How to Check Active Directory Group Membership?

Active Directory security groups are used to grant users permissions to domain services and resources. To understand what permissions a specific user holds in the AD domain, therefore, you need to look at the groups the user account is a member of.

The easiest and clearest way to get the list of a user's groups in AD is the graphical snap-in Active Directory Users & Computers (ADUC).

  1. Run the dsa.msc snap-in;
  2. Right-click on the domain root and select Find;
  3. Enter a username and click Find Now;
  4. Open the user properties and go to the Member of tab;
  5. This tab lists the groups the selected user is a member of.


You can also check Active Directory group membership from the command line. Run the command:

net user USERNAME /domain

As you can see, the command output contains the user's domain groups (Global Group memberships) and local groups (Local Group Memberships). Keep in mind that net user does not list universal groups and truncates long group names in its output, so it does not give a complete picture.


The following command lists the security groups that your own account (the current logon session) is a member of:

whoami /groups

The main drawback of the ADUC Member Of tab and of net user is that they show direct membership only: if the user is a member of group A and group A is itself a member of group B, B is not displayed, although the user effectively receives B's permissions. whoami /groups is different in that it reads the groups from the current logon token, which does include nested groups, but it works only for the account you are currently logged on as and reflects the membership as it was at logon time.

You can display a full list of a user's groups (including nested ones) for any account with the dsget tool. Instead of the username, you need to specify the user's distinguishedName:

dsget user "CN=Jon Brion,OU=Users,OU=UK,DC=theitbros,DC=com" -memberof -expand


Using the dsquery and net group commands, you can display the members of a specific AD group:

dsquery group -name "AllowUSB" | dsget group -members

or:

net group "AllowUSB" /domain

Both commands list direct members only. To also expand the members of groups nested inside the group, add the -expand option to dsget group -members.


You can also check AD group membership with the PowerShell cmdlets Get-ADUser, Get-ADGroupMember and Get-ADPrincipalGroupMembership. To use them, the Active Directory module for PowerShell (part of the RSAT tools) must be installed on your computer.


Display the names of the users that are members of a specific AD group, including members of nested groups:

Import-Module ActiveDirectory

Get-ADGroupMember -Identity AllowUSB -Recursive | Format-Table Name

Display group members with detailed information about each of them (the Where-Object filter skips nested groups and computer accounts, on which Get-ADUser would fail):

Get-ADGroupMember -Identity AllowUSB | Where-Object objectClass -eq 'user' | ForEach-Object { Get-ADUser $_ -Properties * }
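As an added example (this is not code from the original article), the script below enumerates the effective membership of a group with the LDAP_MATCHING_RULE_IN_CHAIN operator (OID 1.2.840.113556.1.4.1941), which makes the domain controller walk the nesting chain server-side. It covers cases where Get-ADGroupMember -Recursive falls short: it is not subject to the ADWS result-size limit that breaks Get-ADGroupMember on very large groups, and it returns foreign security principals from trusted domains, on which Get-ADGroupMember fails. The group name AllowUSB is taken from the article; the function names are this example's own.

```powershell
# Added example, not part of the original article.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value embedded in an LDAP filter. The backslash is handled
    # first so that characters already escaped inside a DN (for example "\,") stay intact.
    param([Parameter(Mandatory)] [string] $Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Get-ADGroupEffectiveMembers {
    # Returns every object whose memberOf chain leads to the group, at any nesting depth.
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $GroupName)

    $group  = Get-ADGroup -Identity $GroupName
    $dn     = ConvertTo-LdapFilterValue -Value $group.DistinguishedName
    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: the DC follows the nesting chain.
    $filter = "(memberOf:1.2.840.113556.1.4.1941:=$dn)"

    # Get-ADObject rather than Get-ADUser: nested members may be users, computers, groups
    # or foreign security principals, and all of them matter for a permission audit.
    Get-ADObject -LDAPFilter $filter -Properties objectClass, sAMAccountName, objectSid |
        ForEach-Object {
            [pscustomobject]@{
                Name           = $_.Name
                SamAccountName = $_.sAMAccountName
                ObjectClass    = $_.ObjectClass
                SID            = $_.objectSid.Value
            }
        }
}

$groupName = 'AllowUSB'   # group name from the article; change to a group in your domain

$direct    = @(Get-ADGroupMember -Identity $groupName)
$effective = @(Get-ADGroupEffectiveMembers -GroupName $groupName)

"Direct members    : $($direct.Count)"
"Effective members : $($effective.Count)"

# Which object classes end up with the permission, including any groups nested inside.
$effective | Group-Object ObjectClass | Select-Object Name, Count

# The usual audit question: which user accounts actually get the permission?
$effective | Where-Object ObjectClass -eq 'user' | Sort-Object SamAccountName |
    Select-Object SamAccountName, Name, SID
```

The filter value is escaped because a distinguishedName can legitimately contain parentheses or asterisks, and an unescaped one would either break the filter or match the wrong object. The difference between the direct and effective counts is exactly the membership that the Member Of tab and net group do not show you.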

The list of Active Directory groups that a user is a direct member of can be displayed with the following commands:

Get-ADPrincipalGroupMembership jbrion | Select-Object Name

or

Get-ADUser jbrion -Properties memberOf | Select-Object -ExpandProperty memberOf

Both commands return direct membership only, not nested groups. Note also that the memberOf attribute does not contain the user's primary group (Domain Users by default), whereas Get-ADPrincipalGroupMembership does list it.
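As an added example (not code from the original article), the script below lists a user's effective groups from the tokenGroups constructed attribute, which is the set of group SIDs the domain controller computes for the user's logon token. This is the same view whoami /groups gives for your own account, but for any user: it includes nested groups, the primary group and groups from other domains in the forest, none of which memberOf alone shows. Each group is tagged as Direct (present in memberOf), Primary (from primaryGroupID) or Nested. The user name jbrion is taken from the article; the function name is this example's own.

```powershell
# Added example, not part of the original article.
Import-Module ActiveDirectory

function Get-ADUserEffectiveGroups {
    # Returns the groups that end up in the user's logon token, each tagged with how the
    # user got there: Direct (listed in memberOf), Primary (primaryGroupID) or Nested.
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Identity)

    $user       = Get-ADUser -Identity $Identity -Properties memberOf, primaryGroupID
    $directDns  = @($user.memberOf)
    # The primary group is not in memberOf; its SID is <domain SID>-<primaryGroupID>.
    $primarySid = "$($user.SID.AccountDomainSid.Value)-$($user.primaryGroupID)"

    # tokenGroups is a constructed attribute, computed by the DC for a base-scope read of
    # the object, so it is fetched through ADSI with an explicit cache refresh.
    $entry = [ADSI]"LDAP://$($user.DistinguishedName)"
    $entry.RefreshCache(@('tokenGroups'))

    foreach ($raw in $entry.Properties['tokenGroups']) {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        $name = $sid.Value
        $dn   = $null
        try {
            $group = Get-ADGroup -Identity $sid.Value -ErrorAction Stop
            $name  = $group.Name
            $dn    = $group.DistinguishedName
        } catch {
            # Groups from other domains in the forest are not found in this domain; fall back
            # to an NT account name, or keep the raw SID if even that cannot be translated.
            try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        }

        if ($dn -and $directDns -contains $dn) { $source = 'Direct' }
        elseif ($sid.Value -eq $primarySid)    { $source = 'Primary' }
        else                                   { $source = 'Nested' }

        [pscustomobject]@{ Name = $name; SID = $sid.Value; Source = $source }
    }
}

$userName = 'jbrion'   # user name from the article; change to an account in your domain

# Everything that grants this user permissions, not only what the Member Of tab shows.
Get-ADUserEffectiveGroups -Identity $userName | Sort-Object Source, Name | Format-Table -AutoSize

# Just the groups that the Member Of tab and the memberOf attribute would have missed.
Get-ADUserEffectiveGroups -Identity $userName | Where-Object Source -ne 'Direct'
```

Reading tokenGroups of another account requires read permission on that object's constructed attributes, so run this with an administrative account if the result comes back empty. Because the value is computed by the DC from the current directory state, it also reflects membership changes made after the user last logged on, unlike whoami /groups.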


You can filter the result by group name (the filter has to be applied to the Name property, since the objects in the pipeline are ADGroup objects, not strings):

Get-ADPrincipalGroupMembership jbrion | Where-Object { $_.Name -like "*allow*" } | Sort-Object Name | Select-Object -ExpandProperty Name


The following PowerShell script template checks whether a user is a direct member of a specific Active Directory group and performs some action depending on the result. The group is resolved to its distinguishedName first and compared exactly: a wildcard such as "*AllowUSB*" would also match unrelated groups like "DisallowUSB" or "AllowUSB-Audit", which is not acceptable in a check that gates an action. Keep in mind that memberOf covers direct membership only (no nested groups and no primary group).

$group = "AllowUSB"
$user  = "jbrion"

# Resolve the group to its DN, because memberOf contains distinguishedNames
$groupDn  = (Get-ADGroup -Identity $group).DistinguishedName
$memberOf = (Get-ADUser -Identity $user -Properties memberOf).memberOf

if ($memberOf -contains $groupDn)
{
    # The user is a direct member of the group
    Write-Output "True"
}
else
{
    # The user is not a direct member of the group
    Write-Output "False"
}



Cyril Kardashevsky