How To Check AD Group Membership? - TheITBros

The Active Directory Users and Computers (ADUC) graphical MMC snap-in can be used to view the list of Active Directory groups that the user is a member of. Simply open this snap-in (run the dsa.msc command), find the user and go to the Member of tab. This shows the current user’s AD group membership.

However, this method only shows the user’s direct group membership and does not allow you to export a list of groups in any form. To list all the groups that the user is a member of (including nested ones) and export the list to a CSV/TXT file, it is more convenient to use command-line tools or PowerShell cmdlets.

Contents

Toggle

• List AD groups a user is a member of with PowerShell
  • Include Nested Group Membership in Results
• Export AD Group Members to CSV using PowerShell
• List Active Directory Group Members with PowerShell
  • Add User Attributes for Each Group Member
• Check AD Group Membership via Command Line
  • Using NET USER and NET GROUP Commands
  • Using whoami /groups Command

List AD groups a user is a member of with PowerShell

To check the user’s membership in AD groups, use the cmdlets from the PowerShell Active Directory module.

Use one of the following commands:

Get-ADPrincipalGroupMembership jbrion | Select name

or

Get-ADUser jbrion -Properties Memberof | Select -ExpandProperty memberOf

Both commands list the Active Directory groups the jbrion user account is a member of. However, the output doesn’t include nested AD groups.

Include Nested Group Membership in Results

To include nested group membership to the output, use the following PowerShell script, which uses a simple LDAP filter to check the membership:

$username = 'jbrion' $filter = "member:1.2.840.113556.1.4.1941:=" + (Get-ADUser $username).DistinguishedName Get-ADGroup -LDAPFilter "($filter)" |select SamAccountName,ObjectClass

Export AD Group Members to CSV using PowerShell

To export the resulting AD group membership report to a text or CSV file, you can use the >> operator or the Export-CSV cmdlet.

For example, export the list of Distinguished Names (DNs) of all the groups the user is a member of to a plain TXT file:

Get-ADUser j.brion -Properties Memberof | Select -ExpandProperty memberOf >> c:\ps\ad_group.txt

Or select the group attributes you need and export the group membership to a CSV file:

Get-ADPrincipalGroupMembership j.brion | Select-Object name,description,GroupCategory,GroupScope,distinguishedName| Export-Csv -NoTypeInformation c:\ps\ad_group.csv -Encoding UTF8

List Active Directory Group Members with PowerShell

In some cases, you may need to view a full list of AD group members (including nested ones). Use this command:

Get-ADGroupMember -Identity fs01-salary -Recursive | ft SamAccountName, SID, name

Add User Attributes for Each Group Member

If you need to add specific user attributes for each group member, add the foreach loop:

Get-ADGroupMember -Identity fs01-salary -Recursive | foreach { Get-ADUser $_ -Properties * } | select displayName,company,department,title,email

Check AD Group Membership via Command Line

Using NET USER and NET GROUP Commands

You can also list the Active Directory user’s group membership from the command prompt using the built-in net user command:

NET USER username /DOMAIN

The command output contains the user’s domain (Global Group Memberships) and Local Group Memberships.

If you need to list all users who are members of a specified AD group from cmd, use the net group command. For example:

NET GROUP "group name" /DOMAIN

Using whoami /groups Command

If you need to list the security groups that your account is a member of, run:

whoami /groups