PowerShell: How to get all the AD groups the current user belongs to

by Sitaram Pamarthi on May 22, 2012

This simple script gets the list of ALL groups (both direct and indirect/nested) the current user belongs to. Generally we use the Quest cmdlets to get direct and indirect group membership, but this script uses a built-in .NET method that is available on every computer with .NET installed, so there is no need for external dependencies like the Quest AD cmdlets.

Function Get-AllUserGroups {
    [cmdletbinding()]
    param()
    # Group SIDs carried in the current process token (direct and nested, as resolved at logon)
    $Groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups
    foreach ($Group in $Groups) {
        $GroupSID = $Group.Value
        # Wrap the SID string in a SecurityIdentifier so it can be translated to DOMAIN\Name
        $GroupName = New-Object System.Security.Principal.SecurityIdentifier($GroupSID)
        $GroupDisplayName = $GroupName.Translate([System.Security.Principal.NTAccount])
        $GroupDisplayName
    }
}
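The function above reads the group SIDs from the current process token, so two caveats apply: the list reflects the token built at logon (a membership change shows up only after the next logon), and Translate() throws when a SID cannot be resolved to a name (a group deleted since logon, or a domain that is not reachable). The following is an added example, not code from the original post, that keeps the SID next to the translated name, tolerates untranslatable SIDs, flags the machine-local BUILTIN groups by their S-1-5-32- prefix, and adds a separate check for whether the token actually has Administrators enabled. It assumes Windows PowerShell 3.0 or later for [PSCustomObject].

```powershell
# Added example (not from the original post): token groups of the current user
# with SID, name and a BUILTIN marker, plus an "is this token elevated" check.
Function Get-CurrentTokenGroups {
    [CmdletBinding()]
    param()

    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    foreach ($sid in $identity.Groups) {
        # Translate throws when the SID has no resolvable name (deleted group,
        # unreachable domain); keep the raw SID in that case instead of aborting.
        $name = $null
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<untranslatable>'
        }

        [PSCustomObject]@{
            SID       = $sid.Value
            Name      = $name
            # BUILTIN\* groups share the same SID on every machine but are local to
            # each one (on domain controllers they are the domain's BUILTIN groups).
            IsBuiltin = ($sid.Value -like 'S-1-5-32-*')
        }
    }
}

Function Test-CurrentTokenIsAdmin {
    [CmdletBinding()]
    param()

    # IsInRole consults the token, so this is true only when the process is actually
    # running with BUILTIN\Administrators enabled (UAC strips it from non-elevated tokens).
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Usage
Get-CurrentTokenGroups | Sort-Object IsBuiltin, Name | Format-Table -AutoSize
"Running with Administrators enabled: $(Test-CurrentTokenIsAdmin)"
```

Keeping the SID in the output matters for audit work: names can be renamed or re-created, the SID cannot, so a SID is what you compare against a baseline.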

I still haven't figured out a way to get the same information for a given user (not the currently logged-on user) using .NET methods. Please let me know if you are aware of any such procedure.

[UPDATE]

Shay Levy has provided a way to get all the groups of a given user account (see the comments section). I am updating it here for everyone's quick reference.

# Courtesy: Shay Levy

$userName = 'sitaram'
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$user = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($ct,$userName)
$user.GetGroups() # gets the user's direct group memberships only
$user.GetAuthorizationGroups() # gets all groups, including nested (indirect) memberships
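The snippet above is the whole procedure: load System.DirectoryServices.AccountManagement, build a domain context, find the account, then call GetGroups() for direct and GetAuthorizationGroups() for transitive membership. The following is an added example (not the post's or Shay Levy's code) that wraps those steps in a function, builds the PrincipalContext explicitly, lets you name the domain so it also works from a machine that is not the domain controller (the question raised later in the comments), and marks each group as direct or nested and as BUILTIN or not (the other question raised in the comments). The domain name and account in the usage lines are placeholders.

```powershell
# Added example (not from the original post or comments): transitive group
# membership of any domain account via System.DirectoryServices.AccountManagement.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

Function Get-UserGroupMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserName,
        # DNS name of the domain to query; defaults to the computer's own domain.
        [string]$Domain
    )

    $ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    if ($Domain) {
        $pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ctxType, $Domain)
    } else {
        $pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ctxType)
    }

    try {
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($pc, $UserName)
        if (-not $user) {
            throw "Account '$UserName' not found via '$($pc.ConnectedServer)'"
        }

        # Direct memberships (memberOf plus the primary group), keyed by SID.
        $direct = @{}
        foreach ($g in $user.GetGroups()) { $direct[$g.Sid.Value] = $true }

        # Authorization groups are the full transitive set, i.e. what a logon token would carry.
        foreach ($g in $user.GetAuthorizationGroups()) {
            [PSCustomObject]@{
                Name      = $g.Name
                SID       = $g.Sid.Value
                Scope     = $g.GroupScope
                Direct    = $direct.ContainsKey($g.Sid.Value)
                # S-1-5-32-* are the BUILTIN groups; the domain's copies live on the DCs,
                # every member server has its own, unrelated set with the same SIDs.
                IsBuiltin = ($g.Sid.Value -like 'S-1-5-32-*')
            }
        }
    } finally {
        $pc.Dispose()
    }
}

# Usage (placeholder domain and account)
Get-UserGroupMembership -UserName 'sitaram' -Domain 'corp.example.com' |
    Sort-Object Direct -Descending | Format-Table -AutoSize
```

Running this from a workstation only needs network access to a domain controller of the named domain and a logon that the DC accepts; PrincipalContext also has an overload taking an explicit user name and password if the current session's credentials are not valid in that domain.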

Hope this helps…


Sitaram Pamarthi is a Windows administrator with 9+ years of experience.


Shay Levy May 22, 2012 at 8:58 pm

You could also use the WHOAMI utility:

WHOAMI /GROUPS /FO CSV | ConvertFrom-Csv

Here's a way with .NET 3.5 to get another user's groups:

$userName = 'sitaram'
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ct) # context for the current domain
$user = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($pc,$userName)
$user.GetGroups() #gets all user groups (direct)
$user.GetAuthorizationGroups() #gets all user groups including nested groups (indirect)

Reply
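The WHOAMI route mentioned above also exposes each group's token attributes, which the WindowsIdentity.Groups collection used in the post does not. That matters on a UAC-filtered (non-elevated) session, where Administrators is still listed but marked "Group used for deny only" and grants nothing. The following is an added example, not part of the comment, that parses the CSV output into objects with Enabled and DenyOnly flags; it assumes an English-language Windows, since the column names and attribute strings are localized.

```powershell
# Added example (not from the comment above): whoami /groups output with the
# token attributes turned into boolean flags.
Function Get-WhoamiGroups {
    [CmdletBinding()]
    param()

    # whoami /groups /fo csv emits the columns "Group Name", "Type", "SID", "Attributes"
    whoami /groups /fo csv | ConvertFrom-Csv | ForEach-Object {
        [PSCustomObject]@{
            Name     = $_.'Group Name'
            Type     = $_.Type
            SID      = $_.SID
            # Attributes looks like "Mandatory group, Enabled by default, Enabled group"
            # or "Group used for deny only" for SIDs UAC has neutralised in this token.
            Enabled  = ($_.Attributes -match 'Enabled group')
            DenyOnly = ($_.Attributes -match 'deny only')
        }
    }
}

# Usage: everything first, then only the groups that actually grant access in this session
Get-WhoamiGroups | Format-Table -AutoSize
Get-WhoamiGroups | Where-Object { $_.Enabled -and -not $_.DenyOnly } | Select-Object Name, SID
```

A deny-only entry is the quick way to tell from a script whether the session is a filtered admin token or a truly standard user: the former shows Administrators as DenyOnly, the latter does not list it at all.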

Geoffrey Dawson July 4, 2012 at 4:15 am

Hello Sitaram,

Thanks for sharing this script. I'm sure this will help many IT admins. It's nice of you to share this.

I was just wondering if there are any complications put forth by Builtin Groups in Active Directory, which, as you know, are domain specific. I ask only because in one of the SME forums I participate in, there were some points raised related to this: How to enumerate the list of all Active Directory domain security groups that a user belongs to?

Do you happen to know if Builtin groups complicate the assessment when using your script, or other scripts? If so, request you to please share for everyone.

Thank you.

Reply

jheycie September 28, 2012 at 9:39 am

Hi there

Sorry if it's a stupid question, but what does the $user stand for?
Is it typed in as $jheycie.GetGroups?

Thanks in advance.

$userName = 'sitaram'
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ct) # context for the current domain
$user = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($pc,$userName)
$user.GetGroups() #gets all user groups (direct)
$user.GetAuthorizationGroups() #gets all user groups including nested groups (indirect)

Reply

Sitaram Pamarthi October 4, 2012 at 12:19 pm

Hi jheycie,

>>what does the $user stand for?
It is a DirectoryServices object created with the statement below in the code.
$user = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($pc,$userName)

>>Is it typed in as $jheycie.GetGroups?
No. It should be $User.GetGroups() only.

Are you noticing any errors?

Reply

Aten December 13, 2012 at 9:58 pm

Where it says:
FindByIdentity($pc,$userName)

should be read:
FindByIdentity($ct,$userName)

Reply

Yash Advani March 1, 2013 at 11:13 am

Hi,

I tried to use this particular script but I believe I am missing something.
Can you help me out?
What I need to do is provide a user to the script and it should give me the groups this user is part of.
However I am not running this script on the AD machine, rather it is a remote machine. Can someone help???

Thanks

Reply
