Get user's non-truncated Active Directory groups from command line
WindowsCmdActive DirectoryWindows Problem Overview
I often use the net user command to have a look at AD groups for a user:
net user /DOMAIN <username>
This works well, however the group names are truncated to around 20 characters. And in my organization, most group names are much longer than this.
Does anyone know of a way to get non-truncated AD groups through the command line?
Windows Solutions
Solution 1 - Windows
GPRESULT is the right command, but it cannot be run without parameters. /v or verbose option is difficult to manage without also outputting to a text file. E.G. I recommend using
gpresult /user myAccount /v > C:\dev\me.txt--Ensure C:\Dev\me.txt exists
Another option is to display summary information only which may be entirely visible in the command window:
gpresult /user myAccount /r
The accounts are listed under the heading:
The user is a part of the following security groups
---------------------------------------------------
Solution 2 - Windows
A little stale post, but I figured what the heck. Does "whoami" meet your needs?
I just found out about it today (from the same Google search that brought me here, in fact). Windows has had a whoami tool since XP (part of an add on toolkit) and has been built-in since Vista.
whoami /groups
Lists all the AD groups for the currently logged-on user. I believe it does require you to be logged on AS that user, though, so this won't help if your use case requires the ability to run the command to look at another user.
Group names only:
whoami /groups /fo list |findstr /c:"Group Name:"
Solution 3 - Windows
Or you could use dsquery and dsget:
dsquery user domainroot -name <userName> | dsget user -memberof
To retrieve group memberships something like this:
Tue 09/10/2013 13:17:41.65
C:\
>dsquery user domainroot -name jqpublic | dsget user -memberof
"CN=Technical Support Staff,OU=Acme,OU=Applications,DC=YourCompany,DC=com"
"CN=Technical Support Staff,OU=Contosa,OU=Applications,DC=YourCompany,DC=com"
"CN=Regional Administrators,OU=Workstation,DC=YourCompany,DC=com"
Although I can't find any evidence that I ever installed this package on my computer, you might need to install the Remote Server Administration Tools for Windows 7.
Solution 4 - Windows
Much easier way in PowerShell:
Get-ADPrincipalGroupMembership <username>
Requirement: the account you yourself are running under must be a member of the same domain as the target user, unless you specify -Credential and -Server (untested).
In addition, you must have the Active Directory Powershell module installed, which as @dave-lucre says in a comment to another answer, is not always an option.
For group names only, try one of these:
(Get-ADPrincipalGroupMembership <username>).Name
Get-ADPrincipalGroupMembership <username> |Select Name
Solution 5 - Windows
Use Powershell: Windows Powershell Working with Active Directory
Quick Tip – Determining Group AD Membership Using Powershell
Solution 6 - Windows
Based on answer by P.Brian.Mackey-- I tried using gpresult /user <UserName> /r command, but it only seemed to work for my user account; for other users accounts I got this result: The user "userNameHere" does not have RSOP data.
So I read through this blog-- https://blog.thesysadmins.co.uk/group-policy-gpresult-examples.html-- and came upon a solution. You have to know the users computer name:
gpresult /s <UserComputer> /r /user:<UserName>
After running the command, you have to ENTER a few times for the program to complete because it will pause in the middle of the ouput. Also, the results gave a bunch of data including a section for "COMPUTER SETTINGS> Applied Group Policy Objects" and then "COMPUTER SETTINGS> Security groups" and finally "USER SETTINGS> security groups" (this is what we are looking for with the AD groups listed with non-truncated descriptions!).
Interesting to note that GPRESULT had some extra members not seen in NET USER command. Also, the sort order does not match and is not alphabetical. Any body who can add more insights in the comments that would be great.
RESULTS: gpresult (with ComputerName, UserName)
For security reasons, I have included only a subset of the membership results. (36 TOTAL, 12 SAMPLE)
The user is a part of the following security groups
---------------------------------------------------
..
Internet Email
GEVStandardPSMViewers
GcoFieldServicesEditors
AnimalWelfare_Readers
Business Objects
Zscaler_Standard_Access
..
GCM
..
GcmSharesEditors
GHVStandardPSMViewers
IntranetReportsViewers
JetDWUsers -- (NOTE: this one was deleted today, the other "Jet" one was added)
..
Time and Attendance Users
..
RESULTS: net user /DOMAIN (with UserName)
For security reasons, I have included only a subset of the membership results. (23 TOTAL, 12 SAMPLE)
Local Group Memberships
Global Group memberships ...
*Internet Email *GEVStandardPSMViewers
*GcoFieldServicesEdito*AnimalWelfare_Readers
*Business Objects *Zscaler_Standard_Acce
...
*Time and Attendance U*GCM
...
*GcmSharesEditors *GHVStandardPSMViewers
*IntranetReportsViewer*JetPowerUsers
The command completed successfully.
Solution 7 - Windows
You could parse the output from the GPRESULT command.