79

Suppose I have the user ID of a user in Active Directory. I'd like to get a list of all AD groups of which that user is currently a member. How can I do this from the Windows command line?

I've tried the following:

dsget user "DC=jxd123" -memberof

Error:

dsquery failed:'-memberof' is an unknown parameter.
type dsquery /? for help.
JustBeingHelpful
    You certainly won't get an error for dsquery when you execute dsget. Copy&Paste fail? – mfinni Aug 19 '13 at 18:57
  • FYI, found the [same question](http://stackoverflow.com/q/5072996/190298) on StackOverflow with a couple more answers. – Nic Aug 20 '13 at 07:42
  • I don't have enough reputation to answer, but assuming you are using PowerShell, you can write this: Get-ADPrincipalGroupMembership username | select name – A P Sep 10 '19 at 07:29
  • See also: https://stackoverflow.com/questions/5072996/how-to-get-all-groups-that-a-user-is-a-member-of – Ben Creasy Apr 25 '23 at 06:05

15 Answers

112

Or with the net user command...

net user /domain username
Jack
    I love the simplicity that some of the "old" DOS commands offer. And, they've always been there so even if you don't have PoSH loaded on an old machine, DOS comes to the rescue! Thanks for posting this. – Jeff Moden Nov 04 '14 at 21:06
  • This will only return explicit, but not implicit group memberships. – Elias Probst Nov 05 '14 at 22:45
  • Slick command, BUT, the group names in the output are truncated to 21 characters... :-( – t0r0X Mar 16 '15 at 13:37
  • Yes, there are limitations. Nested group memberships are not shown and you are right, the output is truncated. Admittedly, I had not considered the latter. – Jack Jun 23 '15 at 00:18
  • Worked great but why would it be truncated? Is there a config/parameter that can be added for full group name? – ThinkCode Aug 17 '16 at 14:44
  • This one is nice since it comes out of the box with Windows so will work on client machines joined to the domain which may not have AD Powershell cmdlets installed – nijave Aug 31 '21 at 17:01
69

Single line, no modules necessary, uses the currently logged-on user $($env:username), runs from other Windows machines:

(New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=User)(samAccountName=$($env:username)))")).FindOne().GetDirectoryEntry().memberOf

Kudos to this VBS/PowerShell article: http://technet.microsoft.com/en-us/library/ff730963.aspx

Canoas
  • Very good solution, the only one which worked for me without installing any additional software! Thanks! – t0r0X Mar 16 '15 at 13:46
  • +1 for working on a restricted system without any additional software! – Saustrup Aug 11 '16 at 07:50
  • Another +1 here for both working on a restricted system and having better output than net.exe. Thanks a bunch! – Scott Johnson Feb 22 '21 at 21:38
  • Thanks a lot! This is just the **perfect solution** indeed. It gets **non-truncated** group names and works with limited permissions. For a quick ad hoc view I use `net group /domain`. But when full group names are critical this PS snippet is a life-saver. – Puterdo Borato Feb 10 '23 at 10:39
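The comments above raise the two gaps in the one-liners on this page: nested (implicit) memberships are missing, and some outputs truncate names. The following is an added example, not code from this answer or any other on the page: it uses the same System.DirectoryServices classes, so it runs on any domain-joined machine without the RSAT module, resolves nesting on the domain controller with the LDAP_MATCHING_RULE_IN_CHAIN rule, and adds the primary group, which never appears in memberOf. The function names are this example's own, and the account name jxd123 in the usage line is taken from the question.

```powershell
# Added example, not from the question or any answer on this page. Resolves the
# transitive (direct + nested) group membership of any account with plain
# System.DirectoryServices: no RSAT module needed, full group names. Nesting is
# evaluated by the DC via LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941);
# the primary group (absent from memberOf) is added from primaryGroupID.
function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves, so a sAMAccountName or DN taken
    # from input cannot alter the meaning of the filter it is inserted into.
    param([string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', { param($m) '\' + ('{0:x2}' -f [int][char]$m.Value) })
}

function Get-TransitiveGroupMembership {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # DN to search under; when omitted the root of the current domain is used.
        [string]$SearchRootDn
    )
    $root = if ($SearchRootDn) { [ADSI]"LDAP://$SearchRootDn" } else { $null }
    $sam  = ConvertTo-LdapFilterValue $SamAccountName
    $userSearcher = New-Object System.DirectoryServices.DirectorySearcher(
        $root, "(&(objectCategory=person)(sAMAccountName=$sam))",
        [string[]]@('distinguishedName', 'memberOf', 'objectSid', 'primaryGroupID'))
    $user = $userSearcher.FindOne()
    if (-not $user) { throw "Account '$SamAccountName' was not found." }
    $userDn = [string]$user.Properties['distinguishedname'][0]
    $direct = @($user.Properties['memberof'])     # explicit memberships, as net user shows them

    # Every group whose member attribute reaches the user directly or through nesting.
    $chain  = "member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $userDn)"
    $groupSearcher = New-Object System.DirectoryServices.DirectorySearcher(
        $root, "(&(objectCategory=group)($chain))", [string[]]@('sAMAccountName', 'distinguishedName'))
    $groupSearcher.PageSize = 500                 # paged search: not capped at 1000 results
    $groups = @(foreach ($g in $groupSearcher.FindAll()) {
        $dn = [string]$g.Properties['distinguishedname'][0]
        [pscustomobject]@{ Name = [string]$g.Properties['samaccountname'][0]
                           Direct = ($direct -contains $dn); DistinguishedName = $dn }
    })

    # Primary group (usually Domain Users): the account's domain SID plus the primaryGroupID RID.
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($user.Properties['objectsid'][0], 0)
    $pgSid = "$($sid.AccountDomainSid)-$($user.Properties['primarygroupid'][0])"
    $pg    = [ADSI]"LDAP://<SID=$pgSid>"
    $groups += [pscustomobject]@{ Name = [string]$pg.sAMAccountName; Direct = $true
                                  DistinguishedName = [string]$pg.distinguishedName }
    $groups | Sort-Object Name
}

# Usage: Get-TransitiveGroupMembership -SamAccountName jxd123 | Format-Table -AutoSize
```

The Direct column separates the explicit memberships that net user reports from the ones inherited through nesting, which is useful when reviewing how an account ended up in a privileged group.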
55

You can do this in PowerShell pretty easily. I'm sure you can do it with the ds tools too, but they're old and crusty and PowerShell should be used for everything possible nowadays.

Import-Module ActiveDirectory
(Get-ADUser userName -Properties MemberOf | Select-Object MemberOf).MemberOf

Shorter version:

(Get-ADUser userName -Properties MemberOf).MemberOf
MDMarra
  • I downloaded Powershell, and now have a *.msu file. How do I install it using the *.msu file? – JustBeingHelpful Aug 19 '13 at 18:51
  • What operating system are you on? PowerShell is built into anything newer than XP and is available to XP as an optional Windows Update. – MDMarra Aug 19 '13 at 18:53
  • Windows XP .. My company is slow :-\ – JustBeingHelpful Aug 19 '13 at 18:57
  • Then you downloaded the wrong installer. Also, just a heads up, XP support ends in just under a year. Get upgrades moving! http://www.microsoft.com/en-us/windows/endofsupport.aspx – MDMarra Aug 19 '13 at 18:58
  • Thanks for the info! I work for a hospital, so we have hundreds of thousands of workstations. They are upgrading to Windows 7 next April. I don't have any control over hot fixes unfortunately. It's done via some Novell scripts. I just work in research. – JustBeingHelpful Aug 19 '13 at 19:18
  • `Get-ADPrincipalGroupMembership` is another way to do this in PowerShell. – Nic Aug 20 '13 at 07:43
  • I only get an error: `FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand`. But the other PowerShell one-liner from @Canoas does work very well! – t0r0X Mar 16 '15 at 13:44
  • See this link for an updated PowerShell command: https://akshaya-m.blogspot.com/2018/04/powershell-find-user-exist-in-ad-group.html – Akxaya Apr 12 '18 at 22:36
  • I get this error: Import-Module : The specified module 'ActiveDirectory' was not loaded because no valid module file was found in any module directory. – MikeKulls Nov 08 '22 at 04:10
19

If you need to see your own groups, there's whoami /groups:

Displays the user groups to which the current user belongs.

The advantage of this command over net user /domain username is that implicit group memberships are also displayed with whoami.

Dmitry Grigoryev
  • Best solution. Upvoted. Short and sweet. Doesn't truncate. Personally I like the LIST format best, i.e. `whoami /groups /fo list`, because it is the easiest to read with the eye. – peterh Feb 17 '17 at 14:15
  • Best answer here, especially on corporate systems where utilities are severely limited. – Carlos Nov 30 '21 at 00:26
  • Only works for the current user though. – MikeKulls Nov 08 '22 at 04:12
12

Found a good resource:

http://social.technet.microsoft.com/wiki/contents/articles/2195.active-directory-dsquery-commands.aspx

Here's how to do it from Windows command prompt:

dsquery user -samid jxd123 | dsget user -memberof | dsget group -samid
JustBeingHelpful
12

PowerShell:

Get-ADPrincipalGroupMembership -Identity jdoe | Format-Table -Property name
Michael Hampton
AbeNice
6

Another approach: a PowerShell script that lists all implicit group memberships from the Windows account token. Works on a restricted system.

$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
ForEach($group in $token.Groups){
    $group.Translate([System.Security.Principal.NTAccount])
}
ofthelit
3
dsquery user -samid "user id" | dsget user -memberof > userid_memberof.txt
jscott
Vibhat
2

adfind is another great tool for this sort of thing. It is a free tool from MVP Joe Richards.

http://www.joeware.net/freetools/tools/adfind/

You can use one of the shortcuts:

adfind -sc u:username memberof
sebix
Mike Kline
2
$ADUser = Read-Host "Provide the AD User account"
Get-ADPrincipalGroupMembership -Identity $ADUser | Sort-Object name | Format-Table -Expand name
sebix
Bill Ou
1

This PowerShell version returns just the AD group names, rather than the DN of the group. The Select-Object output can easily be piped to a CSV or text file.

(Get-ADUser ExampleUser -Properties MemberOf).memberof | Get-ADGroup | Select-Object name

0

Try adquery (if you're on Linux/RHEL).

# To find all AD groups a user "XXXX" is a part of:

adquery user -a XXXX

Conversely, to find all users an Active Directory group "ABCD" has:

adquery group -a ABCD

You can pipe with grep to refine further.

These commands can be run when you are logged on as a standard user without elevated privileges.

For the Windows operating system, Jack's answer is relevant.

More info here: https://docs.centrify.com/Content/auth-unix-user/CommandLineUsers.htm

Raman Kathpalia
0

PowerShell; it gives nice, clean output.

(get-aduser USER -Properties MemberOf | select MemberOf).MemberOf | % {$_.split(",")[0].replace("CN=","")}
Trbo
0

Try this:

gpresult -V /user blah
HBruijn
Andrew
0

Here's a solution searching all domains in the given forest (assuming proper permissions in each domain):

# provide the logon name here:
$user="alice"
$allGroups=@()

foreach ( $d in (Get-ADForest example.net).domains ) {
    Write-Output "Looking up $user in domain $d"
    $allGroups += Get-ADPrincipalGroupMembership $user -ResourceContextServer $d
}

$allGroups | ft name,GroupScope,distinguishedName -AutoSize

This uses Get-ADPrincipalGroupMembership.

Thomas BDX