
PowerShell: How to get all the AD groups the current user belongs to

This short script lists ALL the groups the current user belongs to, both direct and nested (indirect) memberships. The usual approach is to use the Quest AD cmdlets to get direct and indirect group membership, but this script relies on a built-in .NET method that is available on every computer with the .NET Framework installed, so there is no external dependency such as the Quest AD cmdlets. The list comes from the logon token of the running process, so it reflects membership as it was evaluated at logon (a group added in AD afterwards only shows up after a fresh logon), and it covers whatever that token carries on that machine, including local and well-known groups such as Everyone and Authenticated Users, not just domain groups.

Function Get-AllUserGroups {
    [CmdletBinding()]
    param()
    # Groups of the current process token. Every entry is already a SecurityIdentifier,
    # so it can be translated directly; no need to construct a second SID object.
    $Groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups
    foreach ($Group in $Groups) {
        try {
            # DOMAIN\Group form. Translate() throws IdentityNotMappedException when the
            # SID cannot be resolved (group deleted since logon, or its domain unreachable).
            $Group.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # Fall back to the raw SID instead of dropping the entry silently.
            $Group.Value
        }
    }
}
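One caveat worth checking before trusting the list above: WindowsIdentity.Groups returns only the groups that are enabled in the token. Entries carried as deny-only (which is how UAC filters BUILTIN\Administrators in a non-elevated shell) and the per-session logon SID are left out, so the script can under-report membership. WHOAMI reads the same token but also prints each group's attributes. The following function is an added example, not code from the original post; it puts the two views side by side and marks the entries .NET omits, and uses WindowsPrincipal.IsInRole() to show what the token actually grants.

```powershell
# Added example (not from the original post): compare the .NET view of the
# current token's groups with WHOAMI's, which also reports group attributes.
function Compare-TokenGroupViews {
    [CmdletBinding()]
    param()

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # What .NET exposes: only groups that are enabled in the token
    # (disabled, deny-only and logon-session SIDs are skipped).
    $dotnetSids = @($identity.Groups | ForEach-Object { $_.Value })

    # The same token as WHOAMI reads it. CSV columns are
    # "Group Name","Type","SID","Attributes"; the integrity label row is not a group.
    $rows = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.Type -ne 'Label' }

    foreach ($row in $rows) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($row.SID)
        [pscustomobject]@{
            Name       = $row.'Group Name'
            Sid        = $row.SID
            Attributes = $row.Attributes
            InDotNet   = $dotnetSids -contains $row.SID
            # IsInRole() ignores deny-only groups, so it reports what the token
            # grants rather than what it merely lists.
            IsInRole   = $principal.IsInRole($sid)
        }
    }
}

# Usage: full comparison, then only the entries WindowsIdentity.Groups dropped.
$rows = Compare-TokenGroupViews
$rows | Format-Table -AutoSize
$rows | Where-Object { -not $_.InDotNet } |
    ForEach-Object { Write-Warning "$($_.Name) [$($_.Sid)] not in WindowsIdentity.Groups: $($_.Attributes)" }

# In a non-elevated shell an administrator's token carries BUILTIN\Administrators
# as deny-only, so this is $false until PowerShell is started with "Run as administrator".
$principal = New-Object System.Security.Principal.WindowsPrincipal([System.Security.Principal.WindowsIdentity]::GetCurrent())
$principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
```

Run it once from a normal prompt and once elevated: the BUILTIN\Administrators row changes from "Group used for deny only" with InDotNet false to an enabled group with IsInRole true, which is the difference between "the user is a member" and "this process can use it".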

I still haven't figured out a way to get the same information for a given user (not the currently logged-on user) using .NET methods. Please let me know if you are aware of any such procedure.

[UPDATE]

Shay Levy has provided a way to get all the groups of a given user account (see the comments section). I am updating it here for everyone's quick reference. Note that GetAuthorizationGroups() is evaluated against the directory, so it shows the user's domain-side membership and does not include local groups on any particular member computer; the token-based script above, by contrast, reflects the token on whichever machine it runs.

# Courtesy: Shay Levy

$userName = 'sitaram'
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
# FindByIdentity() takes a PrincipalContext, not a bare ContextType, so build one
# explicitly; with no further arguments it binds to the computer's own domain.
$ct = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Domain)
$user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ct, $userName)
if (-not $user) { throw "User '$userName' was not found in the domain" }
$user.GetGroups()              # direct memberships only
$user.GetAuthorizationGroups() # direct and nested; security groups only, distribution groups are not returned
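The two calls above return flat lists, so it is not obvious which memberships are inherited through nesting, and the snippet assumes the computer running it is a member of the target domain. The function below is an added example, not code from the original post or from Shay Levy's comment: it wraps the same AccountManagement calls, labels each group Direct or Nested by comparing SIDs, lists the distribution groups that GetAuthorizationGroups() never returns, and accepts a domain (or DC) name plus credentials so it can be run from a machine outside the domain. The domain and account names in the usage lines are placeholders.

```powershell
# Added example (not from the original post): direct vs. nested membership of a named
# user, optionally against another domain with explicit bind credentials.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-UserGroupMembership {
    [CmdletBinding()]
    param(
        # sAMAccountName, UPN, distinguished name or SID of the user to inspect.
        [Parameter(Mandatory = $true)] [string] $Identity,
        # DNS name of the target domain or of one DC; omitted = this computer's own domain.
        [string] $Domain,
        # Bind credentials; required when this computer is not a member of the target domain.
        [System.Management.Automation.PSCredential] $Credential
    )

    $am      = 'System.DirectoryServices.AccountManagement'
    $ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $name    = if ($Domain) { $Domain } else { $null }   # $null = current domain
    if ($Credential) {
        # PrincipalContext needs the password as a plain string; it lives in process memory until $ctx is disposed.
        $nc  = $Credential.GetNetworkCredential()
        $ctx = New-Object "$am.PrincipalContext" -ArgumentList $ctxType, $name, $nc.UserName, $nc.Password
    } else {
        $ctx = New-Object "$am.PrincipalContext" -ArgumentList $ctxType, $name
    }

    try {
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $Identity)
        if (-not $user) { throw "No user matching '$Identity' on $($ctx.ConnectedServer)" }

        # GetGroups(): direct memberships (memberOf plus the primary group).
        # GetAuthorizationGroups(): everything used for authorization, i.e. direct and nested
        # security groups plus well-known ones (Everyone, Authenticated Users); no distribution groups.
        $direct     = @($user.GetGroups())
        $directSids = @($direct | ForEach-Object { $_.Sid.Value })

        foreach ($g in $user.GetAuthorizationGroups()) {
            try {
                [pscustomobject]@{
                    Name            = if ($g.SamAccountName) { $g.SamAccountName } else { $g.Name }
                    Sid             = $g.Sid.Value
                    Scope           = $g.GroupScope        # Local/Global/Universal; $null for well-known groups
                    IsSecurityGroup = $g.IsSecurityGroup
                    Membership      = if ($directSids -contains $g.Sid.Value) { 'Direct' } else { 'Nested' }
                }
            } catch {
                # A SID the directory cannot resolve (foreign or deleted group) surfaces here.
                Write-Warning "Skipping unresolvable group: $($_.Exception.Message)"
            }
        }

        # Distribution groups are absent from GetAuthorizationGroups(); report them from the direct set.
        $direct | Where-Object { $_.IsSecurityGroup -eq $false } | ForEach-Object {
            [pscustomobject]@{
                Name = $_.SamAccountName; Sid = $_.Sid.Value; Scope = $_.GroupScope
                IsSecurityGroup = $false; Membership = 'Direct (distribution)'
            }
        }
    }
    finally {
        $ctx.Dispose()
    }
}

# Usage (placeholder names): the local domain, then a remote domain with explicit credentials.
Get-UserGroupMembership -Identity 'sitaram' | Format-Table -AutoSize
Get-UserGroupMembership -Identity 'sitaram' -Domain 'corp.example.com' -Credential (Get-Credential 'CORP\reader') |
    Where-Object { $_.Membership -eq 'Nested' } | Sort-Object Name
```

Nested entries are the ones to review when auditing effective access: a user who is "only" in a harmless-looking group can inherit an administrative group through it, and neither the Quest cmdlets' direct view nor a glance at the memberOf attribute will show that.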

Hope this helps…

6 comments

  • Shay Levy May 22, 2012, 8:58 pm

    You could also use the WHOAMI utility:

    WHOAMI /GROUPS /FO CSV | ConvertFrom-Csv

    Here's a way with .NET 3.5 to get another user's groups:

    $userName = 'sitaram'
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $user = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($pc,$userName)
    $user.GetGroups() #gets all user groups (direct)
    $user.GetAuthorizationGroups() #gets all user groups including nested groups (indirect)

  • Geoffrey Dawson July 4, 2012, 4:15 am

    Hello Sitaram,

    Thanks for sharing this script. I'm sure this will help many IT admins. It's nice of you to share this.

    I was just wondering if there are any complications put forth by Builtin groups in Active Directory, which, as you know, are domain specific. I ask only because in one of the SME forums I participate in, some points were raised related to this: how to enumerate the list of all Active Directory domain security groups that a user belongs to?

    Do you happen to know if Builtin groups complicate the assessment when using your script, or other scripts? If so, request you to please share for everyone.

    Thank you.

  • jheycie September 28, 2012, 9:39 am

    Hi there

    Sorry if it's a stupid question, but what does $user stand for?
    Is it typed in as $jheycie.GetGroups?

    Thanks in advance.

    $userName = 'sitaram'
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $user = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($pc,$userName)
    $user.GetGroups() #gets all user groups (direct)
    $user.GetAuthorizationGroups() #gets all user groups including nested groups (indirect)

  • Sitaram Pamarthi October 4, 2012, 12:19 pm

    Hi jheycie,

    >>what does $user stand for?
    It is a DirectoryServices object created with the statement below in the code.
    $user = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($pc,$userName)

    >>Is it typed in as $jheycie.GetGroups?
    No. It should be $User.GetGroups() only.

    Are you noticing any errors?

  • Aten December 13, 2012, 9:58 pm

    Where it says:
    FindByIdentity($pc,$userName)

    should be read:
    FindByIdentity($ct,$userName)

  • Yash Advani March 1, 2013, 11:13 am

    Hi,

    I tried to use this particular script, but I believe I am missing something.
    Can you help me out?
    What I need to do is provide a user to the script, and it should give me the groups this user is part of.
    However, I am not running this script on the AD machine; rather, it is a remote machine. Can someone help???

    Thanks
