This is a problem that has plagued me for a long time. I’ve seen solutions implemented in VBScript, and I’ve seen PowerShell solutions that relied on third-party tools to get the job done. Well, I’ve finally implemented a solution to finding all of an account’s group memberships with PowerShell.
The following script provides a function I call Get-ADPrincipalGroupMembershipRecursive, which I named after the built-in cmdlet Get-ADPrincipalGroupMembership. The function is called by passing the distinguished name of the account. It determines all of the account’s direct memberships using the memberOf attribute, then recursively checks those groups, their parent groups, and so on until a comprehensive list of the account’s memberships has been built.
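The traversal described above, as an added example that is not the author's script: it walks memberOf breadth-first over a constructed in-memory directory so it runs without a domain, and it records how each group was reached. The function name `Get-NestedMemberOf`, its `-GetMemberOf` lookup parameter and every sample DN are assumptions made for illustration.

```powershell
# Constructed sample directory: DN -> memberOf values (stands in for AD lookups).
$SampleDirectory = @{
    'CN=jdoe,OU=Users,DC=example,DC=test'          = @('CN=Helpdesk,OU=Groups,DC=example,DC=test')
    'CN=Helpdesk,OU=Groups,DC=example,DC=test'     = @('CN=Server Ops,OU=Groups,DC=example,DC=test')
    # Server Ops is nested back into Helpdesk: a circular nesting the walk must survive.
    'CN=Server Ops,OU=Groups,DC=example,DC=test'   = @('CN=Domain Admins,CN=Users,DC=example,DC=test',
                                                       'CN=Helpdesk,OU=Groups,DC=example,DC=test')
    'CN=Domain Admins,CN=Users,DC=example,DC=test' = @()
}

function Get-NestedMemberOf {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        # Returns the memberOf values for one DN. Against a live domain this could be
        # (assumption): { param($dn) (Get-ADObject -Identity $dn -Properties memberOf).memberOf }
        [Parameter(Mandatory)][scriptblock]$GetMemberOf
    )
    # DNs are case-insensitive, so compare them that way when tracking visited objects.
    $seen  = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $queue = [System.Collections.Generic.Queue[object]]::new()
    [void]$seen.Add($DistinguishedName)
    $queue.Enqueue([pscustomobject]@{ DN = $DistinguishedName; Depth = 0; Via = $null })

    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        foreach ($group in @(& $GetMemberOf $current.DN)) {
            if (-not $group) { continue }               # object has no memberOf values
            if (-not $seen.Add($group)) { continue }    # already visited: breaks cycles
            $entry = [pscustomobject]@{ DN = $group; Depth = $current.Depth + 1; Via = $current.DN }
            $entry                                      # emit to the pipeline
            $queue.Enqueue($entry)                      # then expand this group's own memberOf
        }
    }
}

# The sample account reaches Domain Admins at depth 3 through two ordinary-looking groups.
Get-NestedMemberOf -DistinguishedName 'CN=jdoe,OU=Users,DC=example,DC=test' `
    -GetMemberOf { param($dn) $SampleDirectory[$dn] } |
    Format-Table Depth, DN, Via -AutoSize
```

The `Via` column shows which nesting grants each indirect membership, which is what an access review needs in order to remove it. The memberOf attribute does not list an account's primary group, so a walk based on memberOf alone will not report it.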