Stealthbits

What Active Directory Groups Am I In?


It’s often helpful to know which Active Directory groups your current user is a member of when joined to a domain. That information is typically easy to obtain; however, you need to know where to look.

For many, having a graphical UI is helpful for any task. While this isn’t the quickest way to locate your AD group membership, it’s the best way if you want to avoid the command line (i.e. PowerShell or Command Prompt).

Let’s discuss several methods to achieve our goal, including via the UI, PowerShell, and Command Prompt.

Method #1 – (UI) Active Directory Users and Computers

Windows Server

On a Windows Server, Active Directory Users and Computers (along with some optional PowerShell utilities) can be installed from the Server Manager.

  • In Server Manager, click on “Manage” and then “Add Roles and Features”.
  • Navigate through the wizard to the Features menu, and install: Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > AD DS Tools.

(Screenshots: the “Select features” and “Confirm installation selections” pages of the wizard)

Windows 10

Steps may vary depending on your version of Windows 10. For this blog, I’m using Win10 Enterprise Version 20H2.

On Windows 10, open the Start Menu, search for “Manage optional features”, and open that menu. At the top, click on “Add a feature”, search for “RSAT: Active Directory Domain Services and Lightweight Directory Services Tools”, and install that feature.

You may also need to install the “RSAT: Server Manager” feature first.

(Screenshot: the “Add an optional feature” dialog)

You can now search for “Active Directory Users and Computers” in the Start Menu and launch that feature on either Windows Server or Windows 10.

Use the left sidebar to navigate through your domain, down into the containers (folders, organizational units, etc.) that contain users, locate your user, right-click your user, and click Properties. In Properties, navigate to the Member Of tab, and you’ll see which groups that user is a member of.

(Screenshot: the user’s Properties window, Member Of tab)

That was quite cumbersome, wasn’t it? While using the UI is nice for some, it’s by no means an efficient way to query for this type of information. Let’s dive into some simple PowerShell and Command Prompt queries, which will output similar information in a fraction of the time.

Method #2 – PowerShell Active Directory Module

If you followed the previous steps to install Active Directory Users and Computers, then you may have noticed there were also options to install the Active Directory PowerShell Module while doing so. This module makes querying Active Directory information much easier than in the UI – take the following query as an example:

PS >> Get-ADPrincipalGroupMembership <username> | select name

name
----
Domain Users
Domain Admins

This gives us the same information as the UI screenshot above, in far less time. If you remove the | select name from the query, then you can get additional information about each group a user is a member of such as distinguishedName, GroupCategory, GroupScope, objectClass, objectGUID, SamAccountName, and SID.

Method #3 – Command Prompt

While PowerShell is more robust, allowing you to manipulate query results in more meaningful ways, Command Prompt may be the simplest approach to gathering group membership information. In fact, we don’t need to install anything ahead of time – these commands are available out of the box with most versions of Windows.

The simplest is whoami /groups, which gives a simple listing of both domain and local group membership for the user running the Command Prompt session:

>> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                     Type             ...         
============================================== ================ =====
Everyone                                       Well-known group ...
BUILTIN\Users                                  Alias            ...          
BUILTIN\Administrators                         Alias            ...          
NT AUTHORITY\INTERACTIVE                       Well-known group ...
CONSOLE LOGON                                  Well-known group ...
NT AUTHORITY\Authenticated Users               Well-known group ...
NT AUTHORITY\This Organization                 Well-known group ...
LOCAL                                          Well-known group ...
SBPMLAB\Domain Admins                          Group            ...       
Authentication authority asserted identity     Well-known group ...          
Mandatory Label\High Mandatory Level           Label            ...       

You’ll notice this output is a bit more verbose than the PowerShell command we discussed, which is typically why PowerShell is my go-to CLI workflow for querying Active Directory group information. However, the built-in Command Prompt commands are convenient if you don’t have the ability to install the PowerShell Active Directory Module.
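If you can’t install the Active Directory module but do have PowerShell, you can still read the same data that whoami /groups prints, because both come from the current logon token. The following is an added example written for this post, not code from the original article or from Stealthbits; it uses the .NET WindowsIdentity class, and assumes it runs in Windows PowerShell 5.1 or PowerShell 7 on a domain-joined Windows host. The function name Get-TokenGroupMembership is the example’s own.

```powershell
# Added example (not from the original post): list the groups in the current
# logon token without the Active Directory module, via .NET WindowsIdentity.
# This is the same token data that "whoami /groups" prints.
# Assumes: Windows PowerShell 5.1 or PowerShell 7 on a domain-joined host.

function Get-TokenGroupMembership {
    [CmdletBinding()]
    param()

    $identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # SID of the domain (or workgroup machine) the user account belongs to,
    # used to tell the user's own domain groups apart from everything else.
    $userDomain = $identity.User.AccountDomainSid

    foreach ($sid in $identity.Groups) {
        # Translate each SID to a DOMAIN\Name account. Some SIDs in a token
        # (logon-session SIDs, claim SIDs) have no name; report those as
        # unmapped instead of failing the whole listing.
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unmapped>'
        }

        # Classify the SID so domain groups are easy to separate from the
        # built-in and well-known SIDs present in every token.
        if ($sid.AccountDomainSid -and $sid.AccountDomainSid.Equals($userDomain)) {
            $kind = 'Domain group'
        } elseif ($sid.Value -like 'S-1-5-32-*') {
            $kind = 'BUILTIN alias'
        } elseif ($sid.Value -like 'S-1-16-*') {
            $kind = 'Integrity label'
        } else {
            $kind = 'Well-known or other'
        }

        [PSCustomObject]@{
            Name = $name
            Sid  = $sid.Value
            Kind = $kind
        }
    }
}

# Usage: show only the domain groups, which is usually what "what AD groups
# am I in?" is really asking. Drop the Where-Object to see the whole token.
Get-TokenGroupMembership |
    Where-Object Kind -eq 'Domain group' |
    Sort-Object Name |
    Format-Table Name, Sid -AutoSize
```

Because this reads the token rather than the directory, it reflects group membership as it was when the session was created; a group added or removed since the last logon will not show up until the user logs on again, which is the same limitation whoami /groups has.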

Another way to do this in Command Prompt is gpresult /r:

>> gpresult /r

...
...

The user is a part of the following security groups
---------------------------------------------------
	Domain Users
	Everyone
	BUILTIN\Users
	BUILTIN\Administrators
	NT AUTHORITY\INTERACTIVE
	CONSOLE LOGON
	NT AUTHORITY\Authenticated Users
	This Organization
	LOCAL
	Domain Admins
	Authentication authority asserted identity
	Denied RODC Password Replication Group
	High Mandatory Level

Finally, there’s the net user command:

>> net user /domain <username>

The request will be processed at a domain controller for domain <domain>.

User name                    <username>

...
...

Local Group Memberships      *None
Global Group memberships     *Domain Users         *Domain Admins

It should be noted that there are some functional differences between these Command Prompt group membership queries. For example, some of the commands only display the groups a user is a direct (explicit) member of and don’t show memberships inherited through nested groups (implicit memberships).
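The direct-versus-nested distinction is where the Active Directory module from Method #2 pays off, since the directory can be asked for both answers explicitly. The following is an added example written for this post (not code from the original article or from Stealthbits) that serves both the Method #2 discussion and the caveat above: it lists a user’s direct memberships from the memberOf attribute, then asks a domain controller for the transitive closure using the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), and marks groups that are reached only through nesting. It assumes the RSAT Active Directory module is installed and the caller can read the directory; the function name Get-DirectAndNestedGroups is the example’s own, and the adminCount heuristic for “privileged group” is an assumption the reader may want to replace with their own list of sensitive groups.

```powershell
# Added example (not from the original post): compare a user's direct group
# memberships with the groups reached through nesting, using the Active
# Directory module. Assumes RSAT AD module is installed and the caller can read
# the directory. $SamAccountName defaults to the current user.

function Get-DirectAndNestedGroups {
    param(
        [string]$SamAccountName = $env:USERNAME
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties memberOf, primaryGroupID

    # The primary group (normally Domain Users) is not stored in memberOf or in
    # any group's member attribute; resolve it from <domain SID>-<primaryGroupID>.
    $domainSid  = (Get-ADDomain).DomainSID.Value
    $primaryGrp = Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)" -Properties adminCount

    # Direct (explicit) memberships come straight from the user's memberOf.
    $direct  = @($user.memberOf | ForEach-Object { Get-ADGroup -Identity $_ -Properties adminCount })
    $direct += $primaryGrp

    # Effective memberships: LDAP_MATCHING_RULE_IN_CHAIN makes the DC walk the
    # member attribute transitively. The DN must be escaped per RFC 4515 first
    # (backslash before the others so escapes are not double-escaped).
    $escapedDn = $user.DistinguishedName `
        -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $nested  = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$escapedDn)" -Properties adminCount)
    $nested += $primaryGrp

    $directDns = @($direct.DistinguishedName)
    foreach ($g in ($nested | Sort-Object DistinguishedName -Unique)) {
        [PSCustomObject]@{
            Name      = $g.Name
            Scope     = $g.GroupScope
            Direct    = ($directDns -contains $g.DistinguishedName)
            # adminCount=1 marks objects protected by AdminSDHolder; a useful
            # but not exhaustive indicator of a privileged group (assumption).
            Protected = ($g.adminCount -eq 1)
        }
    }
}

# Usage: full picture first, then the rows an auditor cares about most,
# privileged groups the user reaches only through nesting.
$all = Get-DirectAndNestedGroups
$all | Sort-Object Direct -Descending, Name | Format-Table -AutoSize
$all | Where-Object { $_.Protected -and -not $_.Direct } | Format-Table Name, Scope -AutoSize
```

Two caveats on the design: the chain query only returns groups in the domain being queried, so memberships that flow through groups in other domains of a forest need the same query run against each of those domains; and because it reads the directory rather than the logon token, it can disagree with whoami /groups for a user whose membership changed since their last logon.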

With that said, I recommend using PowerShell as a first option, followed by the UI method, and finally Command Prompt as a last resort (depending on the resources and privileges available to your current user).

© 2020 Stealthbits Technologies, Inc.

Start a Free Stealthbits Trial!

No risk. No obligation.

FREE TRIAL