195

PowerShell's Get-ADGroupMember cmdlet returns members of a specific group. Is there a cmdlet or property to get all the groups that a particular user is a member of?

TylerH
  • 20,799
  • 66
  • 75
  • 101
Primoz
  • 4,079
  • 17
  • 56
  • 67

32 Answers32

363

Get-ADPrincipalGroupMembership from the Active Directory module will do this. You'll need that module, or RSAT on Windows 10+, installed to run the command below.

Get-ADPrincipalGroupMembership username | select name

name
----
Domain Users
Domain Computers
Workstation Admins
Company Users
Company Developers
AutomatedProcessingTeam
TylerH
  • 20,799
  • 66
  • 75
  • 101
kstrauss
  • 3,662
  • 1
  • 13
  • 2
  • I have tried this but found that it only returns the 'Domain Users' group for any user. – toryan Dec 08 '14 at 17:33
  • 9
    The above was giving me errors ("The server was unable to process the request due to an internal error" - presumably functionality not available on the server). `get-aduser $username -Properties memberof | select -expand memberof` worked fine though. – JohnLBevan Feb 16 '15 at 17:14
  • Perfect. Could use the username environment variable to show the current user: `Get-ADPrincipalGroupMembership $env:USERNAME | select name` – Underverse Jun 22 '15 at 06:31
  • 1
    Note that the Get-ADPrincipalGroupMembership requires a "global catalog server" - without that it returns the error "Directory Object Not Found" even though the object is confirmed to exist via Get-ADUser cmdlet and it has membership. Response from @schmeckendeugler worked very well for me to get group membership. – John Nov 03 '17 at 23:03
  • I had a particular username I was trying to run this for, `Get-ADPrincipalGroupMembership DatabaseRemoverDevAppPool` but it kept failing with `Cannot find an object with identity: 'DatabaseRemoverDevAppPool'`. I ran it as `Get-ADPrincipalGroupMembership DatabaseRemoverDevAp` and it succeeded. The difference is that `DatabaseRemoverDevAppPool` is the cn but the sAMAccountName was `DatabaseRemoverDevAp`. Apparently `Get-ADPrincipalGroupMembership` looks up by sAMAccountName, not cn. – mason Sep 21 '18 at 18:59
  • Unfortunately, [the `Get-ADPrincipalGroupMembership` cmdlet is broken in such a way that makes it fundamentally unreliable](https://stackoverflow.com/questions/59057379/), so I don't recommend using it. The script I posted in linked answer works correctly, though. – Bill_Stewart May 30 '21 at 23:39
  • @Bill_Stewart It's only broken if you use characters that need to be escaped in AD usernames or group names which is an uncommon situation because that's not a recommended practice by Microsoft in the first place. It's certainly a useful caveat to be aware of, but it's also a _far cry_ from "fundamentally unreliable". – TylerH Mar 10 '23 at 17:19
  • I will agree to (rather strongly) disagree. In many AD environments, for example, the "/" character is _required_ in AD object names. I stand by my "fundamentally unreliable" assessment as the built-in cmdlets should handle characters that are perfectly valid (albeit need escaping) in AD. – Bill_Stewart Mar 10 '23 at 17:29
138

Single line, no modules necessary, uses current logged user:

(New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=User)(samAccountName=$($env:username)))")).FindOne().GetDirectoryEntry().memberOf

Kudos to this vbs/powershell article: http://technet.microsoft.com/en-us/library/ff730963.aspx

Jamie Ide
  • 48,427
  • 16
  • 81
  • 117
Canoas
  • 1,981
  • 1
  • 13
  • 13
  • 8
    Thank you, I appreciate this no-modules version. I simply changed the variable from `$env:username` to `$username` and set with `$username = "testuser"` to easily do variable substitution for other user lookups. – p̻̻̥r̥̻̥o̻j̤͛ec͔t̞dp Jan 25 '16 at 21:23
  • Does not work correctly for nested membership of user's DEFAULT GROUP. See here: https://stackoverflow.com/questions/53451706/ldap-matching-rule-in-chain-not-working-with-default-ad-groups-domain-users – StackzOfZtuff Jul 30 '21 at 09:16
  • To get (sorted) plain list of groups only, you can run `(New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=User)(samAccountName=$($env:username)))")).FindOne().GetDirectoryEntry().memberOf -replace "CN=(.*?),.*" ,"``$1" | Sort`. – CraZ Oct 22 '21 at 16:02
64

A more concise alternative to the one posted by Canoas, to get group membership for the currently-logged-on user.

