How to get all groups that a user is a member of?

#1
PowerShell's `Get-ADGroupMember` cmdlet returns members of a specific group. Is there a cmdlet or property to get all the groups that a particular user is a member of?


Reply

#2
`Get-Member` is a cmdlet for listing the members of a .NET `object`. This has nothing to do with user/group membership. You can get the current user's group membership like so:

```powershell
PS> [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    Format-Table -auto

BinaryLength AccountDomainSid Value
------------ ---------------- -----
          28 S-1-5-21-...     S-1-5-21-2229937839-1383249143-3977914998-513
          12                  S-1-1-0
          28 S-1-5-21-...     S-1-5-21-2229937839-1383249143-3977914998-1010
          28 S-1-5-21-...     S-1-5-21-2229937839-1383249143-3977914998-1003
          16                  S-1-5-32-545
...
```

If you need access to arbitrary users' group info then @tiagoinu's suggestion of using the Quest AD cmdlets is a better way to go.
Reply

#3
```powershell
# The original used en-dashes before Identity and Properties; PowerShell needs ASCII hyphens.
(Get-ADUser -Identity USERNAME -Properties MemberOf | Select-Object MemberOf).MemberOf
```
Reply

#4
```powershell
Import-Module ActiveDirectory
Get-ADUser -SearchBase "OU=Users,DC=domain,DC=local" -Filter * | ForEach-Object {
    Write-Host "User:" $_.Name -ForegroundColor Green
    Get-ADPrincipalGroupMembership $_.SamAccountName | ForEach-Object {
        Write-Host "Member Of:" $_.Name
    }
}
```

Change the value of -SearchBase to reflect the OU you need to list the users from :)

This will list all of the users in that OU and show you which groups they are a member of.
Reply

#5
I wrote a PowerShell function called Get-ADPrincipalGroupMembershipRecursive. It accepts the DSN of a user, computer, group, or service account. It retrieves an initial list of groups from the account's memberOf attribute, then recursively checks those groups' memberships. Abbreviated code is below. Full source code with comments can be found at the link in my original post.

```powershell
function Get-ADPrincipalGroupMembershipRecursive( ) {

    Param(
        [string] $dsn,          # distinguished name of the principal to start from
        [array]  $groups = @()  # accumulator of group objects found so far
    )

    # Read the principal's direct memberships.
    $obj = Get-ADObject $dsn -Properties memberOf

    foreach( $groupDsn in $obj.memberOf ) {

        $tmpGrp = Get-ADObject $groupDsn -Properties memberOf

        # Only descend into groups not seen yet; this also stops infinite loops on circular nesting.
        if( ($groups | Where-Object { $_.DistinguishedName -eq $groupDsn }).Count -eq 0 ) {
            $groups += $tmpGrp
            $groups = Get-ADPrincipalGroupMembershipRecursive $groupDsn $groups
        }
    }

    return $groups
}

# Simple example of how to use the function
$username = Read-Host -Prompt "Enter a username"
$groups = Get-ADPrincipalGroupMembershipRecursive (Get-ADUser $username).DistinguishedName
$groups | Sort-Object -Property name | Format-Table
```




Reply
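The recursive walk in the answer above resolves nesting on the client, one LDAP read per group. The domain controller can also compute the transitive result for you through the constructed `tokenGroups` attribute, which holds the SIDs of every security group the account is effectively in (primary group included, distribution groups excluded, so `memberOf` is still needed for those). The following is an added example, not code from any post in this thread: it reads `tokenGroups` through `[ADSI]`, translates each SID to a name, and flags membership in well-known privileged groups, which is the question a defender usually has when auditing an account. `Get-ADEffectiveGroupMembership` is a hypothetical function name, `jdoe` is a placeholder, and a domain-joined host with the ActiveDirectory module is assumed.

```powershell
# Added example (not from any answer in this thread). Resolves a principal's
# effective (nested) security-group membership from the constructed
# tokenGroups attribute and flags well-known privileged groups.
function Get-ADEffectiveGroupMembership {
    Param(
        [Parameter(Mandatory = $true)]
        [string] $DistinguishedName
    )

    # Well-known RIDs of domain groups and SIDs of builtin groups worth flagging.
    $privilegedRids = @{
        '512' = 'Domain Admins'
        '518' = 'Schema Admins'
        '519' = 'Enterprise Admins'
    }
    $privilegedBuiltin = @{
        'S-1-5-32-544' = 'Administrators'
        'S-1-5-32-548' = 'Account Operators'
        'S-1-5-32-551' = 'Backup Operators'
    }

    $entry = [ADSI]("LDAP://" + $DistinguishedName)
    # tokenGroups is constructed server-side, so it must be requested explicitly.
    $entry.RefreshCache(@('tokenGroups'))

    foreach ($sidBytes in $entry.Properties['tokenGroups']) {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($sidBytes, 0)
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # SID of a deleted group, or a group in a domain this host cannot resolve
            $name = '<unresolved>'
        }

        $rid  = $sid.Value.Split('-')[-1]
        $flag = $null
        if ($privilegedBuiltin.ContainsKey($sid.Value)) {
            $flag = $privilegedBuiltin[$sid.Value]
        } elseif ($sid.Value -like 'S-1-5-21-*' -and $privilegedRids.ContainsKey($rid)) {
            $flag = $privilegedRids[$rid]
        }

        [PSCustomObject]@{
            SID        = $sid.Value
            Name       = $name
            Privileged = [bool]$flag
            Reason     = $flag
        }
    }
}

# Usage: list a user's effective groups, privileged ones first.
$dn = (Get-ADUser -Identity 'jdoe').DistinguishedName   # 'jdoe' is a placeholder
Get-ADEffectiveGroupMembership -DistinguishedName $dn |
    Sort-Object -Property Privileged, Name -Descending |
    Format-Table -AutoSize
```

Because the DC expands the nesting, this is one read regardless of how deep the groups go, and the `Privileged` column answers "does this account effectively hold an admin group" without trusting the direct `memberOf` list alone. Universal and global groups from trusted domains appear only if the account is in them through a group of the queried domain; domain-local groups of other domains are not included.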

#6
```powershell
Get-QADUser -SamAccountName LoginID | % { $_.MemberOf } | Get-QADGroup | select name
```
Reply

#7
```powershell
Get-ADPrincipalGroupMembership USERLOGON | select name
```
Reply

#8
A more concise alternative to the one posted by Canoas, to get group membership for the currently-logged-on user.

I came across this method in a blog post.

```powershell
([ADSISEARCHER]"samaccountname=$($env:USERNAME)").Findone().Properties.memberof
```

An even better version which uses a regex to strip the LDAP guff and leaves the group names only:

```powershell
([ADSISEARCHER]"samaccountname=$($env:USERNAME)").Findone().Properties.memberof -replace '^CN=([^,]+).+$','$1'
```

More details about using the [ADSISEARCHER] type accelerator can be found on the Scripting Guy blog.

Reply
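The one-liner above interpolates a name straight into an LDAP filter string. With `$env:USERNAME` that is harmless, but the same pattern is often reused with a name read from a parameter, a ticket or a CSV, and then the characters that have filter meaning (`*`, `(`, `)`, `\` and NUL) change the query: `*` alone matches every user, and an unbalanced `(` makes `FindOne()` throw. The following added example, not code from the answer above, escapes the value per RFC 4515 before building the filter, restricts the search to user objects, and reuses the same CN-extraction regex. `ConvertTo-LdapFilterValue` and `Get-GroupNamesForUser` are hypothetical names; a domain-joined host is assumed.

```powershell
# Added example (not from any answer in this thread). Escapes a value for use
# inside an LDAP search filter (RFC 4515) and looks up a user's direct groups.
function ConvertTo-LdapFilterValue {
    Param([Parameter(Mandatory = $true)][string] $Value)
    # Backslash goes first so the escapes added afterwards are not re-escaped.
    $Value = $Value -replace '\\', '\5c'
    $Value = $Value -replace '\*', '\2a'
    $Value = $Value -replace '\(', '\28'
    $Value = $Value -replace '\)', '\29'
    $Value = $Value -replace "`0", '\00'
    return $Value
}

function Get-GroupNamesForUser {
    Param([Parameter(Mandatory = $true)][string] $SamAccountName)

    $safe = ConvertTo-LdapFilterValue -Value $SamAccountName
    # objectCategory/objectClass keep a group or computer with the same name from matching.
    $searcher = [ADSISEARCHER]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
    [void]$searcher.PropertiesToLoad.Add('memberOf')

    $result = $searcher.FindOne()
    if (-not $result) {
        throw "No user with sAMAccountName '$SamAccountName'"
    }

    # Same CN-extraction regex as the answer above; memberOf lists direct groups only
    # (no primary group, no nesting), so use tokenGroups for effective membership.
    $result.Properties['memberof'] -replace '^CN=([^,]+).+$', '$1'
}

# Usage
Get-GroupNamesForUser -SamAccountName $env:USERNAME
Get-GroupNamesForUser -SamAccountName 'j*doe'   # searched literally, not as a wildcard
```

The escape function is the whole point: `ConvertTo-LdapFilterValue '*'` returns `\2a`, so the filter becomes `(sAMAccountName=\2a)` and matches only an account literally named `*`, instead of the entire user container. Note the CN regex stops at the first unescaped-looking comma, so a group whose CN itself contains `\,` is truncated; that is a limitation of the original one-liner that this example keeps for comparability.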

#9
```powershell
Get-ADUser -Filter { memberOf -RecursiveMatch "CN=Administrators,CN=Builtin,DC=Fabrikam,DC=com" } -SearchBase "CN=Administrator,CN=Users,DC=Fabrikam,DC=com" -SearchScope Base
```

NOTE: The above command will return the user object (Administrator in this case) if it finds a match recursively in the memberOf attribute.
Reply

#10
This is the simplest way to just get the names:

```powershell
Get-ADPrincipalGroupMembership "YourUserName"

# Returns
distinguishedName : CN=users,OU=test,DC=SomeWhere
GroupCategory     : Security
GroupScope        : Global
name              : testGroup
objectClass       : group
objectGUID        : 2130ed49-24c4-4a17-88e6-dd4477d15a4c
SamAccountName    : testGroup
SID               : S-1-5-21-2114067515-1964795913-1973001494-71628
```

Add a select statement to trim the response, or, to get every group that every user in an OU is a member of:

```powershell
foreach ($user in (Get-ADUser -SearchScope Subtree -SearchBase $oupath -Filter * -Properties samAccountName, MemberOf | select samAccountName)) {
    Get-ADPrincipalGroupMembership $user.samAccountName | select name
}
```
Reply
