Powershell – How to tell which of the nested AD groups a user is member of

active-directory, powershell

I have a set of nested AD groups:

group
   subgroup1
      subsubgroup1a
      subsubgroup2b
   subgroup2
      subsubgroup2a
         userXY
      subsubgroup2b

I'm using "group" to grant access to a server. Now I want to know why my "userXY" has access to the server. How can I use powershell to find out that the user is member of "subsubgroup2a"?

Best Answer

Update: Technically, if you don't mind building a bulky function:

    function GetGroups ($object)
    {
        # Direct groups of the object, then the direct parents of each of those
        # (Get-ADPrincipalGroupMembership only returns direct membership, so this
        # walks two levels up)
        Get-ADPrincipalGroupMembership $object | ForEach-Object {
            $_
            Get-ADPrincipalGroupMembership $_
        }
    }

Then you can run:

    GetGroups username | select name -Unique

I've used that one in the past. It takes a while too.

Alternatively, here's a prebuilt script to find nested group data: https://gallery.technet.microsoft.com/scriptcenter/Get-nested-group-15f725f2

Update 2: An admin friend uses this script. It lists all security groups, but it still works, and you can dump the output to CSV for easy navigation: http://practical-admin.com/blog/powershell-recursively-show-user-membership-in-an-active-directory-group/
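As an added example (not from the original answer or the linked scripts), here is a recursive function that walks membership upward from the user and prints every chain ending at the group that grants the access, which is what the question actually asks for. `Get-MembershipPath` and the membership table are hypothetical names constructed from the hierarchy in the question; the lookup is a script block so the function runs offline, and against a real domain you swap in one that calls `Get-ADPrincipalGroupMembership`.

```powershell
# Added example, not part of the original answer. Walks "member of" edges upward
# from $Principal and emits one string per chain that ends at $TargetGroup.
function Get-MembershipPath {
    param(
        [Parameter(Mandatory)] [string]      $Principal,    # user or group to start from
        [Parameter(Mandatory)] [string]      $TargetGroup,  # group that grants the access
        [Parameter(Mandatory)] [scriptblock] $GetParents,   # names of groups $args[0] is a direct member of
        [string[]] $Path = @()                              # chain built so far (internal use)
    )
    # AD permits circular nesting; stop if we are already on the current chain.
    if ($Path -contains $Principal) { return }
    $current = $Path + $Principal
    foreach ($parent in (& $GetParents $Principal)) {
        if ($parent -eq $TargetGroup) {
            # Found a chain that explains the access: user -> ... -> target
            ($current + $parent) -join ' -> '
        } else {
            Get-MembershipPath -Principal $parent -TargetGroup $TargetGroup `
                               -GetParents $GetParents -Path $current
        }
    }
}

# Constructed membership data mirroring the question (object -> groups it belongs to).
$memberOf = @{
    'userXY'        = @('subsubgroup2a')
    'subsubgroup1a' = @('subgroup1')
    'subsubgroup2b' = @('subgroup1', 'subgroup2')   # listed under both in the question
    'subsubgroup2a' = @('subgroup2')
    'subgroup1'     = @('group')
    'subgroup2'     = @('group')
}
$offlineLookup = {
    param($name)
    if ($memberOf.ContainsKey($name)) { $memberOf[$name] } else { @() }
}.GetNewClosure()

Get-MembershipPath -Principal 'userXY' -TargetGroup 'group' -GetParents $offlineLookup
# userXY -> subsubgroup2a -> subgroup2 -> group

# Against a live domain (ActiveDirectory module), resolve direct parents from AD instead.
# Get-ADPrincipalGroupMembership returns direct membership only, which is why the
# recursion above is needed:
# $adLookup = { param($name) (Get-ADPrincipalGroupMembership $name).Name }
# Get-MembershipPath -Principal 'userXY' -TargetGroup 'group' -GetParents $adLookup
```

Each emitted line is one explanation of the access; if the user reaches the target group by more than one route (as `subsubgroup2b` would in the question's hierarchy), every route is listed separately.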