使用 PowerShell 检查 SharePoint 用户是否是 AD 组的成员

要求：使用 PowerShell 检查 SharePoint 用户是否是 Active Directory 组的成员

解决方案：虽然我们可以使用 AD PowerShell cmdlet（例如 Get-ADGroupMember）检查特定用户帐户是否是 AD 安全组的成员，但以下是查找特定用户帐户是否是 AD 安全组的本机方法给定 Active Directory 组的成员。

PowerShell 检查 SharePoint 用户是否是 Active Directory 组的成员：

有时您可能需要知道特定 SharePoint 用户是否是 Active Directory 组的成员，因为 Active Directory 组在许多组织中用作 SharePoint 的安全边界。这篇博文将向您展示如何使用 PowerShell 检查用户是否是 Active Directory 组的成员。

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
 
#Variables
$SiteURL="https://intranet.crescent.com"
$SearchUserAccount = "Crescent\salaudeen"
  
#Custom Function to Check if User is member of a Active Directory Group
Function Check-UserIsMemberOfADGroup($web,$SearchUserAccount,$GroupName)
{
    Try {
        #Resolve the AD Group & User in SharePoint
        $ADGroup = $web.EnsureUser($GroupName)
        $User =  $web.EnsureUser($SearchUserAccount)

        #Get All Users of the AD Group
        $ReachedMax = $false
        $Users = [Microsoft.SharePoint.Utilities.SPUtility]::GetPrincipalsInGroup($web, $ADGroup,  ([Int]::MaxValue)-1, [ref]$ReachedMax) 
 
        #Check if user found in the members list
        $SearchUser = $Users | Where {$_.PrincipalType -eq "User" -and $_.LoginName -eq $User.UserLogin}
        If($SearchUser -ne $Null) { Return $True } else { Return $False }
    }
    Catch {
        write-host -f Red "Error Checking User Membership!" $_.Exception.Message
    }
}
 
#Get the Web
$Web = Get-SPWeb $SiteURL
 
#Get All AD Groups which has permission to the object such as Web, List, etc
$RoleAssignments = $Web.RoleAssignments | Where { $_.Member.IsDomainGroup}
     
#Iterate Through permissions of the web
Foreach($RoleAssignment in $RoleAssignments)
{
    $IsMember = Check-UserIsMemberOfADGroup $Web $SearchUserAccount $RoleAssignment.Member.Name
    If($IsMember)
    {
        Write-host -f Green $SearchUserAccount is member of the AD Group $RoleAssignment.Member.Name
    }
    Else
    {
        Write-host -f Red $SearchUserAccount is not a member of the AD Group $RoleAssignment.Member.Name
    }
}

请注意，此脚本仅检查直接成员资格 - 它不会搜索嵌套组！

递归检查用户是否是 AD 组的成员：

这次，我们使用 Get-ADGroupMember cmdlet 递归检查给定用户是否是 AD 组的成员。如果需要检查 SharePoint 用户是否是 Active Directory (AD) 组的成员，可以使用 PowerShell 从域控制器查询组成员身份信息。

#Variables
$UserID = "Crescent\salaudeen"
$ADGroup = "Crescent\Palo Alto RAS"

#Extract SamAccountName and AD Group Name
$SamAccountName = $UserID.Substring($UserID.IndexOf("\") + 1)
$ADGroupName = $ADGroup.Substring($ADGroup.IndexOf("\") + 1)

#Get All Members of the AD Group
$GroupMembers = Get-ADGroupMember -identity $ADGroupName -Recursive | Select -ExpandProperty SamAccountName

If($GroupMembers -contains $SamAccountName)
{
    Write-host -f Green "User '$UserID' is Member of the AD Group: $ADGroupName"
}
else
{
    Write-host -f Red "User '$UserID' is Not a Member of the AD Group: $ADGroupName"
}