We’ll also show multiple methods to find out which groups a user belongs to by exploring the following:
Table of Contents
- 1 Get all Groups a user is a member of
- 1.1 Which groups a user is a member of using Command Prompt
- 1.2 Get Group Membership Using PowerShell
- 1.2.1 Check Group Scope Using PowerShell
- 1.2.2 Get Global Security Groups a user is a member of
- 1.2.3 Get Local Security Groups a user is a member of
- 1.3 Get All Groups the current user is a member of
- 1.4 Get All Groups the current user is a member of without importing AD module
You might also like to read Logon failure: The user has not been granted the requested logon type at this computer.
Get all Groups a user is a member of
Suppose you have a domain user and would like to check which local and global groups that user is a member of, but:
- You don’t have permission on Active Directory.
- Or you can’t import the Active Directory module.
In this case, you can use the “net user” command to get all groups a user is a member of, as follows:
Which groups a user is a member of using Command Prompt
Steps
- Run Command Prompt / Windows PowerShell as administrator.
- Run the command below.
In my scenario, I would like to know if the “spfarm” user is a member of the Domain Admins group or not.
net user /domain spfarm
- Check the “Local Group Memberships” and “Global Group memberships” lines to find all groups that the user “spepmfarm” is a member of.
Besides being easy and fast, this method is also very helpful for checking:
- If the account is active and not disabled.
- Account expiration status.
- When the account password expires.
- The last date password changed.
- If the account can change its password.
- Last logon.
- Which local group a user is a member of.
- Which global domain group a user is a member of.
Note: if a group name is long (> 21 chars), the output truncates it.
Get Group Membership Using PowerShell
The previous method is very helpful and doesn’t require permission on the AD server to get all groups a user is a member of. But as mentioned earlier, if a group name is long (> 21 chars), the output truncates it.
In this case, you can use the built-in “Get-ADPrincipalGroupMembership” cmdlet to get all groups a user is a member of using PowerShell.
Steps
- Run Windows PowerShell as Administrator.
- Import the Active Directory module.
Note: if you can’t import the AD module, try installing the RSAT feature as follows:
Install-WindowsFeature RSAT-AD-PowerShell
- Run “Get-ADPrincipalGroupMembership”.
“Get-ADPrincipalGroupMembership” returns the local and global security groups that a user is a member of.
Check Group Scope Using PowerShell
Groups are characterized by a scope that defines where the group can be granted permissions.
Active Directory defines three group scopes:
- Domain Local.
- Global.
- Universal.
You might also like to read Active Directory Security Groups.
To check a group’s scope using PowerShell, select “GroupScope” as shown below:
Get-ADPrincipalGroupMembership spfarm | select name,groupscope
Get Global Security Groups a user is a member of
Get-ADPrincipalGroupMembership spfarm | select name,groupscope | Where-Object Groupscope -eq "Global"
Get Local Security Groups a user is a member of
Get-ADPrincipalGroupMembership spfarm | select name,groupscope | Where-Object Groupscope -eq "domainlocal"
Get All Groups the current user is a member of
Instead of typing a specific user name, you can get all groups the current user is a member of by using $env:USERNAME:
Get-ADPrincipalGroupMembership $env:USERNAME | select name,groupscope
Get All Groups the current user is a member of without importing AD module
If the above cmdlets do not work for any reason, try the following:
(get-aduser $env:USERNAME -Properties memberof | select -expand memberof | get-adgroup) | select Name,groupscope
Alternatively, you can use the PowerShell command below, which does not require importing the AD module.
net user /domain spfarm0
This command gives you the same result, as shown below:
net user /domain spfarm1
Conclusion
In conclusion, we have learned how to get all groups a user is a member of. We have also learned how to get the local and global group membership for a user using PowerShell.
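For the section on working without the AD module, the following is an added example (not code from the original article): it uses the [adsisearcher] accelerator to list a user's groups with full, untruncated names and the scope decoded from the groupType bit mask, which is useful when auditing membership of privileged groups such as Domain Admins. The function names ConvertTo-LdapFilterValue and Get-UserGroupScope and the -Nested switch are assumptions made for this illustration.

```powershell
# Added example (not from the original article); function and parameter names are hypothetical.
# Needs a domain-joined session, but no RSAT / ActiveDirectory module.
function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape LDAP filter metacharacters (RFC 4515) so a name or DN cannot
    # alter the filter's structure. The backslash must be replaced first.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-UserGroupScope {
    param(
        [string]$SamAccountName = $env:USERNAME,  # defaults to the current user
        [switch]$Nested                           # also follow groups nested in groups
    )
    $name = ConvertTo-LdapFilterValue $SamAccountName
    $userSearcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$name))"
    $user = $userSearcher.FindOne()
    if (-not $user) { throw "User '$SamAccountName' not found in the current domain." }

    $dn = ConvertTo-LdapFilterValue ([string]$user.Properties['distinguishedname'][0])
    # 1.2.840.113556.1.4.1941 is AD's "in chain" matching rule, which walks nested membership.
    $member = if ($Nested) { "member:1.2.840.113556.1.4.1941:=$dn" } else { "member=$dn" }

    # The primary group (usually Domain Users) is stored in primaryGroupID, not in
    # the member attribute, so it is not returned by this query.
    $groupSearcher = [adsisearcher]"(&(objectCategory=group)($member))"
    $groupSearcher.PageSize = 1000   # page through results instead of stopping at the server limit
    $groupSearcher.PropertiesToLoad.AddRange([string[]]('name', 'grouptype'))
    $results = $groupSearcher.FindAll()
    try {
        foreach ($result in $results) {
            $type  = [int]$result.Properties['grouptype'][0]   # groupType bit mask
            $scope = if     ($type -band 0x2) { 'Global' }
                     elseif ($type -band 0x4) { 'DomainLocal' }
                     elseif ($type -band 0x8) { 'Universal' }
                     else                     { 'Unknown' }
            [pscustomobject]@{
                Name       = [string]$result.Properties['name'][0]  # full name, not truncated
                GroupScope = $scope
                IsSecurity = [bool]($type -band 0x80000000)         # security vs. distribution group
            }
        }
    }
    finally { $results.Dispose() }   # SearchResultCollection holds unmanaged resources
}

# Usage: Get-UserGroupScope -SamAccountName spfarm -Nested | Sort-Object Name
```

With -Nested, the output also includes groups the user belongs to only indirectly, which direct-membership listings do not show.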