103

I often use the net user command to have a look at AD groups for a user:

net user /DOMAIN <username>

This works well, however the group names are truncated to around 20 characters. And in my organization, most group names are much longer than this.

Does anyone know of a way to get non-truncated AD groups through the command line?

Ross Ridge
Ben
  • 1
    Based on the date of this question, I'd guess that the 20 character truncation is no longer a thing as running that command returned groups with larger names. The answer below `whoami /groups` is also a good one. But it only lists the currently logged in user's groups. Impersonation and slick programming could get around that though ;) – Richard Barker Jul 07 '16 at 15:47
  • 6
    Ran it for a user on domain at my org; 20 character truncation is still an issue. – SherlockSpreadsheets Aug 10 '18 at 16:15
  • Good question, Aguado! – Craig Wilcox Oct 18 '19 at 17:53

7 Answers

124

GPRESULT is the right command, but it cannot be run without parameters. /v or verbose option is difficult to manage without also outputting to a text file. E.G. I recommend using

gpresult /user myAccount /v > C:\dev\me.txt

-- Ensure C:\Dev\me.txt exists

Another option is to display summary information only which may be entirely visible in the command window:

gpresult /user myAccount /r

The accounts are listed under the heading:

The user is a part of the following security groups
---------------------------------------------------
P.Brian.Mackey
  • 7
    This one should be the answer – L.T. Sep 25 '15 at 12:20
  • 1
    If you are looking for a specific string you can use `findstr` instead of redirecting output to a file and then searching the file. For example, `gpresult /user myAccount /r | findstr mySearchString`. – Jesse Sep 07 '16 at 14:37
  • 9
    When I run this for my user account, it's great and I can see the security groups. When I run it for another user account, command returns: The user "userNameHere" does not have RSOP data. – SherlockSpreadsheets Aug 10 '18 at 16:20
  • 1
    gpresult does actually NOT show the groups I'm interested to get the full name which however do appear with net USER /domain – beginner_ Jun 14 '21 at 04:59
67

A little stale post, but I figured what the heck. Does "whoami" meet your needs?

I just found out about it today (from the same Google search that brought me here, in fact). Windows has had a whoami tool since XP (part of an add on toolkit) and has been built-in since Vista.

whoami /groups

Lists all the AD groups for the currently logged-on user. I believe it does require you to be logged on AS that user, though, so this won't help if your use case requires the ability to run the command to look at another user.

Group names only:

whoami /groups /fo list |findstr /c:"Group Name:"
Ross Presser
Doug
  • I have been using `WhoAmI` to get my username for a very long time only to realize TODAY that you can do much more with it! Thank you. – MaYaN May 01 '15 at 08:43
  • 3
    list only group names: `for /f "tokens=1 delims=," %g in ('whoami /groups /fo csv /nh') do @echo "%~g"` (note: use `%%` instead of `%` in batch file) – Lectrode Oct 25 '15 at 20:28
  • perfect! Don't hesitate to offer fresh answers to stale posts! – Craig Wilcox Oct 18 '19 at 17:54
5

Or you could use dsquery and dsget:

dsquery user domainroot -name <userName> | dsget user -memberof

To retrieve group memberships something like this:

Tue 09/10/2013 13:17:41.65
C:\
>dsquery user domainroot -name jqpublic | dsget user -memberof
"CN=Technical Support Staff,OU=Acme,OU=Applications,DC=YourCompany,DC=com"
"CN=Technical Support Staff,OU=Contosa,OU=Applications,DC=YourCompany,DC=com"
"CN=Regional Administrators,OU=Workstation,DC=YourCompany,DC=com"

Although I can't find any evidence that I ever installed this package on my computer, you might need to install the Remote Server Administration Tools for Windows 7.

4

Much easier way in PowerShell:

Get-ADPrincipalGroupMembership <username>

Requirement: the account you yourself are running under must be a member of the same domain as the target user, unless you specify -Credential and -Server (untested).

In addition, you must have the Active Directory Powershell module installed, which as @dave-lucre says in a comment to another answer, is not always an option.

For group names only, try one of these:

(Get-ADPrincipalGroupMembership <username>).Name
Get-ADPrincipalGroupMembership <username> |Select Name
Ross Presser
  • 1
    Great answer! This does work, yet I'm not too sure it makes it easier :). You have to parse the result to get a list of group names (I would expand with that!). That's not a challenge for PS-savvy techies, but the leap from DOS batch to PS is never an easy one! – hector-j-rivas Jun 19 '20 at 16:32
0

Use Powershell: Windows Powershell Working with Active Directory

Quick Tip – Determining Group AD Membership Using Powershell

JProgrammer
Mitch Wheat
  • 3
    You can't do this without installing the Active Directory Powershell module (which isn't always an option) – Dave Lucre Jan 20 '16 at 04:50
  • 2
    While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/low-quality-posts/12605366) – Zulan Jun 07 '16 at 20:20
  • @Zulan: you're wasting your time on an answer that's 7 years old! Not only that but it also seems incongruous as you haven't commented the accepted answer in the same way. – Mitch Wheat Jun 08 '16 at 00:18
  • @MitchWheat: Did you notice the `From Review` link at the end of his comment? He didn't comment on the accepted answer because he didn't come across it in review. – zondo Jun 08 '16 at 00:51
  • I did. I would have thought a reviewer would at least check the accepted answer though. – Mitch Wheat Jun 08 '16 at 02:13
  • @MitchWheat: If you haven't already, check out the [respective review queue](https://stackoverflow.com/review/low-quality-posts) to understand how this works. For link-only answers I see no reason to compare with the other answers. Considering the change in culture over the years, it can be difficult to review "historic" answers. I try to take into account popularity, and whether the links are still valid, to see if an exception should be made. – Zulan Jun 08 '16 at 07:38
  • Regarding the accepted answer, it is clear that it is worse than the highest voted. I can see the argument to review it as "should be a comment". But IMHO the existing comment + voting is enough of a filter. – Zulan Jun 08 '16 at 07:45
  • like I said: "Incongruous". And I know how the review queue works, thanks. – Mitch Wheat Jun 08 '16 at 08:08
  • This answer is out of date; modern Powershell provides a [much more succinct answer.](https://stackoverflow.com/a/57873433/864696) – Ross Presser Sep 10 '19 at 14:56
0

Based on answer by P.Brian.Mackey -- I tried using gpresult /user <UserName> /r command, but it only seemed to work for my user account; for other users' accounts I got this result: The user "userNameHere" does not have RSOP data.

So I read through this blog -- https://blog.thesysadmins.co.uk/group-policy-gpresult-examples.html -- and came upon a solution. You have to know the user's computer name:

gpresult /s <UserComputer> /r /user:<UserName>

After running the command, you have to press ENTER a few times for the program to complete because it will pause in the middle of the output. Also, the results gave a bunch of data including a section for "COMPUTER SETTINGS> Applied Group Policy Objects" and then "COMPUTER SETTINGS> Security groups" and finally "USER SETTINGS> security groups" (this is what we are looking for with the AD groups listed with non-truncated descriptions!).

Interesting to note that GPRESULT had some extra members not seen in NET USER command. Also, the sort order does not match and is not alphabetical. Anybody who can add more insights in the comments that would be great.

RESULTS: gpresult (with ComputerName, UserName)

For security reasons, I have included only a subset of the membership results. (36 TOTAL, 12 SAMPLE)

The user is a part of the following security groups
---------------------------------------------------
..
 Internet Email 
 GEVStandardPSMViewers  
 GcoFieldServicesEditors    
 AnimalWelfare_Readers  
 Business Objects   
 Zscaler_Standard_Access    
..
 GCM    
..
 GcmSharesEditors   
 GHVStandardPSMViewers  
 IntranetReportsViewers 
 JetDWUsers     -- (NOTE: this one was deleted today, the other "Jet" one was added)
..
 Time and Attendance Users  
..

RESULTS: net user /DOMAIN (with UserName)

For security reasons, I have included only a subset of the membership results. (23 TOTAL, 12 SAMPLE)

Local Group Memberships  
Global Group memberships    ...
                             *Internet Email       *GEVStandardPSMViewers
                             *GcoFieldServicesEdito*AnimalWelfare_Readers
                             *Business Objects     *Zscaler_Standard_Acce
                             ...
                             *Time and Attendance U*GCM
                             ...
                             *GcmSharesEditors     *GHVStandardPSMViewers
                             *IntranetReportsViewer*JetPowerUsers
The command completed successfully.
SherlockSpreadsheets
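
The truncation raised in the question and the mismatch between the two listings in the answer above can be checked mechanically. The PowerShell below is an added example, not code from the thread: the function names `Get-NetUserGroupName` and `Resolve-GroupName` are hypothetical, the 21-character width is read off the sample output above, and the sample data is the subset quoted in that answer.

```powershell
# Added example (not from the thread): map names that `net user /domain` cut
# at 21 characters back to full names taken from a second listing.
$NetUserWidth = 21   # assumption: column width read off the sample output above

function Get-NetUserGroupName {
    param([string[]]$Lines)
    # Entries start with '*'. '*' is not allowed in a group account name, so it
    # still separates entries when a truncated name runs into the next column.
    foreach ($line in $Lines) {
        if ($line -notmatch '^(Local|Global) Group memberships|^\s+\*') { continue }
        foreach ($m in [regex]::Matches($line, '\*([^*]+)')) {
            $m.Groups[1].Value.TrimEnd()
        }
    }
}

function Resolve-GroupName {
    param([string[]]$Short, [string[]]$Full)
    foreach ($name in $Short) {
        # A 21-character name may be complete, so an exact match wins.
        $hits = @($Full | Where-Object { $_ -eq $name })
        $cut  = ($hits.Count -eq 0) -and ($name.Length -ge $NetUserWidth)
        if ($cut) {
            $hits = @($Full | Where-Object {
                $_.StartsWith($name, [StringComparison]::OrdinalIgnoreCase) })
        }
        # Several hits joined by ' | ' mean the 21-character prefix is ambiguous.
        [pscustomobject]@{ NetUser = $name; Truncated = $cut; FullName = $hits -join ' | ' }
    }
}

# Sample data: the subset quoted in the answer above, with the ".." lines dropped.
$netUser = @'
Local Group Memberships
Global Group memberships     *Internet Email       *GEVStandardPSMViewers
                             *GcoFieldServicesEdito*AnimalWelfare_Readers
                             *Business Objects     *Zscaler_Standard_Acce
                             *Time and Attendance U*GCM
                             *GcmSharesEditors     *GHVStandardPSMViewers
                             *IntranetReportsViewer*JetPowerUsers
The command completed successfully.
'@ -split '\r?\n'
$full = 'Internet Email', 'GEVStandardPSMViewers', 'GcoFieldServicesEditors',
        'AnimalWelfare_Readers', 'Business Objects', 'Zscaler_Standard_Access', 'GCM',
        'GcmSharesEditors', 'GHVStandardPSMViewers', 'IntranetReportsViewers',
        'JetDWUsers', 'Time and Attendance Users'

$resolved = Resolve-GroupName -Short (Get-NetUserGroupName $netUser) -Full $full
$resolved | Format-Table -AutoSize
# Names that appear only in the full listing
$full | Where-Object { $resolved.FullName -notcontains $_ }
```
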
-13

You could parse the output from the GPRESULT command.

serialhobbyist