Active Directory Group Membership Recursively

A few days ago, I published an article on how to use the "Get-ActiveDirectoryGroupMember" function to get all the objects that are members of a group, recursively. With this article, I'm going to show you how to use the "Get-ActiveDirectoryGroupMembership" function in order to get all the groups that an object is a member of, recursively.

As always, my user account will be the test subject! When I get the groups that I am a member of, the list contains only the groups that I am a direct member of.
PS C:\> $user = Get-ADUser cpolydorou

PS C:\> Get-ActiveDirectoryGroupMembership -Identity $user.DistinguishedName

Name                    DistinguishedName
----                    -----------------
Domain Admins           CN=Domain Admins,CN=Users,DC=LAB,DC=local
Enterprise Admins       CN=Enterprise Admins,CN=Users,DC=LAB,DC=local
NISAdmins               CN=NISAdmins,OU=Citrix,OU=Security Groups,OU=LAB,DC=LAB,DC=local
Organization Management CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=LAB,DC=local
TestGroup3              CN=TestGroup3,OU=Test,OU=LAB,DC=LAB,DC=local

We notice a few more groups when adding the "-Recurse" parameter. Let's see why that is!
PS C:\> Get-ActiveDirectoryGroupMembership -Identity $user.DistinguishedName -Recurse

Name                                   DistinguishedName
----                                   -----------------
Administrators                         CN=Administrators,CN=Builtin,DC=LAB,DC=local
Denied RODC Password Replication Group CN=Denied RODC Password Replication Group,CN=Users,DC=LAB,DC=local
Domain Admins                          CN=Domain Admins,CN=Users,DC=LAB,DC=local
Enterprise Admins                      CN=Enterprise Admins,CN=Users,DC=LAB,DC=local
NISAdmins                              CN=NISAdmins,OU=Citrix,OU=Security Groups,OU=LAB,DC=LAB,DC=local
Organization Management                CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=LAB,DC=local
SQL Server Administrators              CN=SQL Server Administrators,OU=SQL,OU=Security Groups,OU=LAB,DC=LAB,DC=local
TestGroup1                             CN=TestGroup1,OU=Test,OU=LAB,DC=LAB,DC=local
TestGroup2                             CN=TestGroup2,OU=Test,OU=LAB,DC=LAB,DC=local
TestGroup3                             CN=TestGroup3,OU=Test,OU=LAB,DC=LAB,DC=local

My account is a member of TestGroup1 and TestGroup2 because I'm a member of TestGroup3, TestGroup3 is a member of TestGroup2, and TestGroup2 in turn is a member of TestGroup1. Moreover, I'm a member of SQL Server Administrators since the Domain Admins group is a member of that group. The remaining two, Administrators and Denied RODC Password Replication Group, appear for the same reason: Domain Admins and Enterprise Admins are default members of both.

And why is this helpful? By getting all the groups an object is a member of, including nested groups, you are able to tell what permissions are effectively granted to the object: an ACE granted to TestGroup1 applies to every member of TestGroup2 and TestGroup3 as well, even though none of them shows up in a direct membership listing. This assumes, of course, that you assign and delegate permissions using security groups and not directly to objects!

The "Get-ActiveDirectoryGroupMembership" function is available in my CPolydorou.ActiveDirectory module since version 1.5.1.

This module also contains the function "Test-ActiveDirectoryGroupMembership" which will query Active Directory and return whether or not an object is a member of a group, including nested groups.
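To show what the recursive walk and the membership test actually do under the hood, here is an added example of my own that is not code from the CPolydorou.ActiveDirectory module. It uses only the Microsoft ActiveDirectory module and assumes you can reach a domain controller; the function names Get-NestedGroupMembership, Get-NestedGroupMembershipViaChain and Test-NestedGroupMembership are hypothetical. The first function walks the memberOf attribute breadth-first with a "seen" set, so a circular nesting (A member of B, B member of A) cannot loop forever; the second gets the same answer from the server in a single LDAP query using the LDAP_MATCHING_RULE_IN_CHAIN matching rule.

```powershell
# Added example, not the module's own code. Requires the Microsoft ActiveDirectory module.
Import-Module ActiveDirectory

function Get-NestedGroupMembership {
    # Walk memberOf breadth-first; the HashSet both de-duplicates results and
    # stops the walk when group nesting is circular.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$DistinguishedName
    )

    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($DistinguishedName)

    while ($queue.Count -gt 0) {
        $dn  = $queue.Dequeue()
        $obj = Get-ADObject -Identity $dn -Properties memberOf
        foreach ($groupDn in $obj.memberOf) {
            # Add() returns $true only the first time a DN is seen
            if ($seen.Add($groupDn)) {
                $queue.Enqueue($groupDn)
            }
        }
    }

    $seen | Sort-Object | ForEach-Object { Get-ADGroup -Identity $_ } |
        Select-Object Name, DistinguishedName
}

function Get-NestedGroupMembershipViaChain {
    # Same result in one round trip: the 1.2.840.113556.1.4.1941 matching rule
    # makes the DC expand the member chain server-side.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$DistinguishedName
    )

    # The DN is embedded in an LDAP filter, so escape the characters RFC 4515
    # treats specially (backslash first, so the escapes themselves are not re-escaped).
    $escaped = $DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' `
                                  -replace '\(', '\28' -replace '\)', '\29'

    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$escaped)" |
        Sort-Object Name | Select-Object Name, DistinguishedName
}

function Test-NestedGroupMembership {
    # $true if $Identity is a direct or nested member of $Group.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Identity,   # DN of the user/computer/group to test
        [Parameter(Mandatory)] [string]$Group       # name, SAM account name or DN of the group
    )

    $groupDn = (Get-ADGroup -Identity $Group).DistinguishedName
    $null -ne (Get-NestedGroupMembership -DistinguishedName $Identity |
               Where-Object { $_.DistinguishedName -eq $groupDn })
}

# Usage (the account name is the one used in the post):
$user = Get-ADUser cpolydorou
Get-NestedGroupMembership -DistinguishedName $user.DistinguishedName
Get-NestedGroupMembershipViaChain -DistinguishedName $user.DistinguishedName
Test-NestedGroupMembership -Identity $user.DistinguishedName -Group 'TestGroup1'   # $true for the post's setup
```

Two caveats worth knowing before trusting either listing for an access review: memberOf is a back-link that does not include the object's primary group (Domain Users for most accounts, set by primaryGroupID), so neither function lists it; and the LDAP_MATCHING_RULE_IN_CHAIN query can be slow on deeply nested or very large directories, which is why the client-side walk is kept as the reference implementation here.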
