- Open the PowerShell ISE on your domain controller → Run the following script, specifying the username for the account you’re interested in and the path to export:
Get-ADPrincipalGroupMembership -Identity <Username> | Select-Object Name, GroupCategory, GroupScope | Export-Csv C:\data\ADUserGroups.csv -NoTypeInformation
- Open the file produced by the script in MS Excel.
- Run Netwrix Auditor → Navigate to "Reports" → Expand the "Active Directory" section → Go to "Active Directory - State-in-Time" → Select "User Accounts - Group Membership" → Click "View".
If you want to get this report by email regularly, simply choose the "Subscribe" option and define the schedule and recipients.
Enforce the Least Privilege Model by Regularly Reviewing Active Directory Group Membership Reports
The least privilege principle requires you to restrict each user’s access rights to the specific assets they need to do their everyday work. To enforce this best practice, you can use PowerShell to produce a list of user group memberships that calls out specific group names such as Enterprise Admins and Domain Admins, so you can review which groups specific user accounts belong to. Regularly reviewing such reports lets you remove unnecessary privileges, which hardens security and reduces your attack surface if a user abuses his or her access rights or the account is compromised by attackers or malware.
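The review step described above, as an added example that is not part of the original article: it takes the membership rows the export script produces, compares them against an approved baseline per user, and flags any group that is not approved, with privileged groups such as Domain Admins marked for removal. The function name Compare-GroupMembership, the baseline, the privileged-group list and the sample rows are all constructed for illustration.

```powershell
# Added example (not from the original article). Reviews exported group membership
# against an approved baseline and highlights privileged groups.

# Groups whose membership warrants the closest review (assumed list; extend as needed)
$PrivilegedGroups = @('Enterprise Admins', 'Domain Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')

# Approved groups per user (constructed baseline; in practice load it from a reviewed file)
$Baseline = @{
    'jdoe'   = @('Domain Users', 'Helpdesk', 'All Staff')
    'asmith' = @('Domain Users', 'Domain Admins')
}

function Compare-GroupMembership {
    param(
        [Parameter(Mandatory)] [string]$User,
        [Parameter(Mandatory)] [object[]]$Membership,  # rows with Name, GroupCategory, GroupScope
        [Parameter(Mandatory)] [hashtable]$Approved,
        [string[]]$Privileged = $PrivilegedGroups
    )
    $allowed = @($Approved[$User])   # empty when the user has no baseline entry
    foreach ($row in $Membership) {
        $isPriv = $Privileged -contains $row.Name
        $status = 'Review: unapproved'
        if ($allowed -contains $row.Name) { $status = 'Approved' }
        elseif ($isPriv)                  { $status = 'REMOVE: unapproved privileged' }
        [pscustomobject]@{
            User = $User; Group = $row.Name; Category = $row.GroupCategory
            Scope = $row.GroupScope; Privileged = $isPriv; Status = $status
        }
    }
}

# Constructed sample standing in for: Import-Csv C:\data\ADUserGroups.csv
$sample = @'
Name,GroupCategory,GroupScope
Domain Users,Security,Global
Domain Admins,Security,Global
Helpdesk,Security,Global
All Staff,Distribution,Universal
'@ | ConvertFrom-Csv

# jdoe's Domain Admins membership is not in the baseline, so it is flagged for removal
Compare-GroupMembership -User 'jdoe' -Membership $sample -Approved $Baseline |
    Sort-Object Privileged -Descending | Format-Table -AutoSize

# Against a live domain, replace $sample with the page's own query:
#   Get-ADPrincipalGroupMembership -Identity jdoe | Select-Object Name, GroupCategory, GroupScope
```

Note that Get-ADPrincipalGroupMembership returns direct memberships only, so a user who reaches Domain Admins through a nested group will not show that group in this report.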
However, writing PowerShell scripts eats up your valuable time. Plus, after viewing Active Directory group membership lists, you can’t export the report data into a more human-readable format for later review or distribution to your team members. Netwrix Auditor for Active Directory delivers a comprehensible report enriched with all the detail you need to easily check which groups a particular user is a member of. Plus, you can easily export the results to CSV or PDF format, or subscribe to the report to receive it automatically on the schedule you choose.