One of the essential parts of Active Directory administration is managing user memberships in Active Directory. There may be times when the memberships of a specific user need to be identified. In this article, we will explain how to use PowerShell to get the memberships of an Active Directory user.
Open PowerShell and you can use the following commands to retrieve the groups that a user is a member of.
To get the memberships of a user, you can use the Get-ADPrincipalGroupMembership cmdlet. This cmdlet retrieves information on the groups (including nested groups) that a user is a member of. The following command demonstrates how to retrieve the groups that the user "TestUser" is a member of:
Get-ADPrincipalGroupMembership -Identity "TestUser"
Here, "TestUser" is the user name or the distinguished name (DN) of the user whose group memberships you want to retrieve.
The output of this command will be a list of groups that the user is a member of, including the group name, the group distinguished name (DN), and the group category.
If you want to filter the results to show only groups of a particular type or category, you can filter the output on the GroupCategory property with Where-Object. For example, to show only the security groups that the user "TestUser" is a member of, you can use the following command:
(Get-ADPrincipalGroupMembership -Identity "TestUser" | Where-Object GroupCategory -eq "Security").Name
This command retrieves the groups that the user "TestUser" is a member of that belong to the security group category. The output of this command will be a list of the names of the security groups that the user is a member of.
If you need to export group membership information for all users in Active Directory, you can use the following command to generate a CSV file with the relevant information:
# $user holds the current user; inside Select-Object, $_ refers to the group.
Get-ADUser -Filter * | ForEach-Object { $user = $_; Get-ADPrincipalGroupMembership -Identity $user | Select-Object @{Name="Username";Expression={$user.SamAccountName}},@{Name="Groupname";Expression={$_.Name}},@{Name="GroupDN";Expression={$_.DistinguishedName}} } | Export-Csv "C:\GroupMemberships.csv" -NoTypeInformation
This command retrieves all Active Directory users and their group memberships, including the username, group name, and group distinguished name. It then pipes the results to the Export-Csv cmdlet to export the results to a CSV file named "GroupMemberships.csv."
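An export like this can also serve as a baseline for access reviews. The following is an added example, not part of the original article: it compares two exports in the CSV layout above (Username, Groupname, GroupDN) and reports added or removed memberships. The function name Compare-MembershipExport, the sample rows and the watch list of group names are constructed for illustration.

```powershell
# Added example. Both snapshots are constructed sample data in the article's
# CSV layout (Username, Groupname, GroupDN); with real exports, load each file
# with Import-Csv instead.
$baseline = @'
"Username","Groupname","GroupDN"
"alice","Domain Users","CN=Domain Users,CN=Users,DC=example,DC=com"
"alice","Helpdesk","CN=Helpdesk,OU=Groups,DC=example,DC=com"
"bob","Domain Users","CN=Domain Users,CN=Users,DC=example,DC=com"
'@ | ConvertFrom-Csv
$current = @'
"Username","Groupname","GroupDN"
"alice","Domain Users","CN=Domain Users,CN=Users,DC=example,DC=com"
"bob","Domain Users","CN=Domain Users,CN=Users,DC=example,DC=com"
"bob","Domain Admins","CN=Domain Admins,CN=Users,DC=example,DC=com"
'@ | ConvertFrom-Csv
# Assumed watch list; adjust to the groups that matter in your domain.
$watch = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Compare-MembershipExport {   # hypothetical helper name
    param(
        [object[]]$Baseline = @(),
        [object[]]$Current = @(),
        [string[]]$PrivilegedGroups = @()
    )
    # Index rows by user + group DN: DNs are unique, display names are not.
    $old = @{}; foreach ($r in $Baseline) { $old["$($r.Username)|$($r.GroupDN)"] = $r }
    $new = @{}; foreach ($r in $Current)  { $new["$($r.Username)|$($r.GroupDN)"] = $r }
    $report = {
        param($row, $change)
        [pscustomobject]@{
            Username   = $row.Username
            Groupname  = $row.Groupname
            Change     = $change
            Privileged = $PrivilegedGroups -contains $row.Groupname
        }
    }
    foreach ($k in $new.Keys) { if (-not $old.ContainsKey($k)) { & $report $new[$k] 'Added' } }
    foreach ($k in $old.Keys) { if (-not $new.ContainsKey($k)) { & $report $old[$k] 'Removed' } }
}

# Privileged changes first, then by user.
Compare-MembershipExport -Baseline $baseline -Current $current -PrivilegedGroups $watch |
    Sort-Object -Property @{ Expression = 'Privileged'; Descending = $true }, Username |
    Format-Table -AutoSize
```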
In conclusion, PowerShell provides a straightforward and efficient way to retrieve the group memberships of an Active Directory user. By using the Get-ADPrincipalGroupMembership cmdlet, administrators can easily retrieve the groups that a user is a member of, including nested groups. Additionally, PowerShell allows administrators to filter the results to show only specific types of groups or to export group membership information for all users in Active Directory.