I'm running a Windows XP desktop in a corporate environment. How can I find out which Active Directory groups I belong to?
Asked
Active
Viewed 4.8e+01k times
254
-
5Well, it's from a client/desktop perspective. It'd be pretty easy to figure out if I had access to AD. – chris Feb 10 '10 at 16:50
-
@chirs, perhaps clarify in your question that you mean from the perspective of a client in a Windows domain. – heavyd Feb 10 '10 at 17:09
7 Answers
267
Try running gpresult /R for RSoP summary or gpresult /V for verbose output from the command line as an administrator on the computer. It should output something like this:
C:\Windows\system32>gpresult /V
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 2/10/2010 at 10:27:41 AM
RSOP data for OQMSupport01\- on OQMSUPPORT01 : Logging Mode
------------------------------------------------------------
OS Configuration: Standalone Workstation
OS Version: 6.1.7600
Site Name: N/A
Roaming Profile: N/A
Local Profile: C:\Users\-
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
Last time Group Policy was applied: 2/10/2010 at 10:16:09 AM
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps
Domain Name: OQMSUPPORT01
Domain Type: <Local Computer>
Applied Group Policy Objects
-----------------------------
N/A
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups
-------------------------------------------------------
System Mandatory Level
Everyone
Debugger Users
IIS_WPG
SQLServer2005MSSQLUser$OQMSUPPORT01$ACT7
SQLServerMSSQLServerADHelperUser$OQMSUPPORT01
BUILTIN\Users
NT AUTHORITY\SERVICE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
BDESVC
BITS
CertPropSvc
EapHost
hkmsvc
IKEEXT
iphlpsvc
LanmanServer
MMCSS
MSiSCSI
RasAuto
RasMan
RemoteAccess
Schedule
SCPolicySvc
SENS
SessionEnv
SharedAccess
ShellHWDetection
wercplsupport
Winmgmt
wuauserv
LOCAL
BUILTIN\Administrators
USER SETTINGS
--------------
Last time Group Policy was applied: 2/10/2010 at 10:00:51 AM
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps
Domain Name: OQMSupport01
Domain Type: <Local Computer>
The user is a part of the following security groups
---------------------------------------------------
None
Everyone
Debugger Users
HomeUsers
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
NTLM Authentication
High Mandatory Level
The user has the following security privileges
----------------------------------------------
Bypass traverse checking
Manage auditing and security log
Back up files and directories
Restore files and directories
Change the system time
Shut down the system
Force shutdown from a remote system
Take ownership of files or other objects
Debug programs
Modify firmware environment values
Profile system performance
Profile single process
Increase scheduling priority
Load and unload device drivers
Create a pagefile
Adjust memory quotas for a process
Remove computer from docking station
Perform volume maintenance tasks
Impersonate a client after authentication
Create global objects
Change the time zone
Create symbolic links
Increase a process working set
Or if you are logged in to a Windows Server OS with the ActiveDirectory PowerShell Module (or Client OS with the Remote Server Administration Tools) try the Get-ADPrincipalGroupMembership cmdlet:
C:\Users\username\Documents> Get-ADPrincipalGroupMembership username | Select name
name
----
Domain Users
All
Announcements
employees_US
remotes
ceo-report
all-engineering
not-sales
Global-NotSales
Greg Bray
- 5,610
- 5
- 36
- 53
-
35For reasons probably related to the configuration of my client's network, when I used /v, I received a giant wall of text with the group list buried somewhere inside. I had much better luck with `gpresult /r`. – Jake May 23 '13 at 18:37
-
16Bit of a sledehammer to crack a nut. WHOAMI is the way forward, or NET USER
/domain, although this truncates groups with long names. – Simon Catlin Jul 18 '13 at 19:04 -
2I had to use `gpresult /r`. `NET USER` only displayed the first 3 - 5 group memberships. – Eddie Groves Aug 06 '15 at 22:40
-
1I read this question every time I get a new job. This time it's favourited! – Robino May 25 '16 at 14:16
-
With full credit to Greg Bray's answer... if the result exceeds the screen size and you need to see ALL of it, use the handy [redirect(pipe) command](https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/redirection.mspx?mfr=true): "**`>`**" to write the results to file. So it would become something like this: C:\Windows\system32>gpresult /V >c:\group_details.txt – tinonetic Mar 24 '17 at 08:05
189
Use
whoami /groups
This should not only list security groups but distribution groups, if I recall correctly (and which might also be useful to know). Also takes care of nesting, ie you are in group A which is in B, so it shows you as also in B (again I am trying to recall the details here).
In Vista and Win7 natively, for XP you probably need the sp2 support tools (which would also require that you have sufficient priviledges to install them of course). http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en
AdamV
- 2,021
- 1
- 11
- 4
-
Also whoami /groups has an edge case where you get the wrong information. See http://stackoverflow.com/questions/4051883/batch-script-how-to-check-for-admin-rights/30921854#30921854 – zumalifeguard Jun 18 '15 at 17:36
48
I think you can write in a cmd window:
net user USERNAME /domain
Replace USERNAME with your own username, without domain prefix.
Stevoisiak
- 123
- 8
Patrik Lindström
- 591
- 4
- 5
-
2Awesome; this helps me not only see what I have, but what others have, which is useful when I need to see why other users don't have access to something. Excellent work! – Question3CPO Aug 21 '13 at 22:12
-
Will definitely file this one away for the future - carries over to powershell as well. – Jun 11 '15 at 18:00
-
Just a comment to say thanks, this is much easier than logging into server to check groups, some other useful info there too. – Adam Dempsey Sep 08 '17 at 08:54
17
Start - Run - CMD - GPRESULT /r is sufficient -> you don't need to display the full "/v" to visualize group belongings as a client-user as far as AD is concerned (under Windows 7 for sure, but I'm not sure about winxp)
Wojtek Krotoszynski
- 171
- 1
- 2
9
If you don't have access to AD:
Start - Run - CMD - GPRESULT /v
You will see at the end: The user is part of the following security groups
r0ca
- 212
- 2
- 10
- 25
6
If you're looking for speed then gpresult is s l o w...especially if there are a lot of GPO's applied.
Just run one of the following, one is for local group and the other is for domain groups:-
Local - 'c:\windows\system32\net.exe localgroup' + 'name of group to check'
Domain - 'c:\windows\system32\net.exe group /domain' + 'name of group to check'
Then parse the output for the username you are looking for as the result will list of the users in that group. Hope this helps.
user1673554
- 161
- 1
- 1
0
I've stumbled upon this many times and finally I wrote the small PowerShell script to filter them out by name.
whoami /groups | Select-String -Pattern "[\w-]*)\s+Group" | % { $_.matches.groups[1].Value }
The above does
- Print all groups in table like structure
- Selects those rows that has the second column set to Group
- Prints the captured group which will be the value of first column
As you can see by the script, I'm not a PowerShell expert so this can likely be improved greatly.
Hope it might come in handy
Cheers
joacar
- 101
- 1