PowerShell script to check group membership

PowerShell script that uses the tokenGroups attribute to check membership in security groups

  • Changes
    1 Posts | Last post February 17, 2017
    • Can you tell me what changes I need to make to the script so that I can get the memberOf groups of all the computers in a domain? I need the output in CSV format.
  • Feedback
    1 Posts | Last post October 29, 2016
  • Exception calling "Add" with "2" argument(s): "Item has already been added.
    1 Posts | Last post July 10, 2015
    • I had the same issue, added the changes you suggested, but it's still not working. So bummed because this is exactly what I need!
  • calling multiple time the same group
    3 Posts | Last post January 17, 2013
    • Hello everyone. I use this script, which is working fine, thanks for that, but the problem is that during the process it is calling the same group multiple times, resulting in this error:
      Exception calling "Add" with "2" argument(s): "Item has already been added. Key
       in dictionary: 'GROUP1'  Key being added: 'GROUP1'"
      At \\BLABLABLA\netlogon\Signatures\IsMember.ps1:60 char:32
      +             $err=$GroupList.Add <<<< ($ADObject.sAMAccountName.ToString()+ "\
      " + $Group.Value.Split("\")[1], $True)
          + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
          + FullyQualifiedErrorId : DotNetMethodException
      the line in question is this one:
      $GroupList.Add($ADObject.sAMAccountName.ToString()+ "\" + $Group.Value.Split("\")[1], $True)
      Could you help me fix these redundant groups?
    • Very interesting. The error means the user is a member of two groups with the same sAMAccountName (pre-Windows 2000 name). I never anticipated this (sAMAccountName should be unique in the domain). There are two ways this can happen. One is if the same group is created by two admins at almost the same time while connected to different DCs, so the objects are saved before replication exposes the conflict. This should be rare, and the duplicate should be deleted. The more likely cause is that the user is a member of two different groups with the same sAMAccountName in different domains in the same forest.
      In the script, $Group is the group name in the form "Domain\GroupName", where "Domain" is the NetBIOS name of the domain and "GroupName" is the sAMAccountName of the group. Your user is a member of "Domain1\Group1" and "Domain2\Group1". The script only saves the name "Group1" in the hash table, so the function can test for membership in the group "Group1" (without the domain name).
      Assuming my theory is correct, the solution is to identify groups by "Domain\GroupName". In place of this statement:
                  $GroupList.Add($ADObject.sAMAccountName.ToString() `
                      + "\" + $Group.Value.Split("\")[1], $True)
      use this:
                  $GroupList.Add($ADObject.sAMAccountName.ToString() `
                      + "\" + $Group.Value, $True)
      In addition, the name of the group passed to the function must be in the form "Domain\GroupName". For example:
      If ((IsMember $User "Domain1\Group1") -eq $True)
      {
          "User " + $User.sAMAccountName + " is a member of group Domain1\Group1"
      }
    • Hi, thanks for the answer. I know it is strange, but it is doing that for all users and for many security groups. But as I see it, it is producing these errors for Universal Groups only...
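The keying change recommended in the reply above, as an added PowerShell example that is not the gallery script or its author's code: it fills the hash table with keys of the form User\Domain\GroupName and checks ContainsKey before Add, so a repeated entry is reported instead of raising the "Item has already been added" exception. The group strings are constructed stand-ins for the names the script derives from a user's tokenGroups SIDs, and the function names and parameters are assumptions rather than the script's own.

```powershell
# Added example, not the gallery script. Builds the membership table keyed by
# "User\Domain\GroupName" and reports duplicate keys instead of letting
# Hashtable.Add throw. Function and parameter names are assumptions.

function Add-GroupMembership {
    param(
        [Parameter(Mandatory)][hashtable]$GroupList,
        [Parameter(Mandatory)][string]$UserName,       # sAMAccountName of the user
        [Parameter(Mandatory)][string[]]$DomainGroups  # "Domain\GroupName" entries
    )
    foreach ($Group in $DomainGroups) {
        # Keep the domain part: "Domain1\Group1" and "Domain2\Group1" are different groups.
        $Key = "${UserName}\${Group}"
        if ($GroupList.ContainsKey($Key)) {
            # The same Domain\GroupName twice means the group list itself repeated the
            # entry (or two objects share a sAMAccountName); report it, do not throw.
            Write-Warning "Duplicate membership entry skipped: $Key"
            continue
        }
        $GroupList.Add($Key, $True)
    }
}

function IsMember {
    param(
        [Parameter(Mandatory)][hashtable]$GroupList,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$DomainGroup     # must be "Domain\GroupName"
    )
    # Lookup uses the full Domain\GroupName, so same-named groups in two domains
    # of the forest no longer collide.
    return $GroupList.ContainsKey("${UserName}\${DomainGroup}")
}

# Constructed sample: the two same-named groups from the reply plus one repeat.
$GroupList = @{}
$Sample = @('DOMAIN1\Group1', 'DOMAIN2\Group1', 'DOMAIN1\Domain Users', 'DOMAIN2\Group1')
Add-GroupMembership -GroupList $GroupList -UserName 'jdoe' -DomainGroups $Sample

foreach ($g in 'DOMAIN1\Group1', 'DOMAIN2\Group1', 'DOMAIN1\Group2') {
    $r = IsMember -GroupList $GroupList -UserName 'jdoe' -DomainGroup $g
    "jdoe member of ${g}: $r"
}
```

With the sample input the repeated DOMAIN2\Group1 entry produces a warning rather than an exception, and the three lookups return True, True and False.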