Home / server / Questions / 532106
Accepted
MacGyver
Asked: 2013-08-20 10:42:43 +0800 CST

Get list of AD groups a user is a member of

  • 772

Suppose I have the user id of a user in Active Directory. I'd like to get a list of all AD groups in which that user is currently a member of. How can I do this from the Windows command line?

I've tried the following:

dsget user "DC=jxd123" -memberof

Error:

dsquery failed:'-memberof' is an unknown parameter.
type dsquery /? for help.
windows

15 Answers

  1. Or with the net user command...

    net user /domain username
    • 104

  2. Single line, no modules necessary, uses current logged user $($env:username), runs from other windows machines:

    (New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=User)(samAccountName=$($env:username)))")).FindOne().GetDirectoryEntry().memberOf

    Qudos to this vbs/powershell article: http://technet.microsoft.com/en-us/library/ff730963.aspx

    • 61
  3. Best Answer

    You can do this in PowerShell pretty easily. I'm sure you can do it with the ds tools too, but they're old and crusty and PowerShell should be used for everything possible nowadays.

    Import-Module ActiveDirectory
(Get-ADUser userName –Properties MemberOf | Select-Object MemberOf).MemberOf

    Shorter version

    (Get-ADUser userName –Properties MemberOf).MemberOf
    • 47

  4. If you need to see your own groups, there's whoami /groups:

    Displays the user groups to which the current user belongs.

    The advantage of this command over net user /domain username is that implicit group memberships are also displayed with whoami.

    • 17

  5. Found a good resource:

    http://social.technet.microsoft.com/wiki/contents/articles/2195.active-directory-dsquery-commands.aspx

    Here's how to do it from Windows command prompt:

    dsquery user -samid jxd123 | dsget user -memberof | dsget group -samid
    • 12

  6. PowerShell:

    Get-ADPrincipalGroupMembership -Identity jdoe | Format-Table -Property name
    • 11

  7. Another approach: a PowerShell script that lists all implicit group memberships from the Windows account token. Works on a restricted system.

    $token = [System.Security.Principal.WindowsIdentity]::GetCurrent() 
ForEach($group in $token.Groups){
    $group.Translate([System.Security.Principal.NTAccount])
}
    • 6 
  8. dsquery user -samid "user id" | dsget user -memberof > userid_memberof.txt
    • 3

  9. adfind is another great tool for this sort of thing. It is a free tool from MVP Joe Richards

    http://www.joeware.net/freetools/tools/adfind/

    You can use one of the shortucts

    adfind -sc u:username memberof
    • 2 
  10. $ADUser = Read-Host "Provide the AD User account"
Get-ADPrincipalGroupMembership -Identity $ADUser | Sort-Object name | Format-Table -Expand name
    • 2