What Active Directory groups am I in?
Today, while debugging an access rights issue, I needed to find out exactly which Active Directory groups one of my Windows user accounts belonged to. If the account and groups I was interested in had been local on the machine, I could have started Administrative Tools, Computer Management and opened the Local Users and Groups folder to get all information needed. However, both the user account and the groups I was interested in were in the Active Directory, so that tool was not helpful.
Two ways of checking using the command line
Instead, I started PowerShell and tried these three commands:
net user MY_USERNAME /domain
gpresult /r
whoami /groups
net user
net user is a Windows command-line tool, available in all versions from Windows Vista. It can be used to view, change, and create user accounts on Windows computers. By typing net user MY_USERNAME /domain you are presented with some details about your user account, including a bullet list of all groups you are a member of. Keep in mind that the names of those groups may be truncated if they are long. Another thing to be aware of is that the groups listed by the net user command may not include all the groups that you are a member of. For a full list of Active Directory groups, you need to use the gpresult or the whoami approach.
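If the truncated names in the net user output are the problem, the same logon token that whoami reads can be enumerated from PowerShell with full names and SIDs. The following is an added example and not part of the original post; it uses only the .NET WindowsIdentity and SecurityIdentifier classes, and the function name Get-CurrentTokenGroups is my own.

```powershell
# Added example (not from the original post): list every group in the current
# logon token with its full, untruncated name, which "net user" cannot show.
function Get-CurrentTokenGroups {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # SID of the domain (or machine) that issued the user's own account SID
    $ownDomain = $identity.User.AccountDomainSid

    foreach ($sid in $identity.Groups) {
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # A SID that no longer resolves: deleted group, or trust not reachable
            $name = '<unresolved>'
        }

        # IsAccountSid() is true for S-1-5-21-... SIDs (domain or local machine);
        # everything else is a builtin or well-known identity such as Everyone
        if (-not $sid.IsAccountSid()) {
            $scope = 'Builtin/WellKnown'
        } elseif ($sid.AccountDomainSid -eq $ownDomain) {
            $scope = 'Own domain'
        } else {
            $scope = 'Other domain or local machine'
        }

        [pscustomobject]@{
            Scope = $scope
            Name  = $name
            Sid   = $sid.Value
        }
    }
}

# Usage: the "Own domain" rows are the Active Directory groups net user tries to list
Get-CurrentTokenGroups | Sort-Object Scope, Name | Format-Table -AutoSize
```

Because this reads the token that was built at logon, it shows nested group membership resolved by the domain controller, but it will not reflect a group you were added to after you logged on until you log off and on again.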
PS C:\Users\MY_USERNAME> net user MY_USERNAME /domain
The request will be processed at a domain controller for domain work.example.com.
User name MY_USERNAME
Full Name Anders Marzi Tornblad
Comment Software Architect
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2021-05-13 15:59:30
Password expires 2021-08-13 15:59:30
Password changeable 2021-05-13 16:59:30
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 2021-07-02 09:18:48
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users *PROJECT1-DB
*PROJECT2-Admin *PROJECT1-RDP
*PROJECT2-Remote-Deskt*DB-DEV
*AppDB *DB-PROD
*PROJECT1-Admin *PROJECT2-DB
*Remote Users *FTPGroup
*PROJECT1-FtpUser *DBA
*Deployment-Admin
The command completed successfully.
gpresult
gpresult is a tool for showing the total applied Group Policies for an Active Directory user. If you run it with only the /r switch, it will show you what Group Policy Objects are applied to your user account, and all security groups that you are a member of.
PS C:\Users\MY_USERNAME> gpresult.exe /r
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2018 Microsoft Corporation. All rights reserved.
Created on 2021-07-02 at 16:22:13
RSOP data for WE\MY_USERNAME on SERVER01 : Logging Mode
------------------------------------------------
OS Configuration: Member Server
OS Version: 10.0.17763
Site Name: N/A
Roaming Profile: N/A
Local Profile: C:\Users\MY_USERNAME
Connected over a slow link?: No
USER SETTINGS
--------------
CN=Anders Marzi Tornblad,OU=WE,OU=Users,OU=Access,DC=work,DC=example,DC=com
Last time Group Policy was applied: 2021-07-01 at 14:37:25
Group Policy was applied from: DC01.work.example.com
Group Policy slow link threshold: 500 kbps
Domain Name: WE
Domain Type: Windows 2008 or later
Applied Group Policy Objects
-----------------------------
SetTimeFormatISO8601
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
Remote Desktop Users
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
sec-server01-FTP-w
PROJECT2-Remote-Desktop-Users
Deployment-Admin
PROJECT1-DB
PROJECT2-Admin
PROJECT3-RemoteDesktopUsers
FTPGroup
PROJECT2-DB
PROJECT1-RDP
DB-DEV
AppDB
DB-PROD
PROJECT1-Admin
PROJECT1-FtpUser
Remote Users
role-DAH-Administrators
DBDB
MSSQL07-SQL-Administrators
SQL-Administrators
DBA
Drop-FTPUsers
Authentication authority asserted identity
Medium Mandatory Level
whoami
Finally, the whoami tool has been available since Windows Vista, and is useful for getting detailed information about your user account. The other two approaches can also be used for other user accounts, but whoami /groups is faster, because it does not need to contact the domain server.
PS C:\Users\MY_USERNAME> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
WE\sec-server01-FTP-w Group S-1-5-21-2306250448-3709213382-1498447966-1591 Mandatory group, Enabled by default, Enabled group
WE\PROJECT2-Remote-Desktop-Users Group S-1-5-21-2306250448-3709213382-1498447966-1493 Mandatory group, Enabled by default, Enabled group
WE\Deployment-Admin Group S-1-5-21-2306250448-3709213382-1498447966-1238 Mandatory group, Enabled by default, Enabled group
WE\PROJECT1-DB Group S-1-5-21-2306250448-3709213382-1498447966-1240 Mandatory group, Enabled by default, Enabled group
WE\PROJECT2-Admin Group S-1-5-21-2306250448-3709213382-1498447966-1259 Mandatory group, Enabled by default, Enabled group
WE\PROJECT3-RemoteDesktopUsers Group S-1-5-21-2306250448-3709213382-1498447966-1249 Mandatory group, Enabled by default, Enabled group
WE\FTPGroup Group S-1-5-21-2306250448-3709213382-1498447966-1491 Mandatory group, Enabled by default, Enabled group
WE\PROJECT2-DB Group S-1-5-21-2306250448-3709213382-1498447966-1210 Mandatory group, Enabled by default, Enabled group
WE\PROJECT1-RDP Group S-1-5-21-2306250448-3709213382-1498447966-1239 Mandatory group, Enabled by default, Enabled group
WE\DB-DEV Group S-1-5-21-2306250448-3709213382-1498447966-1532 Mandatory group, Enabled by default, Enabled group
WE\AppDB Group S-1-5-21-2306250448-3709213382-1498447966-1278 Mandatory group, Enabled by default, Enabled group
WE\DB-PROD Group S-1-5-21-2306250448-3709213382-1498447966-1587 Mandatory group, Enabled by default, Enabled group
WE\PROJECT1-Admin Group S-1-5-21-2306250448-3709213382-1498447966-1235 Mandatory group, Enabled by default, Enabled group
WE\PROJECT1-FtpUser Group S-1-5-21-2306250448-3709213382-1498447966-1230 Mandatory group, Enabled by default, Enabled group
WE\Remote Users Group S-1-5-21-2306250448-3709213382-1498447966-1214 Mandatory group, Enabled by default, Enabled group
WE\role-DAH-Administrators Group S-1-5-21-2306250448-3709213382-1498447966-1588 Mandatory group, Enabled by default, Enabled group
WE\DBDB Group S-1-5-21-2306250448-3709213382-1498447966-1236 Mandatory group, Enabled by default, Enabled group
WE\MSSQL07-SQL-Administrators Group S-1-5-21-2306250448-3709213382-1498447966-1520 Mandatory group, Enabled by default, Enabled group
WE\SQL-Administrators Group S-1-5-21-2306250448-3709213382-1498447966-1517 Mandatory group, Enabled by default, Enabled group
WE\DBA Group S-1-5-21-2306250448-3709213382-1498447966-1492 Mandatory group, Enabled by default, Enabled group
WE\Drop-FTPUsers Group S-1-5-21-2306250448-3709213382-1498447966-1593 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
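The table above is easier to work with as objects than as text, and whoami can emit it as CSV with its /fo switch. The following is an added example, not code from the original post; the function name Get-WhoamiGroups is mine, and it assumes an English-language Windows, since whoami localizes its column headers and attribute strings.

```powershell
# Added example (not from the original post): turn "whoami /groups" into objects
# so the membership list can be filtered and checked rather than read by eye.
function Get-WhoamiGroups {
    # /fo csv is a documented whoami output format; ConvertFrom-Csv uses the
    # header row as property names: "Group Name", "Type", "SID", "Attributes"
    whoami /groups /fo csv | ConvertFrom-Csv
}

$groups = Get-WhoamiGroups

# Domain groups only (Type "Group"), i.e. the Active Directory memberships,
# without the builtin aliases and well-known identities
$groups | Where-Object Type -eq 'Group' | Select-Object 'Group Name', SID

# A group can be present in the token but flagged "Group used for deny only":
# such a membership never grants access (Windows sets it in a filtered token),
# which explains an "access denied" for a user who is, on paper, a member.
$denyOnly = $groups | Where-Object { $_.Attributes -match 'deny only' }
if ($denyOnly) {
    Write-Warning 'Groups in the token that do not grant access:'
    $denyOnly | Select-Object 'Group Name', Attributes
}
```

When debugging an access rights issue, the deny-only check is the part worth keeping: the plain table lists those groups with all the others, and it is easy to overlook the attribute column.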
In conclusion, I think whoami /groups is the simplest and most suitable tool if you want information about your own user account, but either of the other two works well for requesting information about other user accounts, if you are logged in as an administrator.
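For another user's account, the directory can also be asked directly for the effective membership: the constructed tokenGroups attribute on a user object is the list of SIDs the domain controller would put into that user's token, nested groups included. This is an added example and not part of the original post; the function name Get-ADTokenGroups is mine, it needs a reachable domain controller for the current domain, and the account name MY_USERNAME is the post's placeholder.

```powershell
# Added example (not from the original post): effective (nested) domain group
# membership of any account, read from the "tokenGroups" attribute over LDAP.
function Get-ADTokenGroups {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Escape the LDAP filter metacharacters (RFC 4515) so a caller-supplied
    # name cannot change the shape of the filter
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                               -replace '\(', '\28' -replace '\)', '\29'

    $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    $result   = $searcher.FindOne()
    if (-not $result) {
        throw "Account '$SamAccountName' not found in the current domain"
    }

    $entry = $result.GetDirectoryEntry()
    # tokenGroups is computed by the DC on request, so it has to be loaded explicitly
    $entry.RefreshCache(@('tokenGroups'))

    foreach ($bytes in $entry.Properties['tokenGroups']) {
        # Each value is a binary SID; offset 0 because the byte array is the SID itself
        $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved>'
        }
        [pscustomobject]@{ Name = $name; Sid = $sid.Value }
    }
}

# Usage: placeholder account name from the post
Get-ADTokenGroups -SamAccountName 'MY_USERNAME' | Sort-Object Name | Format-Table -AutoSize
```

Unlike net user, this does not truncate names, and unlike gpresult it does not need the user to have logged on to the machine you are running it on. It lists domain security groups only; the builtin aliases and well-known identities that whoami shows are added by the machine at logon, not stored on the user object.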