Recursively check if a User/Computer is a member of an AD Group with PowerShell 2.0

Hi Again,

Recently we’ve been fed up with Deployed Printer Connections through Group Policy and have decided to map printers using a PowerShell logon script. We wanted printer additions, removals and defaults to be based on AD groups, and for the script to work with PowerShell 2.0. Our clients are Windows 7 and therefore have PowerShell 2.0 installed by default, with no Active Directory module included.

Checking if a user or computer is a member of a group recursively can be achieved easily in later versions of PowerShell by using Get-ADGroupMember with the recursive switch, this requires the Active Directory module. However this wasn’t an option for us.

What we ended up doing was writing a function that performed an LDAP query using the “In Chain” Object Identifier. This Page explains more about the different LDAP search filters. This is the LDAP filter we used:

(&(|(&(objectClass=user)(sAMAccountName=*USERNAMEHERE*))((&(objectClass=computer)(sAMAccountName=*COMPUTERNAMEHERE*))))(memberof:1.2.840.113556.1.4.1941:=*DISTINGUISHEDNAMEOFGROUPHERE*))”

It’s important to note that this LDAP query is an OR query and requires both the computer name and username to function properly, so it reads:

Object Class = User AND SAMAccountName = *USERNAMEHERE* OR Object Class = Computer AND SAMAccountName = *COMPUTERNAMEHERE* AND is a chained member of *DISTINGUISHEDNAMEOFGROUPHERE*

Here’s the script we came up with:

Again the function requires both the User’s sAMAccountName and Computer’s sAMAccountName (E.g MYComputer$) supplied or the function will fail.

The function returns True if the user or computer is a member of the group, and False if they are not.

The username should be supplied without the domian, E.g $ENV:Username or “JohnW”
The Computername argument is the sAMAccountName of the computer E.g “MYCOMPUTER$”
The GroupName argument is the name of the group you want to query. E.g “MyGroup”

The script does the following:

  • Finds the Logon Server of the user running the function
  • Searches for the group by name to find its Distinguished Name
  • If we found the group – perform the LDAP query with the supplied arguments and the Distinguished Name of the group.
  • Return True if the LDAP query returns a result. Return False if not.

As always, let us know if you find a use for this, or if you have any questions or comments!

One thought on “Recursively check if a User/Computer is a member of an AD Group with PowerShell 2.0

Leave a Reply

Your email address will not be published. Required fields are marked *