How can I check group membership when an user account is deleted ?

Question

I have a scheduled task which executes a PowerShell script when an user account is deleted from Active Directory. Is there a way to check the group membership of that user account ? I have tried with

 If ((Get-ADUser $user -Properties MemberOf | Select -ExpandProperty MemberOF) -ccontains $groupname)
    {
      //code
    }

but unfortunately, this didn't worked.(and is understandable why).

I was thinking at something as using a customized xml file for the creation of the scheduled task, but neither in this case, I don't know which value I have to query.

Any ideas?

Answer 1

After a user account object is deleted, the SID will be removed from all groups the object was a member of. That is the reason why I personally prefer to disable user accounts, instead of deleting them.

However, if you enabled the Active-Directory Recycle Bin feature, you will be able to restore the user account object and all group membership information with it.

There are several ways to do so. I prefer to use the PowerShell. Here is an example:

 Get-ADObject -Filter {displayName -eq "Mary"} -IncludeDeletedObjects | Restore-ADObject

If you want to read more on the topic, please have a look at the Active Directory Recycle Bin Step-by-Step Guide

I also suggest you to enable said feature, if you haven't already.

The second option would be to fall back on your Active Directory backups, if your backup solution supports granular AD object restoration.

Answer 2

You can't check anything at all after a user account is deleted, because then AD no longer has any information about it; your only option is to check group membership (or any other info you might need) before deleting the user account.