on September 4, 2010
On Windows OS we can find the list of local user groups created on a system from Contorl Panel -> User Accounts. This information can be obtained from command line also using net command. Syntax is shown below.
net localgroup
Example: Running this command shows the following local groups on my system.
C:\>net localgroup Aliases for \\techblogger-pc ---------------------------------------------------------------------------- *Administrators *Backup Operators *Debugger Users *Guests *Network Configuration Operators *Power Users *Remote Desktop Users *Replicator *Users The command completed successfully.
How to list the users in a local group?
Use the below command to know the list of members of a group from command line.
net localgroup groupName
For example to get the list of all remote desktop users on a system we can run the below command.
net localgroup "Remote Desktop users"
How to find the list of all groups a user is member of?
You can run the below command to list the groups a user is member of. This command prints the details of the given user account. You can find the group membership information in the last two line of this command output.
net user userName
Example:
H:\>net user John User name John Full Name Comment User's comment Country code 000 (System Default) Account active Yes Account expires Never Password last set 12/2/2010 11:00 PM Password expires 4/1/2011 11:00 PM Password changeable 12/2/2010 11:00 PM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon Logon hours allowed All Local Group Memberships *Debugger Users *Users Global Group memberships *None
Related Posts:
Add user to group from windows command line
Remove user from group using windows command prompt
cmd Viewing user groups
Viewing user groups in the Windows Command Prompt (cmd) allows you to see the various groups that exist on your system, as well as which users are part of those groups. This is particularly useful for system administrators who need to manage permissions and access rights effectively. Below, I’ll explain how to view user groups in cmd, along with examples and expected outputs.
1. Viewing All User Groups
To view all user groups on your Windows system, you can use the net localgroup command.
Basic Syntax:
Example:
To list all local groups, simply enter:
Output:
Output Explanation:
- This command displays a list of all local groups on the computer. Groups like
Administrators,Guests, andUsersare commonly found on Windows systems.
2. Viewing Members of a Specific User Group
To view the members of a specific user group, you can use the net localgroup command followed by the group name.
Basic Syntax:
Example:
To view the members of the Administrators group, enter:
Output:
Output Explanation:
- This command lists all users that are members of the
Administratorsgroup. In this example,YourUsernameandAdministratorare shown as members.
3. Viewing Group Membership of a Specific User
To view which groups a specific user belongs to, you can use the net user command followed by the username.
Basic Syntax:
Example:
To view the group memberships of a user named YourUsername, enter:
Output:
Output Explanation:
- This command provides detailed information about the specified user, including their local group memberships (e.g.,
Usersin this case).
4. Summary
Viewing user groups in the Windows Command Prompt can be accomplished using commands like net localgroup to list all groups and net user to find group memberships for specific users. These commands are valuable for managing user access and permissions within a Windows environment, helping administrators ensure that users have appropriate rights based on their roles.
In this post, we’ll learn how to get all groups a user is a member of using PowerShell.
We’ll also show multiple methods to know in which groups a user belongs to by exploring the following:
-
1
Get all Groups a user is a member of-
1.1
Which groups a user is a member of using Command Prompt -
1.2
Get Group Membership PowerShell-
1.2.1
Check Group Scope Using PowerShell -
1.2.2
Get Global Security Group for a user is a member of -
1.2.3
Get Local Security Group for a user is a member of
-
1.2.1
-
1.3
Get All Groups for the current user is a member of -
1.4
Get All Groups for the current user is a member of without importing AD module
-
1.1
You might alto like to read Logon failure: The user has not been granted the requested logon type at this computer.
Consider you have a domain user, and you would like to check which local and global groups a user is a member of. but
- You didn’t have permission on the Active Directory.
- Or you can’t import Active Directory Module.
In this case, you can easily use “net user” cmdlet to Get all Groups a user is a member of as the following:
Which groups a user is a member of using Command Prompt
Steps
- Run Command Prompt / Windows Power-Shell as administrator.
- Run the below cmdlet.
net user /domain usernameIn my scenario, I would like to know if the “spfarm” user is a member of the Domain Admins group or not.
net user /domain spfarm- Check Global and local Group Membership line to find all groups in that a user “spepmfarm” is a member of.
Besides this method is an easy and fast, it’s very helpful to check:
- If the account is active and not disabled.
- Account expiration status.
- When the account password expires.
- The last date password changed.
- If the account can change its password.
- Last logon.
- Which local group a user is a member of.
- Which global domain group a user is a member of.
Note: if the group name is long (> 21 chars) it will truncate the group name.
Get Group Membership PowerShell
The previous method is very helpful and doesn’t require permission on the AD server to get all groups a user is a member of. but as we earlier mentioned, if the group name is long (> 21 chars) it will truncate the group name.
So in this case, you can use the build-in “Get-ADPrincipalGroupMembership” to get Get all Groups a user is a member of using PowerShell.
Steps
- Run Windows PowerShell as Administrator.
- Import Active Directory Module.
import-module activedirectoryNote: if you can’t import AD module, try to install RAST feature as the following:
Install-WindowsFeature RSAT-AD-PowerShell- Run “Get-ADPrincipalGroupMembership“.
