Active Directory security groups are used to grant users permissions to various domain services and resources. Therefore, to understand what permissions are assigned to a specific user in the AD domain, it is enough to look at the groups in which the user account is a member of.
There are several administrative tools that allow you to display Active Directory group membership: AD graphical consoles, command line tools, and PowerShell cmdlets.
View Active Directory User Group Membership via GUI
The easiest and most clear way to view a list of direct user groups in Active Directory is to use the graphical snap-in Active Directory Users and Computers snap-in (ADUC).
- Run the dsa.msc snap-in;
- Right-click on the domain root and select Find;
- Enter a username and click Find Now;
- Open the user properties and go to the Member of tab;
- This tab lists the groups the selected user is a member of.
You can also list a user’s groups using the Active Directory Administrative Center (dsac.exe) console.
- Enter a user name in the Global Search filed and hit Enter;
- Double-click a user account you need and go to the “Member of” tab;
- Here you can see a list of groups that the specified user is a member of;
- If the user is in a large number of groups, you can use a filter to search for them by name.
This method only shows the direct groups that the user has been added to. If another Active Directory group (nested group) is added to any of these groups, it won’t be appear in the console. To display all user groups (including nested ones), you need to use command line tools.
Checking AD Group Membership via Command Line
You can also check Active Directory group membership through the command line. Run the command:
net user USERNAME /domain
As you can see, the command output contains the domain (Global Group memberships) and local groups (Local Group Memberships) of the user.
Using the following command, you can list the security groups that your account is a member of:
whoami /groups
List the members of the domain group:
Net group "CorpAPPUser" /DOMAIN
Also, you can use the gpresult tool to see the current user membership. Run the “gpresult /r” command and under User Settings, you will see the memberships of the logged-in user:
The user is a part of the following security groups
You can display a full list of user groups (including nested ones) using the dsget tool. Instead of a username, you need to specify its distinguishedName:
dsget user "CN=Jon Brion,OU=Users,OU=UK,DC=theitbros,DC=com" -memberof –expand
If you need to get the members of a specific security group, including nested group membership, use the command:
dsget group "CN=NY-Managers,OU=Users,OU=NY,DC=theitbros,DC=com" –members -expand
When you need to do the opposite operation and display a list of groups to which the group belongs, run:
dsget group "CN=NY-Managers,OU=Users,OU=NY,DC=theitbros,DC=com" –memberof -expand
You can display the members of a specific AD group using dsquery and net group commands:
dsquery group -name "AllowUSB" | dsget group -members
or:
net group "AllowUSB" /domain
How to List AD Group Members Using PowerShell?
You can also check user AD group membership using the PowerShell cmdlets: Get-AdUser, Get-ADPrincipalGroupMembership, Get-ADGroup, and Get-ADGroupMember. You need the PowerShell Active Directory module installed on your computer to do this.
Tip. To use the AD PowerShell Module on Windows 10 or Windows 11 desktop devices, you need to install Remote Server Administration Tools.
Import the Active Directory PowerShell module into the current session:
Import-module Activedirectory
You can use the Get-ADGroup or Get-ADGroupMember cmdlets to get a list of users in a group. For example, to find a group in a domain and display a list of users in it, you can use the command:
(Get-ADGroup -Filter {Name -like "*_AllowUSB"} -Properties Members | SELECT *).Members
The previous command will only return the DN (Distinguished Name) of users who are members of the group. If you need other attributes of the users in the group (for example, SID, SamAccountName, name, etc.), it’s better to use the Get-ADGroupMember cmdlet:
Get-ADGroup -Filter {Name -like "*_AllowUSB"} -Properties Members | Get-ADGroupMember
In the example above, we assumed you don’t know the exact name of the group you are looking for. If you know the group’s full name, you can immediately specify it as the Get-ADGroupMember parameter.
The Get-ADGroupMember cmdlet allows listing the members of an AD group (members can be users, groups, and computers).
Display only usernames that are added to the specific AD group (including nested groups):
Get-ADGroupMember -Identity AllowUSB -Recursive | ft name
Note. The -Recursive option allows you to display not only the account of users directly added to the AllowUSB group, but also the users of groups that are members of this group (child or nested group).
Display group members with detailed information on each member:
Get-ADGroupMember -Identity AllowUSB | foreach { Get-ADUser $_ -Properties * }
You can display only certain attributes of users in a group:
Get-ADGroupMember -Recursive “GroupName" | ForEach {Get-ADUser -filter {samaccountname -eq $_.SamAccountName} -Properties displayName, company, title, department } | Format-Table displayName,company,department,title –AutoSize
The following example will display the email addresses of all users of a specific security group:
Get-ADGroupMember -Recursive "UK_IT_DEPT" | ForEach { Get-ADUser -filter {samaccountname -eq $_.SamAccountName} -Properties mail } | Sort-Object mail | Format-Table mail
To count the number of users in an AD group, you need to use the PowerShell Count method:
(Get-ADGroupMember -Identity "Domain Admins").Count
Find empty groups in Active Directory (which do not contain any user):
Get-ADGroup -filter * | where {-Not ($_ | Get-ADGroupMember)} | Select Name
You can perform the reverse task — display a list of users who are not included in a particular AD group. The following PowerShell command will list all domain users that are not a member of the nyManagers group.
