PowerShell: Recursively Show Group Membership for an Active Directory Object

Another PowerShell function to help identify user/group/computer information from Active Directory. This one will recursively show group membership for an Active Directory object.

Sample usage:

3 thoughts on “PowerShell: Recursively Show Group Membership for an Active Directory Object”

  1. I’ve added some functionality to your script. This version resolves and includes the primary group, and builds a PowerShell object out of the findings. I find working with objects is easier than string output. Usage is the same as before.

    function Get-GroupsForObject {
        [cmdletbinding()]
        param(
            [string]$Object = "", 
            [int]$Level = 0
        )
     
        $indent = "-" * $Level
     
        $d = Get-ADObject -Identity $Object -Properties SamAccountName
     
        if ($Level -eq 0) {
            #write-host "$indent# $($d.SamAccountName)" -ForegroundColor Red
        }
    
        if ($d.ObjectClass -eq "user" -and $Level -eq 0) {
            $e = Get-ADUser -Identity $d.DistinguishedName -Properties MemberOf,PrimaryGroup
    
            #Include primary group
            Get-GroupsForObject -Object (get-adgroup $e.primarygroup).distinguishedname -Level($Level + 1)
    
        } elseif ($d.ObjectClass -eq "group") {
            if ($Level -gt 0) {
                #write-host "$indent> $($d.SamAccountName)"
                New-Object PSObject -Property @{
                    Name = $($d.SamAccountName)
                    Level = $Level
                }
            }
     
            $e = Get-ADGroup -Identity $d.DistinguishedName -Properties MemberOf
     
        }
     
        $e.MemberOf | Sort-Object | %{
            # prevent a loop if the group is a member of itself
            if ( $_ -ne $e.DistinguishedName ) {
                Get-GroupsForObject -Object $_  -Level($Level + 1)
            }
        }
    
    }
  2. I also added some code to this function, based on Will Neumann’s, to make it more compatible with a single-forest, multi-domain environment.

    function Get-GroupsForObject {
        [cmdletbinding()]
        param(
            [string]$Object,
            [int]$Level = 0
        )

        $indent = "-" * $Level

        # Query the global catalog so objects from any domain in the forest resolve
        $Server = "FQDN:3268"
        $d = Get-ADObject -Identity $Object -Properties SamAccountName,CanonicalName -Server $Server
        # The canonical name starts with the object's own domain, e.g. child.example.com/OU/Name
        $dOU = $d.CanonicalName
        $dPos = $dOU.IndexOf("/")
        $dSvr = $dOU.Substring(0, $dPos)

        if ($Level -eq 0) {
            #write-host "$indent# $($d.SamAccountName)" -ForegroundColor Red
        }

        if ($d.ObjectClass -eq "user" -and $Level -eq 0) {
            $e = Get-ADUser -Identity $d.DistinguishedName -Properties MemberOf,PrimaryGroup -Server $dSvr

            #Include primary group (always in the user's own domain, so query that domain)
            Get-GroupsForObject -Object (Get-ADGroup $e.PrimaryGroup -Server $dSvr).DistinguishedName -Level($Level + 1)

        } elseif ($d.ObjectClass -eq "group") {
            if ($Level -gt 0) {
                #write-host "$indent> $($d.SamAccountName)"
                New-Object PSObject -Property @{
                    Name = $($d.CanonicalName)
                    Level = $Level
                }
            }

            $e = Get-ADGroup -Identity $d.DistinguishedName -Properties MemberOf -Server $dSvr

        }

        $e.MemberOf | Sort-Object | %{
            # prevent a loop if the group is a member of itself
            if ( $_ -ne $e.DistinguishedName ) {
                Get-GroupsForObject -Object $_ -Level($Level + 1)
            }
        }

    }

    #example
    Get-GroupsForObject -Object (Get-ADUser XXX) | fl
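The self-membership check in the functions above only catches a group that is its own member; nesting that loops through several groups (A in B, B in A) still recurses without bound, and a group reachable by two paths is reported twice. As an added example, not code from the post or either comment, this variant carries a visited set through the recursion and resolves the primary group from primaryGroupID instead of a second user lookup. It assumes the RSAT ActiveDirectory module in a domain-joined session; the function name Get-GroupsForObjectSafe is my own.

```powershell
# Added example: recursive group membership with cycle/duplicate protection.
# Assumes the ActiveDirectory module (RSAT) is loaded and the session can reach a DC.
function Get-GroupsForObjectSafe {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [int]$Level = 0,
        # Shared across recursive calls; callers normally leave it at the default.
        [System.Collections.Generic.HashSet[string]]$Visited =
            [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    )

    $obj = Get-ADObject -Identity $Identity -Properties SamAccountName, MemberOf, PrimaryGroupID, ObjectSid

    # HashSet.Add returns $false if the DN is already present: either circular nesting
    # or a group reachable via more than one path. Either way, stop expanding here.
    if (-not $Visited.Add($obj.DistinguishedName)) {
        Write-Verbose "Skipping $($obj.SamAccountName): already visited (circular or duplicate nesting)"
        return
    }

    # Level 0 is the object we started from, so only its parents are emitted.
    if ($Level -gt 0) {
        [pscustomobject]@{
            Name              = $obj.SamAccountName
            DistinguishedName = $obj.DistinguishedName
            Level             = $Level
        }
    }

    $parents = @($obj.MemberOf | Where-Object { $_ })

    # Users and computers store their primary group as a RID in primaryGroupID,
    # not in memberOf. Build the group SID from the object's own domain SID.
    if ($Level -eq 0 -and $obj.PrimaryGroupID) {
        $domainSid = $obj.ObjectSid.AccountDomainSid.Value
        $primary   = Get-ADGroup -Identity "$domainSid-$($obj.PrimaryGroupID)"
        $parents  += $primary.DistinguishedName
    }

    foreach ($dn in ($parents | Sort-Object -Unique)) {
        Get-GroupsForObjectSafe -Identity $dn -Level ($Level + 1) -Visited $Visited
    }
}
```

Run it with `-Verbose` to see which groups were skipped; a skip message for a group that is not a legitimate duplicate path points at circular nesting worth cleaning up.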
