Sign in
 
HomeLibraryWikiLearnGalleryDownloadsSupportForumsBlogs

PowerShell script to check group membership

PowerShell script that uses tokenGroups attribute to check membership in security groups

IsMember.ps1
 
 
 
 
 
4.4 Star
(11)
6,637 times
Add to favorites
Active Directory
10/18/2016
E-mail Twitter del.icio.us Digg Facebook
Report abuse to Microsoft
Sign in to ask a question

  • Answer the question | Hide
    Changes
    1 Posts | Last post February 17, 2017
    • Written February 17, 2017 
      Can you tell me what changes i need to make to the script so that i can get the memberof groups of all the computers in a domain. Need the output in a CSV format
  • Answer the question | Hide
    Feedback
    1 Posts | Last post October 29, 2016
  • Answer the question | Hide
    Exception calling "Add" with "2" argument(s): "Item has already been added.
    1 Posts | Last post July 10, 2015
    • Written July 10, 2015 
      I had the same issue, added the changes you suggested, but it's still not working. So bummed because this is exactly what I need!
  • Answer the question | Hide
    calling multiple time the same group
    3 Posts | Last post January 17, 2013
    • Written January 16, 2013 
      Hello everyone. I use this script which is working fine thanks for that but the problem is during the process it is calling multiple time the same group. resulting of this error:

Exception calling "Add" with "2" argument(s): "Item has already been added. Key
 in dictionary: 'GROUP1'  Key being added: 'GROUP1'"
At \\BLABLABLA\netlogon\Signatures\IsMember.ps1:60 char:32
+             $err=$GroupList.Add <<<< ($ADObject.sAMAccountName.ToString()+ "\
" + $Group.Value.Split("\")[1], $True)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

the line in question is this one:
$GroupList.Add($ADObject.sAMAccountName.ToString()+ "\" + $Group.Value.Split("\")[1], $True)

Could you help me to fix this redundant groups coming.

Thanks,

Simon
    • Written January 16, 2013 
      Very Interesting. The error means the user is member of two groups with the same sAMAccountName (pre-Windows 2000 name). I never anticipated this (sAMAccountName should be unique in the domain). There are two ways this can happen. One is if the same group is created by two admins at almost the same time while connected to different DC's, so the objects are saved before replication exposes the conflict. This should be rare, and the duplicate should be deleted. The more likely cause is that the user is a member of two different groups with the same sAMAccountName in different domains in the same forest.
In the script, $Group is the group name in the form "Domain\GroupName", where "Domain" is the NetBIOS name of the domain and "GroupName" is the sAMAccountName of the group. Your user is a member of "Domain1\Group1" and "Domain2\Group1". The script only saves the name "Group1" in the hash table, so the function can test for membership in the group "Group1" (without the domain name).
Assuming my theory is correct, the solution is to identify groups by "Domain\GroupName". In place of this statement:

            $GroupList.Add($ADObject.sAMAccountName.ToString() `
                + "\" + $Group.Value.Split("\")[1], $True)

use this:

            $GroupList.Add($ADObject.sAMAccountName.ToString() `
                + "\" + $Group.Value, $True)

In addition, the name of the group passed to the function must be in the form "Domain\GroupName". For example:

If (IsMember $User "Domain1\Group1" -eq $True)
{
    "User " + $User.sAMAccountName + " is a member of group Domain1\Group1"
}
    • Written January 17, 2013 
      Hi, Thanks for the answer. I know it is strange but it is doing that for all users and to many security groups. but as I see it is doing this errors to Universal Groups only...