How to Check AD Group Membership with Command Line

Native Solution
Netwrix Auditor for Active Directory
Steps

To see a user’s AD group membership using the command line:

  1. Open the command prompt by navigating to Start → Run (or pressing Win + R) and entering "cmd".
  2. Type the following command in the command line, specifying the user account you want to find group membership for:

net user username

  3. At the end of the resulting report, you will find a list of the local groups and global groups that the user belongs to.

 

To list the members of an AD group using the command line:

  1. Open the command prompt by navigating to Start → Run (or pressing Win + R) and entering "cmd".
  2. Enter the following command, specifying the required group name:

net localgroup groupname

  3. At the end of the resulting report, you will find a list of the members of the group.

NET commands also work if you need to check local users and group membership in Windows 10.

To see which groups a particular user belongs to:

  1. Run Netwrix Auditor → Navigate to “Reports” → Click “Predefined” → Expand the “Active Directory” section → Go to “Active Directory - State-in-Time” → Select “User Accounts - Group Membership” → Click “View”.
  2. Specify “Enabled” in the “Status” field and type “user” in the “Member Type” field → Click “View Report”.

 

To check AD group members:

  1. Run Netwrix Auditor → Navigate to “Reports” → Click “Predefined” → Expand the “Active Directory” section → Go to “Active Directory – State-in-Time” → Select “Group Members” → Click “View”.
  2. Set up the following filters:
     • Status: Enabled
     • Member Type: User
     • Group path: The group path. You can specify the partial path to a particular group, using % as the wildcard character, or leave the wildcard to see a report for all groups.
  3. Click “View Report”.

Grasp the Full Picture Instead of Tinkering with the Command Line

Best practices advise using Active Directory groups to grant access privileges to users — for example, access to specific computers, tools, and servers. However, over time, AD group configuration can get very complicated, making it challenging to understand who has access to what and ensure each user only has the permissions they need. IT admins often need to check AD group members in Windows 10 or detail all the groups that a particular user belongs to and then either provide that information to departmental leaders for access privilege attestation or analyze it themselves to fix broken inheritance and other security issues.

You can view AD group membership with the Active Directory Users and Computers (ADUC) console snap-in by finding the user or group of interest, drilling down into the object’s properties, and clicking the “Members” or “Member Of” tab. Another option is to get group membership from the command line: you can use the dsget user and dsquery group tools from the Active Directory Domain Services (AD DS) package, or the native NET commands. However, the results of the NET USER and NET LOCALGROUP commands are hard to parse. While dsget and dsquery can be used to query AD group membership and provide more structured output, those commands work only on server versions of Windows and require you to input the distinguished name in LDAP Data Interchange Format. The last option is to use the Get-ADGroupMember PowerShell cmdlet, which requires some scripting skills. As a result, reviewing Active Directory group membership with native tools can be difficult and time-consuming.
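The Get-ADGroupMember route mentioned above, written out as an added PowerShell example (it is not part of the original page and is not Netwrix code). It applies the same two filters the report steps use, enabled accounts and member type user, and writes CSV files that can be handed over for access attestation. It assumes the ActiveDirectory module (RSAT) is installed on a domain-joined machine; the account name jsmith, the group name Helpdesk and the output file names are placeholders.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-UserGroupReport {
    # Lists the groups that a user account is a direct member of.
    param([Parameter(Mandatory)][string]$UserName)

    Get-ADPrincipalGroupMembership -Identity $UserName |
        Sort-Object Name |
        Select-Object @{ n = 'User'; e = { $UserName } },
                      Name, GroupCategory, GroupScope, DistinguishedName
}

function Get-GroupMemberReport {
    # Lists enabled user accounts in a group. -Recursive expands nested
    # groups, so users who hold access indirectly are included.
    param([Parameter(Mandatory)][string]$GroupName)

    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |    # Member Type: User
        Get-ADUser |
        Where-Object { $_.Enabled } |                   # Status: Enabled
        Sort-Object SamAccountName |
        Select-Object @{ n = 'Group'; e = { $GroupName } },
                      SamAccountName, Name, DistinguishedName
}

# Placeholder names: replace jsmith and Helpdesk with real objects.
Get-UserGroupReport -UserName 'jsmith' |
    Export-Csv -Path '.\jsmith-groups.csv' -NoTypeInformation

Get-GroupMemberReport -GroupName 'Helpdesk' |
    Export-Csv -Path '.\Helpdesk-members.csv' -NoTypeInformation
```

Both functions return objects rather than formatted text, so the output can also be piped to Format-Table or compared between runs with Compare-Object to spot membership changes.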

Netwrix Auditor for Active Directory can save a great deal of precious time. Instead of checking AD group membership with a command line, system operators can get a group membership summary in a few clicks. In addition, Netwrix Auditor also reports on modifications, logon activity, and the configuration of Active Directory and Group Policy, including inactive user and computer accounts, Active Directory object permissions, and more. It will alert you to possible threats and offers an advanced search to speed investigations. You can use various predefined reports, all with filtering, exporting, and subscription options, and easily create your custom reports. This comprehensive functionality streamlines many everyday IT tasks, from change monitoring and access control to privilege review and anomalous behavior detection.
