You can however, query AD groups for the members but that could be quite intensive. The script could determine membership without picking up a new token but the NTFS perms that rely on the new token would still require a logon.