Enumerate Active Directory User and Computer group membership

Overview

Summary

Enumerate the group memberships for a user or computer

Features / Tools

Benefits

  • Answer "Which groups does ____ belong to?"

Guidance

Current Logged in User

PowerShell
Get-ADPrincipalGroupMembership -Identity $env:USERNAME | select DistinguishedName

User by samAccountName

PowerShell
$identity = "john.doe" # Replace with the user's samAccountName
Get-ADPrincipalGroupMembership -Identity $identity | select DistinguishedName
CMD
dsquery user -samid john.doe | dsget user -memberof -expand

Current Computer

PowerShell
# Computer samAccountNames end in a $, so we append it to $env:computername
Get-ADPrincipalGroupMembership -Identity $("$env:COMPUTERNAME$") | select DistinguishedName

Computer by samAccountName

PowerShell
$computerName = "Desktop-1234"
# Computer samAccountNames end in a $, so this must be appended
$samAccountName = $computerName + "$"
Get-ADPrincipalGroupMembership -Identity $samAccountName | select DistinguishedName

Note: we do not append $ to the computer name for dsquery.

CMD
dsquery computer -name Desktop-1234 | dsget computer -memberof -expand
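
Get-ADPrincipalGroupMembership returns only the groups the principal is a direct member of, while dsget with -expand also follows group nesting. The following is an added example, not part of the original page, that produces the nested view in PowerShell and flags which groups are reached only through nesting. It assumes a single domain and the RSAT ActiveDirectory module; the function names ConvertTo-LdapFilterValue and Get-TransitiveGroupMembership are hypothetical.

```powershell
Import-Module ActiveDirectory   # RSAT module, also required by Get-ADPrincipalGroupMembership

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so names or DNs containing \ * ( ) cannot alter the filter
    [regex]::Replace($Value, '[\\*()\x00]', { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

function Get-TransitiveGroupMembership {
    param(
        # Users: "john.doe". Computers: name plus trailing $, e.g. "Desktop-1234$"
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $lookup = "(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName))"
    $principal = Get-ADObject -LDAPFilter $lookup -Properties primaryGroupID, objectSid
    if (-not $principal) { throw "No object found with samAccountName '$SamAccountName'" }

    $groups = @{}                                # DN -> group, de-duplicates results
    $seeds  = @($principal.DistinguishedName)    # objects whose membership chain is walked

    # The primary group (e.g. Domain Users) is referenced by RID in primaryGroupID,
    # not by the group's member attribute, so it is resolved separately.
    if ($principal.primaryGroupID) {
        $sid = "$($principal.objectSid.AccountDomainSid)-$($principal.primaryGroupID)"
        $primary = Get-ADGroup -Identity $sid
        $groups[$primary.DistinguishedName] = $primary
        $seeds += $primary.DistinguishedName
    }

    foreach ($dn in $seeds) {
        # LDAP_MATCHING_RULE_IN_CHAIN: the domain controller follows member links recursively
        $filter = "(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $dn))"
        Get-ADGroup -LDAPFilter $filter | ForEach-Object { $groups[$_.DistinguishedName] = $_ }
    }
    $groups.Values | Sort-Object DistinguishedName | Select-Object DistinguishedName, GroupScope
}

# Groups listed here but absent from the direct list are granted through nesting
$identity = "john.doe"   # constructed sample value, same placeholder as above
$direct = (Get-ADPrincipalGroupMembership -Identity $identity).DistinguishedName
Get-TransitiveGroupMembership -SamAccountName $identity |
    Select-Object *, @{ n = 'ViaNesting'; e = { $_.DistinguishedName -notin $direct } }
```

Rows with ViaNesting set to True are the memberships an access review most often misses, since they do not appear on the account's own Member Of tab.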