How to Get AD User Group Membership with or without PowerShell

Native Auditing
Steps
  1. Open the PowerShell ISE.
    If you don't have the Active Directory module installed on your Windows machine, you need to download the correct Remote Server Administration Tools (RSAT) package for your OS.
    To load the module, run Import-Module ActiveDirectory from an elevated PowerShell prompt.
  2. Run one of the following PowerShell scripts, specifying the AD user account name (sAMAccountName) you’re interested in and the path to export to.
  • This script outputs the user's direct group memberships with the category and scope of each group to a CSV file:

Import-Module ActiveDirectory

$UserName = "T.Simpson"
$ReportPath = "C:\data\ADUserGroups.csv"

# Direct memberships (including the primary group) with group category and scope
Get-ADPrincipalGroupMembership $UserName | Select-Object Name, GroupCategory, GroupScope | Export-Csv -Path $ReportPath -NoTypeInformation

  • This script outputs the group list as distinguished names (LDIF format):

Import-Module ActiveDirectory

$UserName = "T.Simpson"
$ReportPath = "C:\data\ADUserGroups.txt"

# memberOf holds the distinguished names of the groups the user is a direct member of
(Get-ADUser $UserName -Properties MemberOf).MemberOf | Out-File -FilePath $ReportPath

  3. Open the file produced by the script in MS Excel.
[Screenshot] How to Get AD User Group Membership Reports - PowerShell
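Both scripts above list only the groups the user is a direct member of, so rights inherited through nested groups stay invisible in the report. The script below is an added example, not code from the Netwrix page or product, that resolves the user's effective (nested) membership in one LDAP query and flags well-known privileged groups for an entitlement review. It assumes the RSAT ActiveDirectory module is loaded and that the caller can read group objects; the user name, report path and privileged-group list are assumptions to adjust for your domain.

```powershell
# Added example (not from the Netwrix page): report a user's effective group
# membership, nested groups included, and flag well-known privileged groups.
# Assumes RSAT ActiveDirectory is installed and the caller can read group objects.
Import-Module ActiveDirectory

$UserName   = 'T.Simpson'                          # sAMAccountName to review (assumed)
$ReportPath = 'C:\data\ADUserEffectiveGroups.csv'  # output path (assumed)

# Well-known high-privilege groups worth highlighting; extend for your environment.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators',
    'DnsAdmins', 'Group Policy Creator Owners'
)

# Escape a DN for use inside an LDAP filter (RFC 4515). A DN such as
# "CN=Smith (John),OU=Staff,DC=example,DC=com" would otherwise break the filter.
# Backslash is escaped first so the escapes added afterwards are not re-escaped.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-ADUserEffectiveGroups {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup
    $dn   = ConvertTo-LdapFilterValue -Value $user.DistinguishedName

    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the domain
    # controller follow 'member' links transitively, so nested groups come back
    # in a single query instead of recursing from the client.
    $nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"

    # The primary group (usually Domain Users) is not stored in 'member' and is
    # therefore missed by the chain filter; add it explicitly.
    $primary = Get-ADGroup -Identity $user.PrimaryGroup

    # Direct memberships, used to label each row as Direct or Nested.
    $directDns = @(Get-ADPrincipalGroupMembership -Identity $SamAccountName |
                   Select-Object -ExpandProperty DistinguishedName)

    @($primary) + @($nested) | Sort-Object -Property DistinguishedName -Unique | ForEach-Object {
        $kind = if ($directDns -contains $_.DistinguishedName) { 'Direct' } else { 'Nested' }
        [pscustomobject]@{
            User              = $SamAccountName
            Group             = $_.Name
            GroupCategory     = $_.GroupCategory
            GroupScope        = $_.GroupScope
            Membership        = $kind
            Privileged        = ($PrivilegedGroups -contains $_.Name)
            DistinguishedName = $_.DistinguishedName
        }
    }
}

$report = Get-ADUserEffectiveGroups -SamAccountName $UserName
$report | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8

# Show the rows that deserve a second look straight away: privileged groups
# reached through nesting are the ones a direct-membership report hides.
$report | Where-Object Privileged | Format-Table Group, Membership, GroupScope -AutoSize
```

The Privileged column is a simple name match against the list at the top, so rename or add entries to cover delegated groups specific to your domain; the Membership column is what tells you whether removing a single direct membership would actually revoke the access.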
Netwrix Auditor for Active Directory
  1. Run Netwrix Auditor → Navigate to "Reports" → Expand the "Active Directory" section → Go to "Active Directory - State-in-Time" → Select "User Accounts - Group Membership" → Click "View".
  2. To save the report, click the "Export" button → Choose a format from the dropdown menu → Click "Save".
[Screenshot] Netwrix Auditor User Account Group Membership Report: shows each user account with its group memberships, and the path and type of each group

Get AD User Group Membership Report without Tedious PowerShell Tinkering

The least privilege principle requires you to restrict each user’s access rights to the specific assets they need to perform their everyday work. By removing unnecessary permissions, you harden security and reduce your attack surface, limiting the damage that can be done if a user decides to abuse their access rights or the account is compromised by attackers or malware.

To enforce this best practice with native tools, you can either manually review user object properties in ADUC, or use PowerShell scripts to generate reports on AD group membership that detail specific domain local group names (such as Enterprise Admins and Domain Admins) and then manually check which groups a certain user account belongs to. However, both of these options eat up your valuable time. Moreover, reviewing Active Directory group membership lists can be cumbersome, especially in complex environments, due to the high number of security groups and nested groups. On top of that, if you want to filter your report or add more details, you will need more expertise in PowerShell scripting and cmdlet parameters.

With Netwrix Auditor for Active Directory, it takes just a few clicks to get a comprehensive report enriched with all the details you need to easily check which groups a particular user is a member of. Plus, you can easily export the results to CSV or PDF format and send them to department heads for review. You can even set up subscriptions for yourself and other employees who need to participate in regular entitlement reviews; those people will receive the report automatically on the schedule you specify, with zero additional effort on your part.
