Tags: powershell, active-directory, get-aduser

Getting AD user MemberOf (group memberships) values using PowerShell

I’m attempting to get MemberOf values for an AD user object. However, I’m hitting some roadblocks wherein I am not able to get an absolute list of AD group memberships (MemberOf) for a given AD user.

Below, based on my validation, I’ve jotted down the possible values for the PowerShell Get-ADUser cmdlet’s -Server parameter.

PowerShell Get-ADUser “Server” parameter value options based on MemberOf Group’s Scope

MemberOf a Universal group:

  1. User domain DC/GC
  2. Root/Parent domain GC
  3. Other domains GC in the same forest

MemberOf a Global group:

  1. User domain DC/GC

MemberOf a Domain-local group:

  1. Group domain GC
  2. Root/Parent domain GC

Now, my question is: is my above deduction valid, and if yes, is it by design (a rule of thumb based on how AD group memberships are designed to work), or is it more of a DC replication configuration thing?

Any advice is highly appreciated.

Solution

  • Most of what you figured out is correct. A couple of corrections/clarifications:

    Universal groups

    The memberOf attribute will always contain all universal groups that the user is a member of. This is because universal groups can only contain objects from the same forest, and you can only read the user from a DC/GC in the same forest. So you can be confident that you won't be missing any universal groups in memberOf.

    Global groups

    You're correct here. You'll only see global groups in memberOf if they are on the same domain as the user.

    Domain local

    This one is tricky. You will only see domain local groups in memberOf if they are on the same domain as the server you are retrieving results from.

    Let's say your user is on DomainA. If you read from a GC in DomainB (that is in the same forest), then you will only see domain local groups in DomainB, and not DomainA.

    This is why you do need to be careful if you're relying on memberOf. I discussed this in an article I wrote under the heading "Beware of memberOf".

    How you approach this will depend on what your purpose is. This is something I discussed in another article I wrote on the topic, which might help you: Active Directory: Finding all of a user’s groups
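An added PowerShell example (not code from the question, the answer, or the linked articles) that applies the rules above and goes one step further: it reads the user's memberOf from a DC in the user's own domain, then re-reads the same object through the Global Catalog (port 3268) of every other domain in the forest, since that is the only read that surfaces the other domains' domain-local groups. It assumes the ActiveDirectory module is loaded and that the caller can read every domain; the function name is my own.

```powershell
# Added example: forest-wide memberOf collection based on the scope rules in the answer.
function Get-ForestWideMemberOf {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Assumed default: the domain the session is joined to is the user's domain.
        [string] $UserDomain = (Get-ADDomain).DNSRoot
    )

    # Case-insensitive set of group DNs so the same group is never counted twice.
    $groups = [System.Collections.Generic.HashSet[string]]::new(
        [StringComparer]::OrdinalIgnoreCase)

    # 1. Read from a DC in the user's own domain. Per the answer this yields
    #    universal groups, global groups, and domain-local groups of that domain.
    $user = Get-ADUser -Identity $SamAccountName -Server $UserDomain -Properties MemberOf
    foreach ($dn in $user.MemberOf) { [void]$groups.Add($dn) }

    # 2. For every other domain, read the same object via that domain's GC.
    #    memberOf read there carries universal groups plus that domain's
    #    domain-local groups, which step 1 cannot see.
    $forest = Get-ADForest -Server $UserDomain
    foreach ($domain in ($forest.Domains | Where-Object { $_ -ne $UserDomain })) {
        try {
            $remote = Get-ADUser -Identity $user.DistinguishedName `
                                 -Server "${domain}:3268" -Properties MemberOf
            foreach ($dn in $remote.MemberOf) { [void]$groups.Add($dn) }
        } catch {
            # A GC that cannot be reached means that domain's domain-local
            # groups are missing from the result; surface that rather than hide it.
            Write-Warning "Could not read $SamAccountName via GC in ${domain}: $_"
        }
    }

    # Caveat not covered by memberOf at all: the primary group (normally
    # Domain Users) is stored in primaryGroupID, never in memberOf.
    $groups | Sort-Object
}

# Usage: Get-ForestWideMemberOf -SamAccountName 'jdoe'
```

Reading through the GC of another domain only works for objects in the same forest, which is consistent with the answer's point that universal groups are never missed.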