What Active Directory groups am I in?

#windows #active-directory #tools

Written by Anders Marzi Tornblad

Today, while debugging an access rights issue, I needed to find out exactly which Active Directory groups one of my Windows user accounts belonged to. If the account and groups I was interested in had been local on the machine, I could have started Administrative Tools, Computer Management and opened the Local Users and Groups folder to get all the information I needed. However, both the user account and the groups I was interested in were in Active Directory, so that tool was not helpful.

Three ways of checking using the command line

Instead, I started PowerShell and tried these three commands:

net user

net user is a Windows command-line tool, available in all versions from Windows Vista. It can be used to view, change, and create user accounts on Windows computers. By typing net user MY_USERNAME /domain you are presented with some details about your user account, including a list of all groups you are a member of. Keep in mind that long group names are truncated in this list. Another thing to be aware of is that the groups listed by the net user command may not include all the groups that you are a member of. For a full list of Active Directory groups, you need to use the gpresult or the whoami approach.

PS C:\Users\MY_USERNAME> net user MY_USERNAME /domain
The request will be processed at a domain controller for domain work.example.com.

User name                    MY_USERNAME
Full Name                    Anders Marzi Tornblad
Comment                      Software Architect
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2021-05-13 15:59:30
Password expires             2021-08-13 15:59:30
Password changeable          2021-05-13 16:59:30
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2021-07-02 09:18:48

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *PROJECT1-DB
                             *PROJECT2-Admin       *PROJECT1-RDP
                             *PROJECT2-Remote-Deskt*DB-DEV
                             *AppDB                *DB-PROD
                             *PROJECT1-Admin       *PROJECT2-DB
                             *Remote Users         *FTPGroup
                             *PROJECT1-FtpUser     *DBA
                             *Deployment-Admin
The command completed successfully.

gpresult

gpresult is a tool for showing the total applied Group Policies for an Active Directory user. If you run it with only the /r switch, it will show you what Group Policy Objects are applied to your user account, and all security groups that you are a member of.

PS C:\Users\MY_USERNAME> gpresult.exe /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2018 Microsoft Corporation. All rights reserved.

Created on ‎2021-‎07-‎02 at 16:22:13


RSOP data for WE\MY_USERNAME on SERVER01 : Logging Mode
------------------------------------------------

OS Configuration:            Member Server
OS Version:                  10.0.17763
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\MY_USERNAME
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=Anders Marzi Tornblad,OU=WE,OU=Users,OU=Access,DC=work,DC=example,DC=com
    Last time Group Policy was applied: 2021-07-01 at 14:37:25
    Group Policy was applied from:      DC01.work.example.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        WE
    Domain Type:                        Windows 2008 or later
    
    Applied Group Policy Objects
    -----------------------------
        SetTimeFormatISO8601
        
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)
            
    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        Remote Desktop Users
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        sec-server01-FTP-w
        PROJECT2-Remote-Desktop-Users
        Deployment-Admin
        PROJECT1-DB
        PROJECT2-Admin
        PROJECT3-RemoteDesktopUsers
        FTPGroup
        PROJECT2-DB
        PROJECT1-RDP
        DB-DEV
        AppDB
        DB-PROD
        PROJECT1-Admin
        PROJECT1-FtpUser
        Remote Users
        role-DAH-Administrators
        DBDB
        MSSQL07-SQL-Administrators
        SQL-Administrators
        DBA
        Drop-FTPUsers
        Authentication authority asserted identity
        Medium Mandatory Level

whoami

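Finally, the whoami tool has been available since Windows Vista, and is useful for getting detailed information about your user account. The other two approaches can also be used for other user accounts, but whoami /groups is faster, because it does not need to contact the domain server. It reads the groups from the access token of your current logon session, so a membership change made after you logged on does not show up until you log on again.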

PS C:\Users\MY_USERNAME> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                            Attributes
=========================================== ================ ============================================== ==================================================
Everyone                                    Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users                Alias            S-1-5-32-555                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON       Well-known group S-1-5-14                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                    Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
LOCAL                                       Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
WE\sec-server01-FTP-w                       Group            S-1-5-21-2306250448-3709213382-1498447966-1591 Mandatory group, Enabled by default, Enabled group
WE\PROJECT2-Remote-Desktop-Users            Group            S-1-5-21-2306250448-3709213382-1498447966-1493 Mandatory group, Enabled by default, Enabled group
WE\Deployment-Admin                         Group            S-1-5-21-2306250448-3709213382-1498447966-1238 Mandatory group, Enabled by default, Enabled group
WE\PROJECT1-DB                              Group            S-1-5-21-2306250448-3709213382-1498447966-1240 Mandatory group, Enabled by default, Enabled group
WE\PROJECT2-Admin                           Group            S-1-5-21-2306250448-3709213382-1498447966-1259 Mandatory group, Enabled by default, Enabled group
WE\PROJECT3-RemoteDesktopUsers              Group            S-1-5-21-2306250448-3709213382-1498447966-1249 Mandatory group, Enabled by default, Enabled group
WE\FTPGroup                                 Group            S-1-5-21-2306250448-3709213382-1498447966-1491 Mandatory group, Enabled by default, Enabled group
WE\PROJECT2-DB                              Group            S-1-5-21-2306250448-3709213382-1498447966-1210 Mandatory group, Enabled by default, Enabled group
WE\PROJECT1-RDP                             Group            S-1-5-21-2306250448-3709213382-1498447966-1239 Mandatory group, Enabled by default, Enabled group
WE\DB-DEV                                   Group            S-1-5-21-2306250448-3709213382-1498447966-1532 Mandatory group, Enabled by default, Enabled group
WE\AppDB                                    Group            S-1-5-21-2306250448-3709213382-1498447966-1278 Mandatory group, Enabled by default, Enabled group
WE\DB-PROD                                  Group            S-1-5-21-2306250448-3709213382-1498447966-1587 Mandatory group, Enabled by default, Enabled group
WE\PROJECT1-Admin                           Group            S-1-5-21-2306250448-3709213382-1498447966-1235 Mandatory group, Enabled by default, Enabled group
WE\PROJECT1-FtpUser                         Group            S-1-5-21-2306250448-3709213382-1498447966-1230 Mandatory group, Enabled by default, Enabled group
WE\Remote Users                             Group            S-1-5-21-2306250448-3709213382-1498447966-1214 Mandatory group, Enabled by default, Enabled group
WE\role-DAH-Administrators                  Group            S-1-5-21-2306250448-3709213382-1498447966-1588 Mandatory group, Enabled by default, Enabled group
WE\DBDB                                     Group            S-1-5-21-2306250448-3709213382-1498447966-1236 Mandatory group, Enabled by default, Enabled group
WE\MSSQL07-SQL-Administrators               Group            S-1-5-21-2306250448-3709213382-1498447966-1520 Mandatory group, Enabled by default, Enabled group
WE\SQL-Administrators                       Group            S-1-5-21-2306250448-3709213382-1498447966-1517 Mandatory group, Enabled by default, Enabled group
WE\DBA                                      Group            S-1-5-21-2306250448-3709213382-1498447966-1492 Mandatory group, Enabled by default, Enabled group
WE\Drop-FTPUsers                            Group            S-1-5-21-2306250448-3709213382-1498447966-1593 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity  Well-known group S-1-18-1                                       Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level      Label            S-1-16-8192
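
To see which groups net user truncates or leaves out, the two outputs can be compared mechanically. The script below is an added example, not part of the original post; the function names Get-NetUserGlobalGroup and Compare-GroupView are hypothetical, and the sample input is a shortened copy of the outputs shown on this page.

```powershell
# Added example. Sample input below is a shortened, constructed copy of the outputs on this page.
$netUserOutput = @'
Local Group Memberships
Global Group memberships     *Domain Users         *PROJECT1-DB
                             *PROJECT2-Remote-Deskt*DB-DEV
                             *Deployment-Admin
The command completed successfully.
'@ -split "`r?`n"

# Same rows as the whoami table, in the shape produced by: whoami /groups /fo csv
$whoamiCsv = @'
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"WE\sec-server01-FTP-w","Group","S-1-5-21-2306250448-3709213382-1498447966-1591","Mandatory group, Enabled by default, Enabled group"
"WE\PROJECT2-Remote-Desktop-Users","Group","S-1-5-21-2306250448-3709213382-1498447966-1493","Mandatory group, Enabled by default, Enabled group"
"WE\PROJECT1-DB","Group","S-1-5-21-2306250448-3709213382-1498447966-1240","Mandatory group, Enabled by default, Enabled group"
'@

function Get-NetUserGlobalGroup {
    param([string[]]$Lines)
    $collect = $false
    foreach ($line in $Lines) {
        # The list starts at its label and continues on indented lines only.
        if ($line -match '^Global Group memberships') { $collect = $true }
        elseif ($line -notmatch '^\s') { $collect = $false }
        if ($collect) {
            # Every name is prefixed with '*'; the text before the first '*' is label or padding.
            $line -split '\*' | Select-Object -Skip 1 | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        }
    }
}

function Compare-GroupView {
    param([string[]]$NetUserNames, [object[]]$TokenGroups)
    # S-1-5-21-... SIDs are domain (or machine) issued; well-known groups and labels are skipped.
    foreach ($g in $TokenGroups | Where-Object { $_.SID -like 'S-1-5-21-*' }) {
        $name = ($g.'Group Name' -split '\\', 2)[-1]    # drop the "WE\" prefix
        # In the net user output above names are cut at 21 characters, so such an entry may be a prefix.
        $hit = $NetUserNames | Where-Object {
            $_ -eq $name -or ($_.Length -eq 21 -and $name.StartsWith($_, [StringComparison]::OrdinalIgnoreCase))
        } | Select-Object -First 1
        $state = if (-not $hit) { 'missing' } elseif ($hit -eq $name) { 'listed' } else { "truncated to '$hit'" }
        [pscustomobject]@{ Group = $name; SID = $g.SID; NetUser = $state }
    }
}

# Live use: replace the samples with (net user $env:USERNAME /domain) and (whoami /groups /fo csv).
$names = Get-NetUserGlobalGroup -Lines $netUserOutput
Compare-GroupView -NetUserNames $names -TokenGroups ($whoamiCsv | ConvertFrom-Csv) | Format-Table -AutoSize
```

With the sample rows, PROJECT1-DB is reported as listed, PROJECT2-Remote-Desktop-Users as truncated, and sec-server01-FTP-w as missing from the net user view.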

In conclusion, I think whoami /groups is the simplest and most suitable tool if you want information about your own user account, but either of the other two works well for requesting information about other user accounts, if you are logged in as an administrator.