PowerShell list local users and groups

We’ll also show multiple methods to find out which groups a user belongs to by exploring the following:

Table of Contents

  1 Get all Groups a user is a member of
    1.1 Which groups a user is a member of using Command Prompt
    1.2 Get Group Membership PowerShell
      1.2.1 Check Group Scope Using PowerShell
      1.2.2 Get Global Security Groups a user is a member of
      1.2.3 Get Local Security Groups a user is a member of
    1.3 Get All Groups the current user is a member of
    1.4 Get All Groups the current user is a member of without importing AD module



Get all Groups a user is a member of

Suppose you have a domain user and you would like to check which local and global groups the user is a member of, but:

  • You don’t have permission on Active Directory.
  • Or you can’t import the Active Directory module.

In this case, you can use the “net user” command to get all groups a user is a member of, as follows:

Which groups a user is a member of using Command Prompt

Steps

  • Run Command Prompt / Windows PowerShell as administrator.


  • Run the command below.
net user /domain username

In my scenario, I would like to know if the “spfarm” user is a member of the Domain Admins group or not.

net user /domain spfarm
  • Check the Local Group Memberships and Global Group memberships lines to find all groups the user is a member of.


Besides being easy and fast, this method is also very helpful for checking:

  • If the account is active and not disabled.
  • Account expiration status.
  • When the account password expires.
  • The last date password changed.
  • If the account can change its password.
  • Last logon.
  • Which local group a user is a member of.
  • Which global domain group a user is a member of.

Note: if a group name is long (> 21 chars), the output truncates it.
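The following added example (not part of the original article) parses “net user” output into objects and flags group names that may have been truncated, so a privileged group is not missed because its name was cut off. The function name ConvertFrom-NetUser, the sample output and the treatment of any displayed name of 21 or more characters as possibly truncated are assumptions made for illustration.

```powershell
# Added example. ConvertFrom-NetUser is a hypothetical helper name.
# Assumes English "net user" output; field labels are localized on other systems.
function ConvertFrom-NetUser {
    param([string[]]$Lines)
    $fields = @{}      # PowerShell hashtable literals are case-insensitive
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^(?<field>\S.*?)\s{2,}(?<text>\S.*)$') {
            $current = $Matches['field']                 # "Label   value" row
            $fields[$current] = $Matches['text']
        } elseif ($current -and $line -match '^\s{2,}(?<text>\*.*)$') {
            $fields[$current] += ' ' + $Matches['text']  # wrapped group list
        } else {
            $current = $null                             # blank or value-less row
        }
    }
    $groups = foreach ($scope in 'Local', 'Global') {
        # Group names may contain spaces, so split on the leading "*" marker.
        foreach ($name in ([string]$fields["$scope Group Memberships"] -split '\*')) {
            $name = $name.Trim()
            if ($name) {
                [pscustomobject]@{
                    Scope          = $scope
                    Name           = $name
                    # Assumption from the note above: a 21+ character name may be cut off.
                    MaybeTruncated = $name.Length -ge 21
                }
            }
        }
    }
    [pscustomobject]@{
        User            = $fields['User name']
        AccountActive   = $fields['Account active']
        PasswordExpires = $fields['Password expires']
        Groups          = @($groups)
    }
}

# Constructed sample output (not captured from a real domain).
$sample = @'
User name                    spfarm
Account active               Yes
Password expires             Never
Local Group Memberships      *Administrators
Global Group memberships     *Domain Users         *SharePoint Farm Admin
                             *Domain Admins
The command completed successfully.
'@ -split '\r?\n'

(ConvertFrom-NetUser -Lines $sample).Groups | Format-Table Scope, Name, MaybeTruncated
```

On a domain-joined machine, pass the live output instead of the sample: ConvertFrom-NetUser -Lines (net user /domain spfarm). Any group flagged as MaybeTruncated should be confirmed with the Active Directory cmdlets.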


Get Group Membership PowerShell

The previous method is very helpful and doesn’t require permission on the AD server to get all groups a user is a member of. However, as mentioned earlier, if a group name is long (> 21 chars), it is truncated.

In this case, you can use the built-in “Get-ADPrincipalGroupMembership” to get all groups a user is a member of using PowerShell.

Steps

  • Run Windows PowerShell as Administrator.


  • Import the Active Directory module.
import-module activedirectory

Note: if you can’t import the AD module, try installing the RSAT feature as follows:

Install-WindowsFeature RSAT-AD-PowerShell
  • Run “Get-ADPrincipalGroupMembership“.
Get-ADPrincipalGroupMembership username_withoutdomain | select name


“Get-ADPrincipalGroupMembership” helps you get the local and global security groups that a user is a member of.

Check Group Scope Using PowerShell

Groups are characterized by a scope that defines where the group can be granted permissions.

Active Directory defines three group scopes:

  • Domain Local.
  • Global.
  • Universal.


To check a group’s scope using PowerShell, select “Groupscope” as shown below:

Get-ADPrincipalGroupMembership spfarm | select name,groupscope


Get Global Security Groups a user is a member of

Get-ADPrincipalGroupMembership spfarm | select name,groupscope | Where-Object Groupscope -eq "Global"


Get Local Security Groups a user is a member of

Get-ADPrincipalGroupMembership spfarm | select name,groupscope | Where-Object Groupscope -eq "domainlocal"


Get All Groups the current user is a member of

Instead of typing a specific user name, you can get all groups the current user is a member of by using $env:USERNAME:

Get-ADPrincipalGroupMembership $env:USERNAME | select name,groupscope

Get All Groups the current user is a member of without importing AD module

If the above cmdlet does not work for any reason, try the following:

(get-aduser $env:USERNAME -Properties memberof | select -expand memberof | get-adgroup) | select Name,groupscope


Alternatively, you can use the PowerShell command below, which does not require importing the AD module.

net user /domain spfarm

This command gives you the same result, as shown below.

net user /domain spfarm

Conclusion

In conclusion, we have learned how to get all groups a user is a member of, and how to get the local and global group membership for a user using PowerShell.

How do I list local users in PowerShell?

Use the Get-LocalUser PowerShell cmdlet to list all user accounts. The Get-LocalUser PowerShell cmdlet lists all the local users on a device. Remember that Active Directory domain controllers don't have local user accounts.

How do I get local admin group members in PowerShell?

To find local administrators with PowerShell, you can use the Get-LocalGroupMember command. The above example is running the command on the local computer. To run it on a remote computer, you can use Invoke-Command. For this command to work, you will need to have PowerShell Remoting enabled.

How do I list all local groups in Windows?

To view local groups on your computer:

  • Open an elevated/administrator command prompt.
  • Type net localgroup and press Enter.
  • Observe the list of local groups on your computer.

How to list local users in cmd?

This method works both in the Command Prompt and PowerShell. Open the command-line app that you prefer, type net user, and press Enter. Net user lists the users that have accounts configured on a Windows PC, including hidden ones or disabled user accounts.