Description

PowerShell script to check whether a security principal (Active Directory user, computer, or group) is a member of a specified security group. The script reads the tokenGroups attribute, which is operational (constructed). tokenGroups holds the objectSID values of every security group the principal belongs to, including memberships gained through nesting and the principal's "primary" group. The collection does not include distribution groups or groups in other domains. A hash table tracks the memberships of each security principal separately, so tokenGroups only needs to be retrieved once per principal. You can use the function to check membership in several groups, for several users, or for the current user and the local computer.


This script demonstrates how to retrieve operational attributes, how to convert SID values (which are returned as byte arrays), and how to translate a SID into the corresponding NT format name, which has the form <NetBIOS name of domain>\<sAMAccountName>.

Script

PowerShell
# Hash table of security principals and their security group memberships. 
$GroupList = @{} 
 
Function IsMember ($ADObject, $GroupName) 
{ 
    # Function to check if $ADObject is a member of security group $GroupName. 
 
    # Check if security group memberships for this principal have been determined. 
    If ($GroupList.ContainsKey($ADObject.sAMAccountName.ToString() + "\") -eq $False) 
    { 
        # Memberships need to be determined for this principal. Add "pre-Windows 2000" 
        # name to the hash table. 
        $GroupList.Add($ADObject.sAMAccountName.ToString() + "\", $True) 
        # Retrieve tokenGroups attribute of principal, which is operational. 
        $ADObject.psbase.RefreshCache("tokenGroups") 
        $SIDs = $ADObject.psbase.Properties.Item("tokenGroups") 
        # Populate hash table with security group memberships. 
        ForEach ($Value In $SIDs) 
        { 
            $SID = New-Object System.Security.Principal.SecurityIdentifier $Value, 0 
            # Translate into "pre-Windows 2000" name. 
            $Group = $SID.Translate([System.Security.Principal.NTAccount]) 
            $GroupList.Add($ADObject.sAMAccountName.ToString() ` 
                + "\" + $Group.Value.Split("\")[1], $True) 
        } 
    } 
    # Check if $ADObject is a member of $GroupName. 
    If ($GroupList.ContainsKey($ADObject.sAMAccountName.ToString() + "\" + $GroupName)) 
    { 
        Return $True 
    } 
    Else 
    { 
        Return $False 
    } 
} 
 
# Bind to the user object in Active Directory. 
$User = [ADSI]"LDAP://cn=TestUser,ou=Sales,dc=MyDomain,dc=com" 
 
# Bind to the computer object in Active Directory. 
$Computer = [ADSI]"LDAP://cn=TestComputer,ou=Sales,dc=MyDomain,dc=com" 
 
# IsMember returns $True or $False, so the result is tested directly. Writing
# "-eq $True" inside the call would pass "-eq" and $True to the function as
# extra arguments instead of comparing the result.
If (IsMember $User "Engineering")
{
    "User " + $User.sAMAccountName + " is a member of group Engineering"
}

If (IsMember $User "Domain Users")
{
    "User " + $User.sAMAccountName + " is a member of group Domain Users"
}

If (IsMember $Computer "Deploy")
{
    "Computer " + $Computer.sAMAccountName + " is a member of group Deploy"
}
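The description mentions checking the current user and the local computer, but the script binds to fixed distinguished names. The following is an added example, not part of the original script: it locates both principals by sAMAccountName with a DirectorySearcher in the current domain and reuses the IsMember function defined above. The helper name Get-PrincipalEntry and the group names are assumptions.

```powershell
# Added example: resolve the account running the script and the local computer
# to their AD objects, then reuse IsMember (and its $GroupList cache) from above.

Function Get-PrincipalEntry ($SamAccountName, $ObjectCategory)
{
    # Search the current domain (default naming context) for the principal.
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher
    $Searcher.Filter = "(&(objectCategory=$ObjectCategory)(sAMAccountName=$SamAccountName))"
    $Result = $Searcher.FindOne()
    If ($Result -eq $Null)
    {
        Throw "Principal $SamAccountName not found in the current domain."
    }
    # Return a DirectoryEntry so RefreshCache("tokenGroups") works on it.
    Return $Result.GetDirectoryEntry()
}

# Current user: the sAMAccountName is the logon name.
$CurrentUser = Get-PrincipalEntry $env:USERNAME "person"

# Local computer: the sAMAccountName is the host name followed by "$".
$LocalComputer = Get-PrincipalEntry ($env:COMPUTERNAME + '$') "computer"

# Check several groups for one principal (group names are placeholders).
# tokenGroups is read only once because IsMember caches the result in $GroupList.
ForEach ($Group In @("Engineering", "Domain Users"))
{
    If (IsMember $CurrentUser $Group)
    {
        "Current user " + $CurrentUser.sAMAccountName + " is a member of group " + $Group
    }
    Else
    {
        "Current user " + $CurrentUser.sAMAccountName + " is not a member of group " + $Group
    }
}

If (IsMember $LocalComputer "Deploy")
{
    "Computer " + $LocalComputer.sAMAccountName + " is a member of group Deploy"
}
```

Run this after the IsMember function and $GroupList have been defined; on a workstation that is not domain-joined, or when the logged-on account is local, the lookup throws because no matching object exists in the domain.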