How to Check AD Group Membership with Command Line


Native Solution

To See Which Groups a Particular User Belongs to:

  1. Open the command prompt by navigating to Start → Run (or pressing Win + R) and entering "cmd".
  2. Type the following command in the command line, specifying the user account you want to find group membership for:

net user username

  3. At the end of the resulting report, you will find a list of the local groups and global groups that the user belongs to.

To List All the Users in a Particular Group:

  1. Open the command prompt by navigating to Start → Run (or pressing Win + R) and entering "cmd".
  2. Enter the following command, specifying the required group name:

net group groupname

  3. At the end of the resulting report, you will find a list of the members of the group.

NET commands also work for Windows 10 local users and groups.

Netwrix Auditor for Active Directory

To See Which Groups a Particular User Belongs to:

  1. Run Netwrix Auditor → Navigate to “Reports” → Click “Predefined” → Expand the “Active Directory” section → Go to “Active Directory – State-in-Time” → Select “User Accounts – Group Membership” → Click “View”.
  2. Specify “Enabled” in the “Status” field and type “user” in the “Member Type” field → Click “View Report”.

To List All the Users in a Particular Group:

  1. Run Netwrix Auditor → Navigate to “Reports” → Click “Predefined” → Expand the “Active Directory” section → Go to “Active Directory – State-in-Time” → Select “Group Members” → Click “View”.
  2. Set up the following filters:
     • Status: Enabled
     • Member Type: User
     • Group path: The group path. You can specify a partial path to a particular group, using % as a wildcard character, or leave the wildcard to see a report for all groups.
  3. Click “View Report”.

Grasp the Full Picture Instead of Tinkering with the Command Line

Best practices advise using Active Directory groups to grant access privileges to users — for example, access to specific computers, tools and servers. But over time, AD group configuration can get very complicated, making it challenging to understand who has access to what and ensure each user has only the permissions they need. IT admins often need to list the membership of each security group or detail all the groups that a particular user belongs to, and then either provide that information to departmental leaders for access privilege attestation, or analyze it themselves to fix broken inheritance and other issues.

You can check group membership with the Active Directory Users and Computers (ADUC) console snap-in by finding the user or group of interest, opening the object’s properties and clicking the “Members” or “Member Of” tab. Another option is to get group membership with the command line — you can use the dsget user and dsquery group tools from the Active Directory Domain Services (AD DS) package, or native NET commands from the command line. However, the results of the NET GROUP, NET USER and NET LOCALGROUP commands are hard to parse, and while dsget and dsquery provide more structured output, those commands work only on server versions of Windows and require you to input the distinguished name in LDAP Data Interchange Format. The last option is to use the Get-ADGroupMember PowerShell cmdlet, but that requires some scripting skills. As a result, reviewing Active Directory group membership with native tools can be both difficult and time consuming.
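The NET output described above is awkward to parse mainly because account and group names can contain spaces. As an added example (not from the original page), this Python code extracts the group lists from `net user` output and the member list from `net group` output; the function names are hypothetical, the sample output is constructed, and the English-locale layout (a `*` before each group, 25-character member columns) is an assumption.

```python
import re

# Constructed, abridged sample output (assumed English-locale layout), not from a real domain.
NET_USER_OUT = """\
User name                    jsmith

Local Group Memberships      *Administrators       *Remote Desktop Users
Global Group memberships     *Domain Users         *Domain Admins
                             *Help Desk
The command completed successfully.
"""
NET_GROUP_OUT = """\
Group name     Domain Admins
Members

-------------------------------------------------------------------------------
Administrator            jsmith                   svc backup
The command completed successfully.
"""

LABEL = re.compile(r"^(Local|Global) Group memberships\s*(.*)$", re.IGNORECASE)

def parse_net_user_groups(text):
    """Return {'local': [...], 'global': [...]} from `net user <name>` output."""
    groups, current = {"local": [], "global": []}, None
    for line in text.splitlines():
        m = LABEL.match(line)
        if m:
            current, rest = m.group(1).lower(), m.group(2)
        elif current and line.startswith(" "):
            rest = line      # indented continuation row of the same section
        else:
            current = None   # any other line ends the section
            continue
        # Each group is prefixed with '*'; splitting on it keeps names with spaces whole.
        groups[current] += [g.strip() for g in rest.split("*") if g.strip()]
    return groups

def parse_net_group_members(text, width=25):
    """Return member names from `net group <name>` output (fixed-width columns)."""
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("-----")) + 1
    members = []
    for line in lines[start:]:
        if line.startswith("The command completed"):
            break
        cells = (line[i:i + width].strip() for i in range(0, len(line), width))
        members += [c for c in cells if c]
    return members
```

Splitting the member rows on whitespace instead of on column width would turn the account `svc backup` into two non-existent accounts, which is the kind of error that distorts an access review.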

Netwrix Auditor for Active Directory can save a great deal of precious time. Instead of checking AD group membership with the command line, system operators can get a summary of group membership in a few clicks. In addition, Netwrix Auditor reports on modifications, logon activity, and the configuration of Active Directory and Group Policy, including inactive user and computer accounts, Active Directory object permissions, and more. It alerts you to possible threats and offers an advanced search to speed investigations. You can take advantage of a wide variety of predefined reports, all with filtering, exporting and subscription options, and easily create your own custom reports. This comprehensive functionality streamlines many common IT tasks, from change monitoring and access control to privilege review and anomalous behavior detection.