I came across this method in this blog post: http://www.travisrunyard.com/2013/03/26/auto-create-outlook-mapi-user-profiles/

([ADSISEARCHER]"samaccountname=$($env:USERNAME)").Findone().Properties.memberof

An even better version which uses a regex to strip the LDAP guff and leaves the group names only:

([ADSISEARCHER]"samaccountname=$($env:USERNAME)").Findone().Properties.memberof -replace '^CN=([^,]+).+$','$1'

More details about using the [ADSISEARCHER] type accelerator can be found on the scripting guy blog: http://blogs.technet.com/b/heyscriptingguy/archive/2010/08/24/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory.aspx

Daniel.S
  • 913
  • 8
  • 8
  • 3
    Both of these give me the error : Exception calling "FindOne" with "0" argument(s): "The samaccountname= search filter is invalid." – Dallas Sep 15 '15 at 22:23
  • Strange.... I just tested it again, but on Windows 7 in a completely different environment, and it works fine here too. – Daniel.S Feb 16 '17 at 02:54
  • 1
    I tried again just now, still on Win 7, and it does work fine. Perhaps I had typo when first trying this out. Thanks for adding the replace to strip out the forest "guff". – Dallas Mar 13 '17 at 21:09
  • 8
    Works great, append `| Sort-Object` to make it even more readable. – Martin Hollingsworth Apr 09 '18 at 00:41
  • Does not work correctly for nested membership of user's DEFAULT GROUP. See here: https://stackoverflow.com/questions/53451706/ldap-matching-rule-in-chain-not-working-with-default-ad-groups-domain-users – StackzOfZtuff Jul 30 '21 at 09:17
43

Old school way from CMD: 

net user mst999 /domain
Linus Kleen
  • 33,871
  • 11
  • 91
  • 99
user4511672
  • 449
  • 4
  • 2
30
(GET-ADUSER –Identity USERNAME –Properties MemberOf | Select-Object MemberOf).MemberOf
Mathew Thompson
  • 55,877
  • 15
  • 127
  • 148
schmeckendeugler
  • 301
  • 3
  • 3
19

This should provide you the details for current user. Powershell not needed.

whoami /groups

Nayan
  • 3,092
  • 25
  • 34
  • 2
    This is helpful only for the logged in user AD group membership. However if you need another user or are running from an elevated shell this is not helpful. – gregg Apr 12 '22 at 20:24
13

If you cannot get Get-ADPrincipalGroupMembership to work for you could try logging in as that user then use.

$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$groups = $id.Groups | foreach-object {$_.Translate([Security.Principal.NTAccount])}
$groups | select *
andrew pate
  • 3,833
  • 36
  • 28
  • You don't need to login as the user either if you use something like `$id = [Security.Principal.WindowsIdentity]("username")` – Bitcoin Murderous Maniac Jun 17 '19 at 16:19
  • 2
    This shortens nicely to the one-liner `[System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | % {$_.Translate([Security.Principal.NTAccount])}`. – alx9r Jan 07 '20 at 20:51
8

While there are many excellent answers here, there is one which I was personally looking for that was missing. Once I figured it out - I thought I should post it in case I want to find it later, or it actually manages to help someone else at some point:

Get-ADPrincipalGroupMembership username | Format-Table -auto

A second approach for presenting this is to specify the individual columns you are interested in eg:

Get-ADPrincipalGroupMembership username | select name, GroupScope, GroupCategory

This gives all the AD groups the username belongs to - but also presents all of the default properties of each group formatted nicely as a table.

