In this post, we’ll learn how to get all groups a user is a member of using PowerShell.
We’ll also show multiple methods to know in which groups a user belongs to by exploring the following:
You might alto like to read Logon failure: The user has not been granted the requested logon type at this computer.
Get all Groups a user is a member of
Consider you have a domain user, and you would like to check which local and global groups a user is a member of. but
- You didn’t have permission on the Active Directory.
- Or you can’t import Active Directory Module.
In this case, you can easily use “net user” cmdlet to Get all Groups a user is a member of as the following:
Which groups a user is a member of using Command Prompt
Steps
- Run Command Prompt / Windows Power-Shell as administrator.
- Run the below cmdlet.
net user /domain usernameIn my scenario, I would like to know if the “spfarm” user is a member of the Domain Admins group or not.
net user /domain spfarm- Check Global and local Group Membership line to find all groups in that a user “spepmfarm” is a member of.
Besides this method is an easy and fast, it’s very helpful to check:
- If the account is active and not disabled.
- Account expiration status.
- When the account password expires.
- The last date password changed.
- If the account can change its password.
- Last logon.
- Which local group a user is a member of.
- Which global domain group a user is a member of.
Note: if the group name is long (> 21 chars) it will truncate the group name.
Get Group Membership PowerShell
The previous method is very helpful and doesn’t require permission on the AD server to get all groups a user is a member of. but as we earlier mentioned, if the group name is long (> 21 chars) it will truncate the group name.
So in this case, you can use the build-in “Get-ADPrincipalGroupMembership” to get Get all Groups a user is a member of using PowerShell.
Steps
- Run Windows PowerShell as Administrator.
- Import Active Directory Module.
import-module activedirectoryNote: if you can’t import AD module, try to install RAST feature as the following:
Install-WindowsFeature RSAT-AD-PowerShell- Run “Get-ADPrincipalGroupMembership“.
Get-ADPrincipalGroupMembership username_withoutdomain | select name
“Get-ADPrincipalGroupMembership” helps you to get the local and global security groups in which a user is a member of
Check Group Scope Using PowerShell
Groups are characterized by a scope to define where the group can be granted permissions.
There are three group scopes are defined by Active Directory:
- Domain Local.
- Global.
- Universal.
You might also like to read Active Directory Security Groups.
To check if a group scope using PowerShell, you should select “Groupscope” as shown below:
Get-ADPrincipalGroupMembership spfarm | select name,groupscope
Get Global Security Group for a user is a member of
Get-ADPrincipalGroupMembership spfarm | select name,groupscope | Where-Object Groupscope -eq "Global"
Get Local Security Group for a user is a member of
Get-ADPrincipalGroupMembership spfarm | select name,groupscope | Where-Object Groupscope -eq "domainlocal"
Get All Groups for the current user is a member of
Instead of typing specific user, you can also get all groups for the current user is a member of by using $env:USERNAME
Get-ADPrincipalGroupMembership $env:USERNAME | select name,groupscopeGet All Groups for the current user is a member of without importing AD module
If the above cmdlets is not working for any reason, so in this case, you should try the following:
(get-aduser $env:USERNAME -Properties memberof | select -expand memberof | get-adgroup) | select Name,groupscope
Alternatively, you can also use the below power-shell cmdlet that not requires to import AD module.
((New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=User)(samAccountName=$($env:username)))")).FindOne().GetDirectoryEntry().memberOf | get-adgroup)| select Name,groupscopeThis cmdlet gives you the same result as shown below
Name groupscope
---- ----------
WF Admins Global
WSS_WPG DomainLocal
WSS_RESTRICTED_WPG_V4 DomainLocal
WSS_ADMIN_WPG DomainLocal
EPMSys Accounts Global
Domain Admins Global
IIS_IUSRS DomainLocal
Performance Log Users DomainLocal
Performance Monitor Users DomainLocal
Administrators DomainLocal
PS C:\Users\spfarm>Conclusion
In conclusion we have learned how to get all groups a user is a member of, we have also learned how to get local and global Group Membership for a user is a member of using PowerShell.
Applies To
- Windows PowerShell.
- Command Prompt.
- Windows Server 2016.
- Windows Server 2012.
The last code uses get-adgroup, doesn’t that require an module import?
Excellent information! Very convenient, all in one location. Thank you!
On time, many thanks
this what I need thanks