How to find all groups a user is a member of using Get-ADPrincipalGroupMembership

The Get-ADPrincipalGroupMembership PowerShell cmdlet helps retrieve all AD groups a specified user, computer, or service account is a member of, both directly and indirectly (nested groups). This is essential for compliance, troubleshooting, and security audits as you can quickly identify misconfigurations and ensure least privilege. This article shows three ways to perform this task:

  • ADManager Plus
  • PowerShell
  • Active Directory Users and Computers (ADUC)

Get AD user group membership using ADManager Plus

ADManager Plus offers a GUI-based method to get an AD user group membership list.

  1. Log in to ADManager Plus and navigate to the Reports tab > User Reports.
  2. Under Nested Reports, select Groups for Users.
  3. Select your domain and click + to select your preferred user. Enter the user's name, select, and click OK. To add multiple users in bulk, click the CSV tab and import a CSV file containing the user list.
  4. Click Generate.

Figure: A report on all the groups a user is part of in Active Directory, generated with ADManager Plus

Figure: Choose whether to include nested groups

Figure: Export the report to formats such as CSV, PDF, XLS, HTML, XLSX, and CSVDE

Get a list of AD groups a user is a member of using PowerShell

Step 1: Open PowerShell ISE as an administrator.

Step 2: If the Active Directory module is not installed, install the RSAT package that matches your OS, then run the command below to load the module.

Import-Module ActiveDirectory

Step 3: Run the command below to get AD group membership for a user. This returns all group objects that the user is a member of, including properties like DistinguishedName, GroupCategory, GroupScope, Name, ObjectClass, and SID. Replace "username" with the user's login name.

Get-ADPrincipalGroupMembership -Identity "username"

Get AD user group membership using ADUC

Active Directory Users and Computers (ADUC) is a common way to look up group memberships. Note that it only lists the groups the user is directly a member of.

  1. Open ADUC.
  2. Right-click on your preferred user account and select Properties.
  3. Select the Member Of tab to view all the groups the user is directly a member of.

Example use cases using Get-ADPrincipalGroupMembership

Example 1: Show group names for the user "james"

This pipes the output and displays only the group names (instead of full group details).

Get-ADPrincipalGroupMembership -Identity "james" | Select-Object Name

Example 2: Export group names to CSV

Saves the list of group names to a CSV file for reporting or documentation.

Get-ADPrincipalGroupMembership -Identity "james" | Select-Object Name | Export-Csv -Path "C:\James_Groups.csv" -NoTypeInformation

Example 3: List groups with descriptions

Retrieves a list of all groups that the user is a member of and displays their name and description for better context.

Get-ADPrincipalGroupMembership -Identity "james" | Get-ADGroup -Properties Description | Select-Object Name, Description

Example 4: Get group memberships for a user in an AD LDS instance

Queries an AD Lightweight Directory Services (AD LDS) instance to list a user's group memberships.

Get-ADPrincipalGroupMembership -Server localhost:60000 -Identity "CN=David,DC=AppNC" -Partition "DC=AppNC"

Example 5: Get group memberships for the Administrator

Retrieves all groups that the built-in Administrator account belongs to.

Get-ADPrincipalGroupMembership -Identity Administrator

Example 6: Get group memberships for an account in a resource domain

Displays group memberships for a user across a specified resource domain and partition.

Get-ADPrincipalGroupMembership -Identity Administrator -ResourceContextServer Child.company.com -ResourceContextPartition "DC=company,DC=com"

Example 7: View group membership information in tabular form

Outputs the user's group memberships in a tabular format with names and descriptions.

Get-ADPrincipalGroupMembership -Identity administrator | Get-ADGroup -Properties Description | Select-Object Name, Description
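The examples above each cover one user. As an added example that is not part of the original article, the script below runs the same cmdlet over a list of accounts, marks membership in high-privilege groups for least-privilege review, records lookup failures instead of skipping them, and exports the result. The user list and the output path are constructed for the example; the privileged-group list uses the built-in AD group names and is an assumption to adjust for your environment.

```powershell
# Added example (not from the original article): bulk least-privilege audit
# built on Get-ADPrincipalGroupMembership.
Import-Module ActiveDirectory

# Constructed sample input; in practice read it with Import-Csv from a file
# that has a SamAccountName column, e.g. (Import-Csv .\users.csv).SamAccountName
$users = @('james', 'david', 'svc-backup')

# Groups whose membership should be justified and reviewed (assumption:
# built-in names; add your own tier-0 groups here)
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators'
)

$report = foreach ($user in $users) {
    try {
        $groups = Get-ADPrincipalGroupMembership -Identity $user -ErrorAction Stop
    } catch {
        # Missing or inaccessible accounts are reported, not silently dropped
        [PSCustomObject]@{
            User = $user; Group = $null; GroupScope = $null
            Privileged = $null; Error = $_.Exception.Message
        }
        continue
    }
    foreach ($g in $groups) {
        [PSCustomObject]@{
            User       = $user
            Group      = $g.Name
            GroupScope = $g.GroupScope
            Privileged = ($privilegedGroups -contains $g.Name)
            Error      = $null
        }
    }
}

# Console summary of the rows that need attention
$report | Where-Object { $_.Privileged -or $_.Error } | Format-Table -AutoSize

# Full report for the audit record (constructed path)
$report | Export-Csv -Path "C:\GroupMembershipAudit.csv" -NoTypeInformation
```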

Supported parameters

The following are a few of the parameters that can be used with the Get-ADPrincipalGroupMembership cmdlet:

Parameter                  Description
-------------------------  ------------------------------------------------------------------------------
-Identity                  Specifies the user, group, computer, or service account whose membership to check.
-AuthType                  Specifies the authentication method (Negotiate or Basic).
-Credential                Uses alternate credentials for the operation.
-Partition                 Searches the specified AD partition for group membership.
-Server                    Specifies the domain controller or AD DS/AD LDS instance to connect to.
-ResourceContextPartition  Specifies the partition of the resource domain to search for cross-domain group memberships.
-ResourceContextServer     Specifies the server in the remote (resource) domain to search for group memberships.

Limitations of using native tools to get group memberships

While powerful, relying solely on PowerShell and ADUC for extensive user reporting can present challenges:

  • PowerShell commands can get complex with different use cases and scenarios.
  • IT admins can spend a lot of time troubleshooting errors, which negatively impacts productivity.
  • Delegation can get tricky since technicians require elevated permissions.
  • ADUC provides results for a single user at a time with no options to run bulk checks.
  • ADUC only shows direct group memberships and does not display nested groups.

Highlights of using ADManager Plus to get group memberships

ADManager Plus bridges the gap between powerful AD reporting and ease of use. Here's why it's a better choice for many IT teams:

  • Generate detailed AD group membership reports with just a few clicks.
  • View nested group memberships and filter by group type, scope, or OU without scripting.
  • Customize and schedule reports for automatic delivery to stakeholders or auditors.
  • Perform AD user management actions—like removing or transferring members—directly from reports.
  • Export AD reports in multiple formats such as CSV, PDF, XLS, or HTML for easy sharing and compliance.
  • Avoid complex PowerShell scripts with intuitive, GUI-based bulk user and group management tools.

FAQ

1. How do I get a list of AD groups a user is a member of using PowerShell?

The Get-ADPrincipalGroupMembership PowerShell cmdlet can be used to list all AD groups a user is a member of. Run the command below by replacing "username" with the user's login name:

Get-ADPrincipalGroupMembership -Identity "username"

Alternatively, script-free tools like ManageEngine ADManager Plus can produce the same list, with added benefits such as multiple export formats, scheduling, and management operations run directly from the report.

2. How do I check if a user is a member of a group in AD?

You can check whether a user is a member of a particular group by testing whether the group's distinguished name appears in the user's MemberOf attribute, retrieved with Get-ADUser:

$user = "username"
(Get-ADUser -Identity $user -Properties MemberOf).MemberOf -contains "CN=GroupName,OU=Groups,DC=domain,DC=com"

This can also be done using the Get-ADPrincipalGroupMembership cmdlet, which offers a more comprehensive approach:

$user = "username"
$groupName = "GroupName"
$groups = Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name
$groups -contains $groupName
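As an added example that is not part of the original article, the function below wraps the check above into a reusable form and adds two things an audit usually needs: it compares on distinguished name rather than display name, so two groups with the same name in different OUs cannot be confused, and it reports alongside the cmdlet's result a server-side recursive query (the LDAP_MATCHING_RULE_IN_CHAIN operator, OID 1.2.840.113556.1.4.1941) that follows nested group chains. The account and group names in the usage line are assumptions.

```powershell
# Added example (not from the original article): direct and transitive
# membership check for one user and one group.
Import-Module ActiveDirectory

function Test-ADGroupMembership {
    param(
        [Parameter(Mandatory)][string]$Identity,   # sAMAccountName, DN, SID or GUID
        [Parameter(Mandatory)][string]$GroupName   # group Name, sAMAccountName or DN
    )
    $user  = Get-ADUser  -Identity $Identity
    $group = Get-ADGroup -Identity $GroupName

    # View returned by Get-ADPrincipalGroupMembership (memberOf plus the
    # primary group), matched on DistinguishedName
    $direct = Get-ADPrincipalGroupMembership -Identity $user |
        Where-Object { $_.DistinguishedName -eq $group.DistinguishedName }

    # Escape characters that are special in LDAP filter values (RFC 4515);
    # backslash first, because DNs may already contain escaped commas
    $escapedDn = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' `
        -replace '\)', '\29' -replace '\*', '\2a'

    # Recursive matching rule: the domain controller walks member -> group ->
    # group chains itself, so nested membership is resolved without client loops.
    # The primary group (usually Domain Users) is not linked through the member
    # attribute and therefore never appears in this view.
    $filter = "(member:1.2.840.113556.1.4.1941:=$escapedDn)"
    $transitive = Get-ADGroup -LDAPFilter $filter |
        Where-Object { $_.DistinguishedName -eq $group.DistinguishedName }

    [PSCustomObject]@{
        User            = $user.SamAccountName
        Group           = $group.Name
        DirectMember    = [bool]$direct
        EffectiveMember = [bool]$transitive
    }
}

# Usage (assumed names; replace with accounts and groups from your domain)
Test-ADGroupMembership -Identity 'james' -GroupName 'Domain Admins'
```

A row where EffectiveMember is true but DirectMember is false points to membership inherited through a nested group, which is the case an ADUC Member Of tab will not show.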

If you prefer script-free methods, see how ADManager Plus compares to PowerShell in checking group memberships.