The key benefit this gives you is you can see at a glance which are distribution lists, & which are Security groups. You can further see at a glance which are Universal, which are DomainLocal & which are Global.
Why would you care about this last bit?

  • Universal group is a security or distribution group that contains users, groups, and computers from any domain in its forest as members. You can give universal security groups rights and permissions on resources in any domain in the forest.
  • Global group is a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. In all those locations, you can give a global group rights and permissions and the global group can become a member of local groups. However, a global group can contain user accounts that are only from its own domain.
  • Domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. You can give domain local security groups rights and permissions on resources that reside only in the same domain where the domain local group is located.
kiltannen
  • 1,057
  • 2
  • 12
  • 27
  • 1
    I agree. This is the better solution if you want to DO something with the output in PowerShell (which a sysadmin probably will). Also a lot easier to remember than the -I admit- very elegant oneliner-solution that was proposed and upvoted for 100+ times. – IT M Jan 17 '22 at 15:26
5

Get group membership for a user:

$strUserName = "Primoz"
$strUser = get-qaduser -SamAccountName $strUserName
$strUser.memberof

See Get Group Membership for a User

But also see Quest's Free PowerShell Commands for Active Directory.

[Edit: Get-ADPrincipalGroupMembership command is included in Powershell since v2 with Windows 2008 R2. See kstrauss' answer below.]

Abraham
  • 479
  • 7
  • 23
tiago2014
  • 3,392
  • 1
  • 21
  • 28
  • 2
    Actually there's an easier way with Quest cmdlets: Get-QADGroup -Contains Primoz – fenster Feb 23 '11 at 00:21
  • 18
    This is no longer the best answer as Get-ADPrincipalGroupMembership is now built into PowerShell – Rob Cannon Sep 23 '14 at 13:47
  • 1
    Voted down because It would be much better to use Get-ADPrincipalGroupMembership. I would like to undo this downvote, but I cannot. I will edit the answer to point out that the built in option now exists. – Abraham Aug 29 '16 at 17:24
5

Get-Member is not for getting user's group membership. If you want to get a list of groups a user belongs to on the local system, you can do so by:

$query = "ASSOCIATORS OF {Win32_Account.Name='DemoUser1',Domain='DomainName'} WHERE ResultRole=GroupComponent ResultClass=Win32_Account"

Get-WMIObject -Query $query | Select Name

In the above query, replace DemoUser1 with the username you want and the DomainName with either your local computer name or domain name.

ravikanth
  • 24,922
  • 4
  • 60
  • 60
  • 1
    This query is very time consuming and responds very slow when there are multiple users and groups in the environment – randeepsp Mar 09 '15 at 06:47
  • Whoever is editing the answer make sure you edit it the right way. I was suggesting the OP to replace DemoUser1 with whatever username he wants. And, you completely changed that meaning. – ravikanth Mar 28 '15 at 10:48
4

First, import the ActiveDirectory module:

Import-Module ActiveDirectory

Then issue this command:

Get-ADGroupMember -Identity $group | foreach-object {
    Write-Host $_.SamAccountName
}

This will display the members of the specified group.

Jonathan Rioux
  • 1,067
  • 2
  • 14
  • 30
4

I wrote a PowerShell function called Get-ADPrincipalGroupMembershipRecursive. It accepts the DSN of a user, computer, group, or service account. It retrieves an initial list of groups from the account's memberOf attribute, then recursively checks those group's memberships. Abbreviated code is below. Full source code with comments can be found here.

function Get-ADPrincipalGroupMembershipRecursive( ) {

    Param(
        [string] $dsn,
        [array]$groups = @()
    )

