Get AD group membership when computer is only Azure AD joined

We can use this function to get a user's group membership from the on-premises AD. It can be used in scripts that are deployed with Intune and works with Windows Hello for Business (WHfB). Because it queries a domain controller over LDAP, the device still needs network line of sight to a DC when the script runs.

PowerShell code

function Get-ADGroupMembership {
    param(
        [parameter(Mandatory=$true)]
        [string]$UserPrincipalName
    )

    # Escape RFC 4515 special characters so a UPN containing \ * ( ) cannot break or alter the LDAP filter
    $EscapedUpn = $UserPrincipalName.Replace('\','\5c').Replace('*','\2a').Replace('(','\28').Replace(')','\29')
    $Searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher
    $Searcher.Filter = "(userPrincipalName=$EscapedUpn)"
    $Searcher.SearchRoot = "LDAP://$env:USERDNSDOMAIN"
    $Result = $Searcher.FindOne()
    if (-not $Result) { throw "User '$UserPrincipalName' not found in $env:USERDNSDOMAIN" }
    # memberOf lists direct group memberships only; keep the CN component as the group name
    $Result.GetDirectoryEntry().memberOf | ForEach-Object { $_.split(",")[0].replace("CN=","") }
}

$UserPrincipalName = $(whoami -upn)
$GroupMemberships = Get-ADGroupMembership -UserPrincipalName $UserPrincipalName

Update 2019-07-23: Below I changed the function to work with nested groups

PowerShell code

function Get-ADGroupMembership {
    param(
        [parameter(Mandatory=$true)]
        [string]$UserPrincipalName
    )

    # Escape RFC 4515 special characters so a UPN containing \ * ( ) cannot break or alter the LDAP filter
    $EscapedUpn = $UserPrincipalName.Replace('\','\5c').Replace('*','\2a').Replace('(','\28').Replace(')','\29')
    $Searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher
    $Searcher.Filter = "(userPrincipalName=$EscapedUpn)"
    $Searcher.SearchRoot = "LDAP://$env:USERDNSDOMAIN"
    $Result = $Searcher.FindOne()
    if (-not $Result) { throw "User '$UserPrincipalName' not found in $env:USERDNSDOMAIN" }
    $DistinguishedName = [string]$Result.Properties['distinguishedname'][0]
    # A DN may itself contain ( ) or \ (e.g. "CN=Smith\, John (Contractor)"), so escape it too
    $EscapedDn = $DistinguishedName.Replace('\','\5c').Replace('*','\2a').Replace('(','\28').Replace(')','\29')
    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: the DC walks the member chain and returns nested groups as well
    $Searcher.Filter = "(member:1.2.840.113556.1.4.1941:=$EscapedDn)"
    [void]$Searcher.PropertiesToLoad.Add("name")
    $Searcher.FindAll() | ForEach-Object { [string]$_.Properties['name'][0] }
}

$UserPrincipalName = $(whoami -upn)
$GroupMemberships = Get-ADGroupMembership -UserPrincipalName $UserPrincipalName
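As an added example (not the author's code), the following builds on the nested-group version above to return structured objects (name, DN, SID) and to gate an Intune script step on membership in a specific group. The LDAP escaping helper and the `Test-ADGroupMembership` function are assumptions introduced here; the group name "Finance-Users" is a constructed placeholder. Like the original, it needs a reachable domain controller and the logged-on user's Kerberos ticket.

```powershell
function ConvertTo-LdapFilterValue {
    # Escape a value per RFC 4515 so it can be embedded in an LDAP filter safely
    param([Parameter(Mandatory=$true)][string]$Value)
    $Value.Replace('\','\5c').Replace('*','\2a').Replace('(','\28').Replace(')','\29').Replace("`0",'\00')
}

function Get-ADGroupMembershipDetailed {
    param([Parameter(Mandatory=$true)][string]$UserPrincipalName)

    if (-not $env:USERDNSDOMAIN) { throw "USERDNSDOMAIN is not set; no domain context for the LDAP search" }

    $Searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher
    $Searcher.SearchRoot = [ADSI]"LDAP://$env:USERDNSDOMAIN"
    $Searcher.Filter = "(userPrincipalName=$(ConvertTo-LdapFilterValue $UserPrincipalName))"
    [void]$Searcher.PropertiesToLoad.Add('distinguishedName')

    $User = $Searcher.FindOne()
    if (-not $User) { throw "User '$UserPrincipalName' not found in $env:USERDNSDOMAIN" }
    $UserDn = [string]$User.Properties['distinguishedname'][0]

    # LDAP_MATCHING_RULE_IN_CHAIN resolves direct and nested memberships on the DC side
    $Searcher.Filter = "(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $UserDn))"
    $Searcher.PropertiesToLoad.Clear()
    $Searcher.PropertiesToLoad.AddRange([string[]]@('name','distinguishedName','objectSid'))

    $Results = $Searcher.FindAll()
    try {
        foreach ($r in $Results) {
            # Return the SID as well, so callers can match on a stable identifier rather than a renameable name
            $SidBytes = [byte[]]$r.Properties['objectsid'][0]
            [pscustomobject]@{
                Name              = [string]$r.Properties['name'][0]
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
                Sid               = (New-Object System.Security.Principal.SecurityIdentifier($SidBytes, 0)).Value
            }
        }
    }
    finally {
        # SearchResultCollection holds native handles; dispose it explicitly
        $Results.Dispose()
    }
}

function Test-ADGroupMembership {
    # Returns $true if the user is a direct or nested member of the named group
    param(
        [Parameter(Mandatory=$true)][string]$UserPrincipalName,
        [Parameter(Mandatory=$true)][string]$GroupName
    )
    $Groups = Get-ADGroupMembershipDetailed -UserPrincipalName $UserPrincipalName
    [bool]($Groups | Where-Object { $_.Name -eq $GroupName })
}

# Usage in an Intune-deployed script: branch on membership instead of hard-coding per-user logic
$Upn = (whoami -upn)
if (Test-ADGroupMembership -UserPrincipalName $Upn -GroupName 'Finance-Users') {   # constructed group name
    Write-Output "$Upn is in Finance-Users (directly or via a nested group)"
} else {
    Write-Output "$Upn is not in Finance-Users"
}
```

Matching on `Sid` rather than `Name` is the safer choice when the group name might be changed or when two groups in different OUs share a CN.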

Thanks and inspiration

Philip – @disqus_ZzllNNkf17