How to get all groups that a user is a member of?

Backend | Unresolved | 30 | 1665
攒了一身酷 2020-12-04 05:56

PowerShell's Get-ADGroupMember cmdlet returns members of a specific group. Is there a cmdlet or property to get all the groups that a particular user is a member of?

30 answers
  • 2020-12-04 06:36

    Get-Member is not for getting a user's group membership. If you want to get a list of groups a user belongs to on the local system, you can do so by:

    $query = "ASSOCIATORS OF {Win32_Account.Name='DemoUser1',Domain='DomainName'} WHERE ResultRole=GroupComponent ResultClass=Win32_Account"
    
    Get-WMIObject -Query $query | Select Name
    

    In the above query, replace DemoUser1 with the username you want and the DomainName with either your local computer name or domain name.

    0 Discussion (0)
  • 2020-12-04 06:37

    To get it recursive, you can use:

    <# 
        .SYNOPSIS   
            Get all the groups that a user is MemberOf.
    
        .DESCRIPTION
            This script retrieves all the groups that a user is MemberOf in a recursive way.
    
        .PARAMETER SamAccountName
            The name of the user you want to check #>
    
    Param (
        [String]$SamAccountName = 'test',
        # The primary group (Domain Users by default) is not listed in MemberOf, so it is added explicitly
        $DomainUsersGroup = 'CN=Domain Users,CN=Users,DC=domain,DC=net'
    )
    
    
    Function Get-ADMemberOf {
        Param (
            [Parameter(ValueFromPipeline)]
            [PSObject[]]$Group,
            [String]$DomainUsersGroup = 'CN=Domain Users,CN=Users,DC=domain,DC=net'
        )
        Process {
            foreach ($G in $Group) {
                $G | Get-ADGroup | Select-Object -ExpandProperty Name
                # Recurse into each parent group; circular nesting (A in B, B in A) would recurse without end
                Get-ADGroup $G -Properties MemberOf | Select-Object -ExpandProperty MemberOf | ForEach-Object {
                    Get-ADMemberOf $_
                }
            }
        }
    }
    
    
    # Wrap in @() so a user with a single direct group still yields an array (otherwise += concatenates strings)
    $Groups = @(Get-ADUser $SamAccountName -Properties MemberOf | Select-Object -ExpandProperty MemberOf)
    $Groups += $DomainUsersGroup
    $Groups | Get-ADMemberOf | Select-Object -Unique | Sort-Object
    
    0 Discussion (0)
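The recursive walk above, and the Get-ADPrincipalGroupMembership answers further down, both stop at a level the directory reports rather than at what the user effectively holds. The added example below (editor's code, not from any answer here) enumerates effective membership breadth-first with a visited set so circular nesting terminates, includes the primary group that MemberOf omits, and cross-checks the result with a single LDAP_MATCHING_RULE_IN_CHAIN query. It assumes the ActiveDirectory module is available and the function and parameter names are the author's own.

```powershell
# Added example: effective (nested) group membership for an AD user.
# Assumes the ActiveDirectory module is loaded; function names are hypothetical.
Import-Module ActiveDirectory

function Get-EffectiveGroupMembership {
    param ([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, PrimaryGroup
    # Seed with direct memberships plus the primary group, which MemberOf does not list.
    $queue = [System.Collections.Generic.Queue[object]]::new()
    foreach ($dn in @($user.MemberOf) + $user.PrimaryGroup) {
        $queue.Enqueue(@{ DN = $dn; Depth = 1 })
    }
    # DNs already visited: stops circular nesting and duplicate paths through the graph.
    $seen = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)

    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        if (-not $seen.Add($item.DN)) { continue }
        $group = Get-ADGroup -Identity $item.DN -Properties MemberOf
        [pscustomobject]@{
            Name              = $group.Name
            Scope             = $group.GroupScope
            Depth             = $item.Depth      # 1 = direct, 2+ = inherited through nesting
            DistinguishedName = $group.DistinguishedName
        }
        foreach ($parent in @($group.MemberOf)) {
            $queue.Enqueue(@{ DN = $parent; Depth = $item.Depth + 1 })
        }
    }
}

# Cross-check: LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the
# domain controller walk the nesting server-side. It does not include the primary group,
# and a DN containing '(' ')' '*' or '\' must be escaped per RFC 4515 before use in a filter.
function Get-EffectiveGroupMembershipViaLdap {
    param ([Parameter(Mandatory)][string]$SamAccountName)
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" -Properties GroupScope |
        Select-Object Name, GroupScope
}

# Usage with a constructed account name:
Get-EffectiveGroupMembership -SamAccountName 'jdoe' | Sort-Object Depth, Name | Format-Table -AutoSize
Get-EffectiveGroupMembershipViaLdap -SamAccountName 'jdoe' | Sort-Object Name
```

Any group that appears in the first list but not the second is either the primary group or was reached through an object the caller cannot read, which is itself worth knowing when reviewing who can access what.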
  • 2020-12-04 06:38

    The below works well:

    get-aduser $username -Properties memberof | select -expand memberof
    

    If you have a list of users:

    $list = 'administrator','testuser1','testuser2'
    $list | `
        %{  
            $user = $_; 
            get-aduser $user -Properties memberof | `
            select -expand memberof | `
            %{new-object PSObject -property @{User=$user;Group=$_;}} `
        }
    
    0 Discussion (0)
  • 2020-12-04 06:39

    This is the simplest way to just get the names:

    Get-ADPrincipalGroupMembership "YourUserName"

    # Returns:
    # distinguishedName : CN=users,OU=test,DC=SomeWhere
    # GroupCategory     : Security
    # GroupScope        : Global
    # name              : testGroup
    # objectClass       : group
    # objectGUID        : 2130ed49-24c4-4a17-88e6-dd4477d15a4c
    # SamAccountName    : testGroup
    # SID               : S-1-5-21-2114067515-1964795913-1973001494-71628

    Add a select statement to trim the response, or, to get every group that each user in an OU is a member of:

    # $oupath holds the distinguished name of the OU to search
    foreach ($user in (Get-ADUser -SearchScope Subtree -SearchBase $oupath -Filter * -Properties samAccountName, MemberOf | Select-Object samAccountName)) {
        Get-ADPrincipalGroupMembership $user.samAccountName | Select-Object name
    }

    0 Discussion (0)
  • 2020-12-04 06:40

    Get-Member is a cmdlet for listing the members of a .NET object. This has nothing to do with user/group membership. You can get the current user's group membership like so:

    PS> [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | 
             Format-Table -auto
    
    BinaryLength AccountDomainSid    Value
    ------------ ----------------    -----
              28 S-1-5-21-...        S-1-5-21-2229937839-1383249143-3977914998-513
              12                     S-1-1-0
              28 S-1-5-21-...        S-1-5-21-2229937839-1383249143-3977914998-1010
              28 S-1-5-21-...        S-1-5-21-2229937839-1383249143-3977914998-1003
              16                     S-1-5-32-545
    ...
    

    If you need access to arbitrary users' group info then @tiagoinu's suggestion of using the Quest AD cmdlets is a better way to go.

    0 Discussion (0)
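The token listing above shows SIDs only. The added example below (editor's code, not from this answer) resolves each SID in the current logon token to an account name, marks the built-in Administrators SID, and reports whether the running session actually holds the Administrator role; it uses only the .NET types already shown and runs as the current user.

```powershell
# Added example: name the groups in the current token and check for the admin role.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]::new($identity)

$identity.Groups | ForEach-Object {
    # Orphaned or foreign-domain SIDs cannot be translated; record that instead of failing.
    $name = $(try { $_.Translate([System.Security.Principal.NTAccount]).Value }
              catch { '<unresolvable>' })
    [pscustomobject]@{
        Sid             = $_.Value
        Name            = $name
        IsBuiltinAdmins = $_.IsWellKnown([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid)
    }
} | Format-Table -AutoSize

# The token, not the directory, is what access checks evaluate. Under UAC the
# Administrators SID can be present but deny-only, in which case IsInRole is false.
'Holds Administrator role in this session: ' +
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
```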
  • 2020-12-04 06:40

    While there are many excellent answers here, there is one which I was personally looking for that was missing. Once I figured it out - I thought I should post it in case I want to find it later, or it actually manages to help someone else at some point:

    Get-ADPrincipalGroupMembership username | Format-Table -auto
    

    A second approach for presenting this is to specify the individual columns you are interested in, e.g.:

    Get-ADPrincipalGroupMembership username | select name, GroupScope, GroupCategory
    

    This gives all the AD groups the username belongs to - but also presents all of the default properties of each group formatted nicely as a table.

    The key benefit this gives you is you can see at a glance which are distribution lists, & which are Security groups. You can further see at a glance which are Universal, which are DomainLocal & which are Global.
    Why would you care about this last bit?

    • Universal group is a security or distribution group that contains users, groups, and computers from any domain in its forest as members. You can give universal security groups rights and permissions on resources in any domain in the forest.
    • Global group is a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. In all those locations, you can give a global group rights and permissions and the global group can become a member of local groups. However, a global group can contain user accounts that are only from its own domain.
    • Domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. You can give domain local security groups rights and permissions on resources that reside only in the same domain where the domain local group is located.
    0 Discussion (0)