How to Get AD User Group Membership with or without PowerShell

Native Solution vs. Netwrix Auditor for Active Directory
{{ firstError }}
We care about security of your data. Privacy Policy
Native Solution Netwrix Auditor for Active Directory
Native Solution
Netwrix Auditor for Active Directory
Steps
  1. Open the PowerShell ISE.
    If you don't have the Active Directory module installed on your Windows machine, you need to download the correct Remote Server Administration Tools (RSAT) package for your OS.
    To activate the module, use the import-module ActiveDirectorycommand from an elevated PowerShell prompt.
  2. Run one of the following PowerShell scripts, specifying the AD user account name (samaccountname) you’re interested in and the path to export.

Import-Module ActiveDirectory

$UserName = “Administrator“ 

$ReportPath = “C:\data\ADUserGroups.csv“

Get-ADPrincipalGroupMembershipwindows $Username | select name, groupcategory, groupscope | export-CSV C:\data\ADUserGroups.csv

  • Get-ADPrincipalGroupMembership cmdlet retrieves Active Directory group membership for the specified user. It displays information about each group, including the name, category (Security or Distribution), and scope (Global, Universal, or Domain Local). This cmdlet looks directly into the group’s memberOf property. The above script will generate output as a CSV file, using the export-CSV cmdlet with pipeline symbol, and open the file in MS Excel.
  • The Get-ADUsercmdlet in Windows PowerShell can retrieve information about Active Directory users. It allows you to query many attributes of user objects stored in Active Directory. This cmdlet also works for any AD partition or an AD LDS (Lightweight Directory Services) Instance. The script below uses -Propertiesparameter and MemberOf as values to get a group list in LDIF format containing distinguished names of the groups. This method is not suitable for reporting as it gives the output in a distinguished name format by default:

Import-Module ActiveDirectory

$UserName = “Administrator“

$ReportPath = “C:\data\ADUserGroups.txt“

#-Identity parameter can be used, or only the value can be provided as $UserName

(Get-ADUser $UserName –Properties MemberOf | Select MemberOf).MemberOf |Out-File -FilePath $reportpath 

If the Windows user logged in does not have the privileges to run the script, you need to provide the alternate credentials to run the script through -Credential parameter, which provides the authentication for PowerShell.

  1. Run Netwrix Auditor → Navigate to "Reports" → Expand the "Active Directory" section → Go to "Active Directory - State-in-Time" → Select "User Accounts - Group Membership"→ Click 'View." You can also search for group membership for a specific user.
  2. To save the report, click the "Export" button → Choose a format from the dropdown menu → Click "Save".
Learn more about Netwrix Auditor for Active Directory

Get AD User Group Membership Report without Tedious PowerShell Tinkering

The least privilege principle requires you to restrict users’ access rights to the specific assets they need to perform their everyday work. By removing unnecessary permissions, you harden security and reduce your attack surface area by limiting the damage that can be done if a user decides to abuse their access rights or the account is compromised by attackers or malware. 

To enforce this best practice with native tools, you can either manually review user object properties in ADUC or get data on AD group membership by using PowerShell scripts to generate reports that detail specific domain local group names (such as EnterpriseAdmins and Domain Administrators) and manually check which groups a certain user account belongs to. However, both options eat up your valuable time. Moreover, reviewing Active Directory group membership lists can be cumbersome, especially in complex environments due to a high number of security groups and nested groups. On top of that, if you want to filter your report or add more details, you will need more expertise in PowerShell scripting and cmdlet parameters.

With Netwrix Auditor for Active Directory, it takes just a few clicks to get an understandable report enriched with all the details you need to check which groups a particular user is a member of. You can easily export the results to CSV or PDF format and send them to department heads for review. You can even set up subscriptions for yourself and other employees who need to participate in regular entitlement reviews; those people will receive it automatically on the schedule you specify, with zero additional effort.

 

Related How-tos
How to Get AD User Group Membership with or without PowerShell How to Monitor Active Directory Group Membership Changes How to List AD Group Members using PowerShell or Netwrix Auditor