Retrieve the Number of Groups a User Belongs to, Including Nesting

Posted: August 6, 2013 in Active Directory

Just a simple one here, but want to keep it on file. This will rebuild the tokenGroups attribute for a user, which is a dynamic attribute, i.e. not part of the schema. Useful for working out why people are getting token bloat and kerberos issues.
$UserName = Read-Host -Prompt "Enter the user name to check"
If (Get-ADUser $Username){
$DN = (Get-ADUser $UserName).DistinguishedName
$user = [ADSI]"LDAP://$DN"
$secirc = new-object System.Security.Principal.IdentityReferenceCollection
foreach($sidByte in $user.TokenGroups)
$secirc.Add((new-object System.Security.Principal.SecurityIdentifier $sidByte,0))
($secirc.Translate([System.Security.Principal.NTAccount]) | Measure-Object).Count


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s