PowerShell: Check if an AD User is a Member of a Group

We can find out whether an Active Directory user is a member of an AD group using the Get-ADGroupMember cmdlet. In this article, I am going to write a PowerShell script to check whether a user exists in a group (directly or through a nested group), and to check whether multiple users are members of an AD group.

Run the following command to import the Active Directory cmdlets.

Import-Module ActiveDirectory

PowerShell script to check if a User is a Member of a Group

The following PowerShell script checks whether the given user is a member of the given group. The -Recursive parameter of Get-ADGroupMember returns the members of nested groups along with the direct members.

$user = "TestUser"
$group = "Domain Admins"
# Name is the member object's CN (usually the display name), not the logon name (SamAccountName)
$members = Get-ADGroupMember -Identity $group -Recursive | Select-Object -ExpandProperty Name

If ($members -contains $user) {
    Write-Host "$user exists in the group"
} Else {
    Write-Host "$user does not exist in the group"
}

Check if multiple users are members of a Group

Use the PowerShell script below to check whether multiple users are members of a group.

$users = "TestUser1","TestUser2"
$group = "Domain Admins"
# The group is read once; each name is then compared against the cached member list
$members = Get-ADGroupMember -Identity $group -Recursive | Select-Object -ExpandProperty Name

ForEach ($user in $users) {
    If ($members -contains $user) {
        Write-Host "$user exists in the group"
    } Else {
        Write-Host "$user does not exist in the group"
    }
}
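As an added example (not code from the original post), the same check written the way an auditor of privileged groups would want it: it compares logon names (SamAccountName) rather than display names, and asks the domain controller to evaluate nested membership with the LDAP_MATCHING_RULE_IN_CHAIN match on memberOf instead of pulling every member of a possibly large group. The function name and the CSV path are assumptions.

```powershell
Import-Module ActiveDirectory

# Escape characters that are special inside an LDAP filter (RFC 4515).
# Backslash is handled first so the escapes it produces are not re-escaped.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Test-ADGroupMembership {
    [CmdletBinding()]
    param(
        # Logon names; also binds to a SamAccountName column when piping Import-Csv rows
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [string[]]$SamAccountName,
        [Parameter(Mandatory)]
        [string]$Group,
        [string]$Server    # optional domain controller to query
    )
    begin {
        $adArgs = @{}
        if ($Server) { $adArgs['Server'] = $Server }
        # Resolve the group once; the chain filter needs its distinguished name
        $groupDn = (Get-ADGroup -Identity $Group @adArgs).DistinguishedName
        $groupDnEscaped = ConvertTo-LdapFilterValue $groupDn
    }
    process {
        foreach ($name in $SamAccountName) {
            # 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC walk
            # memberOf transitively, so nested groups are covered without enumerating
            # the group. The primary group (normally Domain Users) is not stored in
            # memberOf and so is not detected by this filter.
            $nameEscaped = ConvertTo-LdapFilterValue $name
            $filter = "(&(sAMAccountName=$nameEscaped)(memberOf:1.2.840.113556.1.4.1941:=$groupDnEscaped))"
            $match = Get-ADUser -LDAPFilter $filter @adArgs
            [pscustomobject]@{
                SamAccountName = $name
                Group          = $Group
                IsMember       = [bool]$match
            }
        }
    }
}

# One user, a list of users, or rows of a CSV with a SamAccountName column
# (the CSV path is an assumed example location)
Test-ADGroupMembership -SamAccountName 'TestUser' -Group 'Domain Admins'
'TestUser1', 'TestUser2' | Test-ADGroupMembership -Group 'Domain Admins'
Import-Csv -Path 'C:\temp\names.csv' | Test-ADGroupMembership -Group 'Domain Admins'
```

A logon name that does not exist in the domain also comes back with IsMember set to false, so add a separate Get-ADUser lookup if you need to tell "not a member" from "no such account".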

11 thoughts on “PowerShell: Check if an AD User is a Member of a Group”

  1. function test-groupMemberShip($user,$group,$dc)
    {
        $t = $null
        [boolean]$retValue = $false
        try
        {
            # Direct members only (no -Recursive), read from the given domain controller
            $t = Get-ADGroupMember -Identity $group -Server $dc
            if($t -ne $null)
            {
                # Case-sensitive comparison against the logon name (SamAccountName)
                if ( $t | Where-Object { $_.SamAccountName -ceq $user } )
                {
                    $retValue = $true
                }
                else
                {
                    $retValue = $false
                }
            }
        }
        catch
        {
            $retValue = $false
        }
        return $retValue
    }

  2. function get-adgroups($username)
    {
        # $username must be a user principal name (user@domain); the cast builds a
        # WindowsIdentity for it and .Groups yields the SIDs of its token groups
        $groups = @()
        ([System.Security.Principal.WindowsIdentity]$username).Groups | ForEach-Object { $groups += $_.Value }
        return $groups
    }
    function user-memberofadgroup($username,$group)
    {
        # Translate the group name to its SID and look for it among the token groups
        $groups = get-adgroups $username
        return $groups -contains ((New-Object System.Security.Principal.NTAccount($group)).Translate([System.Security.Principal.SecurityIdentifier]).Value)
    }

    Works the same way as the test-groupmembership but is about 10 times faster.

    • Very slick. Extremely efficient and fast, and no additional modules needed. Much better than getting all members of a group, especially when that group could have many thousands of users. Will not help for nested group membership, but for most use cases this is a great way to go.

  3. I tried getting the multiple user accounts from a CSV, but it does not work: it just says the user is not added even though abc123 already is.

    Import-Module ActiveDirectory
    $users = Import-Csv c:\temp\names.csv
    $group = "GROUP1_HQ_Trainning"
    $domain = "DC=TEST,DC=ABC-TST,DC=COM"
    $members = Get-ADGroupMember -Identity $group -Recursive | Select-Object -ExpandProperty Name

    ForEach ($user in $users) {
        If ($members -contains $user) {
            Write-Host "$user exists in the group"
        } Else {
            Write-Host "$user does not exist in the group"
        }
    }

    The contents of the CSV look like this:

    user
    abc123
    def456

  4. The original example always returns False, but the following works:-

    $members = Get-ADGroupMember -Identity $group -Recursive
    If ($members.Name -contains $user) {
        Write-Host "$user exists in the group"
    } Else {
        Write-Host "$user does not exist in the group"
    }

  5. Can this be done for a CSV? I have the following, but it doesn't seem to work. It returns all the values as non-group members.

    $user = Import-Csv -Path c:\temp\userlist.csv
    $group = "Domain Admins"
    $members = Get-ADGroupMember -Identity $group -Recursive | Select-Object -ExpandProperty Name

    If ($members -contains $user) {
        Write-Host "$user exists in the group"
    } Else {
        Write-Host "$user does not exist in the group"
    }

  6. Uhh… this doesn't work.
    "Get-ADGroupMember -Identity SG_Desktop -Recursive | Select -ExpandProperty Name" returns the full name of a user. Not a very practical example, because most likely we are going to do this:

    $username = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    Hence, we really just want to compare the username. Easy way to do this?

  7. Why complicate it so?
    $user = Get-ADUser -Identity -Properties MemberOf
    $group = Get-ADGroup -Identity
    $user.MemberOf -contains $group.DistinguishedName

