The PowerShell function “IsMember” checks if the user who runs the PowerShell script is a member of a certain group. This has advantages compared to using Active Directory Service Interfaces (ADSI).
PowerShell function: IsMember
The function "IsMember" evaluates the access token ("user token") that Windows generates when a user logs on to a computer. It reads the group security identifiers (SIDs) from the access token of the logged-on user and compares them with the group name or SID that is passed to the function. If one of them matches, the function returns the value "True". To run a group query with "IsMember", simply pass the group name.
IsMember query for group "WordUser":

IsMember "WordUser"
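To see exactly what the function compares against, the following added example (not code from the original article) enumerates the group SIDs in the current access token with the same .NET API that "IsMember" reads, and resolves each SID to a name where possible. The function name Get-TokenGroupReport and the small table of well-known SIDs are this example's own; the SID values themselves are Microsoft's documented well-known SIDs.

```powershell
# Added example: list the group SIDs carried in the current user's access token,
# i.e. exactly the set that IsMember searches. Function name is this example's own.
function Get-TokenGroupReport {
    # Documented well-known SIDs, resolved locally without any directory lookup
    $wellKnown = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-544' = 'BUILTIN\Administrators'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }

    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    foreach ($sid in $identity.Groups) {
        $name = $wellKnown[$sid.Value]
        if (-not $name) {
            # Translating a domain SID to a name goes through LSA and may contact
            # a domain controller; the SID itself is already in the token, which is
            # why IsMember can compare SIDs without that round trip.
            try {
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = '<unresolved>'
            }
        }
        [PSCustomObject]@{
            SID         = $sid.Value
            Name        = $name
            IsDomainSid = ($null -ne $sid.AccountDomainSid)
        }
    }
}

# Usage: show the token groups, then test one group the same way IsMember does
$report = Get-TokenGroupReport
$report | Format-Table -AutoSize

# Equivalent of: IsMember -GroupSID "S-1-5-32-545"
$isUser = ($report.SID -contains 'S-1-5-32-545')
"Member of BUILTIN\Users (according to the token): $isUser"
```

Groups that the token carries only for deny checks (for example the Administrators group in a UAC-filtered token) are not returned by WindowsIdentity.Groups, so they do not show up in this report either; that matches the behaviour of "IsMember" described further below.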
There are pre-defined groups whose group names depend on the language of the operating system. The group of local administrators, for example, is called "Administrators" on an English system. In these cases it is advisable to use the SIDs of these groups instead of their names. Add the parameter "-GroupSID" to do so.
Microsoft provides a list of pre-defined SIDs.
IsMember query with "-GroupSID":

IsMember -GroupSID "X-X-XX-XXX"
Advantage over ADSI queries
The user's access token contains the SIDs of all local groups and all domain groups the user is a member of. A big advantage over ADSI queries is that you do not need to contact a domain controller for every query. This speeds things up considerably when you run scripts that contain a large number of group queries (e.g. logon scripts).
With this function you can run queries on local and domain groups.
Start the script as an admin
In addition to checking group memberships, you can use the "IsMember" function to find out whether the script was started with local administrative rights. If User Account Control (UAC) is enabled and the user is a member of the local Administrators group, the system does not automatically add the SID of the local Administrators group to the access token. The SID only appears in the token if the user started the script/program with "Run as Administrator".
With pre-defined groups like the local "Administrators" group you should use the SID (in this case "S-1-5-32-544") instead of the name. That way you do not depend on the language of your operating system:
If (!(IsMember -GroupSID "S-1-5-32-544")) {
    # throw error
    Throw "The script must be started with administrative privileges."
}
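The check above only tells you that the Administrators SID is missing from the token; it cannot tell a non-administrator apart from an administrator who simply did not use "Run as Administrator". The following added example (not code from the original article) makes the three states visible by reading the output of whoami /groups, whose Attributes column marks a UAC-filtered membership as "Group used for deny only". The function name Get-AdminTokenState and the three state strings are this example's own.

```powershell
# Added example: distinguish "not an admin", "admin but UAC-filtered (not elevated)"
# and "elevated" for the current process. Function name is this example's own.
function Get-AdminTokenState {
    $adminSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group

    # whoami lists every group in the token, including the ones a filtered token
    # keeps for deny checks only; WindowsIdentity.Groups (used by IsMember) drops those.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admin  = $groups | Where-Object { $_.SID -eq $adminSid }

    if (-not $admin) {
        return 'NotAdministrator'         # user is not in the Administrators group at all
    }
    if ($admin.Attributes -match 'deny only') {
        return 'AdministratorNotElevated' # member, but started without "Run as Administrator"
    }
    return 'Elevated'
}

# Usage: the same guard as the Throw above, but with a more specific message
switch (Get-AdminTokenState) {
    'Elevated'                 { 'Running with administrative privileges.' }
    'AdministratorNotElevated' { Throw 'You are an administrator, but the script must be started with "Run as Administrator".' }
    'NotAdministrator'         { Throw 'The script must be started by a member of the local Administrators group.' }
}
```

Note the trade-off: the SID comparison is language-independent, but the attribute text that whoami prints is localized, so the "deny only" match has to be adapted on a non-English operating system. Use it for diagnostics and better error messages; the SID check remains the reliable gate.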
Check group membership of a user
Here is the complete script of the PowerShell function “IsMember”:
###############################################################################
# Function: IsMember
# ------------------
# Task:       Checks if the user is a member of a group
# Parameters: Group    - Name of the group
#             Domain   - if this parameter is left empty the environment variable
#                        "USERDOMAIN" will be used instead
#             GroupSID - instead of a group name a SID can be passed as String
#                        to identify the group
# Returns:    True  - User is a member
#             False - User is not a member
###############################################################################
function IsMember {
    # Parameters
    param(
        [String]$Group = "",
        [String]$Domain = $Env:USERDOMAIN,
        [String]$GroupSID = ""
    )

    # No SID passed: resolve the group name to its SID first
    If ($GroupSID -eq "") {
        If ($Domain -like $env:COMPUTERNAME) {
            # Local group
            $NtSecurityPrincipal = New-Object System.Security.Principal.NTAccount($Group)
        }
        Else {
            # Domain group
            $NtSecurityPrincipal = New-Object System.Security.Principal.NTAccount($Domain, $Group)
        }
        $GroupSID = ($NtSecurityPrincipal.Translate([System.Security.Principal.SecurityIdentifier])).Value
    }

    # Compare SID with SIDs in the token
    $Token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $GroupSIDs = $Token.Groups
    ForEach ($Sid in $GroupSIDs) {
        # Is member (compare the SID string, not the object)
        If ($Sid.Value -eq $GroupSID) { Return $True }
    }

    # Is no member
    Return $False
}
More examples using IsMember
In addition to the complete script here are three further examples:
- Check if the user who runs the PowerShell script is logged in as an administrator (see chapter "Start the script as an admin")
- Check if the user is a member of the group "Domain Users":

# Query that checks if the user is a member of the group "Domain Users"
If (IsMember -Group "Domain Users") {
    Write-Host "User is a member"
}
Else {
    Write-Host "User is not a member"
}

- Check if the user is a member of the group "Domain Users" in the domain "FirstAttribute":

# Query that checks if the user is a member of the group "Domain Users" in the domain "FirstAttribute"
If (IsMember -Group "Domain Users" -Domain "FirstAttribute") {
    Write-Host "User is a member"
}
Else {
    Write-Host "User is not a member"
}
How many group memberships do AD users have?
Find out with our free AD analysis tool – without using PowerShell!
Quite often it is sufficient to know how many group memberships a user has. FirstAttribute’s AD reporting and analysis tool FirstWare AD-Inspector finds group memberships of individual users for you. For an introduction to the software read this article: Simplified Active Directory reporting.
FirstWare AD-Inspector (→Article: User group membership)
Number of groups – per user and OU
The analysis of group memberships will provide you with two sets of information. First of all you get a list showing the number of groups which your user is a direct member of. Secondly you receive a list which summarizes in how many nested groups (“TokenGroups”) the user is registered as an indirect member.
On our website you will find descriptions of 17 different reports that the AD-Inspector can provide, as well as the software download.