
Quick Tip: Enumerate a User's AD Group Memberships

Published on Thursday, August 28, 2014

Using the following two commands you can easily retrieve all the groups a user is a member of. Because the lookup reads the user's tokenGroups attribute, a constructed attribute in which the domain controller expands the user's security group membership transitively, it also accounts for membership inherited through nested groups. Here is the first command; it is a multi-line command that stores all of the groups the user is a member of in the $tokenGroups variable. The groups are represented by their SIDs.

$tokenGroups = Get-ADUser -SearchScope Base -SearchBase 'CN=thomas,OU=Admin Accounts,DC=contoso,DC=com' `
    -LDAPFilter '(objectClass=user)' -Properties tokenGroups | Select-Object `
    -ExpandProperty tokenGroups | Select-Object -ExpandProperty Value

To easily translate them to their AD account names you can use the following command, which I blogged about earlier (Quick Tip: Resolving a SID to an AccountName). Keep in mind that Translate() throws an IdentityNotMappedException for a SID it cannot resolve (for instance a SID from a trusted domain that is not reachable), which aborts the pipeline unless you catch it.

$groups = $tokenGroups | % { ((New-Object System.Security.Principal.SecurityIdentifier($_)).Translate([System.Security.Principal.NTAccount])).Value }

Using the "-SearchScope Base -SearchBase …" approach seems to be necessary, as you cannot simply use Get-ADUser username …: tokenGroups is a constructed attribute that the directory only computes for a base-scope search against the object itself, which is exactly what the -SearchBase/-SearchScope Base/-LDAPFilter combination forces.
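The two commands above wrapped into a reusable function, as an added example that is not code from the original post. It assumes the ActiveDirectory module (RSAT) is loaded and that the caller can read the user object; the function and parameter names, and the sample identity in the usage comment, are my own choices. It resolves the identity to a DN first, runs the base-scope tokenGroups lookup, and catches the unresolvable-SID case instead of aborting. A second function cross-checks the result with an LDAP_MATCHING_RULE_IN_CHAIN query, escaping the DN before it is embedded in the filter.

```powershell
# Added example; not the original post's code.
# Assumes the ActiveDirectory module (RSAT) is available.
function Get-TokenGroupMembership {
    [CmdletBinding()]
    param(
        # Anything Get-ADUser accepts: sAMAccountName, DN, SID, GUID.
        [Parameter(Mandatory = $true)]
        [string]$Identity
    )

    # tokenGroups is a constructed attribute that the DC only computes for a
    # base-scope search of the object itself, so resolve the DN first and use
    # it as the search base.
    $user = Get-ADUser -Identity $Identity -ErrorAction Stop

    $sids = Get-ADUser -SearchBase $user.DistinguishedName -SearchScope Base `
        -LDAPFilter '(objectClass=user)' -Properties tokenGroups |
        Select-Object -ExpandProperty tokenGroups

    foreach ($sid in $sids) {
        # Works whether the value arrives as a SecurityIdentifier or as an
        # SDDL string such as 'S-1-5-21-...'.
        $sidObj = [System.Security.Principal.SecurityIdentifier]$sid
        try {
            $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # Unresolvable SID (e.g. unreachable trusted domain): keep the SID,
            # do not abort the whole enumeration.
            $name = $null
        }
        [PSCustomObject]@{
            User = $user.SamAccountName
            SID  = $sidObj.Value
            Name = $name
        }
    }
}

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory = $true)][string]$Value)
    # RFC 4515 escaping for a value embedded in an LDAP search filter, so a DN
    # containing '(', ')', '*' or '\' cannot break or alter the filter.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Get-TransitiveGroupMembership {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -ErrorAction Stop
    $dn = ConvertTo-LdapFilterValue $user.DistinguishedName

    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) walks the
    # member attribute transitively. Unlike tokenGroups this also returns
    # distribution groups and does not return the primary group (membership
    # via primaryGroupID is not stored in 'member'), so expect those
    # differences when comparing the two lists.
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Select-Object Name, GroupCategory, GroupScope, @{ n = 'SID'; e = { $_.SID.Value } }
}

# Usage (constructed sample identity, not from the post):
# Get-TokenGroupMembership -Identity thomas | Format-Table -AutoSize
# Compare-Object (Get-TokenGroupMembership thomas).SID (Get-TransitiveGroupMembership thomas).SID
```

The Compare-Object line in the usage comment is the practical check: any SID that appears only on the tokenGroups side should be the primary group (typically Domain Users), and anything only on the chain-query side should be a distribution group; anything else is worth a closer look.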



Comments

Anonymous
01 September, 2014 11:42

Suggestion to anonymize your LDAP Search base used in your example...

01 September, 2014 13:16

Doh. I usually pay a lot of attention to that kind of stuff but I missed this one. Thanks a lot for taking the time to point this out!

Anonymous
09 September, 2014 16:39

Get-ADPrincipalGroupMembership ?
