How to Get All Group Membership of a User Using PowerShell
- Get a User’s Group Membership With net Legacy Commands
- Get a User’s Group Membership With ADSI
- Get a User’s Group Membership With a New Object
- Get a User’s Group Membership With the Active Directory Module
In Windows PowerShell, there are several ways to fetch the list of a specific user’s group memberships. We can use legacy commands, native .NET classes, or an extension module loaded into PowerShell’s scripting environment.
This article discusses each of these methods in turn, their advantages and disadvantages, and how they are correctly executed.
The following commands will only run properly if your computer or server is joined to an Active Directory domain. On a standalone machine (the default WORKGROUP, which is not a domain) the domain lookups fail and the commands throw an exception.
Get a User’s Group Membership With net Legacy Commands
We can start with a legacy command that has been around since the very early versions of the operating system: the net commands. The net commands are implemented by net.exe, so they are normally run from the command prompt, but because PowerShell runs external executables directly they work unchanged inside PowerShell as well.
The net commands are typically used to manage the local computer. Still, we can use them to get the group membership of a specific domain user with the syntax below.
net user /domain username
The output lists not only the user’s global group memberships but also the domain local groups the user belongs to (shown under "Local Group Memberships"). Only direct memberships are shown; groups the user belongs to through another group do not appear.
One disadvantage of this command is that it is far less flexible than the newer Windows PowerShell cmdlets: it returns plain text rather than objects, so the group names have to be parsed out of the output. Also, long group names (longer than about 21 characters) are truncated in the column layout and marked with an asterisk, so they cannot be reliably exported.
Get a User’s Group Membership With ADSI
According to Microsoft, ADSI, or Active Directory Service Interfaces, is a set of built-in COM interfaces used to access directory services. PowerShell exposes it through the [ADSISearcher] type accelerator, which is shorthand for the System.DirectoryServices.DirectorySearcher class and can be used to query the group membership of the current user.
([ADSISEARCHER]"samaccountname=$($env:USERNAME)").Findone().Properties.memberof
Each memberOf value is the full distinguished name of a group, for example CN=groupname,OU=Groups,DC=example,DC=com. We can improve on the raw output with a regular expression that keeps only the CN value, so that only the group names are returned.
([ADSISEARCHER]"samaccountname=$($env:USERNAME)").Findone().Properties.memberof -replace '^CN=([^,]+).+$', '$1'
This method does not need any module installation, as the class is built into every Windows machine. The only requirement is that the machine is joined to a domain; running the syntax above on a standalone machine throws an exception because no domain controller can be located.
Note that the examples above identify the user through $env:USERNAME, so they query the currently logged-in user. The value in the filter is an ordinary sAMAccountName, however, so a different user can be targeted by substituting another account name. Two limitations apply to every memberOf-based method: the attribute lists only direct memberships, not groups reached through nesting, and it never includes the user’s primary group (normally Domain Users), which is stored separately in the primaryGroupID attribute.
Get a User’s Group Membership With a New Object
Another method of getting a user’s group membership is to create a System.DirectoryServices.DirectorySearcher object directly with New-Object. This is the same class that [ADSISearcher] abbreviates, so again no separate module has to be installed.
This method can target any user inside your domain, because the LDAP filter is sent to a domain controller of the domain the machine is joined to.
(New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=User)(samAccountName=$($env:USERNAME)))")).FindOne().GetDirectoryEntry().memberOf
If you don’t want to query the logged-in user, you can replace $env:USERNAME with the exact username of the target user.
$username = "user01"
(New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=User)(samAccountName=$($username)))")).FindOne().GetDirectoryEntry().memberOf
Like the previous method, this one outputs the full distinguished name of each group, including the OU path and domain components, rather than just the group name, and it shows only direct memberships.
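Both the [ADSISearcher] and the New-Object DirectorySearcher sections above rely on the memberOf attribute, which lists only direct memberships and omits the primary group, and they interpolate a user name straight into an LDAP filter. The following is an added example, not code from the original article, that addresses all three points with the same DirectorySearcher class: it escapes the filter value, adds the primary group by rebuilding its SID, and asks the domain controller to expand nested membership with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941). The function names and the sample account user01 are this example’s own; it assumes the machine is domain-joined.

```powershell
function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 gives special meaning inside a filter, so a
    # caller-supplied name or DN cannot rewrite the query (LDAP filter injection).
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-EffectiveGroupMembership {
    # Example function (not part of the article): direct, nested and primary groups of one user.
    param([string]$SamAccountName = $env:USERNAME)

    $domainDn   = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $domainRoot = [ADSI]"LDAP://$domainDn"

    # Locate the user, loading only the attributes we need.
    $userSearcher = New-Object System.DirectoryServices.DirectorySearcher($domainRoot)
    $userSearcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    $userSearcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'memberOf', 'primaryGroupID', 'objectSid'))
    $user = $userSearcher.FindOne()
    if (-not $user) { throw "No user with sAMAccountName '$SamAccountName' under $domainDn" }

    $userDn    = [string]$user.Properties['distinguishedname'][0]
    $directDns = @($user.Properties['memberof'] | ForEach-Object { [string]$_ })

    # memberOf never lists the primary group (usually Domain Users): AD stores it only
    # as a RID in primaryGroupID, so rebuild the group SID and bind to it directly.
    $userSid    = New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$user.Properties['objectsid'][0]), 0)
    $primarySid = "$($userSid.AccountDomainSid.Value)-$($user.Properties['primarygroupid'][0])"
    $primary    = [ADSI]"LDAP://<SID=$primarySid>"
    [PSCustomObject]@{
        Name              = [string]$primary.cn
        DistinguishedName = [string]$primary.distinguishedName
        Membership        = 'Primary'
    }

    # LDAP_MATCHING_RULE_IN_CHAIN makes the DC walk nested membership server-side, so
    # groups reached only through other groups are returned too. PageSize avoids the
    # default 1000-result cap on large result sets.
    $groupSearcher = New-Object System.DirectoryServices.DirectorySearcher($domainRoot)
    $groupSearcher.Filter   = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $userDn)))"
    $groupSearcher.PageSize = 1000
    $groupSearcher.PropertiesToLoad.AddRange([string[]]@('cn', 'distinguishedName'))
    foreach ($g in $groupSearcher.FindAll()) {
        $dn = [string]$g.Properties['distinguishedname'][0]
        [PSCustomObject]@{
            Name              = [string]$g.Properties['cn'][0]
            DistinguishedName = $dn
            # A group that is in the chain result but not in memberOf was reached via nesting.
            Membership        = if ($directDns -contains $dn) { 'Direct' } else { 'Nested' }
        }
    }
}

# Sample calls (constructed): the logged-in user, then the nested-only groups of user01.
Get-EffectiveGroupMembership | Format-Table -AutoSize
Get-EffectiveGroupMembership -SamAccountName 'user01' | Where-Object Membership -eq 'Nested'
```

The escape step matters because the original one-liners build the filter by string interpolation; with an unescaped value such as `*` the filter would match every user and FindOne() would silently return the first one. The chain rule only follows the member attribute, so groups that contain the primary group itself (for example the built-in Users group, which contains Domain Users) are still not listed; reading the constructed tokenGroups attribute is the way to get the complete token when that matters.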
Get a User’s Group Membership With the Active Directory Module
This last method is one of the simplest and shortest ways of getting a user’s group membership. The only condition is that the Active Directory module is installed so that its cmdlets can be imported into our scripting environment.
Installing the Active Directory Module
Usually, the Install-Module cmdlet fetches a module from the PowerShell Gallery and installs it on your computer. The Active Directory module is not published there, however: it ships as part of a prerequisite package called the Remote Server Administration Tools, or RSAT, which must be installed first.
To install RSAT on your computer or the server, you may run the PowerShell scripts below.
Installing RSAT for Windows 10:
Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online
Installing RSAT for Windows Server (2012 and later; on 2008 R2 the equivalent cmdlet is Add-WindowsFeature from the ServerManager module):
Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature
Installing the RSAT feature on your machine will also install the Active Directory Module for Windows PowerShell.
Using the Get-ADPrincipalGroupMembership Cmdlet
Once the Active Directory module is installed, you can import it with the following syntax (PowerShell 3.0 and later also load it automatically the first time one of its cmdlets is called).
Import-Module -Name ActiveDirectory
Once the Active Directory module is imported, you can run the AD cmdlets, and we will use one of them to get the list of a user’s group memberships.
To get a user’s group membership, we will be using the Get-ADPrincipalGroupMembership cmdlet. This cmdlet returns the AD groups that a user, computer, group, or service account is a direct member of, and unlike the memberOf attribute it also includes the principal’s primary group (Domain Users in the output below). It does not expand nested membership: a group the user belongs to only through another group is not returned, so for an effective-permissions review the result has to be expanded further (for example with an LDAP_MATCHING_RULE_IN_CHAIN filter passed to Get-ADGroup).
Run the syntax below to get the group membership of the user. Make sure that the active directory module is imported.
Get-ADPrincipalGroupMembership username | select name
Selecting the name property outputs only the names of the groups the user is a member of.
Output:
name
----
Domain Users
Domain Computers
Workstation Admins
Company Users
Company Developers
AutomatedProcessingTeam
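Because Get-ADPrincipalGroupMembership stops at direct memberships, a security review usually wants the effective set as well. The following is an added example, not code from the original article, that combines the cmdlet’s direct list with a server-side nested expansion through Get-ADGroup -LDAPFilter and flags groups protected by AdminSDHolder (adminCount = 1), which are the high-privilege ones to look at first. The function name and the sample account user01 are this example’s own; it assumes the RSAT Active Directory module is installed.

```powershell
Import-Module -Name ActiveDirectory

function Get-ADEffectiveGroupMembership {
    # Example function (not part of the article): direct, nested and primary group
    # membership of one account, with the AdminSDHolder-protected groups flagged.
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties primaryGroupID

    # Direct memberships, including the primary group. Nesting is not expanded here.
    $direct    = Get-ADPrincipalGroupMembership -Identity $Identity
    $directDns = @($direct.DistinguishedName)

    # Escape the DN for use inside an LDAP filter (RFC 4515), then let the DC expand
    # nested membership with LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941).
    $dn     = $user.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" -Properties adminCount

    # The primary group is not reachable through the member attribute, so look it up by
    # SID (domain SID + primaryGroupID RID) to get the same properties for it.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $primary   = Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)" -Properties adminCount

    foreach ($g in @($primary) + @($nested)) {
        if ($g.DistinguishedName -eq $primary.DistinguishedName) { $membership = 'Primary' }
        elseif ($directDns -contains $g.DistinguishedName)       { $membership = 'Direct' }
        else                                                     { $membership = 'Nested' }

        [PSCustomObject]@{
            Name       = $g.Name
            Scope      = $g.GroupScope
            Membership = $membership
            # adminCount=1 marks groups whose ACL is enforced by AdminSDHolder, i.e. the
            # privileged ones (Domain Admins, Account Operators, ...).
            Protected  = ($g.adminCount -eq 1)
        }
    }
}

# Sample call (constructed): protected groups first, so privileged access stands out.
Get-ADEffectiveGroupMembership -Identity 'user01' | Sort-Object Protected -Descending | Format-Table -AutoSize
```

Comparing the Membership column against the plain Get-ADPrincipalGroupMembership output shows exactly which groups the cmdlet would have missed. As with the ADSI version, the chain rule follows only the member attribute, so the complete token (including groups that contain the primary group) requires reading the user’s constructed tokenGroups attribute instead.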
Marion specializes in anything Microsoft-related and always tries to work and apply code in an IT infrastructure.