How to get all Active Directory groups of an user with powershell?

Sometimes it is needed to get all the Active Directory groups for an user. One reason is the calculation of KERBEROS TOKEN size for an user.

On the web are a lot of articles exists where you can see that it is solved with just 3 lines, but it never works fine:

Copy to Clipboard

We use very often tool like Access Rights Manager from SolarWinds (formally 8MAN) you see that the number and amount of membership is not true.

Here is the output of the command:

But in the Access Rights Manager/ARM tool you see:

As you can see the number is 8 + 1 (local group membership of a Windows PC). This is a benefit of the ARM tool, that you can see the membership of any device or technology you connected with collectors. The PowerShell command gives us just 5 and this makes a difference of 3.

We’ve adapted the command and then it shows all what the ARM tool shows.

Copy to Clipboard

$samAccountName = 'Sam.Sales'
$global:groupList = New-Object System.Collections.ArrayList

function Get-GroupNameFromDn
{
	[cmdletbinding()]
	param([string]$Dn)

$a = $Dn.split(",")
	$b = $a[0]
	$name = $b.substring(3)
	
	return $name
}

function Get-ADNestedGroupMembersOf 
{
	[cmdletbinding()]
	param (
		[String] $GroupName,
		[Int] $Depth
	)

$dn = (Get-ADGroup $GroupName).DistinguishedName
	$MemberOfs = Get-ADGroup -LDAPFilter ("(member:1.2.840.113556.1.4.1941:={0})" -f $dn) -ResultPageSize 1000 | select -expand DistinguishedName | sort DistinguishedName
	foreach($parent in $MemberOfs) 
	{
		if($parent -notin $global:groupList)
		{
			$global:groupList.Add($parent) | Out-Null
			Get-GroupNameFromDn $parent
		}
		if($Depth -le 4) 
		{
			Get-ADNestedGroupMembersOf -GroupName $parent -Depth ($Depth + 1)
		}
	}
}

$username = $samAccountName
$dn = (Get-ADUser $username).DistinguishedName
$groups = Get-ADGroup -LDAPFilter ("(member:1.2.840.113556.1.4.1941:={0})" -f $dn) | select -expand DistinguishedName | sort DistinguishedName

foreach($group in $groups)
{
	if($group -notin $global:groupList)
	{
		$global:groupList.Add($group) | Out-Null
		Get-GroupNameFromDn $group
		Get-ADNestedGroupMembersOf -GroupName $group -Depth 1
	}
}

$groups = Get-ADPrincipalGroupMembership $samAccountName | select -expand DistinguishedName | sort DistinguishedName
foreach($group in $groups)
{
	if($group -notin $global:groupList)
	{
		$global:groupList.Add($group) | Out-Null
		Get-GroupNameFromDn $group
		Get-ADNestedGroupMembersOf -GroupName $group -Depth 1
	}
}

I hope it helps like you, like it helps a lot of our customers. We support you for scripting and all topics around access rights management and specially we are the experts of ARM by SolarWinds (formally 8MAN), because we were part of the former Protected Networks GmbH family. We invented and developed ARM.

How to get all Active Directory groups of an user with powershell?

How to get all Active Directory groups of an user with powershell?

Ähnliche Beiträge

LDAPS ist nicht LDAP Signing + Channel Binding

8MAN vs SolarWinds ARM

Warum ist der JEDER Account ein Sicherheitsrisiko?

Warum sind Authentifizierte Benutzer ein Sicherheitsrisiko?