Get AD group membership when computer is only Azure AD joined
We can use this function to get a user's group membership from the on-premises AD, even though the device is only Azure AD joined. It can be used in scripts that are deployed with Intune and it works with Windows Hello for Business (WHfB) sign-in, because the DirectorySearcher runs with the signed-in user's credentials against the domain the device has line of sight to.
PowerShell code
function Get-ADGroupMembership {
    param(
        [parameter(Mandatory=$true)]
        [string]$UserPrincipalName
    )
    # Query the on-premises domain the device can reach, using the signed-in user's own credentials
    $Searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher
    $Searcher.Filter = "(&(userprincipalname=$UserPrincipalName))"
    $Searcher.SearchRoot = "LDAP://$env:USERDNSDOMAIN"
    $Result = $Searcher.FindOne()
    if ($null -eq $Result) { return }   # no matching user: do not call GetDirectoryEntry() on $null
    # memberOf holds direct memberships only (no nesting); reduce each group DN to its CN
    $Result.GetDirectoryEntry().memberOf | ForEach-Object { $_.split(",")[0].replace("CN=","") }
}
# UPN of the signed-in user, e.g. user@contoso.com
$UserPrincipalName = $(whoami -upn)
$GroupMemberships = Get-ADGroupMembership -UserPrincipalName $UserPrincipalName
Update 2019-07-23: below I changed the function so that it also returns memberships inherited through nested groups.
PowerShell code
function Get-ADGroupMembership {
    param(
        [parameter(Mandatory=$true)]
        [string]$UserPrincipalName
    )
    $Searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher
    $Searcher.Filter = "(&(userprincipalname=$UserPrincipalName))"
    $Searcher.SearchRoot = "LDAP://$env:USERDNSDOMAIN"
    $Result = $Searcher.FindOne()
    if ($null -eq $Result) { return }   # no matching user
    # Take the first (only) value of the distinguishedName attribute as a plain string
    $DistinguishedName = [string]$Result.Properties.distinguishedname[0]
    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the domain controller
    # resolve group nesting itself, so one query returns all transitive memberships
    $Searcher.Filter = "(member:1.2.840.113556.1.4.1941:=$DistinguishedName)"
    [void]$Searcher.PropertiesToLoad.Add("name")
    $Searcher.FindAll() | ForEach-Object { $_.Properties.name }
}
# UPN of the signed-in user, e.g. user@contoso.com
$UserPrincipalName = $(whoami -upn)
$GroupMemberships = Get-ADGroupMembership -UserPrincipalName $UserPrincipalName
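Both filters above interpolate the UPN and the user's DN straight into the LDAP query, so a value containing "(", ")", "*" or "\" (a DN such as CN=Smith (Admin),OU=... is perfectly legal) would break or alter the filter. The following is an added example, not the author's code: it escapes filter values as RFC 4515 requires and turns the nested-group query into a yes/no check for one named group, which is what an Intune script usually needs to branch on. ConvertTo-LdapFilterValue, Test-ADGroupMembership and the group name Example-VPN-Users are my own names and placeholders, not anything from the post.

```powershell
function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside a filter assertion value.
    # The backslash is handled first so the escapes added afterwards are not re-escaped.
    param([Parameter(Mandatory=$true)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Test-ADGroupMembership {
    # Returns $true when the user is a member of the group, directly or through nesting.
    param(
        [Parameter(Mandatory=$true)][string]$UserPrincipalName,
        [Parameter(Mandatory=$true)][string]$GroupName
    )
    $Searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher
    $Searcher.SearchRoot = "LDAP://$env:USERDNSDOMAIN"

    # Step 1: resolve the UPN to a distinguished name, escaping it before it enters the filter.
    $Searcher.Filter = "(&(objectClass=user)(userPrincipalName=$(ConvertTo-LdapFilterValue $UserPrincipalName)))"
    $User = $Searcher.FindOne()
    if ($null -eq $User) { throw "User '$UserPrincipalName' was not found in $env:USERDNSDOMAIN" }
    $DistinguishedName = [string]$User.Properties['distinguishedname'][0]

    # Step 2: ask the domain controller whether the named group contains that DN anywhere in its
    # membership chain (LDAP_MATCHING_RULE_IN_CHAIN, OID 1.2.840.113556.1.4.1941). The DN is escaped
    # as well, because DN escapes such as "\," would otherwise be read as filter syntax.
    $EscapedGroup = ConvertTo-LdapFilterValue $GroupName
    $EscapedDn = ConvertTo-LdapFilterValue $DistinguishedName
    $Searcher.Filter = "(&(objectClass=group)(cn=$EscapedGroup)(member:1.2.840.113556.1.4.1941:=$EscapedDn))"
    [void]$Searcher.PropertiesToLoad.Add('name')
    return ($null -ne $Searcher.FindOne())
}

# Usage in an Intune-deployed script: branch on membership of a hypothetical group.
if (Test-ADGroupMembership -UserPrincipalName (whoami /upn) -GroupName 'Example-VPN-Users') {
    Write-Output 'Member of Example-VPN-Users (directly or via a nested group)'
} else {
    Write-Output 'Not a member of Example-VPN-Users'
}
```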
Thanks and inspiration
Philip – @disqus_ZzllNNkf17