    $obj = Get-ADObject $dsn -Properties memberOf

    foreach( $groupDsn in $obj.memberOf ) {

        $tmpGrp = Get-ADObject $groupDsn -Properties memberOf

        if( ($groups | where { $_.DistinguishedName -eq $groupDsn }).Count -eq 0 ) {
            $groups +=  $tmpGrp           
            $groups = Get-ADPrincipalGroupMembershipRecursive $groupDsn $groups
        }
    }

    return $groups
}

# Simple Example of how to use the function
$username = Read-Host -Prompt "Enter a username"
$groups   = Get-ADPrincipalGroupMembershipRecursive (Get-ADUser $username).DistinguishedName
$groups | Sort-Object -Property name | Format-Table
Brian Reich
  • 143
  • 1
  • 2
  • 4
  • Does not work correctly with user's DEFAULT GROUP. See here: https://stackoverflow.com/questions/53451706/ldap-matching-rule-in-chain-not-working-with-default-ad-groups-domain-users – StackzOfZtuff Jul 30 '21 at 09:14
4

No need for long scripts when it is a simple one liner..

QUEST Command

(Get-QADUser -Identity john -IncludedProperties MemberOf | Select-Object MemberOf).MemberOf

MS AD Command

(GET-ADUSER –Identity john –Properties MemberOf | Select-Object MemberOf).MemberOf

I find the MS AD cmd is faster but some people like the Quest ones better..

Steve

Steve Adkin
  • 41
  • 1
4

Use:

Get-ADPrincipalGroupMembership username | select name | export-CSV username.csv

This pipes output of the command into a CSV file.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Dee
  • 41
  • 1
4

Get-Member is a cmdlet for listing the members of a .NET object. This has nothing to do with user/group membership. You can get the current user's group membership like so:

PS> [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | 
         Format-Table -auto

BinaryLength AccountDomainSid    Value
------------ ----------------    -----
          28 S-1-5-21-...        S-1-5-21-2229937839-1383249143-3977914998-513
          12                     S-1-1-0
          28 S-1-5-21-...        S-1-5-21-2229937839-1383249143-3977914998-1010
          28 S-1-5-21-...        S-1-5-21-2229937839-1383249143-3977914998-1003
          16                     S-1-5-32-545
...

If you need access to arbitrary users' group info then @tiagoinu suggestion of using the Quest AD cmdlets is a better way to go.

Keith Hill
  • 194,368
  • 42
  • 353
  • 369
3

It is just one line:

(get-aduser joe.bloggs -properties *).memberof

end of :)

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
user4931356
  • 41
  • 1
  • Piping that to a `select -expandproperty memberof` will make the output a little more readable/useful. – Ben Thul Jul 07 '16 at 20:46
2

The below works well:

get-aduser $username -Properties memberof | select -expand memberof

If you have a list of users:

$list = 'administrator','testuser1','testuser2'
$list | `
    %{  
        $user = $_; 
        get-aduser $user -Properties memberof | `
        select -expand memberof | `
        %{new-object PSObject -property @{User=$user;Group=$_;}} `
    }
JohnLBevan
  • 22,735
  • 13
  • 96
  • 178
2
(Get-ADUser $env:username -Properties MemberOf).MemberOf | % {$_.split(",")[0].replace("CN=","")}

Domain Users
Domain Computers
Workstation Admins
Company Users
Company Developers
AutomatedProcessingTeam
Nick Ali
  • 147
  • 1
  • 4
  • 2
    Hi, this question already has an answer, if you have a different solution, that is better in some way, try to explain how it or when it is better than the approved one – SpaceDogCS Apr 21 '21 at 13:28
1

Get-QADUser -SamAccountName LoginID | % {$_.MemberOf } | Get-QADGroup | select name

Sathish
  • 11
  • 1
1
   Get-ADUser -Filter { memberOf -RecursiveMatch "CN=Administrators,CN=Builtin,DC=Fabrikam,DC=com" } -SearchBase "CN=Administrator,CN=Users,DC=Fabrikam,DC=com"  -SearchScope Base
                  ## NOTE: The above command will return the user object (Administrator in this case) if it finds a match recursively in memberOf attribute.
Sunil Aher
  • 747
  • 3
  • 14
  • 34
1

I couldn't get the following to work for a particular user:

Get-ADPrincipalGroupMembership username

It threw an error that I was not willing to troubleshoot.

