Summary: Use Windows PowerShell to find if a user is a nested member of a particular group.
How can I use Windows PowerShell to quickly find if a user is a nested member of a particular group,
for example, Domain Admins?
Use the -RecursiveMatch operator of the Active Directory module's -Filter syntax. The module translates it into the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), so the domain controller walks the whole group chain for you. Point -SearchBase at the user's own distinguished name so that only that single object is examined:
Get-ADUser -Filter 'memberOf -RecursiveMatch "CN=Administrators,CN=Builtin,DC=Fabrikam,DC=com"' -SearchBase "CN=Administrator,CN=Users,DC=Fabrikam,DC=com"
If the user is a direct or nested member of the group, the query returns the AD object for that user.
If the user is not a member, the query returns nothing.
One caveat: the match is evaluated against the memberOf attribute, so a user whose primaryGroupID points at the group (a membership that is never written to memberOf) is not detected this way; check primaryGroupID separately when auditing privileged groups.
You can even use it in a function:
Function Test-ADGroupMember {
    Param ($User,$Group)
    # Any failure (unknown user or group, no domain controller reachable) is caught
    # here and returned as the string "error" rather than $true/$false, so callers
    # must test for that value explicitly.
    Trap {Return "error"}
    If (
        # Resolve the group to its DN, then ask the DC whether the user's own object
        # (the -SearchBase) has that DN anywhere in its memberOf chain.
        Get-ADUser `
            -Filter "memberOf -RecursiveMatch '$((Get-ADGroup $Group).DistinguishedName)'" `
            -SearchBase $((Get-ADUser $User).DistinguishedName)
    ) {$true}
    Else {$false}
}
Now we have a simple function to check whether a user is nested in a privileged group:
PS C:\> Test-ADGroupMember -User Guest -Group "Domain Admins"
True
PS C:\> Test-ADGroupMember -User JoeJrAdmin -Group "Domain Admins"
False
PS C:\> Test-ADGroupMember -User bogus -Group "Domain Admins"
error
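The function above returns a string on failure and ignores primaryGroupID. The following is an added example, not code from the original tip: a stricter variant that always returns a [bool], raises a terminating error when the user or group cannot be resolved, accepts user names from the pipeline, and also treats a user whose primaryGroupID equals the group's RID as a member. It assumes the ActiveDirectory module (RSAT) is installed and that the caller can read the domain; the user and group names in the usage comments are placeholders.

```powershell
# Added example (not from the original PowerTip). Assumes the ActiveDirectory
# module is available and the caller has read access to the domain.
function Test-ADGroupMemberStrict {
    [CmdletBinding()]
    [OutputType([bool])]
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$User,

        [Parameter(Mandatory)]
        [string]$Group
    )

    begin {
        # Resolve the group once for the whole pipeline. -ErrorAction Stop turns
        # "group not found" into a terminating error instead of a silent $null.
        $g  = Get-ADGroup -Identity $Group -ErrorAction Stop
        $dn = $g.DistinguishedName

        # The group's RID is the last component of its SID (512 for Domain Admins).
        # A user whose primaryGroupID equals this RID is a member of the group
        # even though the group never appears in the user's memberOf attribute.
        $groupRid = [int](($g.SID.Value -split '-')[-1])
    }

    process {
        # Fail closed: an unknown user is an error, not "not a member".
        $u = Get-ADUser -Identity $User -Properties primaryGroupID -ErrorAction Stop

        # Direct or nested membership via LDAP_MATCHING_RULE_IN_CHAIN, scoped with
        # -SearchBase/-SearchScope Base so the DC evaluates only the user's object.
        $nested = Get-ADUser -Filter "memberOf -RecursiveMatch '$dn'" `
                             -SearchBase $u.DistinguishedName `
                             -SearchScope Base

        $viaPrimaryGroup = ($u.primaryGroupID -eq $groupRid)

        # Emit a strict boolean so the result is safe to use in If/-not.
        [bool]($nested -or $viaPrimaryGroup)
    }
}

# Usage with placeholder names (constructed, not a real domain):
#   'Guest', 'JoeJrAdmin' | Test-ADGroupMemberStrict -Group 'Domain Admins'
#
# Lookup failures now surface as terminating errors that try/catch can handle:
#   try   { Test-ADGroupMemberStrict -User 'bogus' -Group 'Domain Admins' }
#   catch { Write-Warning "Lookup failed: $_" }
```

Because the function only ever outputs $true or $false, it can be used directly in a condition; the "error" string of the original version is truthy and would have made a failed lookup look like a positive match inside an If.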