Quick Tip – Determining AD Group Membership Using PowerShell

Although Exchange is a major part of my job and one of my primary interests, there are times when I am called on to work on other issues. Currently my team is working on a major project in which we intend to move from Citrix XPe (3000 seats) on Windows 2000 to Citrix Presentation Server 4.5 on Windows 2008 (yes, I know it has only just been released, but we have been testing it for a while and believe that it is ready to serve in this capacity).

Now my role in the project (apart from being the boss and overseeing things) is to upgrade the current domain from Windows 2000 to 2008, and also to convert all of the existing KIXX-based logon scripts to PowerShell (the Citrix aspects are being done by my highly skilled Citrix people). So today I sat down with my copy of PowerGUI and began to convert the first KIXX script to PowerShell.

For most of the day it went very well; in fact many of the built-in PowerShell commands are far more elegant and straightforward than their KIXX (or even VBScript) counterparts. For example, the creation and deletion of folders is wonderful (and the built-in “Test-Path” cmdlet is a dream). However, when it came to the point where I needed the script to compare the group membership of user accounts in order to allocate resources, it fell apart a little.

You see (as far as I could tell) there is no built-in group “MemberOf” cmdlet in PowerShell 1.0, and after a little bit of research it seemed to me that I would need to install third-party command libraries (some free, others at a cost) in order to fill the gap; neither option was acceptable in my situation.

Essentially I needed a cmdlet that would accomplish the following pseudo code:

  • Accept an Active Directory “samAccountName” and a Group Name
  • Check to see if the Active Directory Account that had been passed was a member of the group which had been stipulated
  • Return a value that could then be used to map a drive or printer (say for example as part of an “if” condition)

After hours of searching I found many ways to obtain the group membership of a given user, but I could not find a way to perform the tasks above. In the end I decided to write my own function to accomplish the task, which I would like to share with you all:

$strName = $env:username

function get-GroupMembership($DNName,$cGroup){

	# Look up the user by samAccountName to obtain its distinguishedName.
	# (The filter must use the $DNName parameter; using $strName here would
	# silently ignore the first argument passed to the function.)
	# Caveat: $DNName and $cGroup are interpolated straight into LDAP filters,
	# so they must come from a trusted source (e.g. $env:username in a logon
	# script), not from arbitrary input.
	$strFilter = "(&(objectCategory=User)(samAccountName=$DNName))"

	$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
	$objSearcher.Filter = $strFilter

	$objPath = $objSearcher.FindOne()
	If ($objPath -eq $Null){
		return 0
	}
	$objUser = $objPath.GetDirectoryEntry()
	$DN = $objUser.distinguishedName

	# Look up the group by name to obtain its distinguishedName.
	$strGrpFilter = "(&(objectCategory=group)(name=$cGroup))"
	$objGrpSearcher = New-Object System.DirectoryServices.DirectorySearcher
	$objGrpSearcher.Filter = $strGrpFilter

	$objGrpPath = $objGrpSearcher.FindOne()

	If (!($objGrpPath -eq $Null)){

		$objGrp = $objGrpPath.GetDirectoryEntry()

		$grpDN = $objGrp.distinguishedName
		$ADVal = [ADSI]"LDAP://$DN"

		# memberOf is multi-valued: -eq against an array returns the matching
		# elements, so the test is true when the group DN appears anywhere in it.
		# Note that memberOf lists DIRECT memberships only; nested groups and the
		# user's primary group (normally "Domain Users") are not included.
		if ($ADVal.memberOf.Value -eq $grpDN){
			return 1
		}
	}
	return 0
}

$result = get-groupMembership $strName "Administrators"

The function requires two parameters:

  • An Active Directory Account Name (in the samAccountName format)
  • The name of a security group

Therefore the syntax of the function is: get-groupMembership <samAccountName> <GroupName>. An example of the command in use is: get-groupMembership “andy.grogan” “Domain Admins”. If the function determines that the account passed is a member of the group passed, it returns 1; if the account is NOT a member of the group, it returns 0. I have provided a downloadable copy of the file here (which also includes some demo syntax on how the return values are presented):

get-groupMembership.ps1

I hope that this saves someone the hours that I have lost from my life today!
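As an added example (not the original post's code), here is a hardened variant of the same check. It differs from the function above in three ways: the samAccountName and group name are escaped before being placed in the LDAP filter (RFC 4515), so a value containing *, (, ) or \ cannot change the query; membership is resolved through the user's tokenGroups attribute, which the domain controller computes from nested groups and the primary group, rather than the direct-only memberOf attribute; and it returns $true/$false instead of 1/0. The function and helper names (Test-AdGroupMembership, ConvertTo-LdapFilterValue) are my own choices; it assumes Windows PowerShell on a domain-joined host with the System.DirectoryServices assembly available, as in the original.

```powershell
# Added example, not from the original post. Assumes a domain-joined host
# running Windows PowerShell; queries run under the caller's credentials.

function ConvertTo-LdapFilterValue {
    # Escape the RFC 4515 filter metacharacters. Backslash must be escaped
    # first, otherwise the escapes introduced below would be escaped again.
    param([Parameter(Mandatory = $true)][string]$Value)
    $escaped = $Value   -replace '\\',  '\5c'
    $escaped = $escaped -replace '\*',  '\2a'
    $escaped = $escaped -replace '\(',  '\28'
    $escaped = $escaped -replace '\)',  '\29'
    $escaped = $escaped -replace '\x00', '\00'
    return $escaped
}

function Test-AdGroupMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [Parameter(Mandatory = $true)][string]$GroupName
    )

    # 1. Find the user. objectCategory=person + objectClass=user excludes
    #    computer accounts, which also have objectClass=user.
    $userFilter = '(&(objectCategory=person)(objectClass=user)(samAccountName={0}))' -f `
        (ConvertTo-LdapFilterValue $SamAccountName)
    $userSearcher = New-Object System.DirectoryServices.DirectorySearcher($userFilter)
    $null = $userSearcher.PropertiesToLoad.Add('distinguishedName')
    $userResult = $userSearcher.FindOne()
    if ($null -eq $userResult) { throw "User '$SamAccountName' not found." }

    # 2. Find the group by samAccountName or cn and read its SID. Comparing
    #    SIDs avoids string comparisons on DNs, which change when a group is
    #    renamed or moved between OUs.
    $groupFilter = '(&(objectCategory=group)(|(samAccountName={0})(cn={0})))' -f `
        (ConvertTo-LdapFilterValue $GroupName)
    $groupSearcher = New-Object System.DirectoryServices.DirectorySearcher($groupFilter)
    $null = $groupSearcher.PropertiesToLoad.Add('objectSid')
    $groupResult = $groupSearcher.FindOne()
    if ($null -eq $groupResult) { throw "Group '$GroupName' not found." }
    $groupSid = New-Object System.Security.Principal.SecurityIdentifier(
        $groupResult.Properties['objectsid'][0], 0)

    # 3. tokenGroups is a constructed attribute: it is only available from the
    #    user object itself (RefreshCache on the DirectoryEntry), never from a
    #    subtree search. It contains the SIDs of every security group the user
    #    belongs to, transitively, plus the primary group.
    $userEntry = $userResult.GetDirectoryEntry()
    $userEntry.RefreshCache([string[]]@('tokenGroups'))
    foreach ($sidBytes in $userEntry.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        if ($sid -eq $groupSid) { return $true }
    }
    return $false
}

# Usage in a logon script (example input, not from the original post):
if (Test-AdGroupMembership -SamAccountName $env:USERNAME -GroupName 'Domain Admins') {
    Write-Host 'member'
} else {
    Write-Host 'not a member'
}
```

Two things worth keeping in mind when using either version in a logon script. First, the result only decides which drives and printers the script maps for convenience; the real access control is the ACL on the share or print queue, so a user who edits the script or its input gains nothing beyond what the ACL already allows. Second, tokenGroups reflects security groups only; distribution groups do not appear in it, so if a distribution group is used to drive resource mapping the memberOf approach from the original function is the one that will see it.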