I did however come up with a different solution using Get-ADUser. I like it a bit better because if you don't know the account name then you can get it based off of a wildcard on the user's actual name. Just fill in PartOfUsersName and away it goes.

#Get the groups that list of users are the member of using a wildcard search

[string]$UserNameLike = "*PartOfUsersName*" #Use * for wildcards here
[array]$AccountNames = $(Get-ADUser -Filter {Name -like $UserNameLike}).SamAccountName

ForEach ($AccountName In $AccountNames) {
Write-Host "`nGETTING GROUPS FOR" $AccountName.ToUpper() ":"
(Get-ADUser -Identity $AccountName -Properties MemberOf|select MemberOf).MemberOf|
    Get-ADGroup|select Name|sort name
    }

Huge props to schmeckendeugler and 8DH for getting me to this solution. +1 to both of you.

Adam
  • 571
  • 1
  • 6
  • 8
1

To get it recursive, you can use:

<# 
    .SYNOPSIS   
        Get all the groups that a user is MemberOf.

    .DESCRIPTION
        This script retrieves all the groups that a user is MemberOf in a recursive way.

    .PARAMETER SamAccountName
        The name of the user you want to check #>

Param (
    [String]$SamAccountName = 'test',
    $DomainUsersGroup = 'CN=Domain Users,CN=Users,DC=domain,DC=net'
)


Function Get-ADMemberOf {
    Param (
        [Parameter(ValueFromPipeline)]
        [PSObject[]]$Group,
        [String]$DomainUsersGroup = 'CN=Domain Users,CN=Users,DC=grouphc,DC=net'
    )
    Process {
        foreach ($G in $Group) {
            $G | Get-ADGroup | Select -ExpandProperty Name
            Get-ADGroup $G -Properties MemberOf| Select-Object Memberof | ForEach-Object {
                Get-ADMemberOf $_.Memberof
            }
        }
    }
}


$Groups = Get-ADUser $SamAccountName -Properties MemberOf | Select-Object -ExpandProperty MemberOf
$Groups += $DomainUsersGroup
$Groups | Get-ADMemberOf | Select -Unique | Sort-Object
DarkLite1
  • 13,637
  • 40
  • 117
  • 214
1

When you do not have privileges to consult other member groups but you do have the privilege to consult group members, you can do the following to build a map of which user has access to which groups.

$groups = get-adgroup -Filter * | sort name | select Name
$users = @{}
foreach($group in $groups) {
    $groupUsers = @()
    $groupUsers = Get-ADGroupMember -Identity $group.Name | Select-Object SamAccountName
    $groupUsers | % {
        if(!$users.ContainsKey($_.SamAccountName)){
            $users[$_.SamAccountName] = @()
        }
        ($users[$_.SamAccountName]) += ($group.Name)
    }
}
kiltannen
  • 1,057
  • 2
  • 12
  • 27
Nadzzz
  • 530
  • 3
  • 12
1

Studying all comments presented gave me a starting point (thanks for such) but left me with several unresolved issues. As result here is my answer. The code snippet provided does a little more than what is asked for but it provides helpful debugging info.

[array] $script:groupsdns = @()
function Get-ADPrincipalGroupMembershipRecursive() 
{
  Param( [string] $dn, [int] $level = 0, [array] $groups = @() )

