
There are lots of questions around counting members in a group, but with the hard limit of 200 groups for groups to get into a token, I need to get a count of groups a user is a member of.

This `(Get-ADUser userName -Properties MemberOf).MemberOf` from this response gets me the list of groups a user is a member of, but how do I just get a count?

Breiz
  • Can you be more specific? Do you want to know the count of groups returned by the memberOf constructed attribute, or do you want the count of Kerberos token groups the user has when logging in? They could be very different results... – twconnell May 09 '21 at 13:19
  • The former: the count of groups returned by the memberOf. – Breiz May 11 '21 at 21:49
  • Too easy, just use the count method (available since PSv3) by appending `.count` to the end of your statement. – twconnell May 13 '21 at 14:35
  • The limit of 200 groups in the token is for JWT: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims – Breiz May 27 '21 at 03:07

2 Answers

There are many ways to count things in PowerShell. Measure-Object is one, but my preferred choice is the count method:

```powershell
(Get-ADUser <username> -Properties MemberOf).MemberOf.count
```

Personally, I would be more interested in the recursive (nested) group memberships of the user. This provides a more complete picture of what they have access to. To get all nested groups a user is a member of, you could use the constructed attribute tokenGroups (as explained here):

```powershell
Get-ADUser -SearchScope Base -SearchBase (Get-ADUser <username>).DistinguishedName -LDAPFilter '(objectClass=user)' -Properties tokenGroups |
    Select-Object -ExpandProperty tokenGroups |
    Select-Object -ExpandProperty Value |
    %{(Get-ADGroup $_).Name} |
    Sort-Object
```

twconnell
  • Yes, this answer is counting the actual group objects returned from the MemberOf query. `Measure-Object -line` is really intended for measuring lines in a text file (and I wouldn't be surprised if it were slower in aggregate due to parsing a "string") – LeeM May 18 '21 at 03:18
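
Added example (not from either answer): a function, with the hypothetical name `Get-UserGroupCount`, that reports the direct `memberOf` count next to the `tokenGroups` count for each user and flags accounts above the 200-group limit mentioned in the question. It assumes the ActiveDirectory module is installed and a domain controller is reachable.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and a reachable DC.
Import-Module ActiveDirectory

function Get-UserGroupCount {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Identity,

        [int]$Limit = 200       # threshold cited in the question
    )
    process {
        # Direct memberships: the memberOf attribute holds one DN per group.
        $user = Get-ADUser -Identity $Identity -Properties MemberOf

        # tokenGroups is a constructed attribute, so read it with a base-scope
        # search on the user's own DN, as the one-liner in the answer does.
        $token = Get-ADUser -SearchScope Base -SearchBase $user.DistinguishedName `
            -LDAPFilter '(objectClass=user)' -Properties tokenGroups

        # @() forces an array so .Count is correct for zero or one value.
        $direct = @($user.MemberOf).Count
        $nested = @($token.tokenGroups).Count

        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            DirectGroups   = $direct
            TokenGroups    = $nested
            Limit          = $Limit
            # Flag the account if either count exceeds the threshold.
            OverLimit      = ($direct -gt $Limit) -or ($nested -gt $Limit)
        }
    }
}

# Usage (constructed account names):
# 'alice', 'bob' | Get-UserGroupCount | Sort-Object TokenGroups -Descending
```
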

Perhaps Measure-Object -Line

```powershell
(Get-ADUser userName -Properties MemberOf).MemberOf | Measure-Object -Line
```

PMTucker
  • There's an important parenthesis missing at the beginning. – Davidw May 07 '21 at 00:30
  • Also, if you're using the dot property (`.MemberOf`), you can omit the `-Properties MemberOf`, because it will get only that property anyway. – Davidw May 08 '21 at 00:24