More than six years ago, I wrote a post detailing how I could identify users’ Active Directory group memberships. While the method I detailed certainly works, it isn’t as simple as it might have been. Having recently found myself needing to perform that very same task again, I decided to revisit this topic, to show how I did it this time around.
The task was to identify the group memberships of all members of a given Active Directory group. The first change I made was that I based my search around SamAccountName, rather than DistinguishedName. SamAccountNames are shorter, easier to read, and (within a domain) just as canonical. I used the Get-ADGroupMember command, and piped it to Select SamAccountName – the complete command looked like this:
Get-ADGroupMember <Active Directory Group Name> | Select SamAccountName
The next change I made was to use the command Get-ADPrincipalGroupMembership to identify the group memberships. This time I piped it to Select Name – the complete command looked like this:
Get-ADPrincipalGroupMembership <SamAccountName> | select name
I repeated this for each of the members of the original group, and was able to quickly identify the group memberships for each user.
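The two commands above combined into a single loop, as an added example that is not part of the original post. The function name Get-GroupMemberMemberships and the group name 'Example-Admins' are hypothetical, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example: list the group memberships of every member of one group.
# 'Example-Admins' below is a placeholder group name.
Import-Module ActiveDirectory

function Get-GroupMemberMemberships {
    param(
        [Parameter(Mandatory)]
        [string]$GroupName
    )

    # Step 1: enumerate the direct members of the starting group.
    foreach ($member in Get-ADGroupMember -Identity $GroupName) {
        try {
            # Step 2: look up the groups this member belongs to,
            # keyed on SamAccountName as in the post.
            $groups = Get-ADPrincipalGroupMembership -Identity $member.SamAccountName -ErrorAction Stop
        }
        catch {
            # A member that cannot be resolved should not abort the
            # whole review; report it and continue with the next one.
            Write-Warning "Could not read memberships for $($member.SamAccountName): $_"
            continue
        }

        # Emit one row per (member, group) pair so the result can be
        # sorted, filtered or exported like any other object stream.
        foreach ($g in $groups) {
            [pscustomobject]@{
                Member      = $member.SamAccountName
                ObjectClass = $member.objectClass   # user, group or computer
                Group       = $g.Name
            }
        }
    }
}

$rows = Get-GroupMemberMemberships -GroupName 'Example-Admins'

# Per-member view: the same information as running the second command by hand.
$rows | Sort-Object Member, Group | Format-Table -AutoSize

# Per-group view: how many of the members hold each group, which makes
# one-off memberships stand out during an access review.
$rows | Group-Object Group | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```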