Get All Groups A User Is A Member Of Using PowerShell

In this post, we’ll learn how to get all groups a user is a member of using PowerShell.

Get all groups that a user is a member of using PowerShell

We’ll also show multiple methods to know in which groups a user belongs to by exploring the following:

Table of Contents

1 Get all Groups a user is a member of

You might alto like to read Logon failure: The user has not been granted the requested logon type at this computer.

Get all Groups a user is a member of

Consider you have a domain user, and you would like to check which local and global groups a user is a member of. but

You didn’t have permission on the Active Directory.
Or you can’t import Active Directory Module.

In this case, you can easily use “net user” cmdlet to Get all Groups a user is a member of as the following:

Which groups a user is a member of using Command Prompt

Steps

Run Command Prompt / Windows Power-Shell as administrator.

Run the below cmdlet.

net user /domain username

In my scenario, I would like to know if the “spfarm” user is a member of the Domain Admins group or not.

net user /domain spfarm

Check Global and local Group Membership line to find all groups in that a user “spepmfarm” is a member of.

Get all Groups a user is a member of Using PowerShell

Besides this method is an easy and fast, it’s very helpful to check:

If the account is active and not disabled.
Account expiration status.
When the account password expires.
The last date password changed.
If the account can change its password.
Last logon.
Which local group a user is a member of.
Which global domain group a user is a member of.

Note: if the group name is long (> 21 chars) it will truncate the group name.

Get Group Membership PowerShell

The previous method is very helpful and doesn’t require permission on the AD server to get all groups a user is a member of. but as we earlier mentioned, if the group name is long (> 21 chars) it will truncate the group name.

So in this case, you can use the build-in “Get-ADPrincipalGroupMembership” to get Get all Groups a user is a member of using PowerShell.

Steps

Run Windows PowerShell as Administrator.

Import Active Directory Module.

import-module activedirectory

Note: if you can’t import AD module, try to install RAST feature as the following:

Install-WindowsFeature RSAT-AD-PowerShell

Run “Get-ADPrincipalGroupMembership“.

Get-ADPrincipalGroupMembership username_withoutdomain | select name

“Get-ADPrincipalGroupMembership” helps you to get the local and global security groups in which a user is a member of

Check Group Scope Using PowerShell

Groups are characterized by a scope to define where the group can be granted permissions.

There are three group scopes are defined by Active Directory:

Domain Local.
Global.
Universal.

You might also like to read Active Directory Security Groups.

To check if a group scope using PowerShell, you should select “Groupscope” as shown below:

Get-ADPrincipalGroupMembership spfarm | select name,groupscope

Get Global Security Group for a user is a member of

Get-ADPrincipalGroupMembership spfarm | select name,groupscope | Where-Object Groupscope -eq "Global"

Get Local Security Group for a user is a member of

Get-ADPrincipalGroupMembership spfarm | select name,groupscope | Where-Object Groupscope -eq "domainlocal"

Get All Groups for the current user is a member of

Instead of typing specific user, you can also get all groups for the current user is a member of by using $env:USERNAME

Get-ADPrincipalGroupMembership $env:USERNAME | select name,groupscope

Get All Groups for the current user is a member of without importing AD module

If the above cmdlets is not working for any reason, so in this case, you should try the following:

(get-aduser $env:USERNAME -Properties memberof | select -expand memberof | get-adgroup) | select Name,groupscope

Get All Groups for the current user is a member of without importing AD module

Alternatively, you can also use the below power-shell cmdlet that not requires to import AD module.

((New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=User)(samAccountName=$($env:username)))")).FindOne().GetDirectoryEntry().memberOf | get-adgroup)| select Name,groupscope

This cmdlet gives you the same result as shown below

Name                                                                                                         groupscope
----                                                                                                         ----------
WF Admins                                                                                                        Global
WSS_WPG                                                                                                     DomainLocal
WSS_RESTRICTED_WPG_V4                                                                                       DomainLocal
WSS_ADMIN_WPG                                                                                               DomainLocal
EPMSys Accounts                                                                                                  Global
Domain Admins                                                                                                    Global
IIS_IUSRS                                                                                                   DomainLocal
Performance Log Users                                                                                       DomainLocal
Performance Monitor Users                                                                                   DomainLocal
Administrators                                                                                              DomainLocal

PS C:\Users\spfarm>

Conclusion

In conclusion we have learned how to get all groups a user is a member of, we have also learned how to get local and global Group Membership for a user is a member of using PowerShell.