Execution Flow
Synopsis
Finds all AD groups that a given identity (user, group, or computer) belongs to, optionally traversing parent groups up to -Depth levels. Inverse operation to Get-sqmADGroupMembersRecursive. Useful for auditing SQL Server access when a login is granted via nested group membership.
Does not require dbatools. Requires LDAP connectivity to a domain controller. "Domain Users" is always excluded from results.
Syntax
Get-sqmADMemberGroups -Identity <String[]> # required, pipeline [-Domain <String>] [-Depth <Int>] # 0-10, default 2 [-OutputPath <String>]
Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| -Identity | String[] | Required | SamAccountName, UPN, or DistinguishedName of the user/group/computer. Pipeline-capable. |
| -Domain | String | auto-detect | AD domain. Auto-detected from current domain if omitted. |
| -Depth | Int | 2 | Maximum nesting depth for parent group traversal (0–10). |
| -OutputPath | String | C:\System\WinSrvLog\MSSQL | Directory for TXT and CSV report files. |
Return Value
| Property | Description |
|---|---|
| Identity | Resolved identity (domain prefix stripped). |
| Domain | AD domain used. |
| Depth | Maximum depth used for parent traversal. |
| GroupCount | Number of unique parent groups found. |
| Groups | List with SamAccountName, DisplayName, GroupScope, Depth. |
| TxtFile / CsvFile | Written report file paths. |
| Status | OK / NoGroups / Error. |
Examples
# Which groups does john.doe belong to? (up to 2 levels) Get-sqmADMemberGroups -Identity "john.doe" -Depth 2 # Check group membership of a computer account Get-sqmADMemberGroups -Identity "SQL01$" # Multiple identities via pipeline "john.doe","svc_sql" | Get-sqmADMemberGroups -Depth 3