In my SharePoint environment I like to use the security model where each SharePoint Group contains an AD Group and each AD group contains AD users.
The main issue I have with that model is that from within SharePoint I can’t figure out which user is a member of which AD group. This makes the security difficult to control.
I now looked into a solution to get the members of an AD group by using PowerShell. I’m not querying AD directly, as I want to know what SharePoint thinks the members of an AD group are.
First I’m getting my list
$webUrl = "https://intranet.mycorp.com/admin/site"
$web = Get-SPWeb $webUrl
$list = $web.Lists["MyList"]
then the role assignments
$roleAssignment = $list.RoleAssignments
For simplicity’s sake I’m looking at the second role assignment, and I’m only picking up its first User (this is actually an AD group):
$ADGroupName = $roleAssignment[1].Member.Users[0].Name
Get the AD group as an SPUser object with the EnsureUser method, the same way you would for a user account:
$ADGroup = $web.EnsureUser($ADGroupName)
Now the magic commands:
$reachedMax = $false
$users = [Microsoft.SharePoint.Utilities.SPUtility]::GetPrincipalsInGroup($web, $ADGroup, 10, [ref]$reachedMax)
All the users in my AD group are now in the $users variable. The third argument (10) caps how many principals are returned, and $reachedMax is set to $true when the group holds more members than that cap, so check it before trusting the listing as complete.
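Putting the steps above together, here is an added audit script (not code from the original post) that walks every role assignment on the list, expands each AD group through SharePoint's own view of its membership with GetPrincipalsInGroup, warns when the member cap is hit, and flags users who were granted access directly rather than through an AD group, since those break the "SharePoint group contains AD group contains users" model. The site URL, list name and member cap are placeholders I chose; the SharePoint PowerShell snap-in is assumed to be available.

```powershell
# Added example, not part of the original post: audit which AD groups grant access to a
# list and expand each one through SharePoint's own view of its membership.
# Assumptions: the SharePoint PowerShell snap-in is available, and $webUrl / $listName
# are placeholders for your own site and list.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl   = "https://intranet.mycorp.com/admin/site"   # placeholder
$listName = "MyList"                                  # placeholder
$maxCount = 500   # upper bound per group; the audit warns when it is hit

# Expand one AD group (an SPUser with IsDomainGroup = $true) into SPPrincipalInfo entries.
function Get-SPViewOfADGroup {
    param(
        [Microsoft.SharePoint.SPWeb] $Web,
        [Microsoft.SharePoint.SPUser] $ADGroup,
        [int] $Max
    )
    $reachedMax = $false
    # GetPrincipalsInGroup takes the group's login name as a string; the original post
    # passed the SPUser object, which PowerShell converts to its string form.
    $members = [Microsoft.SharePoint.Utilities.SPUtility]::GetPrincipalsInGroup($Web, $ADGroup.LoginName, $Max, [ref]$reachedMax)
    if ($reachedMax) {
        Write-Warning ("{0} has more than {1} members; the listing is truncated" -f $ADGroup.LoginName, $Max)
    }
    return $members
}

$web    = Get-SPWeb $webUrl
$list   = $web.Lists[$listName]
$report = @()

foreach ($ra in $list.RoleAssignments) {
    $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '

    # Collect the principals behind this assignment: the members of a SharePoint group,
    # or the single user / AD group that was assigned directly.
    if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
        $spGroupName = $ra.Member.Name
        $principals  = @($ra.Member.Users)
    } else {
        $spGroupName = '(direct assignment)'
        $principals  = @($ra.Member)
    }

    foreach ($p in $principals) {
        if ($p.IsDomainGroup) {
            foreach ($m in (Get-SPViewOfADGroup -Web $web -ADGroup $p -Max $maxCount)) {
                $report += New-Object PSObject -Property @{
                    SharePointGroup = $spGroupName
                    ADGroup         = $p.LoginName
                    Member          = $m.LoginName
                    DisplayName     = $m.DisplayName
                    Roles           = $roles
                }
            }
        } else {
            # A user granted access outside an AD group breaks the
            # "SP group -> AD group -> users" model, so report it as an exception to review.
            $report += New-Object PSObject -Property @{
                SharePointGroup = $spGroupName
                ADGroup         = '(none - user added directly)'
                Member          = $p.LoginName
                DisplayName     = $p.Name
                Roles           = $roles
            }
        }
    }
}

$report | Sort-Object SharePointGroup, ADGroup, Member | Format-Table -AutoSize
$web.Dispose()
```

Run it from the SharePoint Management Shell on a farm server. Rows whose ADGroup column reads "(none - user added directly)" are the ones to chase, and any "truncated" warning means $maxCount needs raising before the output can be treated as a complete membership list.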