The tokenGroups attribute is a multi-valued attribute that contains a list of SIDs of the groups the user belongs to, stored as byte arrays. The attribute is populated behind the scenes by AD. To get the list of token groups, you first have to explicitly retrieve the contents of the attribute by calling GetInfoEx. Then, for each token in the list, you create a security principal object that can be translated into a user name. I toss the results into a hashtable so that I can sort the output.
The Perl version (see Enumerate TokenGroups using Perl) is slightly more complicated in that you have to convert the bytes yourself. PowerShell does the conversion for you automatically.
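The steps described above, written out as an added example (not the original script from this post). The function name and the distinguished name are placeholders made up for illustration, and the code assumes a domain-joined Windows host with read access to the account.

```powershell
# Added example: expand tokenGroups for one account and resolve each SID to a name.
function Get-TokenGroupNames {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DistinguishedName
    )

    $user = [ADSI]"LDAP://$DistinguishedName"

    # tokenGroups is not loaded with the default properties, so it has to be
    # pulled into the property cache explicitly before it can be read.
    $user.GetInfoEx(@('tokenGroups'), 0)
    $raw = $user.Get('tokenGroups')

    # A single value comes back as one byte[] instead of an array of byte[];
    # wrap it so the loop below always iterates over whole SIDs, not bytes.
    if ($raw -is [byte[]]) { $raw = ,$raw }

    $names = @{}
    foreach ($bytes in $raw) {
        # PowerShell hands the raw bytes straight to the SID constructor.
        $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$bytes, 0)
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # Keep SIDs that do not resolve (deleted group, unreachable trust)
            # in the output instead of aborting the whole listing.
            $name = '<unresolved>'
        }
        $names[$sid.Value] = $name
    }

    # Sort by resolved name so the output is stable and easy to review.
    $names.GetEnumerator() | Sort-Object Value |
        Select-Object @{ n = 'Name'; e = { $_.Value } }, @{ n = 'SID'; e = { $_.Key } }
}

# Constructed placeholder DN; replace with a real account in your directory.
Get-TokenGroupNames -DistinguishedName 'CN=Example User,OU=Staff,DC=example,DC=com'
```

Because tokenGroups is expanded by the directory, the list includes nested group memberships, which makes it useful when reviewing what access an account effectively holds.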