Here’s a PowerShell Function that leverages Active Directory .Net to get a list of the AD authorization groups. This is extremely useful to get a complete list of security groups that comprise a user’s AD Kerberos token without having to loop or recurse AD groups.<\/p>\n
<\/p>\n
$ErrorActionPreference = \"SilentlyContinue\" $UserAuthGroups = $NULL $Assembly = [System.Reflection.Assembly]::LoadWithPartialName(\"System.DirectoryServices.AccountManagement\") $UserAccount = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($Context,$([System.DirectoryServices.AccountManagement.IdentityType]::SAMAccountName),$AccountID)<\/p>\n [array]$UserAuthGroups = $UserAccount.GetAuthorizationGroups()<\/p>\n $UserAccount.GetAuthorizationGroups() | ForEach { [array]$UserAuthGroupsDN += $_.DistinguishedName } IF ($UserAuthGroups.Count -eq 0) IF ($CountAuthGroups -eq $True) IF ($ReturnGroups -eq $True) }<\/code><\/p>\n","protected":false},"excerpt":{"rendered":" Here’s a PowerShell Function that leverages Active Directory .Net to get a list of the AD authorization groups. This is extremely useful to get a complete list of security groups that comprise a user’s AD Kerberos token without having to loop or recurse AD groups. Function GetAuthGroups { Param ( $AccountID, [switch]$CountAuthGroups, [Switch]$ReturnGroups = … <\/p>\n Function GetAuthGroups
\n{
\n Param
\n (
\n $AccountID,
\n [switch]$CountAuthGroups,
\n [Switch]$ReturnGroups = $True
\n )<\/p>\n
\n [int]$UserAuthGroupsCount = 0<\/p>\n
\n $UserAuthGroupsDN = $NULL<\/p>\n
\n $Context = New-Object -typename \"System.DirectoryServices.AccountManagement.PrincipalContext\" -ArgumentList $([System.DirectoryServices.AccountManagement.ContextType]::Domain)<\/p>\n
\n [int]$UserAuthGroupsCount = $UserAuthGroups.Count<\/p>\n
\n { [int] $UserAuthGroupsCount = $UserAuthGroupsDN.Count }<\/p>\n
\n { return $UserAuthGroupsCount }<\/p>\n
\n {
\n IF ($UserAuthGroups)
\n { return $UserAuthGroups }
\n IF ($UserAuthGroupsDN)
\n { return $UserAuthGroupsDN }
\n }<\/p>\n