How to get all groups that a user is a member of?

No need for long scripts when it is a simple one liner..

**QUEST Command**

(Get-QADUser -Identity john -IncludedProperties MemberOf | Select-Object MemberOf).MemberOf

**MS AD Command**

(GET-ADUSER –Identity john –Properties MemberOf | Select-Object MemberOf).MemberOf



I find the MS AD cmd is faster but some people like the Quest ones better..

Steve

Old school way from CMD:

net user mst999 /domain

The below works well:

get-aduser $username -Properties memberof | select -expand memberof

If you have a list of users:

$list = 'administrator','testuser1','testuser2'
$list | `
%{
$user = $_;
get-aduser $user -Properties memberof | `
select -expand memberof | `
%{new-object PSObject -property @{User=$user;Group=$_;}} `
}

Get-Member is not for getting user's group membership. If you want to get a list of groups a user belongs to on the local system, you can do so by:

$query = "ASSOCIATORS OF {Win32_Account.Name='DemoUser1',Domain='DomainName'} WHERE ResultRole=GroupComponent ResultClass=Win32_Account"

Get-WMIObject -Query $query | Select Name

In the above query, replace DemoUser1 with the username you want and the DomainName with either your local computer name or domain name.

It is just one line:

(get-aduser joe.bloggs -properties *).memberof

end of :)

Use:

Get-ADPrincipalGroupMembership username | select name | export-CSV username.csv

This pipes output of the command into a [CSV][1] file.

[1]:

[To see links please register here]

I couldn't get the following to work for a particular user:

Get-ADPrincipalGroupMembership username

It threw an error that I was not willing to troubleshoot.

I did however come up with a different solution using Get-ADUser. I like it a bit better because if you don't know the account name then you can get it based off of a wildcard on the user's actual name. Just fill in **PartOfUsersName** and away it goes.

#Get the groups that list of users are the member of using a wildcard search

[string]$UserNameLike = "*PartOfUsersName*" #Use * for wildcards here
[array]$AccountNames = $(Get-ADUser -Filter {Name -like $UserNameLike}).SamAccountName

ForEach ($AccountName In $AccountNames) {
Write-Host "`nGETTING GROUPS FOR" $AccountName.ToUpper() ":"
(Get-ADUser -Identity $AccountName -Properties MemberOf|select MemberOf).MemberOf|
Get-ADGroup|select Name|sort name
}


Huge props to schmeckendeugler and 8DH for getting me to this solution. +1 to both of you.

Get group membership for a user:

$strUserName = "Primoz"
$strUser = get-qaduser -SamAccountName $strUserName
$strUser.memberof

See *[Get Group Membership for a User][1]*

But also see Quest's [Free PowerShell Commands for Active Directory][2].

[**Edit**: **Get-ADPrincipalGroupMembership** command is included in Powershell since v2 with Windows 2008 R2. See kstrauss' answer below.]

[1]:

[To see links please register here]

[2]:

[To see links please register here]

To get it recursive, you can use:

<#
.SYNOPSIS
Get all the groups that a user is MemberOf.

.DESCRIPTION
This script retrieves all the groups that a user is MemberOf in a recursive way.

.PARAMETER SamAccountName
The name of the user you want to check #>

Param (
[String]$SamAccountName = 'test',
$DomainUsersGroup = 'CN=Domain Users,CN=Users,DC=domain,DC=net'
)


Function Get-ADMemberOf {
Param (
[Parameter(ValueFromPipeline)]
[PSObject[]]$Group,
[String]$DomainUsersGroup = 'CN=Domain Users,CN=Users,DC=grouphc,DC=net'
)
Process {
foreach ($G in $Group) {
$G | Get-ADGroup | Select -ExpandProperty Name
Get-ADGroup $G -Properties MemberOf| Select-Object Memberof | ForEach-Object {
Get-ADMemberOf $_.Memberof
}
}
}
}


$Groups = Get-ADUser $SamAccountName -Properties MemberOf | Select-Object -ExpandProperty MemberOf
$Groups += $DomainUsersGroup
$Groups | Get-ADMemberOf | Select -Unique | Sort-Object

Almost all above solutions used the `ActiveDirecotry` module which might not be available by default in most cases.

I used below method. A bit indirect, but served my purpose.

List all available groups

`Get-WmiObject -Class Win32_Group`

And then list the groups the user belongs to

`[System.Security.Principal.WindowsIdentity]::GetCurrent().Groups`

Comparison can then be done via checking through the `SIDs`. This works for the logged in user. Please correct me if I am wrong. Completely new to PowerShell, but had to get this done for a work commitment.