June 2013 - The Practical Administrator

Another PowerShell function to help identify user/group/computer information from Active Directory. This one will recursively show group membership for an Active Directory object.

function Get-GroupsForObject {
    [cmdletbinding()]
    param(
        [string]$Object = "", 
        [int]$Level = 0
    )
 
    $indent = "-" * $Level
 
    $d = Get-ADObject -Identity $Object -Properties SamAccountName
 
    if ($Level -eq 0) {
        Write-Host "$indent# $($d.SamAccountName)"
    }
 
    if ($d.ObjectClass -eq "user" -and $Level -eq 0) {
        $e = Get-ADUser -Identity $d.DistinguishedName -Properties MemberOf
 
    } elseif ($d.ObjectClass -eq "group") {
        if ($Level -gt 0) {
            Write-Host "$indent-&gt; $($d.SamAccountName)"
        }
 
        $e = Get-ADGroup -Identity $d.DistinguishedName -Properties MemberOf
 
    }
 
    $e.MemberOf | Sort-Object | %{
        # prevent a loop if the group is a member of itself
        if ( $_ -ne $e.DistinguishedName ) {
            Get-GroupsForObject -Object $_  -Level($Level + 1)
        }
    }
}

function Get-GroupsForObject {

[cmdletbinding()]

param(

[string]$Object = "",

[int]$Level = 0

)

$indent = "-" * $Level

$d = Get-ADObject -Identity $Object -Properties SamAccountName

if ($Level -eq 0) {

Write-Host "$indent# $($d.SamAccountName)"

}

if ($d.ObjectClass -eq "user" -and $Level -eq 0) {

$e = Get-ADUser -Identity $d.DistinguishedName -Properties MemberOf

} elseif ($d.ObjectClass -eq "group") {

if ($Level -gt 0) {

Write-Host "$indent-> $($d.SamAccountName)"

}

$e = Get-ADGroup -Identity $d.DistinguishedName -Properties MemberOf

}

$e.MemberOf | Sort-Object | %{

# prevent a loop if the group is a member of itself

if ( $_ -ne $e.DistinguishedName ) {

Get-GroupsForObject -Object $_ -Level($Level + 1)

}

Sample usage:

PS C:\&gt; Get-GroupsForObject -Object (Get-ADuser Andrew).DistinguishedName
PS C:\&gt; Get-GroupsForObject -Object (Get-ADGroup "vCenter Administrators").DistinguishedName

1 2	PS C:\> Get-GroupsForObject -Object (Get-ADuser Andrew).DistinguishedName PS C:\> Get-GroupsForObject -Object (Get-ADGroup "vCenter Administrators").DistinguishedName