Get-ADPrincipalGroupMembership username_withoutdomain | select name
“Get-ADPrincipalGroupMembership” helps you to get the local and global security groups in which a user is a member of
Check Group Scope Using PowerShell
Groups are characterized by a scope to define where the group can be granted permissions.
There are three group scopes are defined by Active Directory:
- Domain Local.
- Global.
- Universal.
You might also like to read Active Directory Security Groups.
To check if a group scope using PowerShell, you should select “Groupscope” as shown below:
Get-ADPrincipalGroupMembership spfarm | select name,groupscope
Get Global Security Group for a user is a member of
Get-ADPrincipalGroupMembership spfarm | select name,groupscope | Where-Object Groupscope -eq "Global"
Get Local Security Group for a user is a member of
Get-ADPrincipalGroupMembership spfarm | select name,groupscope | Where-Object Groupscope -eq "domainlocal"
Get All Groups for the current user is a member of
Instead of typing specific user, you can also get all groups for the current user is a member of by using $env:USERNAME
Get-ADPrincipalGroupMembership $env:USERNAME | select name,groupscopeIf the above cmdlets is not working for any reason, so in this case, you should try the following:
(get-aduser $env:USERNAME -Properties memberof | select -expand memberof | get-adgroup) | select Name,groupscope
Alternatively, you can also use the below power-shell cmdlet that not requires to import AD module.
((New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=User)(samAccountName=$($env:username)))")).FindOne().GetDirectoryEntry().memberOf | get-adgroup)| select Name,groupscopeThis cmdlet gives you the same result as shown below
Name groupscope
---- ----------
WF Admins Global
WSS_WPG DomainLocal
WSS_RESTRICTED_WPG_V4 DomainLocal
WSS_ADMIN_WPG DomainLocal
EPMSys Accounts Global
Domain Admins Global
IIS_IUSRS DomainLocal
Performance Log Users DomainLocal
Performance Monitor Users DomainLocal
Administrators DomainLocal
PS C:\Users\spfarm>Conclusion
In conclusion we have learned how to get all groups a user is a member of, we have also learned how to get local and global Group Membership for a user is a member of using PowerShell.
Applies To
- Windows PowerShell.
- Command Prompt.
- Windows Server 2016.
- Windows Server 2012.
You might also like to read
- Logon failure: The user has not been granted the requested logon type at this computer.
- Open URL in a browser in PowerShell.
- Show only two numbers after fractions for long decimal in PowerShell Script.
- Windows Server 2016: Switch from Server Core to Desktop Experience.
The Active Directory Users and Computers (ADUC) graphical MMC snap-in can be used to view the list of Active Directory groups that the user is a member of. Simply open this snap-in (run the dsa.msc command), find the user and go to the Member of tab. This shows the current user’s AD group membership.
However, this method only shows the user’s direct group membership and does not allow you to export a list of groups in any form. To list all the groups that the user is a member of (including nested ones) and export the list to a CSV/TXT file, it is more convenient to use command-line tools or PowerShell cmdlets.
List AD groups a user is a member of with PowerShell
To check the user’s membership in AD groups, use the cmdlets from the PowerShell Active Directory module. Use one of the following commands:
Get-ADPrincipalGroupMembership jbrion | Select name
or
Get-ADUser jbrion -Properties Memberof | Select -ExpandProperty memberOf
Both commands list the Active Directory groups the jbrion user account is a member of. However, the output doesn’t include nested AD groups.
To include nested group membership to the output, use the following PowerShell script, which uses a simple LDAP filter to check the membership:
$username = 'jbrion' $filter = "member:1.2.840.113556.1.4.1941:=" + (Get-ADUser $username).DistinguishedName Get-ADGroup -LDAPFilter "($filter)" |select SamAccountName,ObjectClass
Export AD Group Members to CSV using PowerShell
To export the resulting AD group membership report to a text or CSV file, you can use the >> operator or the Export-CSV cmdlet.
For example, export the list of Distinguished Names (DNs) of all the groups the user is a member of to a plain TXT file:
Get-ADUser j.brion -Properties Memberof | Select -ExpandProperty memberOf >> c:\ps\ad_group.txt
Or select the group attributes you need and export the group membership to a CSV file:
Get-ADPrincipalGroupMembership j.brion | Select-Object name,description,GroupCategory,GroupScope,distinguishedName| Export-Csv -NoTypeInformation c:\ps\ad_group.csv -Encoding UTF8
List Active Directory Group Members with PowerShell
In some cases, you may need to view a full list of AD group members (including nested ones). Use this command:
Get-ADGroupMember -Identity fs01-salary -Recursive | ft SamAccountName, SID, name
If you need to add specific user attributes for each group member, add the foreach loop:
Get-ADGroupMember -Identity fs01-salary -Recursive | foreach { Get-ADUser $_ -Properties * } | select displayName,company,department,title,email
Check AD Group Membership via Command Line
You can also list the Active Directory user’s group membership from the command prompt using the built-in net user command:
NET USER username /DOMAIN
The command output contains the user’s domain (Global Group Memberships) and Local Group Memberships.