Get-ADuser -Filter * -Properties MemberOf | where { -Not ($_.MemberOf -match "nyManagers") } | Select Name
You can also use pipe with the Out-GridView cmdlet to conveniently sort and filter the list of group members. Out-GridView allows you to present any set of PowerShell data in a simple GUI. With the Add Criteria options, you can add different filters. To sort the table by any attribute, just click on the column name in the table header.
Get-ADGroupMember -Identity ca_AllowUSB | Select-Object name, objectClass,distinguishedName | Out-GridView
Get Active Directory User Group Membership with PowerShell
The list of Active Directory groups in which the user is a member can be displayed using the following commands:
Get-ADPrincipalGroupMembership jbrion | Select name
or
Get-ADUser jbrion -Properties Memberof | Select -ExpandProperty memberOf
Another way to get a list of all members of a group (explicit or implicit) is to use the –RecursiveMatch operator:
Get-ADUser -Filter {MemberOf -RecursiveMatch "CN=NY-Sales,OU=Groups,OU=NY,DC=theitbros,dc=com"}
If we are interested only in whether a certain user belongs to a certain group, we can proceed as follows:
Get-ADUser -Filter {MemberOf -RecursiveMatch "CN=NY-Sales,OU=Groups,OU=NY,DC=theitbros,dc=com"} -SearchBase "CN=User,OU=Users,OU=NY,DC=theitbros,DC=com"
You can use the filter by group name:
Get-ADPrincipalGroupMembership jbrion | where {$_ -like "*allow*"} | Sort-Object | select -ExpandProperty name
You can use complex LDAP filters to get nested group membership. For instance, to get a full list of the groups to which a user account belongs (including nested groups), use the command:
Get-ADGroup –LDAPFilter (member:1.2.840.113556.1.4.1941:=CN=John Brion,OU=Employees,OU=NY,DC=theitbros,DC=com)
The following PowerShell script template can be used to check a user’s membership in a specific Active Directory group and perform some actions depending on group membership (the group name must be specified between the * characters):
$group = “*AllowUSB*” $user = “jbrion” if ((Get-ADUser $user -Properties memberof).memberof -like $group* ) { # If the user is a member of a group echo “True” } Else { # User not in the group echo “False” }
Export Active Directory Group Members using PowerShell
Previously, we showed how to get AD group membership using PowerShell. In some cases, you need to export the resulting list of users or groups to a text or CSV file.
In order to save the list of users that the user is a member of to a plain text file, it is enough to redirect the results of the command to a file using the >> operator. For example:
Get-ADUser j.brion -Properties Memberof | Select -ExpandProperty memberOf >> c:\ps\ad_group.txt
As a result, a text file will appear in the specified directory with the distinguished name of all groups of which the user is a member of.
To export PowerShell objects to CSV format, use the Export-CSV cmdlet. All you need to do is use a pipe to pass the output of the previous command to the Export-Csv cmdlet.
Let’s get a list of group users and export this list to a CSV file.
Get-ADPrincipalGroupMembership j.brion | Select-Object name,description,GroupCategory,GroupScope,distinguishedName| Export-Csv -NoTypeInformation c:\ps\ad_group.csv -Encoding UTF8
Note that you can use the Select-Object cmdlet to get only the attributes of the PowerShell objects whose values you want to export to CSV.
- How to Search and Delete Malicious Emails in Office 365? - January 29, 2023
- How to Install Google Chrome for Fedora? - January 29, 2023
- Lens Kubernetes IDE — Opensource Lens Desktop - January 27, 2023
Thank you. This is just what I needed however during testing it became clear that you may need to use a wildcard since the Get-ADUser cmdlet will return the distinguished name of the group which contains superfluous verbiage, eg, CN=GroupName,OU=Marketing,DC=Domain,DC=Subdomain,DC=com.
Thus, using the -like operator requires that you enclose the search term like such:
if ((Get-ADUser $user -Properties memberof).memberof -like “*$group*” )
If i’m piping this out into a file tracking user login/out, what is the variable for the security group? I have a simple batch file but can’t get the group or even the description to pipe out. Came across this post, hoping you can maybe help? Simple bat file is below, just need to capture the security group or description. So far i’ve tried group, groups, groupname, membership, memberships, memberof, securitygroup, security and description. Hope you can help, thank you.
Echo %computername %username% %date% %time% >>’file’
Hi,
How can we get just security group list which used in AD through PowerShell.
Thanks
Devin