Home » PowerShell » Get-ADPrincipalGroupMembership – Active Directory

Get-ADPrincipalGroupMembership – Active Directory

PowerShell Get-ADPrincipalGroupMembership cmdlet in active directory gets active directory groups that have users, computers, service accounts, and group member of.

Get-AdPrincipalGroupMembership active directory cmdlet requires a global catalog to perform the group search. If you want to search for local groups in different domains, use ResourceContextParameter to specify the server name in the other domain name.

In this article, I will explain how to use the Get-AdPrincipalGroupMembership active directory cmdlet to get group memberships for a user, get group memberships for an account in the resource domain, and get group memberships for adcomputer in PowerShell.

Get-ADPrincipalGroupMembership Syntax

Get-AdPrincipalGroupMembership cmdlet in active directory to get active directory groups that have user, group, computer, and service account members of.

Get-ADPrincipalGroupMembership
   [-AuthType <ADAuthType>]
   [-Credential <PSCredential>]
   [-Identity] <ADPrincipal>
   [-Partition <String>]
   [-ResourceContextPartition <String>]
   [-ResourceContextServer <String>]
   [-Server <String>]
   [<CommonParameters>]

Description

AuthType – authentication method to use based on either Basic (or 1) or Negotiate (or 0). It has Negotiate default authentication method.

SSL (Secure Socket Layer) connection is required to use the Basic Authentication method.

Credential – It specifies user credentials required to perform the task.

To use the Credential parameter, use username as User1 or domain\User1 or you can create and use the PSCredential object by using the Get-Credential cmdlet.

-Partition – It specifies the distinguished name of an active directory partition.

-Identity – Identity parameter specified user, groups, computer, or service account object that you want to get active directory groups membership. You can identify user, group, computer, or service account by

  1. Distinguished
  2. Name
  3. SAMAccountName
  4. Security Identifier
  5. GUID

Get-AdPrincipalGroupMembership Examples

Let’s understand how to get active directory groups that have user, computer, or groups membership using examples below

Get Group Memberships for user in AD LDS Instance

Let’s consider an example to get all group memberships for user CN=Toms, DC=SHELLPRO in the active directory LDS instance

Get-ADPrincipalGroupMembership -Server localhost:60000 -Identity "CN=toms,DC=SHELLPRO,DC=LOCAL" -Partition "DC=SHELLPRO"

It retrieves all the groups for a user identified by a distinguished name.

Cool Tip: How to use reset active directory password in PowerShell!

Get AdUser Group Membership

You can get aduser group membership using the Get-AdPrincipalGroupMembership cmdlet for a specified user.

Get-ADPrincipalGroupMembership -Identity toms

In the above PowerShell, the Get-ADPrincipalGroupMembership cmdlet gets all the groups for the aduser specified by the Identity parameter.

The output of the above command to get aduser group membership is:

Get-AdPrincipalGroupMembership - Get all groups
Get-AdPrincipalGroupMembership – Get all groups for aduser

In the above output, it gets all groups details for the aduser, however, if you want to get an active directory group name and description for a specified user, run the below command

Get-ADPrincipalGroupMembership -Identity toms | Get-ADGroup -Properties Description | Select Name, Description

The first command gets group membership for aduser toms specified by the Identity parameter and passes group objects to the second command.

The Get-AdGroup command gets the Description property and passes the output to the third command.

The third command, Select Name and Description to print active directory group memberships for users on the console as below

Name                        Description
----                        -----------
Domain Users                All domain users
Administrators              Administrators have complete and unrestricted access to the computer/domain
Schema Admins               Designated administrators of the schema
Enterprise Admins           Designated administrators of the enterprise
Domain Admins               Designated administrators of the domain
Group Policy Creator Owners Members in this group can modify group policy for the domain

Cool Tip: How to find an adusers password expiration date in PowerShell!

Get Group Memberships for an account in Resource Domain

If you want to get all of the group memberships for the aduser account in the resource domain, use ResourceContextServer parameters to specify the resource domain, and run the below command

Get-ADPrincipalGroupMembership -Identity Toms -ResourceContextServer SALES.SHELLPRO.COM -ResourceContextPartition "DC=SHELLPRO,DC=COM"

Get-AdPrincipalGroupMembership Filter Groups

PowerShell Get-AdPrincipalGroupMembership cmdlet in the active directory gets all of the ad groups user account members of.

If you have a requirement to filter active directory groups to get specific groups based on condition, run the below command

Get-ADPrincipalGroupMembership -Identity Toms | Select Name | Where-Object {$_.Name -like 'Domain*'} | Sort Name

In the above PowerShell script,

Get-AdPrincipalGroupMembership cmdlet gets all the active directory groups specified by the Identity parameter and passes the output to the second command.

Second Command Select Name of the active directory group and pass the output to the third command.

The third command uses Where-Object cmdlet to specify search condition where active directory group name like ‘Domain*’ and pass output to the fourth command.

The fourth command, get all filtered list of active directory group membership for user Toms, output as below

Name
----
Domain Admins
Domain Users

Cool Tip: How to find Get-ADComputer last logon in PowerShell!

Get-AdPrincipalGroupMembership Computer Details

If you want to get active directory group memberships for ad computers member of, run the below command

Get-ADPrincipalGroupMembership -Identity 'CN=OPER-01,CN=Computers,DC=SHELLPRO,DC=LOCAL' | Select-Object Name

In the above PowerShell script, it gets all of the group memberships for the distinguished adcomputer specified by the Identity parameter and passes the output to the second command.

Second command select Name of active directory groups that adcomputer account member of and print it on console as below

PS C:\Windows\system32> Get-ADPrincipalGroupMembership -Identity 'CN=OPER-01,CN=Computers,DC=SHELLPRO,DC=LOCAL' | Select-Object Name

Name
----
Domain Computers
Domain Users

Cool Tip: How to find Get-ADGroup SID in PowerShell!

Conclusion

I hope the above article using PowerShell Get-AdPrincipalGroupMembership cmdlet in the active directory gets the active directory groups details of the user, ad computer, service account, or group member of.

Using the Get-AdPrincipalGroupMembership cmdlet get group membership for the specified user and group membership for the adcomputer.

You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.

Leave a Comment