If you need to list all users who are members of a specified AD group from cmd, use the net group command. For example:
NET GROUP "group name" /DOMAIN
If you need to list the security groups that your account is a member of, run:
whoami /groups
Cyril Kardashevsky
I enjoy technology and developing websites. Since 2012 I’m running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
-
Home
-
Partition Magic
- PowerShell Get User Group Membership Windows 10/11 [Full Guide]
By Ariel | Follow |
Last Updated
A lot of people are confused about the PowerShell get user group membership operation. Are you also troubled by it? Now, this post of MiniTool will show you how to get user group membership PowerShell on Windows 10/11.
As it’s well known to us all, PowerShell is a practical Windows built-in command-line shell and scripting environment tool. It’s widely used by people to deal with various works such as PowerShell get disk space, PowerShell run exe, PowerShell copy files, PowerShell gets folder size, installing SSH PowerShell, PowerShell unzip/zip files, etc.
However, a great many users and even experienced professionals are unclear about how to do these works in PowerShell. These PowerShell cmdlets are heatedly discussed among different forums, but most of them don’t provide detailed steps. That’s why we wrote this post. If you are also confused about PowerShell get user group membership, you can find the answer in the following part.
What Cmdlet Can Be Used to Get User Group Membership PowerShell
First of all, it’s important to figure out what cmdlet can be used to get users group membership PowerShell. After investigating extensive user reports and references, we find the following 3 cmdlets can help you get members of a group PowerShell.
- Get-ADPrincipalGroupMembership: This cmdlet can be used to get all groups a user is a member of a group sing PowerShell. It can get the Active Directory groups’ membership that a specified user, group, computer, or server account as a member.
- Get-ADUser: This cmdlet can help you get all groups the current user is a member of without importing the AD module. It can get a specified user group membership or perform a search to get multiple user objects.
- Get-ADGroupMember: This cmdlet is mainly used to get the members of a specified group or an Active Directory group. Members can be users, groups, and even computers.
Now, you should have an overall understanding of the PowerShell get members of group cmdlets. Let’s see how to get members of group PowerShell on Windows 10/11.
How to Make PowerShell Get User Group Membership on Windows 10/11
According to the above information, we summarize 3 ways to get group membership PowerShell on Windows 10/11.
# 1. PowerShell Get Group Membership via Get-ADPrincipalGroupMembership
The first and most common way for PowerShell get members of group is to use the Get-ADPrincipalGroupMembership. Here’s how to use it.
Step 1. Press the Win + R keys to open the Run box, and then type powershell in it and press Ctrl + Shift + Enter keys to open the elevated PowerShell window.
Step 2. In the pop-up window, type the following command and hit Enter to get all group memberships for the Administrator. Here you can replace Administrator with the user name that you want to get its membership.
Get-ADPrincipalGroupMembership -Identity Administrator
Step 3. If you want to get the members of an active directory group name and description for a specified user like Ariel, run the following command.
Get-ADPrincipalGroupMembership -Identity Ariel | Get-ADGroup -Properties Description | Select Name, Description
Step 4. If you want to get all of the group memberships for the administrator in the resource domain, you can try the following command. For example, we want to locate the resource domain. Make sure to replace the domain name according to your actual situation.
Get-ADPrincipalGroupMembership -Identity Administrator -ResourceContextServer MiniTool.Partition.Com -ResourceContextPartition “DC=Partition,DC=com”
# 2. PowerShell Get Group Membership via Get-ADUser
Another feasible way for PowerShell get members of a group is to use the Get-AdUser cmdlet. Here are detailed steps:
Step 1. Open the elevated PowerShell window again as we explain above.
Step 2. Type the following command and hit Enter to get the groups in Active Directory. Here you need to replace the username with the user name that you want to list its members.
Get-ADUser Username –Properties MemberOf).memberof | Get-ADGroup | Select-Object name
Step 3. Also, you can run the following command to get the ad groups of a specified username such as Ariel.
Get-ADUser Ariel –Properties MemberOf).MemberOf
# 3. PowerShell Get Group Membership via Get-ADGroupMember
If you want to get all members of a specified group, you can type the following commands in order and hit Enter after each one in the elevated PowerShell window. Similarly, you need to replace the account name with the name you want to list its membership.
Import-Module ActiveDirectory
Get-ADGroupMember -Identity $group | foreach-object {Write-Host $_.ArielAccountName}
Further reading: If you enter some issues like file system corruption and low disk space on Windows 10/11, don’t worry. MiniTool Partition Wizard can help you fix them easily by checking file system errors, extending/resizing partitions, analyzing disk space, upgrading to a larger hard disk, etc.
About The Author
Position: Columnist
Ariel has been working as a highly professional computer-relevant technology editor at MiniTool for many years. She has a strong passion for researching all knowledge related to the computer’s disk, partition, and Windows OS. Up till now, she has finished thousands of articles covering a broad range of topics and helped lots of users fix various problems. She focuses on the fields of disk management, OS backup, and PDF editing and provides her readers with insightful and informative content.