1

I am trying to use the following code in Powershell to get the Active Directory groups for the current user so I can perform specific actions based on what groups the user belongs to. Here is the code:

$id = [Security.Principal.WindowsIdentity]::GetCurrent() $groups = $id.Groups | foreach-object { $_.Translate([Security.Principal.NTAccount]) } $groups

However, this code does not display all the Active Directory groups that a user belongs to. I am aware that WindowsIdentity.Groups does not return all groups, excluding groups that were on the token for deny-only or a group which is the SE_GROUP_LOGON_ID as documented here: https://blogs.msdn.microsoft.com/shawnfa/2008/02/07/which-groups-does-windowsidentity-groups-return/

I am looking to get all the groups that are returned in the command prompt by using net user \domain to get a list of groups that member belongs to from the domain controller. I don't mind if more groups are included, but at a minimum all of the domain controller's groups that are displayed with the net user command need to be there. I have also tried another way of retrieving the group names in Powershell (below). It returns another set of groups that is still different from what is returned by the domain controller using net user and also different from the first method above:

$strName = $env:username $strFilter = "(&(objectCategory=User)(samAccountName=$strName))" $objSearcher = New-Object System.DirectoryServices.DirectorySearcher $objSearcher.Filter = $strFilter $objPath = $objSearcher.FindOne() $objUser = $objPath.GetDirectoryEntry() $objUser.memberOf

Any help that can get me a list that contains all the groups returned using the net user command in the command prompt would be appreciated. Ideally, I am looking for an elegant solution like my first snippet of code above which returns the groups as objects. I am considering parsing out the names of the groups from the net user command's output directly in Powershell, but before I do that I wanted to make sure I am not missing more elegant solutions.

Improve this question
1
  • You can just run net user /domain in powershell Commented Feb 23, 2018 at 3:36

2 Answers 2

Reset to default
2

You can use the System.DirectoryServices.AccountManagement namespace like this:

[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.AccountManagement") [System.DirectoryServices.AccountManagement.UserPrincipal]::get_Current().GetAuthorizationGroups()
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

This works, and I'm eternally greatful. It's extremely slow tho, you don't happen to know a way around the speed issue?
0

Here are few ways to attack this effort.

Using DOS commands, but then you have to turn them into object and extract what you are after.

gpresult /V /user $env:USERNAME whoami /GROUPS net user $env:USERNAME /Domain

PoSh, just doing something like the following... This gets all users, but you can of course filter on whatever username you wish.

### Show User and AD group membership # Get users with all their properties and their group membership, display user and group name ForEach ($TargetUser in (Get-ADUser -Filter * -Properties *)) { "`n" + "-"*12 + " Showing group membership for " + $TargetUser.SamAccountName Get-ADPrincipalGroupMembership -Identity $TargetUser.SamAccountName ` | Select Name } # Get users with base properties and their group membership, display user and group name ForEach ($TargetUser in (Get-ADUser -Filter *)) { "`n" + "-"*12 + " Showing group membership for " + $TargetUser.SamAccountName Get-ADPrincipalGroupMembership -Identity $TargetUser.SamAccountName ` | Select Name } # Get user and AD group info, display user and group name Get-ADUser -Filter "*" -SearchBase "CN=Users,DC=contoso,DC=com" ` -SearchScope OneLevel -Properties Name, MemberOf ` | Select-Object Name, @{Label="Memberof"; expression={($_.memberof ` | Get-ADGroup ` | Select-Object -ExpandProperty Name) -Join ","}} Get-ADUser -Filter "*" -SearchBase "CN=users,DC=contoso,DC=com" ` -SearchScope OneLevel -Properties Name, MemberOf | Select-Object Name, @{Label="Memberof"; expression={($_.memberof | Get-ADGroup ` | Select-Object -ExpandProperty Name) -Join ","}} ` | Format-List

Of course format as needed.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.