tree-like cmdlet for Active Directory Principals Group Membership.
Get-ADTreePrincipalGroupMembership
    [-Identity] <String>
    [-Server <String>]
    [-Credential <PSCredential>]
    [-Depth <Int32>]
    [-ShowAll]
    [-Exclude <String[]>]
    [<CommonParameters>]

Get-ADTreePrincipalGroupMembership
    [-Identity] <String>
    [-Server <String>]
    [-Credential <PSCredential>]
    [-Recursive]
    [-ShowAll]
    [-Exclude <String[]>]
    [<CommonParameters>]
The Get-ADTreePrincipalGroupMembership cmdlet gets the Active Directory groups that have a specified user, computer, group, or service account as a member and displays them in a tree-like structure. This cmdlet also helps identify circular nested groups.
PS ..\PSADTree\> Get-ADTreePrincipalGroupMembership john.doe
By default, this cmdlet uses -Depth with a default value of 3.
PS ..\PSADTree\> Get-ADTreePrincipalGroupMembership john.doe -Recursive
PS ..\PSADTree\> Get-ADComputer -Filter * -SearchBase 'OU=myOU,DC=myDomain,DC=com' |
Get-ADTreePrincipalGroupMembership
You can pipe strings containing an identity to this cmdlet. ADObject instances piped to this cmdlet are also supported.
PS ..\PSADTree\> Get-ADComputer -Filter * -SearchBase 'OU=myOU,DC=myDomain,DC=com' |
Get-ADTreePrincipalGroupMembership -Recursive |
Where-Object IsCircular
PS ..\PSADTree\> Get-ADTreePrincipalGroupMembership john.doe -Server otherDomain
PS ..\PSADTree\> Get-ADTreePrincipalGroupMembership john.doe -ShowAll
By default, previously processed groups will be marked as "Processed Group" and their hierarchy will not be displayed.
The -ShowAll switch indicates that the cmdlet should display the hierarchy of all previously processed groups.
Note
Using this switch should not incur a significant performance cost; see the parameter details for more information.
-Credential
Specifies a user account that has permission to perform this action. The default is the current user.
Type a user name, such as User01 or Domain01\User01, or enter a PSCredential object generated by the Get-Credential cmdlet. If you type a user name, you're prompted to enter the password.
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Depth
Determines the number of nested group memberships included in the recursion.
By default, only 3 levels of recursion are included. Get-ADTreePrincipalGroupMembership emits a warning if the levels exceed this number.
Type: Int32
Parameter Sets: Depth
Aliases:
Required: False
Position: Named
Default value: 3
Accept pipeline input: False
Accept wildcard characters: False
-Exclude
Specifies an array of one or more string patterns to be matched as the cmdlet enumerates child principals. Any matching principal is excluded from the output. Wildcard characters are accepted.
Note
Patterns are tested against the principal's .SamAccountName property.
Type: String[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: True
-Identity
Specifies an Active Directory principal by providing one of the following property values:
- A DistinguishedName
- A GUID
- A SID (Security Identifier)
- A sAMAccountName
- A UserPrincipalName
See IdentityType Enum for more information.
Type: String
Parameter Sets: (All)
Aliases: DistinguishedName
Required: True
Position: 0
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
-Recursive
Specifies that the cmdlet should get all group memberships of the specified principal.
Type: SwitchParameter
Parameter Sets: Recursive
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Server
Specifies the AD DS instance to connect to by providing one of the following values for a corresponding domain name or directory server.
Domain name values:
- Fully qualified domain name
- NetBIOS name
Directory server values:
- Fully qualified directory server name
- NetBIOS name
- Fully qualified directory server name and port
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ShowAll
By default, previously processed groups will be marked as "Processed Group" and their hierarchy will not be displayed. This switch forces the cmdlet to display the full hierarchy including previously processed groups.
Note
This cmdlet uses a caching mechanism to ensure that Active Directory Groups are only queried once per Identity.
This caching mechanism is also used to reconstruct the pre-processed group's hierarchy when the -ShowAll switch is used, thus not incurring a performance cost.
The intent behind this switch is to not clutter the cmdlet's output by default.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
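
The traversal behaviour described above for -Depth, -Recursive and -ShowAll (depth limit, processed-group cache, circular nesting), sketched as an added example over constructed data. It is not PSADTree's own code; Get-SampleMembershipTree, the $memberOf map, the Processed property and the exact depth rule are assumptions made for illustration.

```powershell
# Constructed sample data: principal -> groups it is a direct member of.
# GroupC is a member of GroupA, closing the loop GroupA -> GroupB -> GroupC -> GroupA.
$memberOf = @{
    'john.doe' = @('GroupA', 'Helpdesk')
    'GroupA'   = @('GroupB')
    'GroupB'   = @('GroupC', 'Helpdesk')
    'GroupC'   = @('GroupA')
    'Helpdesk' = @()
}

# Hypothetical helper, not part of PSADTree.
function Get-SampleMembershipTree {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [hashtable] $Map = $memberOf,
        [int] $Depth = 3,
        [switch] $Recursive
    )
    # Groups already expanded once; a second visit is reported, not re-walked.
    $processed = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)

    function Walk([string] $Name, [int] $Level, [string[]] $Path) {
        foreach ($group in $Map[$Name]) {
            # Circular: the group is already an ancestor on the current branch.
            $circular = $Path -contains $group
            $seen     = -not $processed.Add($group)
            [pscustomobject]@{
                Hierarchy  = ('  ' * ($Level - 1)) + $group
                Depth      = $Level
                IsCircular = $circular
                Processed  = $seen -and -not $circular
            }
            if ($circular -or $seen) { continue }
            # Assumed depth rule: stop descending once $Depth levels are shown.
            if (-not $Recursive -and $Level -ge $Depth) { continue }
            Walk $group ($Level + 1) ($Path + $group)
        }
    }
    Walk $Identity 1 @($Identity)
}

# Full walk, then only the entries that close a loop.
Get-SampleMembershipTree john.doe -Recursive | Format-Table
Get-SampleMembershipTree john.doe -Recursive | Where-Object IsCircular
```

In this sketch the constructed loop only closes at level 4, so the IsCircular entry for GroupA appears with -Recursive (or -Depth 4) but not at the default depth of 3.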
This cmdlet supports the common parameters. For more information, see about_CommonParameters.
You can pipe strings containing an identity to this cmdlet. ADObject instances piped to this cmdlet are also supported.
treeprincipalmembership is the alias for this cmdlet.