How can I tell which of my nested AD groups a user is a member of?

I have a set of nested AD groups:

group
   subgroup1
      subsubgroup1a
      subsubgroup2b
   subgroup2
      subsubgroup2a
         userXY
      subsubgroup2b

I’m using “group” to grant access to a server. Now I want to know why my “userXY” has access to the server. How can I use PowerShell to find out that the user is a member of “subsubgroup2a”?

Answer

Update: Technically, if you don’t mind building a bulky function:

    # Requires the ActiveDirectory module (RSAT). Emits the groups $object is a
    # direct member of, followed by the groups each of those groups belongs to
    # (two levels of nesting).
    function GetGroups ($object)
    {
        Get-ADPrincipalGroupMembership $object | ForEach-Object {
            $_
            Get-ADPrincipalGroupMembership $_
        }
    }

Then you can run:

GetGroups username | select name -Unique

I’ve used that one in the past. Takes a while too.
Or

Here’s a prebuilt script to find nested group data: https://gallery.technet.microsoft.com/scriptcenter/Get-nested-group-15f725f2

Update 2: An admin friend uses this script. It lists all security groups, but it still works, and you can dump to CSV for easy navigation: http://practical-admin.com/blog/powershell-recursively-show-user-membership-in-an-active-directory-group/
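The following is an added example, not code from the question or the answer above. It assumes the ActiveDirectory module (RSAT) is installed and uses the names from the question (userXY, group). It walks membership upward from the user with Get-ADPrincipalGroupMembership, recursing through every level of nesting and guarding against circular group nesting, and reports each chain that ends at the group granting access. A second function shows the server-side alternative, the LDAP_MATCHING_RULE_IN_CHAIN matching rule, which returns the full transitive group list in one query but cannot tell you the path.

```powershell
Import-Module ActiveDirectory

# Walk a principal's group memberships upward and return every chain that
# reaches $TargetGroup, formatted as "groupA -> groupB -> target".
function Get-MembershipPaths {
    param(
        [Parameter(Mandatory)] [string] $Identity,     # e.g. 'userXY'
        [Parameter(Mandatory)] [string] $TargetGroup   # e.g. 'group'
    )

    $targetDn = (Get-ADGroup -Identity $TargetGroup).DistinguishedName
    $results  = New-Object System.Collections.Generic.List[string]

    # Depth-first walk. $Chain holds the group names collected so far; $Seen
    # holds the DNs on the current path so A-in-B-in-A nesting cannot recurse
    # forever (AD permits such cycles).
    function Walk([string] $Dn, [string[]] $Chain, [hashtable] $Seen) {
        foreach ($g in (Get-ADPrincipalGroupMembership -Identity $Dn)) {
            if ($Seen.ContainsKey($g.DistinguishedName)) { continue }
            $newChain = $Chain + $g.Name
            if ($g.DistinguishedName -eq $targetDn) {
                $results.Add(($newChain -join ' -> '))
                continue
            }
            $newSeen = $Seen.Clone()
            $newSeen[$g.DistinguishedName] = $true
            Walk $g.DistinguishedName $newChain $newSeen
        }
    }

    Walk $Identity @() @{}
    return $results
}

# Transitive membership in one server-side query via the
# LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941).
# Caveats: the DN must be LDAP-filter-escaped (done below for the
# characters that matter), and the user's primary group is not in any
# group's "member" attribute, so it will not appear here.
function Get-TransitiveGroups([string] $SamAccountName) {
    $userDn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $escaped = $userDn -replace '\\', '\5c' -replace '\*', '\2a' `
                       -replace '\(', '\28' -replace '\)', '\29'
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$escaped)" |
        Select-Object -ExpandProperty Name
}

# Usage with the question's names: the first call answers "why does userXY
# have access", e.g. "subsubgroup2a -> subgroup2 -> group".
Get-MembershipPaths -Identity 'userXY' -TargetGroup 'group'
Get-TransitiveGroups -SamAccountName 'userXY'
```

Get-ADPrincipalGroupMembership resolves membership against the domain it is pointed at, so domain-local groups from other domains in the forest are missed unless you query each domain (or a global catalog) separately; the LDAP chain query has the same domain scope.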

Attribution
Source : Link , Question Author : jlai , Answer Author : Chase
