Posts

Showing posts with the label Group

Active Directory Group Membership Recursively

A few days ago, I published an article on how to use the "Get-ActiveDirectoryGroupMember" function to get all the objects that are members of a group recursively. With this article, I'm going to show you how to use the "Get-ActiveDirectoryMembership" function in order to get all the groups that an object is a member of recursively. As always, my user account will be the test subject! When I get the groups that I am a member of, the list contains only the groups that I am a direct member of.

    PS C:\> $user = Get-ADUser cpolydorou
    PS C:\> Get-ActiveDirectoryGroupMembership -Identity $user.DistinguishedName

    Name                    DistinguishedName
    ----                    -----------------
    Domain Admins           CN=

Get Active Directory Group Members Recursively

A very common scenario when assigning permissions is having nested security groups. Although this is an easier way to manage the permission delegation, it adds complexity when there's a need to determine whether a principal is granted the permission or to get a list of all the principals involved. The CPolydorou.ActiveDirectory module now includes a function that is the solution to the problem. The Get-ActiveDirectoryGroupMember function will return all the objects that are members of a specified Active Directory group. The "-Recurse" parameter will query Active Directory and return all the members of the group recursively. This way, we are able to get a list of all the objects that are granted a permission without having to consider the nested groups. Let's take a quick look at an example. We have a group named "NestedGroup" that the user CPolydorou is a member of. This group is also a member of another group named "Group".

    PS C: