How to Get AD User Group Membership Reports

We care about security of your data. Privacy Policy
Native Auditing Netwrix Auditor for Active Directory
  1. Open the PowerShell ISE on your domain controller → Run the following script, specifying the username for the account you’re interested in and the path to export:

Get-ADPrincipalGroupMembership Username> | select name, groupcategory, groupscope | export-CSV C:\data\ADUserGroups.csv 

  1. Open the file produced by the script in MS Excel.

Sample report: 

Active Directory user group membership report produced by the PowerShell script in MS Excel
  1. Run Netwrix Auditor → Navigate to "Reports" → Expand the "Active Directory" section → Go to "Active Directory - State-in-Time" → Select "User Accounts - Group Membership"→ Click 'View".
  2. To save the report, click the "Export" button → Choose a format from the dropdown menu → Click "Save".
Netwrix Auditor User Account Group Membership Report: shows user accounts with the group membership, group path and type of each account

Enforce the Least Privilege Model by Regularly Reviewing Active Directory Group Membership Reports

The least privilege principle requires you to restrict each user’s access rights to the specific assets they require to perform their everyday work. To enforce this best practice, you can create a list of user group membership using PowerShell that details specific group names such as Enterprise Admins and Domain Admins, so you can review which groups specific user accounts belong to. Regular review of such reports enables you to remove any unnecessary privileges to harden security and reduce your attack surface area in case a user decides to abuse his or her access rights or the account is compromised by attackers or malware. 

However, scripting PowerShell cmdlet commands eats up your valuable time. Plus, after viewing Active Directory group membership lists, you can’t export the report data into a more human-readable format for later review or distribution to your team members. Netwrix Auditor for Active Directory delivers a comprehensible report enriched with all the detail you need to easily check what groups a particular user is a member of. Plus, you can easily export the results to CSV or PDF format, or subscribe to the report to receive it automatically on the schedule you choose.