134

Is there a way to view the members of an Active Directory group if you aren't a domain admin and can't log into to a domain controller?

Alan Hecht
  • 1,463
  • 2
  • 11
  • 10
  • These days If the group is in *Azure* AD, you may be able to view the members through the Azure Web Portal under Azure Active Directory / Groups. – Shawn Eary Apr 22 '22 at 16:45

3 Answers3

178

Absolutely. From a computer that's a member of the domain, open a command-prompt and run a:

NET GROUP "group name" /DOMAIN

Unless your administrators have changed the stock permissions on the group object you will be able to view the membership that way.

You can use AD Users and Computers even if you're not an administrator, but this, at least, can be done w/o installing anything.

Evan Anderson
  • 141,881
  • 20
  • 196
  • 331
  • By 'not have access' I meant that I couldn't log into the box. I've corrected the question. – Alan Hecht Jun 08 '09 at 20:53
  • 4
    I do so love the "NET xxx" commands... *smile* – Evan Anderson Jun 08 '09 at 21:12
  • This gives me "The syntax of this command is:" error message. Not sure why, it seems to match the example given. – Cameron May 26 '16 at 20:15
  • @Cameron - What does `net group /domain` give you? – Evan Anderson May 27 '16 at 03:01
  • @Evan: It seems to give the list of groups in the domain. Actually the command in your answer seems to be working now. Huh. I think there may have been a backslash in the group name I was trying before, which seems to cause the command to fail to parse its arguments (despite the double quotes). – Cameron May 30 '16 at 21:40
  • 3
    For those getting `The option ... is unknown. The syntax of the command is:`, make sure you haven't altered `/DOMAIN` at all. (don't replace it with the domain name) – Stevoisiak Oct 19 '18 at 14:45
31

Well, you certainly don't have to be a Domain Admin to view the members of a group in AD - you can do it from "My Network Places -> Search Active Directory" in XP, or "Network -> Search Active Directory" in Vista/7.

However, you aren't going to be able to query for this information if you don't have access to a DC. By access here I mean a network connection - you don't need to be able to logon to a DC to get this information - as you just use the directory search tool mentioned above.

Rob Golding
  • 498
  • 5
  • 7
4

You should still be able to use Active Directory Users and Computers to see group memberships, assuming your PC is a member of the domain and you are logged in with a domain account. You just won't be able to modify said group memberships.

If not, then the domain admins have set security such that you're restricted from viewing the memberships in which case you won't be able to see memberships.

BTW - What exactly do you mean by "don't have access to the domain controller"?

EDIT: Evan Anderson is right, that you would need to install the admin tools to get AD Users & Computers.

squillman
  • 37,883
  • 12
  • 92
  • 146