Josh

Reputation: 31

Powershell not returning expected groups

I am trying to use the following code in Powershell to get the Active Directory groups for the current user so I can perform specific actions based on what groups the user belongs to. Here is the code:

$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$groups = $id.Groups | foreach-object {
 $_.Translate([Security.Principal.NTAccount])
}
$groups

However, this code does not display all the Active Directory groups that a user belongs to. I am aware that WindowsIdentity.Groups does not return all groups, excluding groups that were on the token for deny-only or a group which is the SE_GROUP_LOGON_ID as documented here: https://blogs.msdn.microsoft.com/shawnfa/2008/02/07/which-groups-does-windowsidentity-groups-return/

I am looking to get all the groups that are returned in the command prompt by using net user \domain to get a list of groups that member belongs to from the domain controller. I don't mind if more groups are included, but at a minimum all of the domain controller's groups that are displayed with the net user command need to be there. I have also tried another way of retrieving the group names in Powershell (below). It returns another set of groups that is still different from what is returned by the domain controller using net user and also different from the first method above:

$strName = $env:username
$strFilter = "(&(objectCategory=User)(samAccountName=$strName))"

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.Filter = $strFilter

$objPath = $objSearcher.FindOne()
$objUser = $objPath.GetDirectoryEntry()
$objUser.memberOf

Any help that can get me a list that contains all the groups returned using the net user command in the command prompt would be appreciated. Ideally, I am looking for an elegant solution like my first snippet of code above which returns the groups as objects. I am considering parsing out the names of the groups from the net user command's output directly in Powershell, but before I do that I wanted to make sure I am not missing more elegant solutions.

Upvotes: 1

Views: 429

Answers (2)

Ashigore

Reputation: 4678

You can use the System.DirectoryServices.AccountManagement namespace like this:

[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.AccountManagement")
[System.DirectoryServices.AccountManagement.UserPrincipal]::get_Current().GetAuthorizationGroups()

Upvotes: 2
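The answer above returns the directory's recursive view of membership (nested groups and the primary group included), while the question's first snippet returns the logon token, which is what Windows actually evaluates for access checks in the current session and which deliberately omits deny-only groups and the per-session logon SID. The following script is an added example, not code from the thread or from either poster: it computes both views for the current user and emits one object per SID flagged with where it was seen, so you can see exactly which groups the token is missing. It assumes a domain-joined machine with a domain logon; the function name Get-CurrentUserGroupComparison is hypothetical.

```powershell
# Added example (not from the thread). Compares UserPrincipal.GetAuthorizationGroups
# (directory view) with WindowsIdentity.Groups (token view) for the current user.
# Assumption: domain-joined machine, interactive domain logon.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-CurrentUserGroupComparison {
    # Token view: the groups the OS evaluates for this logon session.
    $identity    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenGroups = @{}
    foreach ($sid in $identity.Groups) {
        # Some SIDs (e.g. the logon SID) cannot be translated to a name; keep the SID anyway.
        $name = $(try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $null })
        $tokenGroups[$sid.Value] = $name
    }

    # Directory view: recursive membership as the domain controller computes it.
    # Deny-only status is not visible here; that information lives only on the token.
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::Current
    if (-not $user) { throw "Could not resolve the current user as a directory principal." }
    $adGroups = @{}
    foreach ($g in $user.GetAuthorizationGroups()) {
        # Well-known principals may have no samAccountName; fall back to Name.
        $label = $(try { if ($g.SamAccountName) { $g.SamAccountName } else { $g.Name } } catch { $null })
        $adGroups[$g.Sid.Value] = $label
    }

    # One object per SID, keyed on the SID so renamed groups still line up.
    $allSids = @($tokenGroups.Keys) + @($adGroups.Keys) | Sort-Object -Unique
    foreach ($sid in $allSids) {
        [pscustomobject]@{
            Sid         = $sid
            Name        = $(if ($adGroups[$sid]) { $adGroups[$sid] } else { $tokenGroups[$sid] })
            OnToken     = $tokenGroups.ContainsKey($sid)
            InDirectory = $adGroups.ContainsKey($sid)
        }
    }
}

# Rows with InDirectory = True and OnToken = False are the groups the question is
# chasing: deny-only groups, or memberships added after the user logged on.
Get-CurrentUserGroupComparison |
    Sort-Object InDirectory, OnToken, Name |
    Format-Table -AutoSize
```

If the script is gating actions on membership, base the decision on the view that matches the resource being protected: the token governs what this session can already do on the local machine, whereas the directory view describes what the user will have after a fresh logon and is the right input for reporting or provisioning.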

postanote

Reputation: 16096

Here are a few ways to attack this effort.

Using DOS commands, but then you have to turn them into objects and extract what you are after.

gpresult /V /user $env:USERNAME
whoami /GROUPS
net user $env:USERNAME /Domain

PoSh, just doing something like the following... This gets all users, but you can of course filter on whatever username you wish.

### Show User and AD group membership

# Requires the RSAT ActiveDirectory module (Get-ADUser, Get-ADPrincipalGroupMembership, Get-ADGroup)
Import-Module ActiveDirectory

# Get users with all their properties and their group membership, display user and group name
ForEach ($TargetUser in (Get-ADUser -Filter * -Properties *))
{
    "`n" + "-"*12 + " Showing group membership for " + $TargetUser.SamAccountName
    Get-ADPrincipalGroupMembership -Identity $TargetUser.SamAccountName |
        Select Name
}

# Get users with base properties and their group membership, display user and group name
ForEach ($TargetUser in (Get-ADUser -Filter *))
{
    "`n" + "-"*12 + " Showing group membership for " + $TargetUser.SamAccountName
    Get-ADPrincipalGroupMembership -Identity $TargetUser.SamAccountName |
        Select Name
}

# Get user and AD group info, display user and group name
Get-ADUser -Filter "*" -SearchBase "CN=Users,DC=contoso,DC=com" `
    -SearchScope OneLevel -Properties Name, MemberOf |
    Select-Object Name, @{Label="Memberof";
        expression={($_.memberof | Get-ADGroup | Select-Object -ExpandProperty Name) -Join ","}}

# Same query, one record per user instead of a table
Get-ADUser -Filter "*" -SearchBase "CN=users,DC=contoso,DC=com" `
    -SearchScope OneLevel -Properties Name, MemberOf |
    Select-Object Name, @{Label="Memberof";
        expression={($_.memberof | Get-ADGroup | Select-Object -ExpandProperty Name) -Join ","}} |
    Format-List

Of course format as needed.

Upvotes: 0
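The answer above lists the command-line tools but leaves the "turn them into objects" step to the reader, and the question considered parsing net user output directly. The following is an added example, not code from the thread or from either poster, that does that conversion for two of the commands: whoami /groups emits CSV, so ConvertFrom-Csv does the work and the Attributes column exposes deny-only entries, while net user prints asterisk-prefixed names in padded columns that need a small parser. The sample output embedded below is constructed so the functions can be tried without a domain; the function names ConvertFrom-WhoamiGroups and ConvertFrom-NetUserGroups are hypothetical.

```powershell
# Added example (not from the thread). Converts whoami /groups and net user output
# into objects. Sample output below is constructed; swap in the live commands as noted.

function ConvertFrom-WhoamiGroups {
    param([string[]]$CsvLines)   # output of:  whoami /groups /fo csv
    $CsvLines | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Name     = $_.'Group Name'
            Sid      = $_.SID
            Type     = $_.Type
            DenyOnly = [bool]($_.Attributes -match 'deny only')   # present on the token but never grants access
            LogonSid = $_.SID -like 'S-1-5-5-*'                   # per-session logon SID, not a real group
            Enabled  = [bool]($_.Attributes -match 'Enabled group')
        }
    }
}

function ConvertFrom-NetUserGroups {
    param([string[]]$Lines)      # output of:  net user $env:USERNAME /domain
    $scope = $null
    foreach ($line in $Lines) {
        if ($line -match '^(Local|Global) Group [Mm]emberships\s+(.*)$') {
            $scope = $Matches[1]; $rest = $Matches[2]
        } elseif ($scope -and $line -match '^\s+(\*.*)$') {
            $rest = $Matches[1]  # continuation line of the same section
        } else {
            $scope = $null; continue
        }
        # Names are prefixed with * and separated by runs of spaces; names may contain single spaces.
        foreach ($m in [regex]::Matches($rest, '\*(.+?)(?=\s+\*|\s*$)')) {
            $name = $m.Groups[1].Value.Trim()
            if ($name -and $name -ne 'None') {
                [pscustomobject]@{ Name = $name; Scope = $scope }
            }
        }
    }
}

# Constructed sample; in practice use:  $whoami = whoami /groups /fo csv
$whoami = @(
    '"Group Name","Type","SID","Attributes"',
    '"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"',
    '"CONTOSO\Domain Users","Group","S-1-5-21-1111-2222-3333-513","Mandatory group, Enabled by default, Enabled group"',
    '"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"',
    '"NT AUTHORITY\LogonSessionId_0_123456","Well-known group","S-1-5-5-0-123456","Mandatory group, Enabled by default, Enabled group"'
)

# Constructed sample; in practice use:  $netUser = net user $env:USERNAME /domain
$netUser = @(
    'User name                    jdoe',
    'Full Name                    Jane Doe',
    '',
    'Local Group Memberships      *Remote Desktop Users',
    'Global Group memberships     *Domain Users         *Security Analysts',
    '                             *VPN Users',
    'The command completed successfully.'
)

"Token groups (whoami), deny-only and logon SID filtered out:"
ConvertFrom-WhoamiGroups $whoami |
    Where-Object { -not $_.DenyOnly -and -not $_.LogonSid } |
    Format-Table Name, Sid, Type -AutoSize

"Domain group membership (net user):"
ConvertFrom-NetUserGroups $netUser | Format-Table -AutoSize
```

Two caveats on the text route: net user truncates group names to fit its columns and does not expand nested membership, so the object list it yields is only as complete as its display, and whoami reflects the token, so a deny-only group shows up as a row that must be excluded rather than silently missing as it is from WindowsIdentity.Groups.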
