Get AD user group membership with Get-ADPrincipalGroupMembership - Fri, Aug 5 2022
Prerequisite installation
The Get-ADPrincipalGroupMembership cmdlet is part of the Active Directory PowerShell module, which ships with the Remote Server Administration Tools (RSAT). Once the module is present, load it into your session by running the following command from an elevated PowerShell prompt:
Import-Module ActiveDirectory
If you are running Windows 10, the remote server administration tools (RSAT) are now part of the operating system and can be installed via Optional Features. To enable the tools, click Start > Settings > Apps > Optional features. After that, click the Add a feature panel and enter Remote in the search bar.
If you have an older version of Windows (prior to the 2018 update), you can download and install the RSAT from Microsoft.
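The following snippet is an added example, not code from the original article. It checks whether the RSAT Active Directory tools are present on Windows 10/11 (the capability name prefix Rsat.ActiveDirectory is assumed from the Optional Features listing), installs them if needed, and then loads the module so that Get-ADPrincipalGroupMembership is available:

```powershell
# Added example: verify the RSAT AD DS tools are installed, then load the module.
# Get-/Add-WindowsCapability need an elevated PowerShell session.
$capability = Get-WindowsCapability -Online -Name 'Rsat.ActiveDirectory*' |
    Where-Object { $_.Name -like 'Rsat.ActiveDirectory.DS-LDS.Tools*' }

if (-not $capability) {
    throw 'RSAT AD DS/LDS tools capability not found; on older Windows versions install RSAT from the Microsoft download.'
}

if ($capability.State -ne 'Installed') {
    # Pulls the feature on demand from Windows Update (or a configured FoD source)
    Add-WindowsCapability -Online -Name $capability.Name | Out-Null
}

# Fail loudly if the module still cannot be loaded
Import-Module ActiveDirectory -ErrorAction Stop

# Confirm the cmdlet used throughout the article is now available
Get-Command Get-ADPrincipalGroupMembership | Select-Object Name, Source
```

If the machine is domain-joined, no further configuration is needed; the module talks to a domain controller located through the normal DC locator process.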
How to use Get-ADPrincipalGroupMembership
One of the most common routine tasks for enterprise system administrators and helpdesk professionals is identifying Active Directory groups that a user is part of. At the enterprise level, access to many applications is granted via AD group membership.
At its most basic level, the syntax of Get-ADPrincipalGroupMembership looks like this:
Get-ADPrincipalGroupMembership -Identity <username>
Microsoft's documentation for Get-ADPrincipalGroupMembership states that it allows you to "Get the Active Directory groups that have a specified user, computer, group, or service account." It absolutely does do that…and also provides us with distinguishedName, GroupCategory, GroupScope, name, objectClass, objectGUID, SamAccountName, and SID for every group associated with that username.
If the user is a member of more than one group (it's not uncommon for users to be members of more than 50 AD groups), you would otherwise have to read through each one manually to find the group you are looking for. To avoid that, we can pipe the results to the Where-Object cmdlet, which lets us filter them.
Get-ADPrincipalGroupMembership <username> | Where-Object {$_.Name -like 'Adm*'}
The results of this command show any group memberships that begin with "Adm," including Administrator.
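Filtering on a name prefix like "Adm" is a quick check, but a defender usually wants a definite answer to "is this account in any of our privileged groups, directly or through nesting?". The function below is an added example, not part of the original article, and it goes beyond the article's direct-membership query: Get-ADPrincipalGroupMembership reports only the groups the account is a direct member of (plus its primary group), so the example also resolves nested membership with the LDAP_MATCHING_RULE_IN_CHAIN operator (OID 1.2.840.113556.1.4.1941) via Get-ADGroup -LDAPFilter. The list of privileged group names is a constructed default and should be adjusted to your environment.

```powershell
# Added example: audit an account's direct and effective (nested) membership in
# a set of high-privilege groups. Not from the original article.
function Test-PrivilegedGroupMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        # Constructed default list; replace with the groups your environment treats as privileged
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators')
    )

    $user = Get-ADUser -Identity $Identity

    # Direct membership, as shown in the article (includes the primary group, usually Domain Users)
    $direct = Get-ADPrincipalGroupMembership -Identity $user |
        Select-Object -ExpandProperty Name

    # Escape characters that are special in an LDAP filter value (RFC 4515) before
    # embedding the user's distinguished name in the filter
    $escapedDn = $user.DistinguishedName -replace '\\', '\5c' `
                                         -replace '\(', '\28' `
                                         -replace '\)', '\29' `
                                         -replace '\*', '\2a'

    # Effective membership: every group whose member attribute reaches this user
    # through any chain of nested groups. The primary group is not returned here
    # because it is linked via primaryGroupID rather than the member attribute.
    $nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$escapedDn)" |
        Select-Object -ExpandProperty Name

    foreach ($group in $PrivilegedGroups) {
        $isDirect = $direct -contains $group
        [pscustomobject]@{
            User      = $user.SamAccountName
            Group     = $group
            Direct    = $isDirect
            Effective = $isDirect -or ($nested -contains $group)
        }
    }
}

# Usage (account name constructed for illustration)
Test-PrivilegedGroupMembership -Identity 'dgreenhaus' | Format-Table -AutoSize
```

A row with Direct = False but Effective = True is the case the simple name filter misses: the account holds the privilege only through a nested group, which is exactly what an access review needs to surface.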
Obtaining descriptions of AD groups
Sometimes, it is not obvious what the name of the AD group stands for. Fortunately, we can take advantage of the description field and use its contents to look for additional clarification of the AD group's purpose. To take advantage of this, we can use the PowerShell pipe.
If you look at the results in the previous section, you will notice that the description field that appears in Active Directory is not included in the output.
Look at the following example:
Get-ADPrincipalGroupMembership "dgreenhaus" | Where-Object {$_.Name -like '*splunk*'} | Get-ADGroup -Properties Description
Let's break it down section by section:
Get-ADPrincipalGroupMembership "dgreenhaus"
This line returns all AD groups associated with the username dgreenhaus.
| Where-Object {$_.Name -like '*splunk*'}
Here, we take the results of the previous cmdlet and return only those whose name contains "splunk." This can be very useful, particularly if your company's naming convention gives all AD groups that grant access to an application a prefix such as "splunk."
| Get-ADGroup -Properties Description
This takes each group returned by the previous cmdlet, looks it up in Active Directory, and adds the Description attribute (which Get-ADPrincipalGroupMembership does not return) to the output.
If we want to search the AD group descriptions and search for an application name, we can change the order of our query as follows:
Get-ADPrincipalGroupMembership "dgreenhaus" | Get-ADGroup -Properties Description | Where-Object {$_.Description -like '*<insert application name here>*'}
The above line gets all the group memberships for the account "dgreenhaus," queries AD for the descriptions of those groups, and then searches those results for an application name (SolarWinds, in this case) or whatever phrase you are looking for.
Making the output look nice and pretty
Once we have the output, we want to format it to make it easier to read, especially if there is more than one result, and to minimize superfluous information. To do this, we pipe the information to the Sort-Object cmdlet, which sorts the results based on the objects' property values. The default is ascending order.
If you want to sort by descending order, simply add the -Descending parameter. If you want to sort by a particular property, simply add -Property <property name> to the cmdlet.
Once the results are sorted, we can remove the superfluous information and display only what we want. To do this, we pipe the results from Get-ADPrincipalGroupMembership to Get-ADGroup and then filter those results with Where-Object to only the groups that contain the word "app" in the description. We can then pipe them to Select-Object Name, Description, which shows us only what we want to see: the AD group name and the AD group description for the user.
Get-ADPrincipalGroupMembership "dgreenhaus" | Get-ADGroup -Properties Description | Where-Object {$_.Description -like '*app*'} | Sort-Object -Descending | Select-Object Name, Description
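The pipeline above is something a helpdesk or audit team runs repeatedly with different names and patterns, so it is worth wrapping in a function. The following is an added example, not the article's own code: it combines the name filter, the description lookup, the description filter, the sort and the Select-Object step into one reusable cmdlet-style function. The function name, parameter names and the account name used in the usage lines are assumptions for illustration.

```powershell
# Added example: reusable wrapper around the article's pipeline. Not from the original article.
function Get-UserGroupReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string] $NamePattern = '*',         # -like pattern applied to the group name
        [string] $DescriptionPattern = '*',  # -like pattern applied to the Description attribute
        [string] $SortProperty = 'Name',     # property to sort on; article's default is object order
        [switch] $Descending
    )

    Get-ADPrincipalGroupMembership -Identity $Identity |
        Where-Object { $_.Name -like $NamePattern } |
        # Description is not returned by Get-ADPrincipalGroupMembership, so look each group up
        Get-ADGroup -Properties Description |
        # Groups with an empty Description still match the default '*' pattern
        Where-Object { $_.Description -like $DescriptionPattern } |
        Sort-Object -Property $SortProperty -Descending:$Descending |
        Select-Object Name, Description
}

# Usage (account name and patterns constructed for illustration)

# Same result as the article's final pipeline, sorted by Name descending
Get-UserGroupReport -Identity 'dgreenhaus' -DescriptionPattern '*app*' -Descending |
    Format-Table -AutoSize

# Groups starting with "Adm", exported for an access review ticket
Get-UserGroupReport -Identity 'dgreenhaus' -NamePattern 'Adm*' |
    Export-Csv -Path .\dgreenhaus-admin-groups.csv -NoTypeInformation
```

Sorting on an explicit property (here Name) avoids relying on Sort-Object's fallback ordering for ADGroup objects, and keeping the filters as -like patterns means the same function serves both the "find the Splunk group" and the "find everything described as an application" queries from the article.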
We get the following results:
Nice screenshots! ...wink, wink.
There’s a mistake in the breakdown – you wrote “return those that start with “APP.””, but actually it’ll return those that contain “splunk”.
Thanks for the hint! The text is now correct.