  #if(($groupsdns | where { $_.DistinguishedName -eq $dn }).Count -ne 0 ) { return $groups } # dependency on next statement
  #$groupsdns += (Get-ADObject $dn -Properties MemberOf) # Get-ADObject cannot find an object with identity
  if ($script:groupsdns.Contains($dn)) { return $groups }
  $script:groupsdns += $dn
  $mo = $Null
  $mo = Get-ADObject $dn -Properties MemberOf # Get-ADObject cannot find an object with identity
  $group = ($dn + " (" + $level.ToString())
  if ($mo -eq $Null) { $group += "!" }
  $group += ")"
  $groups += $group
  foreach( $groupdn in $mo.MemberOf )
  {
    $groups = Get-ADPrincipalGroupMembershipRecursive -dn $groupdn -level ($level+1) -groups $groups
  }
  if ($level -le 0) 
  { 
    $primarygroupdn = (Get-ADUser -Identity $dn -Properties PrimaryGroup).PrimaryGroup 
    $groups = Get-ADPrincipalGroupMembershipRecursive -dn $primarygroupdn -level ($level+1) -groups $groups
  }
  return $groups
}
$adusergroups = Get-ADPrincipalGroupMembershipRecursive -dn $aduser.DistinguishedName
$adusergroups | ft -AutoSize | `
              Out-File -Width 512 Get-ADPrincipalGroupMembershipRecursive.txt #-Append #-Wrap # | Sort-Object -Property Name
ES44AC SD70MAC
  • 91
  • 1
  • 3
  • Sorry I forgot to clarify. Do this first: $aduserDistinguishedName = "CN=name,OU=..." $aduser = Get-ADUser -Identity $aduserDistinguishedName -Properties * – ES44AC SD70MAC Nov 28 '18 at 20:25
1

For LOCAL users and groups (ie not in Active Directory), and if you don't want to, or aren't allowed to, or can't install RSAT and/or Install-WindowsFeature RSAT-AD-PowerShell and/or import-module activedirectory then here's a pure, pre-installed powershell (5.1+) way to do it.

(Note: Get-LocalGroup* used below are only available Powershell v5.1 and above. "...v5.1 was released along with the Windows 10 Anniversary Update on August 2, 2016, and in Windows Server 2016. ...[F]or Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 [it] was released on January 19, 2017." (wikipedia))

$username = "user002"
Get-LocalGroup | ForEach-Object {
    # the usernames are returned in the string form "computername\username"
    if (Get-LocalGroupMember -Group $_ | Where-Object name -like "*\$username") {
        $_.name
    } 
}

Example output:

Administrators
Users
john v kumpf
  • 431
  • 3
  • 8
  • This method is unrelated to Active Directory. – Slogmeister Extraordinaire Mar 22 '21 at 18:18
  • @Slogmeister Extraordinaire My reasoning is that some Internet users searching for this question will be interested in local groups not in active directory – john v kumpf Mar 22 '21 at 21:05
  • @johnvkrumpf Understood, but your answer does not indicate that it is not an Active Directory solution. It suggests that if you can't load the AD module/tools that this will work, but it will not in this context. The question specifically requests an AD solution. I'm not against your reasoning, however as I have done the same plenty of times. However, consider that the reader may not understand that your answer doesn't work with AD and be very frustrated trying. Modify your answer to clearly indicate this is a non-AD solution and I'll upvote it. – Slogmeister Extraordinaire Mar 23 '21 at 12:46
0
Import-Module ActiveDirectory
Get-ADUser -SearchBase "OU=Users,DC=domain,DC=local" -Filter * | foreach-object {
write-host "User:" $_.Name -foreground green
    Get-ADPrincipalGroupMembership $_.SamAccountName | foreach-object {
        write-host "Member Of:" $_.name
    }
}

Change the value of -SearchBase to reflect the OU you need to list the users from :)

This will list all of the users in that OU and show you which groups they are a member of.

Stephen Galvin
  • 11
  • 3
0

Get-ADPrincipalGroupMembership USERLOGON | select name

Jacob Fischlein
  • 1
0

This is the simplest way to just get the names:

Get-ADPrincipalGroupMembership "YourUserName"

# Returns distinguishedName : CN=users,OU=test,DC=SomeWhere GroupCategory : Security GroupScope : Global name : testGroup objectClass : group objectGUID : 2130ed49-24c4-4a17-88e6-dd4477d15a4c SamAccountName : testGroup SID : S-1-5-21-2114067515-1964795913-1973001494-71628

Add a select statement to trim the response or to get every user in an OU every group they are a user of:

foreach ($user in (get-aduser -SearchScope Subtree -SearchBase $oupath -filter * -Properties samaccountName, MemberOf | select samaccountName)){ Get-ADPrincipalGroupMembership $user.samaccountName | select name}

Stuart
  • 1
0

Almost all above solutions used the ActiveDirecotry module which might not be available by default in most cases.

