Author | Stephen Bennett, sqlnotesfromtheunderground.wordpress.com, Simone Bizzotto (@niphlod) |
Availability | Windows, Linux, macOS |
Discovers individual Active Directory users within Windows group logins on SQL Server instances.
Connects to SQL Server instances and recursively expands all Windows Active Directory group logins to reveal the individual user accounts that inherit access through group membership. This function queries Active Directory to enumerate all users within each Windows group login, including nested groups, providing a complete view of who actually has access to your SQL Server through group-based authentication. Essential for security audits, compliance reporting, and troubleshooting login access issues when you need to know which specific users can connect through group logins.
Find-DbaLoginInGroup
[-SqlInstance] <DbaInstanceParameter[]>
[[-SqlCredential] <PSCredential>]
[[-Login] <String[]>]
[-EnableException]
[<CommonParameters>]
PS C:\> Find-DbaLoginInGroup -SqlInstance DEV01 -Login "MyDomain\Stephen.Bennett"
Returns all Active Directory groups with logins on SQL Server instance DEV01 that contain the AD user Stephen.Bennett.
PS C:\> Find-DbaLoginInGroup -SqlInstance DEV01
Returns all Active Directory users within all Windows AD groups that have logins on the instance.
PS C:\> Find-DbaLoginInGroup -SqlInstance DEV01 | Where-Object Login -like '*stephen*'
Returns all Active Directory users within all Windows AD groups that have logins on the instance and whose login contains "stephen".
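For an access review it helps to see, per user, every group login that grants access, because removing a user from one group does not revoke access held through another. The following is an added example, not part of the dbatools documentation or source: `Get-GroupAccessPath` is a hypothetical helper, the sample rows are constructed, and the `SqlInstance`, `MemberOf` and `ParentADGroupLogin` property names are assumed to match the command's output (only `Login` appears on this page).

```powershell
# Added example: collapse Find-DbaLoginInGroup rows into one line per user and
# instance, listing every group login that grants that user access.
# Assumption: rows expose SqlInstance, Login and ParentADGroupLogin properties.
function Get-GroupAccessPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$InputObject
    )
    begin   { $rows = [System.Collections.Generic.List[object]]::new() }
    process { $rows.Add($InputObject) }
    end {
        $rows | Group-Object SqlInstance, Login | ForEach-Object {
            # A user reached through nested groups can appear more than once
            # under the same top-level group login, so de-duplicate.
            $groups = @($_.Group.ParentADGroupLogin | Sort-Object -Unique)
            [pscustomobject]@{
                SqlInstance = $_.Group[0].SqlInstance
                Login       = $_.Group[0].Login
                GroupLogins = $groups -join '; '
                PathCount   = $groups.Count
            }
        } | Sort-Object PathCount -Descending
    }
}

# Constructed sample rows standing in for live output (not real accounts).
$sample = @(
    [pscustomobject]@{ SqlInstance = 'DEV01'; Login = 'MyDomain\Stephen.Bennett'
        MemberOf = 'MyDomain\SqlAdmins'; ParentADGroupLogin = 'MyDomain\SqlAdmins' }
    [pscustomobject]@{ SqlInstance = 'DEV01'; Login = 'MyDomain\Stephen.Bennett'
        MemberOf = 'MyDomain\OnCall'; ParentADGroupLogin = 'MyDomain\SqlAdmins' }
    [pscustomobject]@{ SqlInstance = 'DEV01'; Login = 'MyDomain\Stephen.Bennett'
        MemberOf = 'MyDomain\Reporting'; ParentADGroupLogin = 'MyDomain\Reporting' }
    [pscustomobject]@{ SqlInstance = 'DEV01'; Login = 'MyDomain\Jane.Doe'
        MemberOf = 'MyDomain\Reporting'; ParentADGroupLogin = 'MyDomain\Reporting' }
)
$sample | Get-GroupAccessPath | Format-Table -AutoSize

# Against a live instance, -EnableException lets the caller handle a failure:
# try   { Find-DbaLoginInGroup -SqlInstance DEV01 -EnableException | Get-GroupAccessPath }
# catch { Write-Warning "DEV01: $($_.Exception.Message)" }
```

Rows with a `PathCount` above 1 are the accounts that keep access after being removed from a single group.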
-SqlInstance
The target SQL Server instance or instances. This can be a collection and receive pipeline input.
Alias | |
Required | True |
Pipeline | true (ByValue) |
Default Value |
-SqlCredential
PSCredential object to connect under. If not specified, the current Windows login will be used.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-Login
Filters results to show only Windows Active Directory groups that contain the specified individual user account(s).
Use this when you need to find which AD groups give a specific user access to SQL Server, rather than seeing all users from all groups.
Accepts multiple login names in DOMAIN\username format and supports pipeline input.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-EnableException
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |