PowerShell and AD groups best combination


In daily administration there are many situations where you have to copy the members of an AD group, or check whether someone is a member of an AD group. This blog post collects a few small PowerShell helpers for exactly these tasks.

Function to check user Group Membership

Here is a short function that checks whether a user is a member of a specific group:

function Check-UserInGroup {
  [CmdletBinding()]
  param (
    [Parameter(Mandatory=$true, Position=0)]
    [string] $samaccount,
    [Parameter(Mandatory=$true)]
    [string] $groupsamaccount
  )
  # MemberOf contains distinguished names, not SamAccountNames, so resolve the
  # group's DN first and compare exactly. A regex/substring -match on the joined
  # list would also report "group-b2" or any group whose DN contains the text.
  $groupDn = (Get-ADGroup -Identity $groupsamaccount).DistinguishedName
  $memberofs = Get-ADUser -Identity $samaccount -Properties MemberOf | Select-Object -ExpandProperty MemberOf
  # Note: MemberOf lists direct memberships only (no nested groups, no primary group).
  If ($memberofs -contains $groupDn) {
    return $true
  } Else {
    return $false
  }
}

How can I use this function? Here is a short example:

$membergroupb = Check-UserInGroup -samaccount "user-a" -groupsamaccount "group-b"

if ($membergroupb -eq $false) {
  Add-ADGroupMember -Identity "group-b" -Members "user-a"
}

The first line checks whether the user is a member ($true or $false); with the if statement you can attach an action for the case that the user is not a member (for example, adding them to the group).
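The same "check first, then add" idea scales to the copy-members task mentioned in the introduction. The following is an added example, not code from the original post: it copies the direct members of one group into another, skips principals that are already in the target, and supports -WhatIf so the change can be reviewed before it is made. The group names, the optional -Server parameter and the function name are assumptions.

```powershell
# Added example: copy direct members of $SourceGroup into $TargetGroup.
# Names and the helper itself are assumptions, not from the original post.
function Copy-ADGroupMembers {
  [CmdletBinding(SupportsShouldProcess=$true)]
  param (
    [Parameter(Mandatory=$true)] [string] $SourceGroup,
    [Parameter(Mandatory=$true)] [string] $TargetGroup,
    [string] $Server   # optional: pin every call to one domain controller
  )
  $adArgs = @{}
  if ($Server) { $adArgs['Server'] = $Server }

  # Resolve both groups up front so a typo fails before anything is changed.
  $source = Get-ADGroup -Identity $SourceGroup @adArgs
  $target = Get-ADGroup -Identity $TargetGroup @adArgs

  # Compare on distinguished names for an exact match (no substring surprises).
  $existing      = @(Get-ADGroupMember -Identity $target @adArgs | Select-Object -ExpandProperty DistinguishedName)
  $sourceMembers = @(Get-ADGroupMember -Identity $source @adArgs)

  # Only direct members are copied; nested groups are copied as groups, so the
  # membership model of the source is preserved instead of being flattened.
  $toAdd = @($sourceMembers | Where-Object { $existing -notcontains $_.DistinguishedName })

  foreach ($member in $toAdd) {
    if ($PSCmdlet.ShouldProcess($member.SamAccountName, "Add to $($target.SamAccountName)")) {
      Add-ADGroupMember -Identity $target -Members $member @adArgs
    }
  }

  # Summary object for logging / review of the change.
  [pscustomobject]@{
    Source  = $source.SamAccountName
    Target  = $target.SamAccountName
    Added   = $toAdd.Count
    Skipped = $sourceMembers.Count - $toAdd.Count
  }
}

# Dry run first, then the real copy with verbose output:
Copy-ADGroupMembers -SourceGroup "group-a" -TargetGroup "group-b" -WhatIf
Copy-ADGroupMembers -SourceGroup "group-a" -TargetGroup "group-b" -Verbose
```

The dry run prints one "What if" line per principal that would be added, which is the list you want to review (or attach to a change ticket) before running it for real.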

List all groups of special user

If you want to get all group memberships of one specific user, you can use this kind of one-liner:

Get-ADPrincipalGroupMembership -Identity USERSAMACCOUNTNAME | select SamAccountName,name 

If you want to exclude certain groups, there is an extension you can add to the command above:

Get-ADPrincipalGroupMembership -Identity USERSAMACCOUNTNAME | select SamAccountName,name  |where{$_.name -ne "SAMACCOUNTGROUPNOTWANTED"} | sort name
#multiple groups not wanted
Get-ADPrincipalGroupMembership -Identity USERSAMACCOUNTNAME | select SamAccountName,name  |where{$_.name -ne "SAMACCOUNTGROUPNOTWANTED" -and $_.name -ne "SAMACCOUNTANOTHERGROUP" } | sort name
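Chaining -and clauses works for two groups but gets unwieldy quickly. The following added example (not from the original post) generalizes the exclusion to an array of group names, sorts the result, and writes it to a CSV for review. The user name, the excluded group names and the output path are placeholders.

```powershell
# Added example: list a user's group memberships minus an exclusion list.
# User, group names and output path are placeholders, not from the original post.
$user     = "USERSAMACCOUNTNAME"
$excluded = @("SAMACCOUNTGROUPNOTWANTED", "SAMACCOUNTANOTHERGROUP")
$outFile  = Join-Path $env:TEMP "$user-groups.csv"

# Get-ADPrincipalGroupMembership returns direct memberships; nested
# (group-in-group) memberships are not expanded here, so for an effective-access
# review you still need to walk the nested groups separately.
$groups = @(Get-ADPrincipalGroupMembership -Identity $user |
            Where-Object { $_.Name -notin $excluded } |
            Sort-Object Name |
            Select-Object SamAccountName, Name, GroupScope, GroupCategory)

$groups | Export-Csv -Path $outFile -NoTypeInformation
Write-Host "$($groups.Count) groups for $user written to $outFile"
$groups | Format-Table -AutoSize
```

Adding a group to the exclusion list is now a single array entry, and GroupScope/GroupCategory in the output make it easy to spot security groups versus distribution lists when reviewing the CSV.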

Function check if an AD group exists

Checking if an AD group exists already in the current AD

function Check-Groupexists {
  [CmdletBinding()]
  param (
    [Parameter(Mandatory=$true, Position=0)]
    [string] $groupname,
    [Parameter(Mandatory=$true)]
    [string] $dc
  )
  $gn = $groupname
  $domaincontroller = $dc
  # Query the given domain controller explicitly; without -Server the parameter
  # was unused and the check could run against a different DC than the creation.
  # -Filter returns $null when nothing matches, the try/catch covers RPC/connection errors.
  $groupexists = $(try { Get-ADGroup -Server $domaincontroller -Filter "SamAccountName -eq '$gn'" } catch { $null })
  If ($groupexists) {
    return $true
  } Else {
    return $false
  }
}

How to use this function? See this example.

$grpname = "NEWADGROUPNAME"
$DC = "DOMAINCONTROLLER"

if(Check-Groupexists -groupname $grpname -dc $DC)
{
  Write-Host "$grpname already exists!" -ForegroundColor Yellow
}
else{
  Write-Host "$grpname available..." -ForegroundColor Green
  New-ADGroup -SamAccountName "$grpname" -DisplayName "$grpname" -Server "$DC" -GroupScope Global -Name "$grpname" -Description "DESCRIPTION" -Path "distinguished name to OU"
}

This short script checks whether the group name is still available, and if it is not in use it creates the new AD group.
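When several groups have to be created the same pattern can be driven from a CSV. The following added example (not from the original post) does that idempotently: each name is checked and created on the same domain controller, so a group created a moment earlier is not missed because of replication lag, and names containing a single quote are rejected rather than spliced into the -Filter string. The CSV rows, DC name and OU path are constructed placeholders.

```powershell
# Added example: create missing groups from a CSV, check and create on one DC.
# DC name, OU path and CSV rows are constructed placeholders, not from the original post.
$DC     = "DOMAINCONTROLLER"
$ouPath = "OU=Groups,DC=example,DC=com"

# Constructed sample input; in practice use: $wanted = Import-Csv -Path .\groups.csv
$wanted = @"
Name,Description
APP-Finance-RO,Read-only access to the finance share
APP-Finance-RW,Read/write access to the finance share
"@ | ConvertFrom-Csv

foreach ($g in $wanted) {
  # The name is interpolated into a -Filter string; refuse names that would break it.
  if ($g.Name -match "'") {
    Write-Warning "skipping '$($g.Name)': single quotes are not allowed in group names here"
    continue
  }

  $existing = Get-ADGroup -Server $DC -Filter "SamAccountName -eq '$($g.Name)'"
  if ($existing) {
    Write-Host "$($g.Name) already exists ($($existing.DistinguishedName))" -ForegroundColor Yellow
    continue
  }

  New-ADGroup -Server $DC -Name $g.Name -SamAccountName $g.Name -DisplayName $g.Name `
              -GroupScope Global -GroupCategory Security `
              -Description $g.Description -Path $ouPath
  Write-Host "created $($g.Name) in $ouPath" -ForegroundColor Green
}
```

Running the script twice is safe: the second run only prints the "already exists" lines, which is the behaviour you want from a provisioning script that may be re-run after a partial failure.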

Have fun with these PowerShell functions and small scripts. If you liked this article, please click on helpful.
