]
    [string]$username
)

# Requires the ActiveDirectory module (RSAT); auto-loaded on PowerShell 3 and later.
Import-Module ActiveDirectory

# Resolve the user's DN, which is the value the in-chain rule matches against.
$dn = (Get-ADUser $username).DistinguishedName

# Sort on the Name property before expanding it: once expanded the objects are
# plain strings, and "sort name" has no Name property to sort on.
Get-ADGroup -LDAPFilter ("(member:1.2.840.113556.1.4.1941:={0})" -f $dn) | Sort-Object Name | Select-Object -ExpandProperty Name



Replace Sort-Object with Measure-Object to return the number of groups instead of the list. The same query works for machine accounts: resolve the distinguished name with the Get-ADComputer cmdlet instead of Get-ADUser.

Consider expanding this to compare recursive group memberships of two users.
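As an added example (not the original post's script), here is the query wrapped in a function that handles both users and computers, escapes the DN before it is placed in the LDAP filter, and a second function that compares the recursive memberships of two users with Compare-Object. The function names are my own; it assumes the ActiveDirectory module (RSAT) and a domain-joined session.

```powershell
# Added example, not the post's original script. Assumes the ActiveDirectory
# module is available and the session can reach a domain controller.
Import-Module ActiveDirectory

# Escape the characters RFC 4515 reserves inside an LDAP filter value, so a DN
# containing "(", ")", "*" or "\" cannot break or widen the filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory = $true)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Recursive (nested) group names for a user, or a computer with -Computer.
# Note: the in-chain rule walks the "member" attribute only, so the principal's
# primary group (normally Domain Users / Domain Computers) is NOT returned,
# because primary membership is stored in primaryGroupID, not in member.
function Get-RecursiveGroupMembership {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$Identity,
        [switch]$Computer
    )
    process {
        $dn = if ($Computer) { (Get-ADComputer -Identity $Identity).DistinguishedName }
              else           { (Get-ADUser     -Identity $Identity).DistinguishedName }

        # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN: the DC follows
        # the member chain, so nested groups come back in one query.
        $filter = '(member:1.2.840.113556.1.4.1941:={0})' -f (ConvertTo-LdapFilterValue $dn)
        Get-ADGroup -LDAPFilter $filter |
            Sort-Object Name |
            Select-Object -ExpandProperty Name
    }
}

# Compare the recursive memberships of two users. Output is one row per group
# with a Membership column naming who holds it (first user, second user, or both).
function Compare-RecursiveGroupMembership {
    param(
        [Parameter(Mandatory = $true)][string]$ReferenceUser,
        [Parameter(Mandatory = $true)][string]$DifferenceUser
    )
    $ref  = @(Get-RecursiveGroupMembership -Identity $ReferenceUser)
    $diff = @(Get-RecursiveGroupMembership -Identity $DifferenceUser)
    Compare-Object -ReferenceObject $ref -DifferenceObject $diff -IncludeEqual |
        Select-Object @{ n = 'Group'; e = { $_.InputObject } },
                      @{ n = 'Membership'; e = {
                          switch ($_.SideIndicator) {
                              '<=' { $ReferenceUser }
                              '=>' { $DifferenceUser }
                              '==' { 'both' }
                          } } }
}

# Usage (sample identities are placeholders):
# Get-RecursiveGroupMembership -Identity jdoe
# (Get-RecursiveGroupMembership -Identity jdoe | Measure-Object).Count
# Get-RecursiveGroupMembership -Identity WS01 -Computer
# Compare-RecursiveGroupMembership -ReferenceUser jdoe -DifferenceUser asmith
```

The escaping step matters whenever the DN is built from directory data you do not control: a CN containing "(" or "*" would otherwise change the meaning of the filter. The comparison is useful for privilege reviews, since a group that appears only for one of two users with the same role is the one to explain.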

The script above is also an example of a mandatory parameter prompt. To produce multiple prompts for arguments that are turned into variables, declare more than one mandatory parameter:

param (
    # Bound from the pipeline, or prompted for if not supplied.
    [Parameter (ValueFromPipeline=$true, Mandatory=$true)]
    [string]$username,
    # Only one parameter of a given type can bind pipeline input by value,
    # so take the second one from the command line (still prompted if missing).
    [Parameter (Mandatory=$true)]
    [string]$PartialGroupName
)