How to Check Active Directory (AD) Groups Membership using PowerShell

Windows PowerShell makes managing Active Directory (AD) components straightforward. We can handle any AD feature, including managing AD objects such as users, computers, and groups. This article focuses on users and groups and shows how to get a user's group membership using Windows PowerShell and the Active Directory module.

How to Check AD Group Membership

Prerequisites

We will need the following tools, components, and modules installed on our server or workstation to follow along with this guide:

  • PowerShell version 4 or greater
  • Remote Server Administration Tools (RSAT) for Windows
  • Active Directory Module for PowerShell
  • A user account with Active Directory read rights
  • A domain-joined computer or server

We will cover the installation of RSAT for Windows and of the Active Directory module for PowerShell in the next section.

Installing the Active Directory Module

Before proceeding with querying Active Directory objects with Windows PowerShell, it is crucial that we first install the Active Directory module. Running Active Directory commands without the module being installed or imported will throw an error.

Usually, running Install-Module ActiveDirectory in our console would fetch the package from a remote repository such as the PowerShell Gallery (PSGallery) and install it on our server or machine. However, the Active Directory module is a special case. Before installing the Active Directory module, we must install a prerequisite package called the Remote Server Administration Tools, or RSAT.

RSAT enables IT administrators to remotely manage roles and features on a Windows Server, including a domain controller with the Active Directory Domain Services (AD DS) role installed. We could do this through the graphical user interface, but for this guide we will show the PowerShell method of installing RSAT on our workstation or server.

    # For Workstation
    Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online

    # For Server
    Import-Module ServerManager
    Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

To check that the PowerShell module has been installed correctly, run the following command to import it into our PowerShell session. Make sure that the current PowerShell session has been started with administrator privileges.

    Import-Module ActiveDirectory

Once the module imports without errors, we can start managing our Active Directory using PowerShell.

Get Active Directory Group Membership with PowerShell

What’s excellent about PowerShell is that we can be flexible and creative in achieving certain use cases by using different commands. So, here are a few PowerShell active directory commands that we can use to get a user’s group membership.

Using Get-ADGroupMember

For our first method, we can use the Get-ADGroupMember cmdlet to get all of the members of a particular group. This command returns all of the user, group, and computer objects that are members of the specified group. The Get-ADGroupMember cmdlet is the right command to use when we only know the name of the group to be searched.

Perhaps we need to find all members of the Administrators group. Using the Get-ADGroupMember command, we can use the Identity parameter specifying the group’s name. It is worth noting that the Identity parameter only targets group objects.

    Get-ADGroupMember -Identity 'Administrators' -Recursive

Our previous example includes an additional switch parameter, Recursive. By default, the Get-ADGroupMember cmdlet does not return the members of nested groups. To include the members of groups within groups, we add the Recursive parameter.
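As an added example (not code from the original article), the function below turns the Get-ADGroupMember pattern into a reusable membership check: it runs the cmdlet once without and once with Recursive so it can report whether an account is a direct member, a member only through a nested group, or not a member at all. This is the check an auditor wants when reviewing a privileged group. It assumes the ActiveDirectory module is imported; the account and group names in the usage line are placeholders.

```powershell
# Added example, not from the original article. Assumes Import-Module ActiveDirectory has run.
function Test-ADGroupMembership {
    [CmdletBinding()]
    param(
        # sAMAccountName of the user or computer to look for
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Name, SID, GUID or distinguished name of the group to inspect
        [Parameter(Mandatory)] [string] $GroupName
    )

    # Direct members only: users, computers and groups one level below the group
    $direct = Get-ADGroupMember -Identity $GroupName -ErrorAction Stop

    # Flattened membership: every user/computer reachable through nested groups.
    # With -Recursive the cmdlet returns leaf objects only, never the nested groups themselves.
    $nested = Get-ADGroupMember -Identity $GroupName -Recursive -ErrorAction Stop

    # String comparison with -eq is case-insensitive in PowerShell
    $isDirect = [bool]($direct | Where-Object { $_.SamAccountName -eq $SamAccountName })
    $isMember = [bool]($nested | Where-Object { $_.SamAccountName -eq $SamAccountName })

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        Group          = $GroupName
        IsMember       = $isMember
        MembershipType = if (-not $isMember) { 'None' } elseif ($isDirect) { 'Direct' } else { 'Nested' }
    }
}

# Usage (placeholder names): check one account against several sensitive groups
foreach ($group in 'Domain Admins', 'Administrators', 'Account Operators') {
    Test-ADGroupMembership -SamAccountName 'JDoe100' -GroupName $group
}
```

A result of Nested is the interesting one for a review: the account does not appear in the group's direct member list in the GUI, yet it still holds the group's rights through some intermediate group.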

[Screenshot: Get-ADGroupMember -Identity listing the users in the 'Windows Admin' group]

Using Get-ADPrincipalGroupMembership

Another way of getting group membership in PowerShell is by running the Get-ADPrincipalGroupMembership cmdlet. We can think of this as the direct opposite of the Get-ADGroupMember command: it returns all of the groups that a given account is a member of.

The Get-ADPrincipalGroupMembership cmdlet is the right command to use when we know the account but not its current group membership. It returns the Active Directory groups of a user, computer, group, or service account. In addition, since we can target user, computer, and group objects, this command will also return nested group memberships.

Run the commands below to get an Active Directory object's group membership (a user, a computer, and a group, respectively).

    Get-ADPrincipalGroupMembership -Identity "JDoe100"
    Get-ADPrincipalGroupMembership -Identity "WIN-SRV01"
    Get-ADPrincipalGroupMembership -Identity "Administrators"

Using Get-ADGroup

Surprisingly, we can also get the members of a particular group with the Get-ADGroup command. According to the official Microsoft documentation, each group object returned by Get-ADGroup has a Members property, which holds the collection of Active Directory objects that are members of the group.

For example, to find the members of the Administrators group, we could run the following command:

    Get-ADGroup -Identity "Administrators" -Properties Members

One advantage of this command over the previous two is that Get-ADGroup also lists AD objects that are not users, computers, or groups; contacts are one example of such objects. To display these other objects, we expand the Members property by piping the group to Select-Object.

    Get-ADGroup -Identity "Administrators" -Properties Members | Select-Object -ExpandProperty Members

Another advantage of the Get-ADGroup command is that it supports parameters, available on only a few AD cmdlets, that narrow down or filter the search results. Here are some of the parameters we can use with Get-ADGroup:

  • Filter – this parameter narrows down what is returned by matching on attributes rather than on a single identity. Using the Filter parameter we can limit results by any AD attribute, such as name, group type, email address, last logon for users, and so on.
  • SearchBase – this parameter takes an Organizational Unit's (OU) distinguished name (DN) and uses it as the starting location for searching our groups. An OU is a container within Active Directory that can hold users, groups, and computers.
  • SearchScope – this parameter is similar to the Recursive parameter in that it also searches child objects. The example below uses a SearchScope value of 2 (Subtree), which tells Get-ADGroup to look recursively at all child OUs, grandchild OUs, and so on down the tree.

The example below uses all three of the parameters given above:

    Get-ADGroup -Filter '*' -SearchBase 'OU=Locations,DC=company,DC=pri' -SearchScope 2
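Putting the Filter, SearchBase and SearchScope parameters together with the Members property gives a compact group inventory for an OU. The function below is an added example, not code from the original article: it enumerates the groups under an OU, resolves each member DN with Get-ADObject so that contacts and other non-principal objects are counted and named by object class, and emits one record per group. It assumes the ActiveDirectory module is imported; the OU distinguished name in the usage line is the article's placeholder.

```powershell
# Added example, not from the original article. Assumes Import-Module ActiveDirectory has run.
function Get-ADGroupInventory {
    [CmdletBinding()]
    param(
        # Distinguished name of the OU to start from
        [Parameter(Mandatory)] [string] $SearchBase,
        # PowerShell-style filter for Get-ADGroup; default limits the inventory to security groups
        [string] $Filter = 'GroupCategory -eq "Security"'
    )

    # SearchScope Subtree is the same as the numeric value 2 used in the article
    Get-ADGroup -Filter $Filter -SearchBase $SearchBase -SearchScope Subtree -Properties Members |
        ForEach-Object {
            $memberDNs = @($_.Members)

            # Resolve every member DN so objects that are not users/computers/groups
            # (for example contacts) show up with their own objectClass
            $classes = foreach ($dn in $memberDNs) {
                (Get-ADObject -Identity $dn).ObjectClass
            }

            [pscustomobject]@{
                Name          = $_.Name
                Scope         = $_.GroupScope
                Category      = $_.GroupCategory
                MemberCount   = $memberDNs.Count
                MemberClasses = ($classes | Sort-Object -Unique) -join ','
            }
        }
}

# Usage (placeholder OU from the article): list groups under the OU, then pick out the empty ones
$inventory = Get-ADGroupInventory -SearchBase 'OU=Locations,DC=company,DC=pri'
$inventory | Format-Table Name, Scope, Category, MemberCount, MemberClasses -AutoSize
$inventory | Where-Object MemberCount -eq 0 | Select-Object -ExpandProperty Name
```

Empty security groups and groups whose MemberClasses include unexpected classes are the usual findings from this kind of inventory; both are worth a periodic review because they tend to accumulate unnoticed.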

Alternative Ways of Getting a User's AD Group Membership

The following commands are less conventional methods for getting a user's Active Directory group membership through PowerShell. They do not need the Active Directory module and only require network access to a domain controller's LDAP port. We recommend using these methods only when installing the Active Directory module is not possible.

Using AD Service Interfaces

According to Microsoft, the Active Directory Service Interfaces (ADSI) are built-in COM interfaces used to natively access directory services. PowerShell exposes the ADSI searcher through the [ADSISearcher] type accelerator, which maps to the System.DirectoryServices.DirectorySearcher class. We can use the ADSI searcher to query a user's group membership by running the command below:

    ([ADSISEARCHER]"samaccountname=$($env:USERNAME)").FindOne().Properties.memberof

We can replace the $env:USERNAME environment variable with any username that needs querying. What's great about the ADSI searcher is that we can post-process its results with regular expressions, for example to keep only each group's common name (CN) from the distinguished names it returns:

    ([ADSISEARCHER]"samaccountname=$($env:USERNAME)").FindOne().Properties.memberof -replace '^CN=([^,]+).+$','$1'

Using a New PowerShell Object

Another way of getting a user's group membership is to create a new object from the .NET directory services library. This method is essentially the same as the previous one, because the [ADSISearcher] type accelerator is simply a shorthand for the System.DirectoryServices.DirectorySearcher class we instantiate here.

    (New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=User)(samAccountName=$($env:USERNAME)))")).FindOne().GetDirectoryEntry().memberOf
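Both the [ADSISearcher] one-liner and the DirectorySearcher one-liner above build an LDAP filter by interpolating the username straight into the filter string. That is fine for $env:USERNAME, but if the value comes from user input or a file, characters such as parentheses, asterisks and backslashes change the meaning of the filter. The function below is an added example, not code from the original article: it wraps System.DirectoryServices.DirectorySearcher (the class behind [ADSISearcher]), escapes the filter value according to RFC 4515, limits the attributes loaded, and handles the not-found case. It assumes a domain-joined machine so the searcher's default search root is the current domain; the parameter names are my own.

```powershell
# Added example, not from the original article. Needs no ActiveDirectory module.
function Get-LdapGroupMembership {
    [CmdletBinding()]
    param(
        # sAMAccountName to look up; may come from untrusted input
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Return only the CN of each group instead of the full distinguished name
        [switch] $NameOnly
    )

    # RFC 4515 escaping for LDAP filter values. Backslash must be handled first
    # so the escapes we add are not escaped again.
    $escaped = $SamAccountName -replace '\\', '\5c' `
                               -replace '\*', '\2a' `
                               -replace '\(', '\28' `
                               -replace '\)', '\29' `
                               -replace "`0", '\00'

    # Default constructor: search root is the current domain on a domain-joined host
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    # Only load what we need; keeps the LDAP response small
    [void] $searcher.PropertiesToLoad.Add('memberOf')
    [void] $searcher.PropertiesToLoad.Add('distinguishedName')

    $result = $searcher.FindOne()
    if (-not $result) {
        throw "No user object found for sAMAccountName '$SamAccountName'."
    }

    # memberOf holds the user's direct group memberships as distinguished names
    $groups = @($result.Properties['memberof'] | ForEach-Object { [string] $_ })
    if ($NameOnly) {
        # Same regex as the article: keep the CN portion of each DN
        $groups = $groups -replace '^CN=([^,]+).+$', '$1'
    }

    [pscustomobject]@{
        User              = $SamAccountName
        DistinguishedName = [string] $result.Properties['distinguishedname'][0]
        DirectGroups      = $groups
    }
}

# Usage: the current user's groups by CN, then a value that would break a naive filter
Get-LdapGroupMembership -SamAccountName $env:USERNAME -NameOnly
Get-LdapGroupMembership -SamAccountName 'JDoe100)(objectClass=*'   # escaped, so it simply finds nothing
```

Two caveats apply to every memberOf-based method on this page, this one included: memberOf lists direct memberships only (nested groups are not expanded), and it never contains the account's primary group, which is stored in the primaryGroupID attribute instead. For a full picture of effective membership, use Get-ADGroupMember -Recursive from the group side or resolve the nested groups yourself.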

As with the ADSI method, we can replace the environment variable with the username that needs querying.

How to Check AD Group Membership using PowerShell Conclusion

This article discussed how to install the Remote Server Administration Tools and the Active Directory module for PowerShell. We then covered several commands from that module for querying a user's group membership. Finally, we looked at alternative ways to check a user's group membership without installing the AD module. Whichever route we take, querying a user's group membership is achievable through PowerShell.

Marion Mendoza

Windows Server and VMware SME. Powershell Guru. Currently working with Fortune 500 companies responsible for participating in 3rd level systems support across the enterprise. Acting as a Windows Server engineer and VMware Specialist.
