A user can be a member of different Active Directory groups that grant permissions to access different domain services and resources. With the right permissions assignment strategy in AD, you only need to look at the list of groups the user is a member of to understand what permissions is assigned to this user.
There are several ways to list Active Directory user group memberships: AD graphical consoles, command-line tools, and PowerShell cmdlets
Get the List of Groups a User is Member of with Active Directory GUI
You can use the Active Directory Users and Computers snap-in (ADUC) graphical MMC to view a list of user groups.
- Run the dsa.msc snap-in;
- Right-click on the domain root and select Find;
- Enter a username and click Find Now;
- Open the user properties and go to the Member of tab;
- This tab lists the groups the selected user is a member of.
You can also list a user’s groups using the Active Directory Administrative Center (dsac.exe) console.
- Type a user name in the Global Search filed and hit Enter;
- Double-click a user account and go to the “Member of” tab;
- Here you can see a list of groups that the specified user is a member of;
- If the user is in a large number of groups, you can use a filter to search for them by name.
This method only shows the direct groups that the user is a member of. If another Active Directory group (nested group) is added to any of these groups, it won’t appear in the console. To view all user groups (including nested ones), you must use command-line tools.
Check AD Group Membership via Command Line
You can list Active Directory group membership with the command:
net user USERNAME /domain
The command output contains the user’s domain (Global Group memberships) and local groups (Local Group Memberships).
You can list the security groups that your account is a member of:
whoami /groups
Also, you can use the “gpresult /r” command to see the current user membership:
The user is a part of the following security groups
You can display a full list of user groups (including nested ones) using the dsget tool. You must specify the distinguishedName of the target user instead of a username:
dsget user "CN=Jon Brion,OU=Users,OU=UK,DC=theitbros,DC=com" -memberof –expand
If you need to get the members of a specific security group, including nested group membership, use the command:
dsget group "CN=NY-Managers,OU=Users,OU=NY,DC=theitbros,DC=com" –members -expand
List Active Directory Group Members with PowerShell
You can use the PowerShell cmdlets to check the user’s membership in AD groups. In this case, you must use the Get-AdUser, Get-ADPrincipalGroupMembership, Get-ADGroup, and Get-ADGroupMember cmdlets from the PowerShell Active Directory module.
Display a list of AD group members with the command:
Get-ADGroup -Filter {Name -like "*AllowUSB*"} -Properties Members | Get-ADGroupMember| select SamAccountName, SID, name
This command returns a list of users, groups, and computers which have been added directly to the specified group.
If you only want to list user accounts that are members of a specific AD group (including nested groups):
Get-ADGroupMember -Identity AllowUSB -Recursive | ft name
View the members of the group, including specific user attributes for each member:
Get-ADGroupMember -Identity AllowUSB -Recursive | foreach { Get-ADUser $_ -Properties * } | select displayName,company,department,title,email
Get Active Directory User Group Membership with PowerShell
Use the following commands to display the list of Active Directory groups that the user is a member of:
Get-ADPrincipalGroupMembership jbrion | Select name
or
Get-ADUser jbrion -Properties Memberof | Select -ExpandProperty memberOf
You can use complex LDAP filters to get nested group membership. For instance, to get a full list of the groups to which a user account belongs (including nested groups), use the command:
Get-ADGroup –LDAPFilter "(member:1.2.840.113556.1.4.1941:=CN=John Brion,OU=Employees,OU=NY,DC=theitbros,DC=com)"
The following PowerShell script can be used to check a user’s membership in a specific Active Directory group and perform some actions depending on the group membership:
$group = “*AllowUSB*”
$user = “jbrion”
if ((Get-ADUser $user -Properties memberof).memberof -like $group* )
{
# If the user is a member of a group
echo “True”
}
Else
{
# User not in the group
echo “False”
}
Export Active Directory Group Members to CSV using PowerShell
You can export the resulting AD group membership report to a text or CSV file.
Use the >> operator to redirect the result of the PowerShell cmdlet to a plain text file. For example:
Get-ADUser j.brion -Properties Memberof | Select -ExpandProperty memberOf >> c:\ps\ad_group.txt
This text file will contain the Distinguished Names (DNs) of all the groups the user is a member of.
You can use the Export-CSV cmdlet to save a list of user groups to a CSV file format.
Get-ADPrincipalGroupMembership j.brion | Select-Object name,description,GroupCategory,GroupScope,distinguishedName| Export-Csv -NoTypeInformation c:\ps\ad_group.csv -Encoding UTF8
This example uses the Select-Object cmdlet to filter only the attributes of the user or group that you want to export.
You can use the above command-line tools or PowerShell script to easily list and export Active Directory group memberships.
1 comment
Hi,
How can we get just security group list which used in AD through PowerShell.
Thanks
Devin