{"id":281,"date":"2014-11-25T11:59:00","date_gmt":"2014-11-25T11:59:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2014\/11\/25\/powertip-use-powershell-to-find-if-user-is-nested-group-member\/"},"modified":"2019-02-18T10:36:56","modified_gmt":"2019-02-18T17:36:56","slug":"powertip-use-powershell-to-find-if-user-is-nested-group-member","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/powertip-use-powershell-to-find-if-user-is-nested-group-member\/","title":{"rendered":"PowerTip: Use PowerShell to Find if User Is Nested Group Member"},"content":{"rendered":"

Summary<\/strong>: Use Windows PowerShell to find if a user is a nested member of a particular group.<\/span><\/span>\n\"Hey, How can I use Windows PowerShell to quickly find if a user is a nested member of a particular group,
           for example, Domain Admins?<\/span><\/p>\n

\"Hey, Use the -RecursiveMatch<\/b> LDAP filter operator:<\/p>\n

Get-ADUser -Filter ‘memberOf ‑RecursiveMatch “CN=Administrators,CN=Builtin,DC=Fabrikam,DC=com”‘ ‑SearchBase “CN=Administrator,CN=Users,DC=Fabrikam,DC=com”<\/p>\n

If the user is a member of the group, the query returns an AD object representing the user.
If not a member of the group, the query returns nothing.<\/p>\n

You can even use it in a function:<\/p>\n

Function Test-ADGroupMember {<\/p>\n

Param ($User,$Group)<\/p>\n

  Trap {Return “error”}<\/p>\n

  If (<\/p>\n

    Get-ADUser `<\/p>\n

      -Filter “memberOf -RecursiveMatch ‘$((Get-ADGroup $Group).DistinguishedName)'” `<\/p>\n

      -SearchBase $((Get-ADUser $User).DistinguishedName)<\/p>\n

    ) {$true}<\/p>\n

    Else {$false}<\/p>\n

}<\/p>\n

Now we have a simple function to check if a user is nested into a privileged group:<\/p>\n

PS C:> Test-ADGroupMember -User Guest -Group “Domain Admins”<\/p>\n

True<\/p>\n

PS C:> Test-ADGroupMember -User JoeJrAdmin -Group “Domain Admins”<\/p>\n

False<\/p>\n

PS C:> Test-ADGroupMember -User bogus -Group “Domain Admins”<\/p>\n

error\n <\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Use Windows PowerShell to find if a user is a nested member of a particular group.  How can I use Windows PowerShell to quickly find if a user is a nested member of a particular group,            for example, Domain Admins?  Use the -RecursiveMatch LDAP filter operator: Get-ADUser -Filter ‘memberOf ‑RecursiveMatch “CN=Administrators,CN=Builtin,DC=Fabrikam,DC=com”‘ […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,313,56,3,45],"class_list":["post-281","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-ashley-mcglone","tag-guest-blogger","tag-scripting-guy","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Summary: Use Windows PowerShell to find if a user is a nested member of a particular group.  How can I use Windows PowerShell to quickly find if a user is a nested member of a particular group,            for example, Domain Admins?  Use the -RecursiveMatch LDAP filter operator: Get-ADUser -Filter ‘memberOf ‑RecursiveMatch “CN=Administrators,CN=Builtin,DC=Fabrikam,DC=com”‘ […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/281","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=281"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/281\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=281"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=281"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=281"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}