Determining the groups to which a user belongs

If you have a Microsoft Windows domain and want to determine the groups to which an account belongs from a command-line interface (CLI), i.e. a command prompt, you can do so using the dsquery and dsget commands. The dsquery command allows you to query the Active Directory (AD) service according to specified criteria. E.g., the dsquery user command finds users in the directory. By adding -samid and an account name to the command, you can limit the result to that user. E.g., for a user named Pamela in a domain named "Mayflower" with a Windows Small Business Server (SBS) 2003 server, I could use the command below, which shows the user's distinguished name (DN), including the full name:

C:\>dsquery user -samid pamela
"CN=Pamela M. Rolm,CN=Users,DC=mayflower,DC=lan"

I can pipe the output of that command into the dsget command, which will display information for the object piped into it. E.g., for the above account, I can use dsquery user -samid pamela | dsget user -memberof, which shows that the user's account is only in the Domain Users group:

C:\>dsquery user -samid pamela | dsget user -memberof
"CN=Domain Users,CN=Users,DC=mayflower,DC=lan"

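That information can be further expanded by adding -expand to the end of the command. With -expand, dsget lists the recursively expanded membership, i.e. it also shows the groups the account belongs to indirectly because one of its groups is itself a member of another group.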

C:\>dsquery user -samid pamela | dsget user -memberof -expand
"CN=Domain Users,CN=Users,DC=mayflower,DC=lan"
"CN=Users,CN=Builtin,DC=mayflower,DC=lan"


C:\>

For the administrator account on the system, the results show the account belongs to many more groups:

C:\>dsquery user -samid administrator | dsget user -memberof
"CN=Mobile Users,OU=Security Groups,OU=MyBusiness,DC=mayflower,DC=lan"
"CN=Group Policy Creator Owners,CN=Users,DC=mayflower,DC=lan"
"CN=Domain Admins,CN=Users,DC=mayflower,DC=lan"
"CN=Enterprise Admins,CN=Users,DC=mayflower,DC=lan"
"CN=Schema Admins,CN=Users,DC=mayflower,DC=lan"
"CN=Administrators,CN=Builtin,DC=mayflower,DC=lan"
"CN=TelnetClients,CN=Users,DC=mayflower,DC=lan"
"CN=Domain Users,CN=Users,DC=mayflower,DC=lan"

And with the -expand option added, the indirect memberships are listed as well:

C:\>dsquery user -samid administrator | dsget user -memberof -expand
"CN=Mobile Users,OU=Security Groups,OU=MyBusiness,DC=mayflower,DC=lan"
"CN=Group Policy Creator Owners,CN=Users,DC=mayflower,DC=lan"
"CN=Domain Admins,CN=Users,DC=mayflower,DC=lan"
"CN=Enterprise Admins,CN=Users,DC=mayflower,DC=lan"
"CN=Schema Admins,CN=Users,DC=mayflower,DC=lan"
"CN=Administrators,CN=Builtin,DC=mayflower,DC=lan"
"CN=TelnetClients,CN=Users,DC=mayflower,DC=lan"
"CN=Domain Users,CN=Users,DC=mayflower,DC=lan"
"CN=Offer Remote Assistance Helpers,CN=Users,DC=mayflower,DC=lan"
"CN=Usage Report Users,OU=Security Groups,OU=MyBusiness,DC=mayflower,DC=lan"
"CN=Users,CN=Builtin,DC=mayflower,DC=lan"

The command will provide similar information for an administrator account in a domain with a Windows Server 2012 domain controller as well.

c:\>dsquery user -samid Thomas | dsget user -memberof -expand
"CN=RA_AllowMediaAccess,CN=Users,DC=Midland,DC=local"
"CN=RA_AllowVpnAccess,CN=Users,DC=Midland,DC=local"
"CN=WSSUsers,CN=Users,DC=Midland,DC=local"
"CN=RA_AllowNetworkAlertAccess,CN=Users,DC=Midland,DC=local"
"CN=RA_AllowHomePageLinks,CN=Users,DC=Midland,DC=local"
"CN=RA_AllowAddInAccess,CN=Users,DC=Midland,DC=local"
"CN=RA_AllowComputerAccess,CN=Users,DC=Midland,DC=local"
"CN=RA_AllowShareAccess,CN=Users,DC=Midland,DC=local"
"CN=RA_AllowDashboardAccess,CN=Users,DC=Midland,DC=local"
"CN=RA_AllowRemoteAccess,CN=Users,DC=Midland,DC=local"
"CN=Domain Admins,CN=Users,DC=Midland,DC=local"
"CN=Schema Admins,CN=Users,DC=Midland,DC=local"
"CN=Domain Users,CN=Users,DC=Midland,DC=local"
"CN=Denied RODC Password Replication Group,CN=Users,DC=Midland,DC=local"
"CN=Administrators,CN=Builtin,DC=Midland,DC=local"
"CN=Users,CN=Builtin,DC=Midland,DC=local"


c:\>
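To see which memberships are direct, which come only from group nesting, and which grant high privileges, the output of the two commands can be compared offline. The Python script below is an added example, not part of the original article; the function names and the privileged-group watch-list are assumptions, and the sample input is abbreviated from the administrator output shown above.

```python
# Added example: audit captured "dsget user -memberof [-expand]" output offline.

# Assumed watch-list, matched on the group's CN only; adjust for your domain.
PRIVILEGED = {"domain admins", "enterprise admins", "schema admins",
              "administrators", "group policy creator owners"}

def first_rdn_value(dn):
    """Value of the leftmost RDN; a backslash-escaped comma stays in the name.
    Hex escapes such as \\2C are not decoded."""
    out, rest, i = [], dn.partition("=")[2], 0
    while i < len(rest) and rest[i] != ",":
        if rest[i] == "\\" and i + 1 < len(rest):
            i += 1                      # keep the escaped character literally
        out.append(rest[i])
        i += 1
    return "".join(out)

def parse_memberof(text):
    """Extract the quoted DNs, skipping prompts, commands and blank lines."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln[1:-1] for ln in lines if len(ln) > 1 and ln[0] == ln[-1] == '"']

def audit(direct_text, expanded_text):
    """Return (group name, 'direct' or 'nested', is_privileged) per group."""
    direct = {dn.lower() for dn in parse_memberof(direct_text)}
    report = []
    for dn in parse_memberof(expanded_text):
        name = first_rdn_value(dn)
        how = "direct" if dn.lower() in direct else "nested"
        report.append((name, how, name.lower() in PRIVILEGED))
    return report

# Sample input abbreviated from the administrator output shown on this page.
DIRECT = r'''C:\>dsquery user -samid administrator | dsget user -memberof
"CN=Domain Admins,CN=Users,DC=mayflower,DC=lan"
"CN=Administrators,CN=Builtin,DC=mayflower,DC=lan"
"CN=Domain Users,CN=Users,DC=mayflower,DC=lan"
'''
EXPANDED = r'''C:\>dsquery user -samid administrator | dsget user -memberof -expand
"CN=Domain Admins,CN=Users,DC=mayflower,DC=lan"
"CN=Administrators,CN=Builtin,DC=mayflower,DC=lan"
"CN=Domain Users,CN=Users,DC=mayflower,DC=lan"
"CN=Usage Report Users,OU=Security Groups,OU=MyBusiness,DC=mayflower,DC=lan"
"CN=Users,CN=Builtin,DC=mayflower,DC=lan"
'''

if __name__ == "__main__":
    for name, how, priv in audit(DIRECT, EXPANDED):
        print(f"{how:6}  {'PRIVILEGED' if priv else '':10}  {name}")
```

A privileged group reported as "nested" is the case worth reviewing first, since that access does not appear in the plain -memberof listing.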


 
