The Get-ADPrincipalGroupMembership PowerShell cmdlet enables you to query all the Active Directory group memberships of a user. In this tutorial, you'll learn to work with Get-ADPrincipalGroupMembership, and see how you can use this useful cmdlet to quickly and easily use a PowerShell one-liner to search and see whether a user is a member of a particular Active Directory group. Simply put, if your organization uses Active Directory security groups, the ability to use this cmdlet is an absolute must.

Prerequisite installation ^

The Get-ADPrincipalGroupMembership cmdlet is part of the Active Directory PowerShell module. To install the AD module, run the following command from an elevated command prompt:

import-module ActiveDirectory

If you are running Windows 10, the remote server administration tools (RSAT) are now part of the operating system and can be installed via Optional Features. To enable the tools, click Start > Settings > Apps > Optional features. After that, click the Add a feature panel and enter Remote in the search bar.

If you have an older version of Windows (prior to the 2018 update), you can download and install the RSAT from Microsoft.

How to use Get-ADPrincipalGroupMembership

One of the most common routine tasks for enterprise system administrators and helpdesk professionals is identifying Active Directory groups that a user is part of. At the enterprise level, access to many applications is granted via AD group membership.

At its most basic level, the syntax of Get-ADPrincipalGroupMembership looks like this:

Get-ADPrincipalGroupMembership -identity <username>
Get AD user group membership with Get ADPrincipalGroupMembership

Get AD user group membership with Get ADPrincipalGroupMembership

Microsoft's documentation for Get-ADPrincipalGroupMembership states that it allows you to "Get the Active Directory groups that have a specified user, computer, group, or service account." It absolutely does do that…and also provides us with distinguishedName, GroupCategory, GroupScope, name, objectClass, objectGUID, SamAccountName, and SID for every group associated with that username.

If the user has more than one group (it's not uncommon for users to be members of more than 50 AD groups), you need to go through each one manually to find the group you are looking for. To avoid having to go through the results manually, we can pipe the results to a where-object cmdlet to allow us to filter the results.

Get-ADPrincipalGroupMembership <username> | Where-Object {$_.Name -like 'Adm*'}

The results of this command show any group memberships that begin with "Adm," including Administrator.

Obtaining descriptions of AD groups ^

Sometimes, it is not obvious what the name of the AD group stands for. Fortunately, we can take advantage of the description field and use its contents to look for additional clarification of the AD group's purpose. To take advantage of this, we can use the PowerShell pipe.

If you look at the results in the previous section, you will notice that the description field that appears in Active Directory is not included in the output.

Look at the following example:

Get-ADPrincipalGroupMembership "dgreenhaus" | Where-Object {$_.Name -like '*splunk*'} | Get-ADGroup -Properties Description 

Let's break it down section by section:

Get-ADPrincipalGroupMembership "dgreenhaus"

This line returns all AD groups associated with the username dgreenhaus.

 | Where-Object {$_.Name -like '*splunk*'}

Here, we take the results of the previous cmdlet, and only return those that contain with "splunk." This can be very useful, particularly if your company's naming syntax involves giving all AD groups that grant access to an application a prefix of "splunk."

| Get-ADGroup -Properties Description 

This gets the results of the previous cmdlet and queries every group in Active Directory. Once it finds a match, it includes the output in the description.

Displaying the description

Displaying the description

If we want to search the AD group descriptions and search for an application name, we can change the order of our query as follows:

Get-ADPrincipalGroupMembership "dgreenhaus" | Get-ADGroup -Properties Description  | Where-Object {$_.description -like '*<insert Application name here*'} 

The above line gets all the group memberships for account "dgreenhaus," queries AD for the descriptions of the results, and then searches all those results for an application name (in this case, SolarWinds) or the phrase that you are looking for.

Getting the group membership

Getting the group membership

Making the output look nice and pretty ^

Once we have the output, we want to format it to make it easier to read, especially if you have more than one result, as well as to minimize superfluous information. To do this, we are going to pipe the information to a sort-object cmdlet, which will sort the results based on the object's property values. The default option is in ascending order.

If you want to sort by descending order, simply add the -Descending parameter. If you want to sort by a particular property, simply add -Property <property name> to the cmdlet.

Once the results are sorted, we can remove the superfluous information and display only the information we want. To do this, we can pipe the results from Get-ADPrincipalGroupMembership to Get-ADGroup and then filter those results using where-object to only the groups that contain the word app in the description. We can then pipe it to select-object name, description, which will show us only what we want to see: the AD group name and the AD group description for the user.

Get-ADPrincipalGroupMembership "dgreenhaus" | Get-ADGroup -Properties Description  | Where-Object {$_.description -like '*app*'}  | Sort-Object -descending | select-object name, description

We get the following results:

Subscribe to 4sysops newsletter!

Formatting the output for Get ADPrincipalGroupMembership

Formatting the output for Get ADPrincipalGroupMembership

avataravatar
3 Comments
  1. Mike Kanakos 4 months ago

    Nice screenshots ! …wink, wink..

  2. Oz Edri 4 months ago

    There’s a mistake in the breakdown – you wrote “return those that start with “APP.””, but actually it’ll return those that contains “splunk”.

    avatar

Leave a reply

Your email address will not be published.

*

© 4sysops 2006 - 2022

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account