
How to Check AD Group Membership

You can check Active Directory group membership from the command line with net user or dsget, or in PowerShell with the Get-ADGroupMember cmdlet.

Active Directory groups are a convenient way to manage and grant access permissions to users, such as access to specific servers and computers.

As an administrator, you need to check Active Directory group membership to verify who has access to resources and to ensure each user has only the access permissions they need.

In this article, I will explain how to check AD group membership using the command-line net user tool, dsget, or the Get-ADGroupMember cmdlet in PowerShell.

Check AD Group Membership using Command Line

You can check Active Directory group membership using the net user command. The syntax is:

net user /domain "<Active Directory Account>"

For example, to check AD group membership for the AD user toms, run the following command:

net user /domain toms

The above command returns the AD group membership for the account toms, as shown below.

Check AD Group Membership using Command line net user

Get all Users members of AD Group using net group

You can get all users who are members of a specific Active Directory group using the net group command, as given below:

net group /domain "SALESLeader"

Open a command prompt and type the above command to get all users who are members of a specific AD group.

In the above example, SALESLeader is the AD group name, and net group returns all the users belonging to that group.

The output of the above command lists the members of the AD group:

C:\Windows\system32>net group /domain SALESLeader
Group name     SALESLeader
Comment

Members

-------------------------------------------------------------------------------
chrisd                   toms
The command completed successfully.

Check AD Group Membership using dsget

You can check AD group membership for users using the dsget tool.

The syntax for the dsget tool is:

dsget user "<distinguishedname>" -memberof -expand

When using the dsget tool to check AD group membership, specify the user's distinguishedName instead of the user name.

The following example gets the AD group membership for the user Tom using the dsget tool:

dsget user "CN=Tom Smith,OU=SALES,DC=SHELLPRO,DC=LOCAL" -memberof -expand

In the above, the dsget tool gets the AD group membership for the user specified by distinguishedName, as shown below:

C:\Windows\system32>dsget user "CN=Tom Smith,OU=SALES,DC=SHELLPRO,DC=LOCAL" -memberof -expand
"CN=SALESLeader,OU=SALES,DC=SHELLPRO,DC=LOCAL"
"CN=Domain Users,CN=Users,DC=SHELLPRO,DC=LOCAL"
"CN=Users,CN=Builtin,DC=SHELLPRO,DC=LOCAL"

The above output shows the AD group membership of the user toms in Active Directory.

Get All Users members of AD group using dsget

You can get all users who are members of a specified AD group using the dsget tool, as below:

dsget group "CN=SALESLeader,OU=SALES,DC=SHELLPRO,DC=LOCAL" -members -expand

In the above command, dsget lists the members of the AD group SALESLeader.

The output of the above example is:

C:\Windows\system32>dsget group "CN=SALESLeader,OU=SALES,DC=SHELLPRO,DC=LOCAL" -members -expand
"CN=Chris Dore,OU=SALES,DC=SHELLPRO,DC=LOCAL"
"CN=Tom Smith,OU=SALES,DC=SHELLPRO,DC=LOCAL"


Check AD Group Membership using PowerShell

You can check Active Directory group membership using the Get-ADGroupMember cmdlet in PowerShell.

Get-ADGroupMember -Identity SALESLEADER -Recursive | ft Name

In the above PowerShell command, the Get-ADGroupMember cmdlet gets all users who are members of the specified Active Directory group, with -Recursive including the members of nested groups, and returns their names as below:

PS C:\Windows\system32> Get-ADGroupMember -Identity SALESLEADER -Recursive |ft Name

Name
----
Tom Smith
Chris Dore
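
The following access-review sketch is an added example, not part of the original article. It assumes the ActiveDirectory module is installed and a domain controller is reachable; the function name Get-ADGroupAccessReview and the approved list passed to it are hypothetical.

```powershell
#Requires -Modules ActiveDirectory

function Get-ADGroupAccessReview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Group,       # group to review, e.g. SALESLeader
        [Parameter(Mandatory)][string[]]$Approved   # sAMAccountNames expected to have access
    )

    # Direct members only (this list can contain nested groups themselves).
    $direct = @{}
    foreach ($m in Get-ADGroupMember -Identity $Group) {
        $direct[$m.DistinguishedName] = $true
    }

    # -Recursive flattens nesting and returns only the non-group (leaf) members.
    $seen = @{}
    foreach ($m in Get-ADGroupMember -Identity $Group -Recursive) {
        $seen[$m.SamAccountName] = $true
        [pscustomobject]@{
            Group    = $Group
            Account  = $m.SamAccountName
            Class    = $m.objectClass        # user, computer, ...
            Source   = if ($direct.ContainsKey($m.DistinguishedName)) { 'Direct' } else { 'Nested' }
            Approved = $m.SamAccountName -in $Approved
        }
    }

    # Approved accounts that are not members any more: the baseline is stale.
    foreach ($name in $Approved) {
        if (-not $seen.ContainsKey($name)) {
            [pscustomobject]@{ Group = $Group; Account = $name; Class = $null
                               Source = 'NotMember'; Approved = $true }
        }
    }
}

# Constructed baseline: only toms is approved for SALESLeader.
# Lists every effective member that is not on the approved list.
Get-ADGroupAccessReview -Group SALESLeader -Approved 'toms' |
    Where-Object { -not $_.Approved } |
    Format-Table Group, Account, Class, Source
```

Rows with Source set to Nested are accounts that gained access through another group rather than by direct assignment, which is where unintended access usually hides.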

You can use the Get-ADPrincipalGroupMembership cmdlet in PowerShell to list the Active Directory groups that a user is a member of, as below:

Get-ADPrincipalGroupMembership Toms | Select Name

This command lists the AD groups that the user Toms is a member of:

PS C:\Windows\system32> Get-ADPrincipalGroupMembership Toms | Select Name

Name
----
Domain Users
SALESLeader

You can also use the Get-ADUser cmdlet to list the AD groups that a user is a member of:

Get-ADUser Toms -Properties Memberof | Select -ExpandProperty memberOf

In the above PowerShell command, the Get-ADUser cmdlet gets the list of AD groups that the user Toms is a member of and displays them as below:

PS C:\Windows\system32> Get-ADUser Toms -Properties Memberof | Select -ExpandProperty memberOf
CN=SALESLeader,OU=SALES,DC=SHELLPRO,DC=LOCAL
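
The dsget output earlier also lists the Builtin Users group, which does not appear in either PowerShell output above because that membership is inherited through another group. The following added example (not from the original article) walks the nesting with Get-ADPrincipalGroupMembership to show every group a user effectively belongs to and the path that grants it. The function name Get-NestedGroupMembership is hypothetical, and the ActiveDirectory module and domain connectivity are assumed.

```powershell
#Requires -Modules ActiveDirectory

function Get-NestedGroupMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity   # sAMAccountName or DN, e.g. toms
    )

    $seen  = @{}   # group DN -> $true; stops loops when groups are nested circularly
    $queue = [System.Collections.Generic.Queue[object]]::new()

    $user = Get-ADUser -Identity $Identity
    $queue.Enqueue([pscustomobject]@{
        Principal = $user; Path = $user.SamAccountName; Depth = 0 })

    # Breadth-first walk: groups of the user first, then groups of those groups.
    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        foreach ($g in Get-ADPrincipalGroupMembership -Identity $item.Principal) {
            if ($seen.ContainsKey($g.DistinguishedName)) { continue }
            $seen[$g.DistinguishedName] = $true

            $path  = "$($item.Path) -> $($g.Name)"
            $depth = $item.Depth + 1

            [pscustomobject]@{
                Group             = $g.Name
                Direct            = ($depth -eq 1)   # $false means inherited via nesting
                Depth             = $depth
                Path              = $path
                DistinguishedName = $g.DistinguishedName
            }

            $queue.Enqueue([pscustomobject]@{
                Principal = $g; Path = $path; Depth = $depth })
        }
    }
}

# Example call for the account used in this article.
Get-NestedGroupMembership -Identity toms |
    Sort-Object Depth, Group |
    Format-Table Group, Direct, Path
```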

Conclusion

I hope the above article on how to check AD group membership using the command-line net user tool, dsget, or PowerShell cmdlets is helpful to you.

There are other ways, like dsquery or ADUC (Active Directory Users and Computers), to check AD group membership.

An administrator's job is to monitor user access and make sure users have only the permissions they need.

Using the above command-line tools or PowerShell cmdlets, you can easily check AD group membership.