Listing an AD User’s Group Membership

A question I encountered recently was how to tell which groups an Active Directory user is a member of. This matters because the user account may need to be removed from groups it should no longer have access to, which can happen when the individual changes their affiliation with the enterprise.

The way I found to do this was with a utility, dsget.exe, provided by Microsoft in their Remote Server Admin Tools ( http://www.microsoft.com/en-us/download/details.aspx?id=28972 ). This utility is meant to display various properties of an object in the directory; group membership is just one of them. The user who runs this command needs the necessary privileges to view the properties of the object being queried.

To list all of the groups a user object is a member of, the command line might look like this:

C:\> dsget user "cn=<username>,ou=orgunit,dc=domain,dc=orgname" -memberof -expand

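This command returns the list of groups that the user specified in <username> is a member of. The -expand switch makes the list recursive, so groups reached through nested membership are included as well.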
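
For an access review it helps to know which memberships are direct (removable on the user object) and which come through group nesting. The following is an added example, not part of the original post: it runs the dsget command above with and without -expand and labels each group accordingly. The function name Get-DsgetGroupDn, the placeholder DN and the output file name are assumptions.

```powershell
# Added example: classify a user's groups as Direct or Nested using dsget.exe.
# The DN is the placeholder from the command above; substitute a real user DN.
$userDn = 'cn=<username>,ou=orgunit,dc=domain,dc=orgname'

function Get-DsgetGroupDn {
    # Hypothetical helper: runs "dsget user <DN> -memberof [-expand]"
    # and returns the group DNs as plain strings.
    param(
        [Parameter(Mandatory)] [string] $UserDn,
        [switch] $Expand
    )
    $dsArgs = @('user', $UserDn, '-memberof')
    if ($Expand) { $dsArgs += '-expand' }

    $lines = & dsget.exe @dsArgs
    if ($LASTEXITCODE -ne 0) {
        throw "dsget exited with code $LASTEXITCODE for $UserDn"
    }
    # dsget prints one quoted DN per line; strip the quotes and skip blanks.
    $lines |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -match '^CN=' }
}

# Without -expand: only groups the user is directly a member of.
$direct = @(Get-DsgetGroupDn -UserDn $userDn)
# With -expand: direct groups plus everything reached through nesting.
$all    = @(Get-DsgetGroupDn -UserDn $userDn -Expand)

$report = foreach ($group in $all | Sort-Object -Unique) {
    [pscustomobject]@{
        Group      = $group
        # -contains compares strings case-insensitively, which suits DNs.
        Membership = if ($direct -contains $group) { 'Direct' } else { 'Nested' }
    }
}

$report | Format-Table -AutoSize
# Keep a record of what the account had before any removals are made.
$report | Export-Csv -Path '.\group-review.csv' -NoTypeInformation
```

A group marked Nested cannot be dropped by editing the user alone; the user has to be removed from the directly assigned group that leads to it.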