Active Directory security groups are used to grant users permissions to domain services and resources. Therefore, to understand what permissions a specific user has in the AD domain, it is usually enough to look at the groups the user account is a member of, including groups inherited through nesting.
Getting Group Membership via ADUC
The easiest and most clear way to get a list of user groups in AD is to use the graphical snap-in Active Directory Users & Computers (ADUC).
- Run the dsa.msc snap-in;
- Right-click on the domain root and select Find;
- Enter a username and click Find Now;
- Open the user properties and go to the Member of tab;
- This tab lists the groups the selected user is a member of.
Checking AD Group Membership via Command Line
You can also check Active Directory group membership from the command line. Run the command:
net user USERNAME /domain
The command output lists the user's direct domain group memberships (Global Group memberships) and domain local group memberships (Local Group Memberships). Note that net user truncates long group names to fit its fixed-width output, so the names shown may be incomplete.
Using the following command, you can list the security groups in the access token of your current logon session (these are the groups actually used for authorization, including groups inherited through nesting):
whoami /groups
List the members of the domain group:
net group "CorpAPPUser" /domain
The main drawback of net user and net group is that they show direct membership only: groups a user belongs to through nested groups (a group that is itself a member of another security group) are not displayed. whoami /groups does include nested groups, because the token is built from the full transitive membership, but it works only for the currently logged-on account and reflects the state at logon time.
You can display a full list of user groups (including nested ones) using the dsget tool. Instead of a username, you need to specify its distinguishedName:
dsget user "CN=Jon Brion,OU=Users,OU=UK,DC=theitbros,DC=com" -memberof -expand
If you need to get the members of a specific security group, including nested group membership, use the command:
dsget group "CN=NY-Managers,OU=Users,OU=NY,DC=theitbros,DC=com" -members -expand
When you need to do the opposite and list the groups that a group is itself a member of, run:
dsget group "CN=NY-Managers,OU=Users,OU=NY,DC=theitbros,DC=com" -memberof -expand
Using dsquery and net group commands, you can display the members of a specific AD group:
dsquery group -name "AllowUSB" | dsget group -members
or:
net group "AllowUSB" /domain
How to List AD Group Members using PowerShell?
You can also check AD group membership using the PowerShell cmdlets Get-ADUser, Get-ADGroupMember and Get-ADPrincipalGroupMembership. To do this, you need the PowerShell Active Directory module installed on your computer.
Tip. To use the AD PowerShell module on Windows 10, you need to install RSAT (on Windows 10 1809 and later it is installed as an optional feature rather than as a separate download).
Display only usernames that are added to the specific AD group (including nested groups):
Import-Module ActiveDirectory
Get-ADGroupMember -Identity AllowUSB -Recursive | ft name
Display group members with detailed information on each member:
Get-ADGroupMember -Identity AllowUSB | Where-Object objectClass -eq 'user' | ForEach-Object { Get-ADUser $_ -Properties * }
(The objectClass filter is needed because a group may also contain computers or other groups, for which Get-ADUser fails.)
You can display only certain attributes of users in a group:
Get-ADGroupMember -Recursive "GroupName" | Where-Object objectClass -eq 'user' | ForEach-Object { Get-ADUser $_ -Properties displayName, company, title, department } | Format-Table displayName, company, department, title -AutoSize
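Get-ADGroupMember -Recursive flattens the result, so it tells you who is in a group but not through which nested groups they got there. The following script is an added example (not from the original article) that walks the nesting itself and reports the path for each member; group names and the domain controller are assumptions, and the ActiveDirectory module must be available:

```powershell
Import-Module ActiveDirectory

function Get-GroupMemberPaths {
    # Walks group nesting depth-first and emits one row per (member, path) pair.
    # A group reachable through two different parents is expanded under each, so every
    # path is reported; $PathDns holds the DNs of the current branch to break cycles.
    param(
        [Parameter(Mandatory)] [string] $Group,
        [string[]] $PathNames = @(),
        [string[]] $PathDns   = @()
    )
    $g = Get-ADGroup -Identity $Group
    if ($PathDns -contains $g.DistinguishedName) { return }   # nested-group cycles are legal in AD
    $namesHere = $PathNames + $g.Name
    $dnsHere   = $PathDns + $g.DistinguishedName

    foreach ($m in @(Get-ADGroupMember -Identity $g.DistinguishedName)) {
        if ($m.objectClass -eq 'group') {
            Get-GroupMemberPaths -Group $m.DistinguishedName -PathNames $namesHere -PathDns $dnsHere
        } else {
            [pscustomobject]@{
                Member      = $m.SamAccountName
                ObjectClass = $m.objectClass      # user, computer, msDS-GroupManagedServiceAccount, ...
                Depth       = $namesHere.Count - 1  # 0 = direct member of the top-level group
                Path        = $namesHere -join ' -> '
            }
        }
    }
}

# Usage (assumed group name): who is in Domain Admins, and through which groups; deepest nesting first
Get-GroupMemberPaths -Group 'Domain Admins' | Sort-Object Depth -Descending | Format-Table -AutoSize
```

Two caveats apply to Get-ADGroupMember itself, and therefore to this script: it fails on groups that contain foreign security principals (members from trusted domains), and the ADWS service returns at most 5000 members per call by default (MaxGroupOrMemberEntries). For such groups, read the member attribute directly with Get-ADGroup -Properties member and resolve the DNs yourself.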
The Active Directory groups a user is a direct member of can be listed using either of the following commands (Get-ADPrincipalGroupMembership also returns the primary group, usually Domain Users, which the memberOf attribute does not record):
Get-ADPrincipalGroupMembership jbrion | Select name
or
Get-ADUser jbrion -Properties Memberof | Select -ExpandProperty memberOf
Hint. If you need to export the resulting list of groups or users to a CSV file, add the following to the end of any of the PowerShell commands discussed here (replace a trailing ft/Format-Table with Select-Object first, because formatted output cannot be exported):
| Export-Csv -NoTypeInformation .\ad_group.csv -Encoding UTF8
Another way to get a list of all members of a group (direct or through nesting) is to use the -RecursiveMatch operator in the filter:
Get-ADUser -Filter {MemberOf -RecursiveMatch "CN=NY-Sales,OU=Groups,OU=NY,DC=theitbros,dc=com"}
If you only want to know whether a certain user belongs to a certain group, restrict the same query to that user's object by passing its distinguishedName as the search base (replace CN=User,... with the user's DN); the command returns the user object if the user is a member (directly or through nesting) and nothing otherwise:
Get-ADUser -Filter {MemberOf -RecursiveMatch "CN=NY-Sales,OU=Groups,OU=NY,DC=theitbros,dc=com"} -SearchBase "CN=User,OU=Users,OU=NY,DC=theitbros,DC=com" -SearchScope Base
You can also filter the user's groups by name:
Get-ADPrincipalGroupMembership jbrion | Where-Object { $_.Name -like "*allow*" } | Sort-Object Name | Select-Object -ExpandProperty Name
You can also use an LDAP filter with the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941), which makes the domain controller resolve the nesting; this is the same rule -RecursiveMatch uses. For instance, to get a full list of the groups to which a user account belongs (including nested groups), use the command:
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=CN=John Brion,OU=Employees,OU=NY,DC=theitbros,DC=com)"
The following PowerShell script template can be used to check a user's membership in a specific Active Directory group and perform some actions depending on the result. Because the memberOf attribute holds each group's distinguishedName, the group name must be wrapped in * wildcards; to avoid matching other groups whose DN merely contains the same text (for example "*Sales*" also matches "PreSales"), use a pattern anchored on the CN, such as "*CN=AllowUSB,*". Note that memberOf records direct membership only, so membership inherited through nested groups is not detected by this check:
$group = "*AllowUSB*"
$user = "jbrion"
if ((Get-ADUser $user -Properties memberOf).memberOf -like $group) {
    # The user is a direct member of a group whose DN matches the pattern
    "True"
} else {
    # The user is not a direct member of the group
    "False"
}
Thank you. This is just what I needed; however, during testing it became clear that you may need to use a wildcard, since the Get-ADUser cmdlet will return the distinguished name of the group, which contains superfluous verbiage, e.g., CN=GroupName,OU=Marketing,DC=Domain,DC=Subdomain,DC=com.
Thus, using the -like operator requires that you enclose the search term like so:
if ((Get-ADUser $user -Properties memberof).memberof -like "*$group*" )
If I'm piping this out into a file tracking user login/out, what is the variable for the security group? I have a simple batch file but can't get the group or even the description to pipe out. Came across this post, hoping you can maybe help? The simple bat file is below; I just need to capture the security group or description. So far I've tried group, groups, groupname, membership, memberships, memberof, securitygroup, security and description. Hope you can help, thank you.
echo %computername% %username% %date% %time% >>'file'