It’s often helpful to know which Active Directory groups your current user is a member of when joined to a domain. That information is typically easy to obtain, however you need to know where to look.
For many, having a graphical UI is helpful for any task. While this isn’t the quickest way to locate your AD group membership, it’s the best way if you want to avoid the command line (i.e. PowerShell or Command Prompt).
Let’s discuss several methods to achieve our goal, including via the UI, PowerShell, and Command Prompt.
On a Windows Server, Active Directory Users and Computers (along with some optional PowerShell utilities) can be installed from the Server Manager.
Navigate through the wizard to the Features menu, and install: Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > AD DS Tools
Steps may vary depending on your version of Windows 10. For this blog, I’m using Win10 Enterprise Version 20H2.
On Windows 10, open the Start Menu, search for “Manage optional features”, and open that menu. At the top, click on “Add a feature”, search for “RSAT: Active Directory Domain Services and Lightweight Directory Services Tools”, and install that feature.
You may also need to install the “RSAT: Server Manager” feature first.
You can now search for “Active Directory Users and Computers” in the Start Menu and launch that feature on either Windows Server or Windows 10
Use the left sidebar to navigate through your domain, down into the containers (folders, organizational units, etc.) that contain users, locate your user, right-click your user, and click Properties. In Properties, navigate to the Member Of tab, and you’ll see which groups that user is a member of.
That was quite cumbersome, wasn’t it? While using the UI is nice for some, it’s by no means an efficient way to query for this type of information. Let’s dive into some simple PowerShell and Command Prompt queries, which will output similar information in a fraction of the time.
If you followed the previous steps to install Active Directory Users and Computers, then you may have noticed there were also options to install the Active Directory PowerShell Module while doing so. This module makes querying Active Directory information much easier than in the UI – take the following query as an example:
PS >> Get-ADPrincipalGroupMembership <username> | select name name ---- Domain Users Domain Admins
This gives us the same information as the UI screenshot above, in far less time. If you remove the | select name from the query, then you can get additional information about each group a user is a member of such as distinguishedName, GroupCategory, GroupScope, objectClass, objectGUID, SamAccountName, and SID.
While PowerShell is more robust, allowing you to manipulate query results in more meaningful ways, Command Prompt may be the simplest approach to gathering group membership information. In fact, we don’t need to install anything ahead of time – these commands are available out of the box with most versions of Windows.
The simplest is whoami /groups, which gives a simple listing of both domain and local group membership for the user running the Command Prompt session:
>> whoami /groups GROUP INFORMATION ----------------- Group Name Type ... ============================================== ================ ===== Everyone Well-known group ... BUILTIN\Users Alias ... BUILTIN\Administrators Alias ... NT AUTHORITY\INTERACTIVE Well-known group ... CONSOLE LOGON Well-known group ... NT AUTHORITY\Authenticated Users Well-known group ... NT AUTHORITY\This Organization Well-known group ... LOCAL Well-known group ... SBPMLAB\Domain Admins Group ... Authentication authority asserted identity Well-known group ... Mandatory Label\High Mandatory Level Label ...
You’ll notice this output is a bit more verbose than the PowerShell command we discussed, which is typically why PowerShell is my go-to CLI workflow for querying Active Directory group information. However, the built-in Command Prompt commands are convenient if you don’t have the ability to install the PowerShell Active Directory Module.
Another way to do this in Command Prompt is gpresult /r:
>> gpresult /r ... ... The user is a part of the following security groups --------------------------------------------------- Domain Users Everyone BUILTIN\Users BUILTIN\Administrators NT AUTHORITY\INTERACTIVE CONSOLE LOGON NT AUTHORITY\Authenticated Users This Organization LOCAL Domain Admins Authentication authority asserted identity Denied RODC Password Replication Group High Mandatory Level
Finally, there’s the net user command:
>> net user /domain <username> The request will be processed at a domain controller for domain <domain>. User name <username> ... ... Local Group Memberships *None Global Group memberships *Domain Users *Domain Admins
It should be noted that there are some functional differences between these Command Prompt group membership queries. For example, some of the commands don’t consider implicit group memberships and only display explicit groups.
With that said, I recommend using PowerShell as a first option, followed by the UI method, and finally Command Prompt as a last resort (depending on the resources and privileges available to your current user).
IDENTIFY THREATS. SECURE DATA. REDUCE RISK.
Stealthbits Technologies, Inc. is a customer-driven cybersecurity software company focused on protecting an organization’s sensitive data and the credentials attackers use to steal that data. By removing inappropriate data access, enforcing security policy, and detecting advanced threats, our highly innovative and infinitely flexible platform delivers real protection that reduces security risk, fulfills compliance requirements, and decreases operational expense.
For more information on how Stealthbits protects Active Directory and more, please visit stealthbits.com.
Start a Free Stealthbits Trial!
No risk. No obligation.