We can find out whether an Active Directory user is a member of an AD group using the Get-ADGroupMember cmdlet. In this article, I am going to write a PowerShell script to check if a user exists in a group or a nested group, and to check whether multiple users are members of an AD group.
Run the following command to import Active Directory cmdlets.
Import-Module ActiveDirectory
PowerShell script to check if User is Member of a Group
The following PowerShell script checks whether the given user is a member of the given group. We use the -Recursive parameter of Get-ADGroupMember to get nested group members along with direct group members. Note that the comparison is made against the Name property, which is the display name of the account, so $user must hold the display name rather than the logon name (SamAccountName).
$user = "TestUser"
$group = "Domain Admins"
# Name is the display name; use Select -ExpandProperty SamAccountName if you want to match logon names.
$members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty Name
If ($members -contains $user) {
    Write-Host "$user exists in the group"
} Else {
    Write-Host "$user does not exist in the group"
}
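The script above has to pull every member of the group and then compares display names, which are not unique and are not what users log on with. The following is an added example, not code from the original article: it matches on sAMAccountName, escapes the value before it goes into an LDAP filter, and lets the domain controller walk nested groups with the LDAP_MATCHING_RULE_IN_CHAIN matching rule, so no member enumeration is needed and the 5000-entry limit of Get-ADGroupMember does not apply. The function and helper names, "TestUser" and "Domain Admins" are placeholders; it assumes the ActiveDirectory module and a reachable domain controller.

```powershell
# Added example, not code from the original article. Assumes the ActiveDirectory
# module and a reachable DC; "TestUser" and "Domain Admins" are placeholder names.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: a value taken from a CSV or a form must not be able to
    # change the meaning of the filter (e.g. "*" or ")(objectClass=*" tricks).
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Test-ADGroupMembership {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GroupName,
        [string]$Server                      # optional DC to pin the query to
    )
    $adArgs = @{}
    if ($Server) { $adArgs['Server'] = $Server }

    # Resolve the group to its DN. A missing group must be an error, not a silent
    # "not a member": a typo in a privileged-group check would otherwise pass unnoticed.
    $group = Get-ADGroup -Identity $GroupName @adArgs -ErrorAction Stop

    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC walk
    # the memberOf chain itself, so one query answers "direct or nested member?"
    # without fetching the member list.
    $filter = '(&(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:={1}))' -f
        (ConvertTo-LdapFilterValue $SamAccountName),
        (ConvertTo-LdapFilterValue $group.DistinguishedName)

    # Get-ADUser returns $null when nothing matches, so [bool] gives the answer.
    $hit = Get-ADUser -LDAPFilter $filter @adArgs
    return [bool]$hit
}

# Usage: the same single-user check as the article, keyed on the logon name.
$user  = 'TestUser'
$group = 'Domain Admins'
if (Test-ADGroupMembership -SamAccountName $user -GroupName $group) {
    Write-Host "$user is a direct or nested member of $group"
} else {
    Write-Host "$user is not a member of $group"
}
```

One caveat: memberOf never lists a user's primary group (normally Domain Users), so a check against a primary group has to compare the user's primaryGroupID with the group's RID instead. The matching rule also needs the query to be answered by a domain controller, which is the normal case for Get-ADUser.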
Check if multiple users are members of a Group
Use the PowerShell script below to check whether multiple users are members of a group.
$users = "TestUser1","TestUser2"
$group = "Domain Admins"
# Fetch the member list once and reuse it for every user.
$members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty Name
ForEach ($user in $users) {
    If ($members -contains $user) {
        Write-Host "$user exists in the group"
    } Else {
        Write-Host "$user does not exist in the group"
    }
}
function test-groupMemberShip($user,$group,$dc)
{
    $t = $null
    [boolean]$retValue = $false
    try
    {
        # Direct members only (no -Recursive), queried against a specific DC.
        $t = Get-ADGroupMember -Identity $group -Server $dc
        if ($null -ne $t)
        {
            # -ccontains is a case-sensitive match on the logon name.
            if ( $t | select SamAccountName | Where-Object { $_.SamAccountName -ccontains $user } )
            {
                $retValue = $true
            }
            else
            {
                $retValue = $false
            }
        }
    }
    catch
    {
        $retValue = $false
    }
    return $retValue
}
function get-adgroups($username)
{
    # Casting a UPN (user@domain) to WindowsIdentity builds that user's token;
    # .Groups holds the SIDs of the groups in the token.
    $groups = @()
    ([System.Security.Principal.WindowsIdentity]$username).Groups | %{ $groups += $_.Value }
    return $groups
}
function user-memberofadgroup($username,$group)
{
    # Translate the group name to its SID and look for it in the token's SID list.
    $groups = get-adgroups $username
    return $groups -contains ((new-object System.Security.Principal.NTAccount($group)).Translate([System.Security.Principal.SecurityIdentifier]).value)
}
Works the same way as test-groupMemberShip but is about 10 times faster.
Very slick. Extremely efficient and fast and no additional modules needed. Much better than getting all members of a group, especially when that group could have many thousands of users. Will not help for nested group membership, but for most use cases this is a great way to go.
Thank you so much. It worked for me!!
What would be the command for multiple users, but imported from CSV?
I tried getting the multiple user accounts from CSV, but it does not work, as it just says the user is not added even though abc123 already is.
Import-Module ActiveDirectory
$users = Import-Csv c:\temp\names.csv
$group = "GROUP1_HQ_Trainning"
$domain = "DC=TEST,DC=ABC-TST,DC=COM"
$members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty Name
ForEach ($user in $users) {
    If ($members -contains $user) {
        Write-Host "$user exists in the group"
    } Else {
        Write-Host "$user does not exist in the group"
    }
}
The contents of the CSV look like this:
user
abc123
def456
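The multi-user section of the article and the CSV question above run into the same two problems: Import-Csv yields one object per row (with a .user property here), so comparing the whole row object with -contains never matches, and Get-ADGroupMember's Name is the display name while the CSV holds logon names. The following is an added example, not the commenter's or the article's code, that reads the rows, keys a case-insensitive set on sAMAccountName, and emits a result object per user that can be exported as evidence. It assumes the ActiveDirectory module; the group name is taken from the comment as a placeholder, and the sample rows are constructed inline in place of the real CSV file.

```powershell
# Added example, not from the original article or the comment above. Assumes the
# ActiveDirectory module; the group name and the sample rows are placeholders.
Import-Module ActiveDirectory

$group = 'GROUP1_HQ_Trainning'   # placeholder group name taken from the comment

# Constructed sample input standing in for: $rows = Import-Csv -Path 'C:\temp\names.csv'
# The header must be 'user' because the loop reads $row.user.
$rows = @'
user
abc123
def456
'@ | ConvertFrom-Csv

# Build a case-insensitive set of logon names once. Get-ADGroupMember -Recursive
# also returns nested groups and computers, so keep only user objects and key on
# sAMAccountName, not on the display Name.
$members = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { [void]$members.Add($_.SamAccountName) }

$results = foreach ($row in $rows) {
    # $row is an object; use its .user column (trimmed, CSVs often carry spaces).
    $sam = $row.user.Trim()
    [pscustomobject]@{
        User     = $sam
        Group    = $group
        IsMember = $members.Contains($sam)
    }
}

$results | Format-Table -AutoSize

# Keep the evidence, e.g. for an access review:
# $results | Export-Csv -Path 'C:\temp\membership-report.csv' -NoTypeInformation
```

Emitting objects instead of Write-Host lines means the same run can feed Where-Object, Export-Csv or a ticketing script, and Get-ADGroupMember is called once rather than once per row. If the group can exceed 5000 entries, replace the enumeration with a per-user memberOf query.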
The original example always returns False, but the following works:
$members = Get-ADGroupMember -Identity $group -Recursive
If ($members.Name -contains $user) {
    Write-Host "$user exists in the group"
} Else {
    Write-Host "$user does not exist in the group"
}
Can this be done for a CSV? I have the following but it doesn't seem to work. It returns all the values as non-group members.
$user = Import-Csv -Path c:\temp\userlist.csv
$group = "Domain Admins"
$members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty Name
If ($members -contains $user) {
    Write-Host "$user exists in the group"
} Else {
    Write-Host "$user does not exist in the group"
}
Uhh… this doesn't work.
"Get-ADGroupMember -Identity SG_Desktop -Recursive | Select -ExpandProperty Name" returns the full name of a user. Not a very practical example, because most likely we are going to do this:
$username = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Hence, we really just want to compare the username. Easy way to do this?
Why complicate it so?
$user = Get-ADUser -Identity -Properties MemberOf
$group = Get-ADGroup -Identity
$user.MemberOf -contains $group.DistinguishedName
Note: Get-ADGroupMember does NOT work if group size > 5000