I used below method. A bit indirect, but served my purpose.

List all available groups

Get-WmiObject -Class Win32_Group

And then list the groups the user belongs to

[System.Security.Principal.WindowsIdentity]::GetCurrent().Groups

Comparison can then be done via checking through the SIDs. This works for the logged in user. Please correct me if I am wrong. Completely new to PowerShell, but had to get this done for a work commitment.

Ruifeng Ma
  • 2,399
  • 1
  • 22
  • 40
  • If you are checking a user which is already a member of the Administrator group, make sure start PowerShell by "Run As Administrator", otherwise the groups won't be listed out correctly for the 2nd command...took quite a while to figure this out...windows... – Ruifeng Ma Mar 09 '17 at 18:01
0

With user input and fancy output formatting:

[CmdletBinding(SupportsShouldProcess=$True)] 
Param( 
    [Parameter(Mandatory = $True)] 
    [String]$UserName 
) 
Import-Module ActiveDirectory 
If ($UserName) { 
    $UserName = $UserName.ToUpper().Trim() 
    $Res = (Get-ADPrincipalGroupMembership $UserName | Measure-Object).Count 
    If ($Res -GT 0) { 
        Write-Output "`n" 
        Write-Output "$UserName AD Group Membership:" 
        Write-Output "===========================================================" 
        Get-ADPrincipalGroupMembership $UserName | Select-Object -Property Name, GroupScope, GroupCategory | Sort-Object -Property Name | FT -A 
    } 
}
coinbird
  • 1,202
  • 4
  • 24
  • 44
0

Putting this here for future reference. I'm in the midst of an email migration. I need to know each user account and its respective group membership, and also I need to know each group and its respective members.

I'm using the code block below to output a CSV for each user's group membership.

Get-ADUser -Filter * |`
  ForEach-Object { `
    $FileName = $_.SamAccountName + ".csv" ; `
    $FileName ; `
    Get-ADPrincipalGroupMembership $_ | `
      Select-Object -Property SamAccountName, name, GroupScope, GroupCategory | `
        Sort-Object -Property SamAccountName | `
          Export-Csv -Path $FileName -Encoding ASCII ; `
  }

The export process for the groups and their respective members was a little convoluted, but the below works. The output filenames include the type of group. Therefore, the email distribution groups I need are/should be the Universal and Global Distribution groups. I should be able to just delete or move the resulting TXT files I don't need.

Get-ADGroup -Filter * | `
 Select-Object -Property Name, DistinguishedName, GroupScope, GroupCategory | `
  Sort-Object -Property GroupScope, GroupCategory, Name | `
   Export-Csv -Path ADGroupsNew.csv -Encoding ASCII

$MyCSV = Import-Csv -Path .\ADGroupsNew.csv -Encoding ASCII

$MyCSV | `
 ForEach-Object { `
  $FN = $_.GroupScope + ", " + $_.GroupCategory + ", " + $_.Name + ".txt" ; `
  $FN ; `
  Get-ADGroupMember -Identity $_.DistinguishedName | `
   Out-File -FilePath $FN -Encoding ASCII ; $FN=""; `
  }
user208145
  • 369
  • 4
  • 13
0

I use this simple oneliner to recursively search all the groups a user is member of:

Get-ADPrincipalGroupMembership $UserName | foreach-object { Get-ADPrincipalGroupMembership $_.SamAccountName | select SamAccountName }

To filter the groups to find out if user is member of a specific group i use this:

if ( Get-ADPrincipalGroupMembership $UserName | foreach-object { Get-ADPrincipalGroupMembership $_.SamAccountName | select SamAccountName } | where-object {$_.SamAccountName -like "*$Groupname*"} ) { write-host "Found" } else { write-host "not a member of group $Groupname" }
Alex Flora
  • 13
  • 3